Azure Active Directory B2C (Business-to-Consumer) is a customer identity and access management (CIAM) service provided by Microsoft Azure as part of Microsoft Entra. It is designed to authenticate millions of users, scales automatically, and ships with built-in protections such as smart lockout against password-guessing attacks.
At SymSoft Solutions, we have successfully implemented Azure AD B2C across multiple projects, leveraging both standard user flows and custom policies to enhance the identity user experience. Azure AD B2C integrates with external identity providers such as Microsoft, Google, GitHub, and more, giving users Single Sign-On (SSO) into the application. It also serves as a cloud-based user directory: local accounts live in the B2C tenant, and custom attributes are stored as extension attributes bound to the b2c-extensions-app application registration that every tenant contains.
Integration with Applications
Azure AD B2C integrates easily with JavaScript-based front-end frameworks through MSAL (Microsoft Authentication Library), which can either redirect the user to the B2C-hosted pages or open them in a popup for a smoother login experience. Because each user flow or custom policy has its own authority URL, the MSAL configuration names the policy-specific authority and must list the b2clogin.com host in knownAuthorities; otherwise MSAL rejects the authority as untrusted.
At the end of any user flow or custom policy, Azure AD B2C issues an ID token, a JWT (JSON Web Token) that describes the authenticated user to the application. If the application requested scopes of a protected API, B2C also issues an access token. The front end presents that access token as a bearer token to the backend API, which must validate it before trusting any claim: the signature against the policy's published signing keys, the issuer, the audience, the expiry and the issuing policy (the tfp claim). MSAL handles token acquisition and caching on the client; on the server, the OpenID Connect (OIDC) and JWT bearer middleware in .NET-based applications performs the validation.
User Flows and Custom Policies
Azure AD B2C offers two approaches to defining authentication experiences:
User Flows (Predefined Policies)
User flows are built-in, configurable policies that define common authentication scenarios. They allow developers to:
- Customize branding (company logos, themes, UI styling).
- Choose which user attributes are collected during sign-up and sign-in.
- Configure the claims returned in the issued token.
These predefined flows are ideal for applications that require quick setup and basic identity management without extensive customization.
Custom Policies (Identity Experience Framework – IEF)
For more complex authentication requirements, custom policies offer control over every step of the identity journey. Unlike user flows, they are defined in a set of XML files (base, extensions and relying-party files) that inherit from one another in a hierarchical structure.
Custom policies allow:
- Fine-grained control over authentication logic and user interactions.
- Integration with legacy identity providers (IDPs) via SAML, OAuth2, and REST APIs.
- Implementation of advanced security measures, such as risk-based authentication.
While both user flows and custom policies support attribute customization, session management, and UI customization, custom policies provide significantly more flexibility at the cost of increased complexity.
A Few Interesting Custom Flows
Here are a few unique custom flows we implemented in Azure AD B2C to solve specific business challenges:
Impersonation for Customer Support
Some business scenarios require customer support agents to impersonate users for troubleshooting and better assistance. Since impersonation is not a built-in Azure AD B2C feature, we implemented a custom policy to enable this.
Implementation:
- Customer support agents log in via an external IDP (Microsoft), so the agent is authenticated by the corporate directory rather than by a B2C local account.
- The policy verifies their credentials and retrieves their role and permissions from the b2c-extensions-app attributes; only agents holding the support role may continue.
- Agents enter the email address of the customer they want to impersonate.
- The policy looks the customer up in the user directory and issues a token whose subject is the customer but which also carries claims identifying the agent, so every downstream API call made during the session can be attributed to the support agent.
This solution keeps the impersonation path auditable (both identities are in the token), restricts it to authorized agents, and preserves a seamless support experience. Backend APIs should treat such tokens as a distinct case: log both the customer and the agent, and never accept agent claims from tokens issued by the ordinary sign-in policy.
Legacy IDP Authentication via REST API
Organizations migrating from a legacy identity provider often need to validate users against the old system before transitioning to Azure AD B2C.
Implementation:
- We built a REST API in front of the legacy IDP that accepts the credentials a user submits and checks them against the old system.
- During login, for users who do not yet have a local account, Azure AD B2C calls this API (over HTTPS, authenticating with a credential stored as a policy key) to verify the legacy credentials before issuing a token.
- Once validated, the local account is created in Azure AD B2C with the same password, so subsequent logins are served by B2C alone and the legacy system can eventually be retired.
- Optionally, force a password reset after migration so that migrated accounts meet the tenant's password policy; this also limits the exposure if the legacy store used weak password hashing.
This just-in-time approach migrates users as they sign in, without bulk exports or downtime. Because the API receives plaintext passwords, it must be reachable only over TLS and must authenticate its caller.
Custom Email Verification via SendGrid
By default, Azure AD B2C sends its own verification email (a one-time code) during account sign-up. However, some businesses prefer a third-party email provider like SendGrid for greater control over branding, analytics, and deliverability.
Implementation:
- We replaced the built-in verification email with a custom SendGrid integration: a RESTful technical profile in the custom policy calls SendGrid's mail-send API with the verification code. Azure AD B2C still generates and checks the one-time code; SendGrid only delivers it.
- This requires a SendGrid account set up in advance, with its API key stored in Azure AD B2C policy keys so that the policy presents it as the bearer credential on every HTTP request to SendGrid; the key itself never appears in the policy XML.
- SendGrid dynamic templates with placeholder variables allow personalized, branded messages.
- SendGrid supports multiple languages, tracks email delivery, and provides engagement analytics.
This approach improves user engagement and gives a customized email experience while keeping the verification logic itself inside Azure AD B2C.
Advantages and Limitations
Advantages
- Azure AD B2C is a cloud-native solution that scales to millions of users while meeting industry compliance and security standards.
- User management and authentication are easier because Azure AD B2C handles most of it and offers integration with identity federations and enterprise providers.
- It requires no on-premises identity infrastructure, and its ready-made authentication flows keep setup and development effort low.
- It is cost efficient, since you are charged by Monthly Active Users (MAU), and it integrates easily with applications built on a modern technology stack.
Limitations
- User flows allow only limited customization and let developers call external APIs (API connectors) at just a few fixed points in the flow, such as before creating the user or before sending the token.
- Working with custom policies requires a deeper understanding of XML configuration, orchestration steps, technical profiles and claims transformations.
- Debugging errors in the XML or failures during a user journey is difficult because the error messages and logging are sparse and non-descriptive; wiring the policy to Application Insights in development mode is the main way to see what each orchestration step did.
- Microsoft's documentation does not cover the more advanced and complex scenarios in detail, which makes Azure AD B2C feel like a black box.
Conclusion
Azure AD B2C is a powerful, scalable, and secure identity management solution for B2C applications, providing SSO, API security, and seamless integrations with third-party providers.
For simple authentication needs, user flows are quick and easy to implement. However, for businesses requiring advanced customization, custom policies offer greater flexibility—but at the cost of higher complexity and longer development time.
By carefully choosing the right approach—user flows for standard implementations and custom policies for unique identity experiences—organizations can maximize the benefits of Azure AD B2C while mitigating its limitations.