Azure-Samples
diff --git a/‎.env.sample‎
Lines changed: 22 additions & 6 deletions b/‎.env.sample‎
Lines changed: 22 additions & 6 deletions
diff --git a/‎.env.sample.b2c‎
Lines changed: 0 additions & 9 deletions b/‎.env.sample.b2c‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎README.md‎
Lines changed: 10 additions & 0 deletions b/‎README.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎README_B2C.md‎
Lines changed: 0 additions & 30 deletions b/‎README_B2C.md‎
Lines changed: 0 additions & 30 deletions
diff --git a/‎app_config.py‎
Lines changed: 23 additions & 4 deletions b/‎app_config.py‎
Lines changed: 23 additions & 4 deletions
@@ -1,16 +1,32 @@
 # Note: If you are using Azure App Service, go to your app's Configuration,
 # and then set the following values into your app's "Application settings".
 
+# The following variables are required for the app to run.
 CLIENT_ID=<client id>
 CLIENT_SECRET=<client secret>
 
-# The AUTHORITY variable expects a full authority URL.
+# This sample can be configured as a Microsoft Entra ID app,
+# a Microsoft Entra External ID app, or a B2C app.
+
+# 1. If you are using a Microsoft Entra ID tenent,
+#    configure the AUTHORITY variable as
+#    "https://login.microsoftonline.com/TENANT_GUID"
+#    or "https://login.microsoftonline.com/subdomain.onmicrosoft.com".
 #
-# If you are using an AAD tenent, configure it as
-# "https://login.microsoftonline.com/TENANT_GUID"
-# or "https://login.microsoftonline.com/subdomain.onmicrosoft.com".
+#    Alternatively, leave it undefined if you are building a multi-tenant AAD app
+#    in world-wide cloud
+#AUTHORITY=<authority url>
 #
-# If you are using a CIAM tenant, configure it as "https://subdomain.ciamlogin.com"
 #
-# Alternatively, leave it undefined if you are building a multi-tenant app in world-wide cloud
+# 2. If you are using a Microsoft Entra External ID for customers (CIAM) tenant,
+#    configure AUTHORITY as "https://subdomain.ciamlogin.com"
 #AUTHORITY=<authority url>
+#
+#
+# 3. If you are using a B2C tenant, configure the following variables:
+#    Note the B2C_TENANT_NAME shall be the display name such as "contoso"
+#
+#B2C_TENANT_NAME=<tenant name>
+SIGNUPSIGNIN_USER_FLOW=B2C_1_signupsignin1
+EDITPROFILE_USER_FLOW=B2C_1_profile_editing
+RESETPASSWORD_USER_FLOW=B2C_1_reset_password
@@ -11,12 +11,22 @@ urlFragment: ms-identity-python-webapp
 
 This is a Python web application that uses the Flask framework and the Microsoft identity platform to sign in users and make authenticated calls to the Microsoft Graph API.
 
+# Configuration
+
+## If you are configuring your Microsoft Entra ID app or Microsoft Entra External ID app
+
 To get started with this sample, you have two options:
 
 * Use the Azure portal to create the Azure AD applications and related objects. Follow the steps in
   [Quickstart: Add sign-in with Microsoft to a Python web app](https://docs.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python).
 * Use PowerShell scripts that automatically create the Azure AD applications and related objects (passwords, permissions, dependencies) for you, and then modify the configuration files. Follow the steps in the [App Creation Scripts README](./AppCreationScripts/AppCreationScripts.md).
 
+## If you are configuring your B2C app
+
+This sample can also work as a B2C app. If you are using a B2C tenant, follow
+[Configure authentication in a sample Python web app by using Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/configure-authentication-sample-python-web-app).
+
+
 # Deployment
 
 Once you finish testing this web app locally, you can deploy it to your production.
 
@@ -1,14 +1,33 @@
 import os
 
+
+if (os.getenv('B2C_TENANT_NAME')
+    and os.getenv('SIGNUPSIGNIN_USER_FLOW') and os.getenv('EDITPROFILE_USER_FLOW')):
+    # This branch is for B2C. You can delete this branch if you are not using B2C.
+    b2c_tenant = os.getenv('B2C_TENANT_NAME')
+    authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
+    AUTHORITY = authority_template.format(
+        tenant=b2c_tenant,
+        user_flow=os.getenv('SIGNUPSIGNIN_USER_FLOW'))
+    B2C_PROFILE_AUTHORITY = authority_template.format(
+        tenant=b2c_tenant,
+        user_flow=os.getenv('EDITPROFILE_USER_FLOW'))
+    B2C_RESET_PASSWORD_AUTHORITY = authority_template.format(
+        # If you are using the new "Recommended user flow"
+        # (https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-versions),
+        # you can remove the B2C_RESET_PASSWORD_AUTHORITY settings from this file.
+        tenant=b2c_tenant,
+        user_flow=os.getenv('RESETPASSWORD_USER_FLOW'))
+else:  # This branch is for AAD or CIAM
+    # You can configure your authority via environment variable
+    # Defaults to a multi-tenant app in world-wide cloud
+    AUTHORITY = os.getenv("AUTHORITY") or "https://login.microsoftonline.com/common"
+
 # Application (client) ID of app registration
 CLIENT_ID = os.getenv("CLIENT_ID")
 # Application's generated client secret: never check this into source control!
 CLIENT_SECRET = os.getenv("CLIENT_SECRET")
 
-# You can configure your authority via environment variable
-# Defaults to a multi-tenant app in world-wide cloud
-AUTHORITY = os.getenv("AUTHORITY", "https://login.microsoftonline.com/common")
-
 REDIRECT_PATH = "/getAToken"  # Used for forming an absolute URL to your redirect URI.
 # The absolute URL must match the redirect URI you set
 # in the app's registration in the Azure portal.