
AAD B2C specifics

jennyf19 edited this page Mar 22, 2019 · 20 revisions

This page is for MSAL 3.x

If you are interested in MSAL 2.x, please see AAD B2C specifics in MSAL 2.x

Use MSAL.NET to sign in users with social identities

You can use MSAL.NET to sign in users with social identities by using Azure AD B2C. AAD B2C is built around the notion of policies. In MSAL.NET, specifying a policy translates to providing an authority.

  • When you instantiate the public client application, you need to specify the policy in the authority
  • When you want to apply a policy, you need to acquire the token with that policy's authority (the AcquireTokenAsync overrides that take an authority parameter in MSAL 2.x; the WithB2CAuthority builder method in MSAL 3.x)

Authority for a B2C tenant and policy

The authority to use is https://login.microsoftonline.com/tfp/{tenant}/{policyName} where:

  • tenant is the name of the Azure AD B2C tenant,
  • policyName is the name of the policy to apply (for instance "b2c_1_susi" for sign-in/sign-up).

The current guidance from B2C is to use b2clogin.com as the authority. For example, $"https://{your-tenant-name}.b2clogin.com/tfp/{your-tenant-ID}/{policyname}". For more information, see this documentation.

// Azure AD B2C Coordinates
public static string Tenant = "fabrikamb2c.onmicrosoft.com";
public static string ClientID = "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6";
public static string PolicySignUpSignIn = "b2c_1_susi";
public static string PolicyEditProfile = "b2c_1_edit_profile";
public static string PolicyResetPassword = "b2c_1_reset";

public static string AuthorityBase = $"https://fabrikamb2c.b2clogin.com/tfp/{Tenant}/";
public static string Authority = $"{AuthorityBase}{PolicySignUpSignIn}";
public static string AuthorityEditProfile = $"{AuthorityBase}{PolicyEditProfile}";
public static string AuthorityPasswordReset = $"{AuthorityBase}{PolicyResetPassword}";

Instantiating the application

When building the application, you provide the authority as usual, built as above:

application = PublicClientApplicationBuilder.Create(ClientID)
               .WithB2CAuthority(Authority)
               .Build();

Acquiring a token to apply a policy

Acquiring a token for an Azure AD B2C protected API in a public client application requires you to use the overrides that take an authority, so that the token is requested under the policy's authority:

// authority is the B2C authority of the policy to apply (for instance Authority or AuthorityEditProfile above)
IEnumerable<IAccount> accounts = await application.GetAccountsAsync();
AuthenticationResult ar = await application.AcquireTokenInteractive(scopes)
                                           .WithParentActivityOrWindow(parentWindow)
                                           .WithAccount(GetAccountByPolicy(accounts, policy))
                                           .WithB2CAuthority(authority)
                                           .ExecuteAsync();

with:

  • policy being one of the strings above (for instance PolicySignUpSignIn)

  • GetAccountByPolicy(IEnumerable<IAccount>, string) is a method that finds the cached account for a given policy. For instance:

     private IAccount GetAccountByPolicy(IEnumerable<IAccount> accounts, string policy)
     {
         foreach (var account in accounts)
         {
             // B2C caches one account per policy: the object id part of the home account id ends with the policy name
             string userIdentifier = account.HomeAccountId.ObjectId.Split('.')[0];
             if (userIdentifier.EndsWith(policy.ToLower())) return account;
         }
         return null;
     }

Applying a policy (for instance letting the end user edit their profile or reset their password) is currently done by acquiring a token interactively with that policy's authority (AcquireTokenAsync in MSAL 2.x, AcquireTokenInteractive in MSAL 3.x).

Note that for these two policies you do not use the returned token or authentication result; the call exists only to run the policy's user journey.

Special case of EditProfile and ResetPassword policies

When you want to provide an experience where your end users sign in with a social identity and then edit their profile, you apply the B2C EditProfile policy. To do this, acquire a token with the specific authority for that policy and the prompt set to NoPrompt (Prompt.NoPrompt in MSAL 3.x, UIBehavior.NoPrompt in MSAL 2.x), so that the account selection dialog is not displayed (the user is already signed in).

private async void EditProfileButton_Click(object sender, RoutedEventArgs e)
{
    IEnumerable<IAccount> accounts = await app.GetAccountsAsync();
    try
    {
        // Same application object, but the authority of the EditProfile policy;
        // NoPrompt skips account selection because the user is already signed in.
        var authResult = await app.AcquireTokenInteractive(App.ApiScopes)
                                  .WithAccount(GetAccountByPolicy(accounts, App.PolicyEditProfile))
                                  .WithPrompt(Prompt.NoPrompt)
                                  .WithB2CAuthority(App.AuthorityEditProfile)
                                  .ExecuteAsync();
        DisplayBasicTokenInfo(authResult);
    }
    catch (MsalException)
    {
        // error handling omitted
    }
}
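As an added example (not code from the MSAL.NET project or from the B2C samples), the following hypothetical B2CPolicyClient wrapper ties the two sections above together: one application object shared by all policies, the sign-up/sign-in policy served from the token cache before falling back to the interactive journey, and EditProfile/ResetPassword applied interactively with NoPrompt. It assumes a tenant domain such as fabrikamb2c.onmicrosoft.com and the b2clogin.com authority layout shown above.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical wrapper (added example, not MSAL.NET's own code): one IPublicClientApplication
// shared by every policy; the policy is selected per call through its authority.
public class B2CPolicyClient
{
    private readonly IPublicClientApplication _app;
    private readonly string _authorityBase;
    private readonly IEnumerable<string> _scopes;

    public B2CPolicyClient(string clientId, string tenant, string signUpSignInPolicy, IEnumerable<string> scopes)
    {
        // Authority layout from this page: https://{tenant-name}.b2clogin.com/tfp/{tenant}/{policy};
        // assumes the tenant name is the first label of the tenant domain (fabrikamb2c.onmicrosoft.com).
        _authorityBase = $"https://{tenant.Split('.')[0]}.b2clogin.com/tfp/{tenant}/";
        _scopes = scopes;
        _app = PublicClientApplicationBuilder.Create(clientId)
                   .WithB2CAuthority(_authorityBase + signUpSignInPolicy).Build();
    }

    // B2C caches one account per policy; the cached account's object id ends with the policy name.
    public static IAccount GetAccountByPolicy(IEnumerable<IAccount> accounts, string policy) =>
        accounts.FirstOrDefault(a => a.HomeAccountId.ObjectId.Split('.')[0].EndsWith(policy.ToLowerInvariant()));

    // Sign-up/sign-in: serve from the cache for this policy when possible; run the interactive
    // journey only when no account is cached yet or MSAL reports that user interaction is required.
    public async Task<AuthenticationResult> SignInAsync(string policy)
    {
        string authority = _authorityBase + policy;
        IAccount account = GetAccountByPolicy(await _app.GetAccountsAsync(), policy);
        if (account != null)
        {
            try { return await _app.AcquireTokenSilent(_scopes, account).WithB2CAuthority(authority).ExecuteAsync(); }
            catch (MsalUiRequiredException) { /* refresh token expired or revoked: fall through */ }
        }
        return await _app.AcquireTokenInteractive(_scopes).WithB2CAuthority(authority).ExecuteAsync();
    }

    // EditProfile and ResetPassword: always interactive, NoPrompt because the user is already signed in
    // under signedInPolicy; the token that comes back is not used, so the result is discarded.
    public async Task ApplyPolicyAsync(string policy, string signedInPolicy)
    {
        IAccount account = GetAccountByPolicy(await _app.GetAccountsAsync(), signedInPolicy);
        await _app.AcquireTokenInteractive(_scopes).WithAccount(account).WithPrompt(Prompt.NoPrompt)
                  .WithB2CAuthority(_authorityBase + policy).ExecuteAsync();
    }
}
```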

Google Auth and Embedded Webview

If you are a B2C developer using Google as an identity provider, we recommend that you use the system browser, as Google does not allow authentication from embedded webviews. Currently, login.microsoftonline.com is a trusted authority with Google, so using this authority will work with an embedded webview. However, b2clogin.com is not a trusted authority with Google, so users will not be able to authenticate through an embedded webview with that authority.

We will provide an update to the wiki and this issue if things change.

Samples illustrating acquiring tokens interactively with MSAL.NET for B2C applications

Sample: active-directory-b2c-xamarin-native
Platform: Xamarin iOS, Xamarin Android, UWP
Description: A simple Xamarin Forms app showcasing how to use MSAL.NET to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens.
