Repository: Azure-Samples/active-directory-b2c-custom-policy-starterpack
Branch: main
Commit: fc39b7dbf764
Files: 65
Total size: 1.1 MB
Directory structure:
gitextract_pz39vks8/
├── .gitignore
├── Display Controls Starterpack/
│ ├── LocalAccounts/
│ │ ├── PasswordReset.xml
│ │ ├── ProfileEdit.xml
│ │ ├── SignUpOrSignin.xml
│ │ ├── TrustFrameworkBase.xml
│ │ ├── TrustFrameworkExtensions.xml
│ │ └── TrustFrameworkLocalization.xml
│ ├── SocialAccounts/
│ │ ├── ProfileEdit.xml
│ │ ├── SignUpOrSignin.xml
│ │ ├── TrustFrameworkBase.xml
│ │ ├── TrustFrameworkExtensions.xml
│ │ └── TrustFrameworkLocalization.xml
│ ├── SocialAndLocalAccounts/
│ │ ├── PasswordReset.xml
│ │ ├── ProfileEdit.xml
│ │ ├── SignUpOrSignin.xml
│ │ ├── TrustFrameworkBase.xml
│ │ ├── TrustFrameworkExtensions.xml
│ │ └── TrustFrameworkLocalization.xml
│ └── SocialAndLocalAccountsWithMfa/
│ ├── PasswordReset.xml
│ ├── ProfileEdit.xml
│ ├── SignUpOrSignin.xml
│ ├── TrustFrameworkBase.xml
│ ├── TrustFrameworkExtensions.xml
│ └── TrustFrameworkLocalization.xml
├── LICENSE
├── LocalAccounts/
│ ├── PasswordReset.xml
│ ├── ProfileEdit.xml
│ ├── SignUpOrSignin.xml
│ ├── TrustFrameworkBase.xml
│ ├── TrustFrameworkExtensions.xml
│ ├── TrustFrameworkLocalization.xml
│ └── readme.md
├── README.md
├── SocialAccounts/
│ ├── ProfileEdit.xml
│ ├── SignUpOrSignin.xml
│ ├── TrustFrameworkBase.xml
│ ├── TrustFrameworkExtensions.xml
│ └── TrustFrameworkLocalization.xml
├── SocialAndLocalAccounts/
│ ├── PasswordReset.xml
│ ├── ProfileEdit.xml
│ ├── SignUpOrSignin.xml
│ ├── TrustFrameworkBase.xml
│ ├── TrustFrameworkExtensions.xml
│ ├── TrustFrameworkLocalization.xml
│ └── readme.md
├── SocialAndLocalAccountsWithMfa/
│ ├── PasswordReset.xml
│ ├── ProfileEdit.xml
│ ├── SignUpOrSignin.xml
│ ├── TrustFrameworkBase.xml
│ ├── TrustFrameworkExtensions.xml
│ ├── TrustFrameworkLocalization.xml
│ └── readme.md
├── TrustFrameworkPolicy_0.3.0.0.xsd
└── scenarios/
├── linkedin-identity-provider/
│ ├── SignUpOrSignin.xml
│ └── TrustFrameworkExtensions.xml
├── password-change/
│ ├── PasswordChange.xml
│ └── TrustFrameworkExtensions.xml
└── phone-number-passwordless/
├── ChangePhoneNumber.xml
├── PasswordResetEmail.xml
├── Phone_Email_Base.xml
├── ProfileEditPhoneEmail.xml
├── ProfileEditPhoneOnly.xml
├── README.md
├── SignUpOrSignInWithPhone.xml
└── SignUpOrSignInWithPhoneOrEmail.xml
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# DNX
project.lock.json
artifacts/
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to check in your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# check in your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produce more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
================================================
FILE: Display Controls Starterpack/LocalAccounts/PasswordReset.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/LocalAccounts/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/LocalAccounts/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/LocalAccounts/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Sign in name
string
TextBox
Email Address
string
Email address to use for signing in.
TextBox
Account Enabled
boolean
Specifies whether the user's account is enabled.
Specifies whether your account is enabled.
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
Identity Provider
string
Display Name
string
Your display name.
TextBox
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
Verification Code
string
Enter your verification code
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account sign up page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account change password page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
Local Account SignIn
Local Account SignIn
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
false
- Write
- true
false
- Write
- false
- true
false
- Read
- true
false
Self Asserted
User ID signup
- api.selfasserted.profileupdate
false
Local Account
Email signup
- IpAddress
- api.localaccountsignup
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.localaccountsignin
- true
false
Reset password using email address
- IpAddress
- api.localaccountpasswordreset
false
Change password (username)
- api.localaccountpasswordreset
Session Management
Noop Session Management Provider
Session Management Provider
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
AAD SSPR
Send Code
- SendCode
Verify Code
- VerifyCode
objectId
SkipThisOrchestrationStep
false
================================================
FILE: Display Controls Starterpack/LocalAccounts/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
================================================
FILE: Display Controls Starterpack/LocalAccounts/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
One or more fields are filled out incorrectly. Please check your entries and try again.
The password entry fields do not match. Please enter the same password in both fields and try again.
A required field is missing. Please fill out all required fields and try again.
What is this?
Please provide the following details.
Please wait
This information is required.
Cancel
Verification is necessary. Please click Send button.
Verification code has been sent to your inbox. Please copy it to the input box below.
We are having trouble verifying your email address. Please enter a valid email address and try again.
E-mail address verified. You can now continue.
We are having trouble verifying your email address. Please try again.
Send verification code
Verify code
Send new code
Change e-mail
We are having trouble verifying your email address. Please try again later.
There have been too many requests to verify this email address. Please wait a while, then try again.
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
You are already registered, please press the back button and sign in instead.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
The password entry fields do not match. Please enter the same password in both fields and try again.
One or more fields are filled out incorrectly. Please check your entries and try again.
Continue
Cancel
An account could not be found for the provided user ID.
Your account has been locked. Contact your support person to unlock it, then try again.
This information is required.
Verification is necessary. Please click Send button.
Verification code has been sent to your inbox. Please copy it to the input box below.
We are having trouble verifying your email address. Please enter a valid email address and try again.
E-mail address verified. You can now continue.
We are having trouble verifying your email address. Please try again.
Send verification code
Verify code
Send new code
Change e-mail
We are having trouble verifying your email address. Please try again later.
There have been too many requests to verify this email address. Please wait a while, then try again.
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Sign in
Local Account Signin
Facebook
Email Address
Password
Continue
Cancel
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
================================================
FILE: Display Controls Starterpack/SocialAccounts/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAccounts/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAccounts/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Subject
string
AlternativeSecurityId
string
MailNickName
string
Your mail nick name as stored in the Azure Active Directory.
Identity Provider
string
Display Name
string
Your display name.
TextBox
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
facebook.com
Facebook
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
- false
- Write
- false
- true
false
- Read
- true
false
Self Asserted
User ID signup
- api.socialccountsignup
User ID signup
- api.selfasserted.profileupdate
false
Session Management
Noop Session Management Provider
Session Management Provider
Session Management Provider
- true
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
objectId
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
false
================================================
FILE: Display Controls Starterpack/SocialAccounts/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Facebook
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
================================================
FILE: Display Controls Starterpack/SocialAccounts/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your social account
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
OR
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
Cancel
You are already registered, please press the back button and sign in instead.
Sign in
Local Account Signin
Facebook
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccounts/PasswordReset.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccounts/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccounts/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccounts/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Sign in name
string
TextBox
Email Address
string
Email address to use for signing in.
TextBox
Account Enabled
boolean
Specifies whether the user's account is enabled.
Specifies whether your account is enabled.
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
AlternativeSecurityId
string
MailNickName
string
Your mail nick name as stored in the Azure Active Directory.
Identity Provider
string
Display Name
string
Your display name.
TextBox
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
Verification Code
string
Enter your verification code
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account sign up page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account change password page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
facebook.com
Facebook
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
Local Account SignIn
Local Account SignIn
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
- false
- Write
- true
false
- Read
- true
false
- Write
- true
false
- Write
- false
- true
false
- Read
- true
false
Self Asserted
User ID signup
- api.socialccountsignup
User ID signup
- api.selfasserted.profileupdate
false
Local Account
Email signup
- IpAddress
- api.localaccountsignup
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.localaccountsignin
- true
false
Reset password using email address
- IpAddress
- api.localaccountpasswordreset
false
Change password (username)
- api.localaccountpasswordreset
Session Management
Noop Session Management Provider
Session Management Provider
Session Management Provider
- true
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
AAD SSPR
Send Code
- SendCode
Verify Code
- VerifyCode
objectId
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
false
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccounts/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Facebook
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccounts/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your social account
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
OR
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
One or more fields are filled out incorrectly. Please check your entries and try again.
The password entry fields do not match. Please enter the same password in both fields and try again.
A required field is missing. Please fill out all required fields and try again.
What is this?
Please provide the following details.
Please wait
This information is required.
Cancel
Verification is necessary. Please click the Send button.
Verification code has been sent to your inbox. Please copy it to the input box below.
We are having trouble verifying your email address. Please enter a valid email address and try again.
E-mail address verified. You can now continue.
We are having trouble verifying your email address. Please try again.
Send verification code
Verify code
Send new code
Change e-mail
We are having trouble verifying your email address. Please try again later.
There have been too many requests to verify this email address. Please wait a while, then try again.
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
Cancel
You are already registered, please press the back button and sign in instead.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
The password entry fields do not match. Please enter the same password in both fields and try again.
One or more fields are filled out incorrectly. Please check your entries and try again.
Continue
Cancel
An account could not be found for the provided user ID.
Your account has been locked. Contact your support person to unlock it, then try again.
This information is required.
Verification is necessary. Please click the Send button.
Verification code has been sent to your inbox. Please copy it to the input box below.
We are having trouble verifying your email address. Please enter a valid email address and try again.
E-mail address verified. You can now continue.
We are having trouble verifying your email address. Please try again.
Send verification code
Verify code
Send new code
Change e-mail
We are having trouble verifying your email address. Please try again later.
There have been too many requests to verify this email address. Please wait a while, then try again.
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Sign in
Local Account Signin
Facebook
Email Address
Password
Continue
Cancel
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccountsWithMfa/PasswordReset.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccountsWithMfa/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccountsWithMfa/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Sign in name
string
TextBox
Email Address
string
Email address to use for signing in.
TextBox
Account Enabled
boolean
Specifies whether the user's account is enabled.
Specifies whether your account is enabled.
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
AlternativeSecurityId
string
MailNickName
string
Your mail nick name as stored in the Azure Active Directory.
Identity Provider
string
Display Name
string
Your display name.
TextBox
Phone Number
string
XXX-XXX-
Your telephone number
Verified Phone Number
string
XXX-XXX-
Your office phone number that has been verified
New Phone Number Entered
boolean
UserId for MFA
string
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
Verification Code
string
Enter your verification code
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5
- Multi-factor authentication page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account sign up page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account change password page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
facebook.com
Facebook
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
Local Account SignIn
Local Account SignIn
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
PhoneFactor
PhoneFactor
- api.phonefactor
- true
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
- false
- Write
- true
false
- Read
- true
false
- Write
- true
false
- Write
- false
- true
false
- Read
- true
false
- Write
- false
- true
false
Self Asserted
User ID signup
- api.socialccountsignup
User ID signup
- api.selfasserted.profileupdate
false
Local Account
Email signup
- IpAddress
- api.localaccountsignup
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.localaccountsignin
- true
false
Reset password using email address
- IpAddress
- api.localaccountpasswordreset
false
Change password (username)
- api.localaccountpasswordreset
Session Management
Noop Session Management Provider
Session Management Provider
Session Management Provider
- true
Session Management Provider
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
AAD SSPR
Send Code
- SendCode
Verify Code
- VerifyCode
objectId
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
isActiveMFASession
SkipThisOrchestrationStep
newPhoneNumberEntered
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
false
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccountsWithMfa/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Facebook
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
================================================
FILE: Display Controls Starterpack/SocialAndLocalAccountsWithMfa/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your social account
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
OR
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
One or more fields are filled out incorrectly. Please check your entries and try again.
The password entry fields do not match. Please enter the same password in both fields and try again.
A required field is missing. Please fill out all required fields and try again.
What is this?
Please provide the following details.
Please wait
This information is required.
Cancel
Verification is necessary. Please click the Send button.
Verification code has been sent to your inbox. Please copy it to the input box below.
We are having trouble verifying your email address. Please enter a valid email address and try again.
E-mail address verified. You can now continue.
We are having trouble verifying your email address. Please try again.
Send verification code
Verify code
Send new code
Change e-mail
We are having trouble verifying your email address. Please try again later.
There have been too many requests to verify this email address. Please wait a while, then try again.
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
Cancel
You are already registered, please press the back button and sign in instead.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
The password entry fields do not match. Please enter the same password in both fields and try again.
One or more fields are filled out incorrectly. Please check your entries and try again.
Continue
Cancel
An account could not be found for the provided user ID.
Your account has been locked. Contact your support person to unlock it, then try again.
This information is required.
Verification is necessary. Please click the Send button.
Verification code has been sent to your inbox. Please copy it to the input box below.
We are having trouble verifying your email address. Please enter a valid email address and try again.
E-mail address verified. You can now continue.
We are having trouble verifying your email address. Please try again.
Send verification code
Verify code
Send new code
Change e-mail
We are having trouble verifying your email address. Please try again later.
There have been too many requests to verify this email address. Please wait a while, then try again.
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Sign in
Local Account Signin
Facebook
Email Address
Password
Continue
Cancel
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
Call Me
Country Code
The user has canceled multi-factor authentication
Send a new code
\d{6}
We have the following number on record for you. We can send a code via SMS or phone to authenticate you.
We have the following numbers on record for you. Choose a number that we can phone or send a code via SMS to authenticate you.
Verify Code
Please enter the verification code you received
Please enter the 6-digit code you received
Cancel
Phone number
Retry
I don't have my phone
We have the following numbers on record for you. Choose a number that we can phone to authenticate you.
We have the following number on record for you. We will phone to authenticate you.
Enter your verification code below, or
Enter a number below that we can phone to authenticate you.
Enter a number below that we can send a code via SMS to authenticate you.
Send Code
Please enter a valid phone number
We have the following number on record for you. We will send a code via SMS to authenticate you.
Enter a number below that we can send a code via SMS or phone to authenticate you.
^\+(?:[0-9][\x20-]?){6,14}[0-9]$
We have the following numbers on record for you. Choose a number that we can send a code via SMS to authenticate you.
Please select your country code
Please enter your phone number
Country or region
Phone Number
The phone number you provided is busy or unavailable. Please check the number and try again.
You hit the limit on the number of text messages. Try again shortly.
You hit the limit on the number of call attempts. Try again shortly.
You hit the limit on the number of verification attempts. Try again shortly.
The verification code you have entered does not match our records. Please try again, or request a new code.
{"DEFAULT":"Country/Region","AF":"Afghanistan","AX":"Åland Islands","AL":"Albania","DZ":"Algeria","AS":"American Samoa","AD":"Andorra","AO":"Angola","AI":"Anguilla","AQ":"Antarctica","AG":"Antigua and Barbuda","AR":"Argentina","AM":"Armenia","AW":"Aruba","AU":"Australia","AT":"Austria","AZ":"Azerbaijan","BS":"Bahamas","BH":"Bahrain","BD":"Bangladesh","BB":"Barbados","BY":"Belarus","BE":"Belgium","BZ":"Belize","BJ":"Benin","BM":"Bermuda","BT":"Bhutan","BO":"Bolivia","BQ":"Bonaire","BA":"Bosnia and Herzegovina","BW":"Botswana","BV":"Bouvet Island","BR":"Brazil","IO":"British Indian Ocean Territory","VG":"British Virgin Islands","BN":"Brunei","BG":"Bulgaria","BF":"Burkina Faso","BI":"Burundi","CV":"Cabo Verde","KH":"Cambodia","CM":"Cameroon","CA":"Canada","KY":"Cayman Islands","CF":"Central African Republic","TD":"Chad","CL":"Chile","CN":"China","CX":"Christmas Island","CC":"Cocos (Keeling) Islands","CO":"Colombia","KM":"Comoros","CG":"Congo","CD":"Congo (DRC)","CK":"Cook Islands","CR":"Costa Rica","CI":"Côte d'Ivoire","HR":"Croatia","CU":"Cuba","CW":"Curaçao","CY":"Cyprus","CZ":"Czech Republic","DK":"Denmark","DJ":"Djibouti","DM":"Dominica","DO":"Dominican Republic","EC":"Ecuador","EG":"Egypt","SV":"El Salvador","GQ":"Equatorial Guinea","ER":"Eritrea","EE":"Estonia","ET":"Ethiopia","FK":"Falkland Islands","FO":"Faroe Islands","FJ":"Fiji","FI":"Finland","FR":"France","GF":"French Guiana","PF":"French Polynesia","TF":"French Southern Territories","GA":"Gabon","GM":"Gambia","GE":"Georgia","DE":"Germany","GH":"Ghana","GI":"Gibraltar","GR":"Greece","GL":"Greenland","GD":"Grenada","GP":"Guadeloupe","GU":"Guam","GT":"Guatemala","GG":"Guernsey","GN":"Guinea","GW":"Guinea-Bissau","GY":"Guyana","HT":"Haiti","HM":"Heard Island and McDonald Islands","HN":"Honduras","HK":"Hong Kong SAR","HU":"Hungary","IS":"Iceland","IN":"India","ID":"Indonesia","IR":"Iran","IQ":"Iraq","IE":"Ireland","IM":"Isle of 
Man","IL":"Israel","IT":"Italy","JM":"Jamaica","JP":"Japan","JE":"Jersey","JO":"Jordan","KZ":"Kazakhstan","KE":"Kenya","KI":"Kiribati","KR":"Korea","KW":"Kuwait","KG":"Kyrgyzstan","LA":"Laos","LV":"Latvia","LB":"Lebanon","LS":"Lesotho","LR":"Liberia","LY":"Libya","LI":"Liechtenstein","LT":"Lithuania","LU":"Luxembourg","MO":"Macao SAR","MK":"North Macedonia","MG":"Madagascar","MW":"Malawi","MY":"Malaysia","MV":"Maldives","ML":"Mali","MT":"Malta","MH":"Marshall Islands","MQ":"Martinique","MR":"Mauritania","MU":"Mauritius","YT":"Mayotte","MX":"Mexico","FM":"Micronesia","MD":"Moldova","MC":"Monaco","MN":"Mongolia","ME":"Montenegro","MS":"Montserrat","MA":"Morocco","MZ":"Mozambique","MM":"Myanmar","NA":"Namibia","NR":"Nauru","NP":"Nepal","NL":"Netherlands","NC":"New Caledonia","NZ":"New Zealand","NI":"Nicaragua","NE":"Niger","NG":"Nigeria","NU":"Niue","NF":"Norfolk Island","KP":"North Korea","MP":"Northern Mariana Islands","NO":"Norway","OM":"Oman","PK":"Pakistan","PW":"Palau","PS":"Palestinian Authority","PA":"Panama","PG":"Papua New Guinea","PY":"Paraguay","PE":"Peru","PH":"Philippines","PN":"Pitcairn Islands","PL":"Poland","PT":"Portugal","PR":"Puerto Rico","QA":"Qatar","RE":"Réunion","RO":"Romania","RU":"Russia","RW":"Rwanda","BL":"Saint Barthélemy","KN":"Saint Kitts and Nevis","LC":"Saint Lucia","MF":"Saint Martin","PM":"Saint Pierre and Miquelon","VC":"Saint Vincent and the Grenadines","WS":"Samoa","SM":"San Marino","ST":"São Tomé and Príncipe","SA":"Saudi Arabia","SN":"Senegal","RS":"Serbia","SC":"Seychelles","SL":"Sierra Leone","SG":"Singapore","SX":"Sint Maarten","SK":"Slovakia","SI":"Slovenia","SB":"Solomon Islands","SO":"Somalia","ZA":"South Africa","GS":"South Georgia and South Sandwich Islands","SS":"South Sudan","ES":"Spain","LK":"Sri Lanka","SH":"St Helena, Ascension, Tristan da 
Cunha","SD":"Sudan","SR":"Suriname","SJ":"Svalbard","SZ":"Swaziland","SE":"Sweden","CH":"Switzerland","SY":"Syria","TW":"Taiwan","TJ":"Tajikistan","TZ":"Tanzania","TH":"Thailand","TL":"Timor-Leste","TG":"Togo","TK":"Tokelau","TO":"Tonga","TT":"Trinidad and Tobago","TN":"Tunisia","TR":"Turkey","TM":"Turkmenistan","TC":"Turks and Caicos Islands","TV":"Tuvalu","UM":"U.S. Outlying Islands","VI":"U.S. Virgin Islands","UG":"Uganda","UA":"Ukraine","AE":"United Arab Emirates","GB":"United Kingdom","US":"United States","UY":"Uruguay","UZ":"Uzbekistan","VU":"Vanuatu","VA":"Vatican City","VE":"Venezuela","VN":"Vietnam","WF":"Wallis and Futuna","YE":"Yemen","ZM":"Zambia","ZW":"Zimbabwe"}
The phone number you provided is unreachable.
User has exceeded the number of retry attempts.
Verification code
Phone Number
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) Microsoft Corporation. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE
================================================
FILE: LocalAccounts/PasswordReset.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: LocalAccounts/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: LocalAccounts/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: LocalAccounts/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Sign in name
string
TextBox
Email Address
string
Email address to use for signing in.
TextBox
Account Enabled
boolean
Specifies whether the user's account is enabled.
Specifies whether your account is enabled.
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
Identity Provider
string
Display Name
string
Your display name.
TextBox
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account sign up page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account change password page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
Local Account SignIn
Local Account SignIn
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
false
- Write
- true
false
- Write
- false
- true
false
- Read
- true
false
Self Asserted
User ID signup
- api.selfasserted.profileupdate
false
Local Account
Email signup
- IpAddress
- api.localaccountsignup
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.localaccountsignin
- true
false
Reset password using email address
- IpAddress
- api.localaccountpasswordreset
false
Change password (username)
- api.localaccountpasswordreset
Session Management
Noop Session Management Provider
Session Management Provider
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
objectId
SkipThisOrchestrationStep
false
================================================
FILE: LocalAccounts/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
================================================
FILE: LocalAccounts/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
One or more fields are filled out incorrectly. Please check your entries and try again.
The password entry fields do not match. Please enter the same password in both fields and try again.
A required field is missing. Please fill out all required fields and try again.
What is this?
Please provide the following details.
Please wait
This information is required.
Cancel
Change e-mail
Send new code
Send verification code
Verify code
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
We are having trouble verifying your email address. Please enter a valid email address and try again.
There have been too many requests to verify this email address. Please wait a while, then try again.
Verification code has been sent to your inbox. Please copy it to the input box below.
Verification code
Verification is necessary. Please click Send button.
E-mail address verified. You can now continue.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
You are already registered, please press the back button and sign in instead.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
The password entry fields do not match. Please enter the same password in both fields and try again.
One or more fields are filled out incorrectly. Please check your entries and try again.
Continue
Cancel
An account could not be found for the provided user ID.
Your account has been locked. Contact your support person to unlock it, then try again.
This information is required.
Change e-mail
Send new code
Send verification code
Verify code
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
We are having trouble verifying your email address. Please enter a valid email address and try again.
There have been too many requests to verify this email address. Please wait a while, then try again.
Verification code has been sent to your inbox. Please copy it to the input box below.
Verification code
Verification is necessary. Please click Send button.
E-mail address verified. You can now continue.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Sign in
Local Account Signin
Facebook
Email Address
Password
Continue
Cancel
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
================================================
FILE: LocalAccounts/readme.md
================================================
# Local account sign-up or sign-in user journey overview
This article gives an overview of the **local account sign-up or sign-in** user journey custom policies. We recommend you read the [Azure AD B2C custom policy overview](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview) before reading this article.
You can find the user journey and its orchestration steps in the TrustFrameworkBase.xml file, with the Id "SignUpOrSignIn". Each Orchestration step and its referenced technical profile will be explained in detail in the following series.
## Logical Steps
For a user to be able to sign up and sign in, the following user experience must be translated into logical steps with a custom policy.
Handling Sign Up:
1. Display a page that allows users to enter their email, password, and name.
1. Verify their email with a Timed One Time Passcode sent to their email address.
1. When the user completes a sign up, we must create their account.
1. Prevent a user from signing up with an existing email address.
1. Issue an id token.
Handling Sign In:
1. Display a page where the user can enter their email and password.
1. On the sign in page, display a link to sign up.
1. If the user submits their credentials (signs in), we must validate the credentials.
1. Issue an id token.
## Translating this into custom policies
Handling Sign Up
1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email, password, and name claims.
1. Make use of a special claim, which enforces email verification.
1. Use a Validation technical profile to write the account to the directory. This Validation technical profile will be of type Azure Active Directory.
1. As part of writing the account, configure the technical profile to throw an error if the account already exists.
1. Read any additional information from the directory user object.
1. Call a technical profile to issue a token.
Handling Sign In:
1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email and password claims.
1. Use the combined sign in and sign up content definition, which provides this for us.
1. Run a Validation technical profile to validate the credentials.
1. Read any additional information from the directory user object.
1. Call a technical profile to issue a token.
## Building the custom policy
### Handling Sign In
**Orchestration Step 1**: Provides functionality for a user to sign up or sign in. This is achieved using a Self-Asserted technical profile and connected validation technical profile.
The XML required to generate this step is:
```xml
```
The combined sign up and sign in page is treated uniquely by Azure AD B2C, since it presents a sign up link that can take the user to the sign up step.
This is achieved with the following two lines:
```xml
```
Since Azure AD B2C understands that this is a sign in page, you must specify the `ClaimsProviderSelections` element with at least one reference to a `ClaimsProviderSelection`. This `ClaimsProviderSelection` maps to the `ClaimsExchange`, which ultimately calls a technical profile called `SelfAsserted-LocalAccountSignin-Email`.
The `SelfAsserted-LocalAccountSignin-Email` technical profile defines the actual page functionality:
```xml
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.selfasserted
- true
false
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|
|DisplayName|Friendly name which can describe the function of this technical profile.|
|Protocol|The Azure AD B2C technical profile type. In this case, it is Self-Asserted, such that a page is rendered for the user to provide their inputs.|
|Metadata|For a Self-Asserted Combined Sign in and Sign up profile, we provide a SignUpTarget, which points to the Sign Up ClaimsExchange Id in a subsequent orchestrations step.|
|InputClaims|Enables the ability to pre-populate the signInName claim|
|OutputClaims| We require the user to provide their email and password, hence referenced as output claims. There are some claims here, such as objectId, that are not presented on the page since the validation technical profile satisfies this output claim.|
|ValidationTechnicalProfiles|The technical profile to launch to validate the data the user provided, in this case to validate their credentials.|
|UseTechnicalProfileForSessionManagement|References a technical profile to add this step into the session such that during SSO, this step is skipped.|
To see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).
By calling this technical profile, we now satisfy the initial logical step for sign in. When the user submits the page, any validation technical profiles referenced by the technical profile will run. In this case, that is the validation technical profile `login-NonInteractive`.
`login-NonInteractive` is a technical profile which makes an OpenID request using the [Resource Owner Password Credentials](https://tools.ietf.org/html/rfc6749#section-4.3) grant flow to validate the credentials the user provided against the Azure AD authorization server. This is an API-based (non-interactive) login performed by the Azure AD B2C service against the Azure AD authentication service; the user's password is sent only between the B2C service and that token endpoint, never to the relying party.
```xml
Local Account SignIn
- We can't seem to find your account
- Your password is incorrect
- Looks like you used an old password
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|
|DisplayName|Friendly name, which can describe the function of this technical profile.|
|Protocol|The Azure AD B2C technical profile type. In this case, it is OpenId, such that Azure AD B2C understands to make an OpenId request.|
|Metadata|Various configuration options needed to make a valid OpenID request, since the grant_type is configured as password and the HTTP binding is set to POST. This also includes the mapping of error responses, such as an incorrect password, to user-facing messages.|
|InputClaims|Passes the username and password into the POST body of the OpenId request.|
|OutputClaims| Maps the JWT issued by the authorization server into Azure AD B2C's claim bag. Here we obtain the objectId and authenticationSource, hence they are not shown on the Self-Asserted page.|
To see all the configuration options for an OpenID technical profile, find more [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile).
We have now rendered a sign in page to the user, allowed the user to enter their email and password, and finally validated their credentials.
**Orchestration Step 2** - Skipped as an objectId was output by Orchestration Step 1. This step pertains to sign up.
**Orchestration Step 3** - Read any additional data from the user object.
We may be storing additional data the user provided, or other data on the user object, which allows your application/service to function correctly.
Therefore, we will read the user object for any desired attributes to add into the Azure AD B2C claims bag.
The following Orchestration step calls a technical profile called `AAD-UserReadUsingObjectId`, which provides this functionality.
The ClaimsExchange Id is a unique name for this claims exchange that you can set.
```xml
```
The referenced technical profile is as follows:
```xml
- Read
- true
false
```
This technical profile does not state a protocol and is therefore automatically of type `Azure Active Directory`, which provides the ability to read from or write to the directory.
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|
|Metadata|This is configured to read the directory and to throw an error if the user is not found.|
|InputClaims|This is asking to lookup any matching user account in the directory with the objectId from the Azure AD B2C claims bag. This objectId will have been received via the `login-NonInteractive` technical profile and output into the claims bag by the `SelfAsserted-LocalAccountSignin-Email` technical profile. |
|OutputClaims|We are asking to read these claims from the directory. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |
|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|
A special case must be noted for `signInNames.emailAddress`: this references the attribute `signInNames`, which is a collection of key-value pairs. In this case, we are reading back the `emailAddress` key within the `signInNames` attribute.
**Orchestration Step 4** - Issue an id token.
In most user journeys, the journey will end by issuing an id token back to the application. This orchestration step looks as follows:
```xml
```
The referenced technical profile is as follows:
```xml
JWT Issuer
JWT
- {service:te}
- objectId
- true
```
This step does not need configuring any further, but find out more [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile).
### Handling Sign Up
To handle sign up, we must have one additional orchestration step, which allows the user to provide their email, new password, and name. Upon validating this information, we must write an account to the directory. The other steps are shared with the orchestration steps explained in `Handling Sign In`.
The additional orchestration step is as follows:
```xml
objectId
SkipThisOrchestrationStep
```
Since orchestration steps run sequentially, we must not run this step if the user is trying to sign in, and only run if the user clicked the sign up link. This is achieved using the **Precondition**. Note that during the sign in phase, the Azure AD B2C claims bag will have an objectId populated after login-NonInteractive has run. Therefore we can use the existence of this claim to skip this step as follows.
```xml
objectId
SkipThisOrchestrationStep
```
When displaying the Combined Sign up and Sign in page, it was mentioned that the metadata of the `SelfAsserted-LocalAccountSignin-Email` technical profile configures an item called `SignUpTarget`. This enables the Sign Up link on the Combined Sign in and Sign up page to call the claims exchange in Orchestration Step 2, which consequently executes the `LocalAccountSignUpWithLogonEmail` technical profile.
The technical profile is designed to capture the email, password, and the name of the user. Then write the account to the directory, as follows:
```xml
Email signup
- IpAddress
- api.localaccountsignup
- Create
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|
|Metadata|Various configuration options available for a Self-Asserted page.|
|InputClaims| If an email is sent within the query parameter during the authentication request, it can be pre-populated here.|
|OutputClaims|This asks the user to provide a verified email (via email verification), password, and names. Other claims are satisfied by the validation technical profile and are therefore not displayed. They are listed only so that those claims are available to subsequent steps after this step completes.|
|ValidationTechnicalProfiles|When the user submits the page, we must validate that the user's email doesn't already exist, and then write the account to the directory.|
|UseTechnicalProfileForSessionManagement|References a technical profile to add this step into the session such that during SSO, this step is skipped.|
Azure AD B2C uses a special partner claim type to enforce email verification on a claim, as seen here:
```xml
```
Here we are forcing the email claim presented on screen to be verified. Azure AD B2C will therefore render the `Verify` button on the page against this text field, and only allow the user to continue if this field was verified by a code sent to the user's inbox. This technique can be used against any claim name presented to the user as an output claim `(ClaimTypeReferenceId)`.
To see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).
When the user submits the page, the Validation technical profile will run, called `AAD-UserWriteUsingLogonEmail`. This is called to attempt to write the account. It is modeled as a Validation Technical profile as this process could fail if the account already exists. This allows an error to be displayed to the screen in such cases.
The `AAD-UserWriteUsingLogonEmail` is as follows:
```xml
- Write
- true
false
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|Metadata|This is configured to write to the directory and to throw an error, with an error message, if a user with this email already exists.|
|InputClaims|This is attempting to find a user account with the `email` provided as part of the sign up page - `LocalAccountSignUpWithLogonEmail` technical profile.|
|PersistedClaims|This section defines which claims are to be written to the account. In this case, it will automatically create the account with this information present.|
|OutputClaims|We are asking to read these claims from the account that was just written. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |
|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|
**Orchestration Step 4** - Issue an id token.
In most user journeys, the journey will end by issuing an id token back to the application. This orchestration step looks as follows:
```xml
```
The referenced technical profile is as follows:
```xml
JWT Issuer
JWT
- {service:te}
- objectId
- true
```
This step does not need configuring any further, but find out more [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile).
## Relying Party Policy
The relying party file contains the entry point to the User Journey described by the orchestration steps.
```xml
```
The output claims within the `Relying Party` section define what claims to populate into the token that is issued to the application/relying party.
```xml
```
The output claims listed here must be output by at least one of the technical profiles called by the user journey, otherwise the file will not upload successfully.
Since some steps can be skipped during a particular flow, these may not always be present in the token.
## Summary
By reducing the user experience to a set of logical steps, we have translated these to a set of Orchestration Steps within an Azure AD B2C policy. These orchestration steps then implement the functionality of each logical step by allowing the user to interact with pages and validate various information. Finally we issue an id token back to the application.
================================================
FILE: README.md
================================================
# Contributing
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
## Change log
### 09 August 2022
With this version the starter pack now contains a Refresh Token user journey. This journey will be executed any time an application [refreshes a token](https://docs.microsoft.com/azure/active-directory-b2c/access-tokens#request-a-token). It will check that the user still exists and is enabled in the Azure AD B2C directory. It also checks that the refresh token has not been revoked. It compiles any claims that are not persisted in the user profile, including claims from identity providers and REST API calls. A new set of refreshed tokens is then issued.
This fix allows refresh tokens to be revoked for users and prevents users deleted from the directory from retaining access. The change affects all starter pack samples.
|Policy |Notes |
|-------|-------|
| B2C_1A_TrustFrameworkBase | Added Refresh Token claims, Refresh Token ClaimsTransformations, Refresh Token Technical Profiles and Refresh Token User Journey |
| B2C_1A_SignUpOrSignIn | Added Refresh Token Endpoint to Relying Party |
### Migrate existing policy to this version
Your custom policy can invoke a custom refresh token journey. Add the following user journey to your *TrustFrameworkExtensions.xml* file to get started.
1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.
1. Locate the [UserJourneys](userjourneys.md) element. If the element doesn't exist, add it.
1. Add the following **UserJourney** to the **UserJourneys** element.
```xml
false
```
This user journey will validate that the refresh token has not been revoked. You can revoke refresh tokens in Azure AD B2C following the Microsoft Graph API [Revoke sign in sessions](/graph/api/user-revokesigninsessions) guidance.
You can add additional steps into this journey to call any other technical profiles, such as to your REST API technical profiles or Azure AD read/write technical profiles.
#### Configure the relying party policy
The relying party file must be configured to point to your custom refresh token journey. This allows Azure AD B2C to reference your refresh token journey when your app makes a refresh token request.
Add an [Endpoint](relyingparty.md#endpoints) with `Id` set to **token** and provide a `UserJourneyReferenceId` referencing the **UserJourney Id** from the prior section. Merge the following XML snippet into your *SignUpOrSignin.xml* file.
```xml
...
```
Repeat this for all Relying party files your application may invoke, such as **ProfileEdit.xml** and **PasswordReset.xml**.
#### Configure refresh token revocation evaluation
The custom refresh token journey can be used to evaluate whether the current refresh token being presented has been revoked. To implement this logic, Azure AD B2C must compare the `refreshTokenIssuedOnDateTime` and the `refreshTokensValidFromDateTime`. Create the claims schema definitions as shown in the below XML snippet in your *TrustFrameworkExtensions.xml*.
1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.
1. Locate the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it.
1. Locate the [ClaimsSchema](claimsschema.md) element. If the element doesn't exist, add it.
1. Add the following claims to the **ClaimsSchema** element.
```xml
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
```
To check whether the refresh token has been revoked, the `refreshTokenIssuedOnDateTime` and the `refreshTokensValidFromDateTime` must be compared. Add the following [`AssertDateTimeIsGreaterThan`](date-transformations.md) **ClaimsTransformation** to your *TrustFrameworkExtensions.xml*.
1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.
1. Locate the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it.
1. Locate the [ClaimsTransformations](claimstransformations.md) element. If the element doesn't exist, add it.
1. Add the following **ClaimsTransformation** to the **ClaimsTransformations** element.
```xml
```
To invoke the process to evaluate whether the refresh token has been revoked, add the following technical profile to your *TrustFrameworkExtensions.xml*.
1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.
1. Locate the [ClaimsProviders](claimsproviders.md) element. If the element doesn't exist, add it.
1. Add the following **ClaimsProvider** to the **ClaimsProviders** element.
1. Any claims that were collected from REST APIs or federated identity providers during the original sign-in, and that are not persisted in the directory, must be added as **OutputClaims** under the **RefreshTokenReadAndSetup** technical profile; otherwise they are missing from the token issued on refresh. Because these values are restored from the existing session rather than fetched again, only add claims that you are prepared to re-issue without re-validation.
```xml
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
```
#### Upload the policies
1. Select the **Identity Experience Framework** menu item in your B2C tenant in the Azure portal.
1. Select **Upload custom policy**
1. Select **Overwrite the custom policy if it already exists**.
1. In this order, upload the policy files:
1. *TrustFrameworkExtensions.xml*
1. *SignUpOrSignin.xml*
### 11 October 2021
With this version, the starter pack contains a localization policy file, `TrustFrameworkLocalization.xml`. The localization policy lets your policy accommodate different languages to suit your customers' needs. For more information, see [PR #107](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/pull/107).
The new localization policy is located between the base and the extension policies:
|Policy |Base policy |Notes |
|---------|---------|---------|
| B2C_1A_TrustFrameworkBase| | Contains most of the definitions. To help with troubleshooting and long-term maintenance of your policies, try to minimize the number of changes you make to this file. |
| B2C_1A_TrustFrameworkLocalization | B2C_1A_TrustFrameworkBase | Holds the localization strings. |
|B2C_1A_TrustFrameworkExtensions | B2C_1A_TrustFrameworkLocalization| Holds the unique configuration changes for your tenant. |
| Relying Parties (RP) | B2C_1A_TrustFrameworkExtensions| For example: sign-up, sign-in, password reset, or profile edit. |
### Migrate an existing policy to this version
To migrate from the older version of the starter pack to this version:
1. Download the starter pack and update the tenant name.
1. Upload the newer version of TrustFrameworkBase.xml file.
1. Upload the new TrustFrameworkLocalization.xml file.
1. Update your **existing** TrustFrameworkExtensions.xml so that its base policy is `B2C_1A_TrustFrameworkLocalization`. The following XML snippet shows the base policy **before** the change:
```xml
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
```
The following XML snippet demonstrates the base policy **after** the change:
```xml
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
```
1. Upload the TrustFrameworkExtensions.xml policy.
### 15 September 2021
[Update](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/commit/6932a0af299950139da68faac103079406847b4a#diff-6cc2ef5ed426acc5056d6bd1b912ae4cbdeb3a00769252d35d50fb8d821d6342) to the content definition page version. With the new version the starter pack uses the page contract. For more information, see [Migrating to page layout](https://docs.microsoft.com/azure/active-directory-b2c/contentdefinitions#migrating-to-page-layout).
### 20 July 2019
Updated policies to use the new Ocean Blue template
### 29 January 2019
This version of the starter pack includes a collection of bug fixes, code improvements, and additional feature support. Developers are neither required nor encouraged to change policies that are currently in production or in testing. We do encourage the use of these new versions for all new projects.
### 10 May 2017
Public Preview Release
### 5 May 2017
Added a key definition to the metadata element of the JWT token issuer technical profile in all four TrustFrameworkBase.xml versions. When this item key is set to `true`, the expiration dates in the token issued by B2C are presented as JSON numbers. When set to `false` (the default), they are presented as strings.
```xml
- true
```
--------------------------------------------
## Important notes
The following change is incorporated into the latest version of the starter pack (01/29/2019). It remains here for historical purposes.
06/26/2017 - Correction to SocialAndLocalAccountswMFA in TrustFrameworkBase.xml file.
A change to fix a data-loss issue related to SSO, the profile edit policy, and MFA. The issue was caused by the MFA SSO technical profile not outputting the claim below in the same format as the regular MFA provider does.
```XML
Session Mananagement Provider
***OLD:
***CORRECTED:
```
================================================
FILE: SocialAccounts/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAccounts/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAccounts/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Subject
string
AlternativeSecurityId
string
MailNickName
string
Your mail nick name as stored in the Azure Active Directory.
Identity Provider
string
Display Name
string
Your display name.
TextBox
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
facebook.com
Facebook
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
- false
- Write
- false
- true
false
- Read
- true
false
Self Asserted
User ID signup
- api.socialccountsignup
User ID signup
- api.selfasserted.profileupdate
false
Session Management
Noop Session Management Provider
Session Mananagement Provider
Session Mananagement Provider
- true
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
objectId
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
false
================================================
FILE: SocialAccounts/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Facebook
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
================================================
FILE: SocialAccounts/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your social account
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
OR
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
Cancel
You are already registered, please press the back button and sign in instead.
Sign in
Local Account Signin
Facebook
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
================================================
FILE: SocialAndLocalAccounts/PasswordReset.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAndLocalAccounts/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAndLocalAccounts/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAndLocalAccounts/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Sign in name
string
TextBox
Email Address
string
Email address to use for signing in.
TextBox
Account Enabled
boolean
Specifies whether the user's account is enabled.
Specifies whether your account is enabled.
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
AlternativeSecurityId
string
MailNickName
string
Your mail nick name as stored in the Azure Active Directory.
Identity Provider
string
Display Name
string
Your display name.
TextBox
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account sign up page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account change password page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
facebook.com
Facebook
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
Local Account SignIn
Local Account SignIn
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
- false
- Write
- true
false
- Read
- true
false
- Write
- true
false
- Write
- false
- true
false
- Read
- true
false
Self Asserted
User ID signup
- api.socialccountsignup
User ID signup
- api.selfasserted.profileupdate
false
Local Account
Email signup
- IpAddress
- api.localaccountsignup
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.localaccountsignin
- true
false
Reset password using email address
- IpAddress
- api.localaccountpasswordreset
false
Change password (username)
- api.localaccountpasswordreset
Session Management
Noop Session Management Provider
Session Mananagement Provider
Session Mananagement Provider
- true
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
objectId
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
false
================================================
FILE: SocialAndLocalAccounts/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Facebook
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
================================================
FILE: SocialAndLocalAccounts/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your social account
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
OR
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
One or more fields are filled out incorrectly. Please check your entries and try again.
The password entry fields do not match. Please enter the same password in both fields and try again.
A required field is missing. Please fill out all required fields and try again.
What is this?
Please provide the following details.
Please wait
This information is required.
Cancel
Change e-mail
Send new code
Send verification code
Verify code
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
We are having trouble verifying your email address. Please enter a valid email address and try again.
There have been too many requests to verify this email address. Please wait a while, then try again.
Verification code has been sent to your inbox. Please copy it to the input box below.
Verification code
Verification is necessary. Please click Send button.
E-mail address verified. You can now continue.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
Cancel
You are already registered, please press the back button and sign in instead.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
The password entry fields do not match. Please enter the same password in both fields and try again.
One or more fields are filled out incorrectly. Please check your entries and try again.
Continue
Cancel
An account could not be found for the provided user ID.
Your account has been locked. Contact your support person to unlock it, then try again.
This information is required.
Change e-mail
Send new code
Send verification code
Verify code
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
We are having trouble verifying your email address. Please enter a valid email address and try again.
There have been too many requests to verify this email address. Please wait a while, then try again.
Verification code has been sent to your inbox. Please copy it to the input box below.
Verification code
Verification is necessary. Please click Send button.
E-mail address verified. You can now continue.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Sign in
Local Account Signin
Facebook
Email Address
Password
Continue
Cancel
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
================================================
FILE: SocialAndLocalAccounts/readme.md
================================================
# Local and social accounts sign-up or sign-in user journey overview
This article gives an overview of the **local and social accounts sign-up or sign-in** user journey custom policies. We recommend that you read the [Azure AD B2C custom policy overview](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview) before reading this article.
You will find the user journey and its orchestration steps in the TrustFrameworkBase.xml file, under the Id "SignUpOrSignIn". Each orchestration step and the technical profile it references are explained in detail in the following sections.
For a user to be able to sign in and sign up, the following user experience must be translated into logical steps in a custom policy.
## Logical Steps
Handling Sign In for a Local Account:
1. Display a page where the user can enter their email and password.
1. On the sign in page, display a link to sign up.
1. If the user submits their credentials (signs in), validate the credentials.
1. Issue an id token.
Handling Sign In/Up for a SocialAccount:
1. Display a page where the user can select to use their Facebook account.
1. When the user clicks to "Login with Facebook", the user will be redirected to Facebook.
1. When the user returns from Facebook, read the information Facebook provided.
1. Look up the account in the Azure AD B2C directory to determine whether this user has already signed in with Facebook previously.
1. Display a page where the user can modify the data, returned from Facebook about their profile if this is their first time logging in with Facebook.
1. Write the account information to Azure AD B2C if the account was not already present in the directory.
1. Issue an id token.
Handling Sign Up for a Local Account:
1. Display a page that allows users to enter their email, password, and name.
1. Verify their email with a Timed One Time Passcode sent to their email address.
1. When the user completes a sign up, we must create their account.
1. Prevent a user from signing up with an email address that is already registered.
1. Issue an id token.
## Translating this into custom policies
Handling Sign In for a Local Account:
1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email and password claims.
1. Use the combined sign in and sign up content definition, which provides this for us.
1. Run a Validation technical profile to validate the credentials.
1. Read any additional information from the directory user object.
1. Call a technical profile to issue a token.
Handling Sign In/Up for a SocialAccount:
1. Display a page where the user can select to use their Facebook account.
1. When the user clicks to "Login with Facebook", the user will be redirected to Facebook.
1. Look up the account in the Azure AD B2C directory to determine whether this user has already signed in with Facebook previously.
1. Display a page where the user can modify the data, returned from Facebook about their profile if this is their first time logging in with Facebook.
1. Write the account information to Azure AD B2C if the account was not already present in the directory.
1. Issue an id token.
1. Using the combined sign in and sign up page, we must instruct Azure AD B2C that there is a new claims provider - Facebook. This will present a button on the page to "Login with Facebook"
1. An OAuth2 technical profile must be configured to be able to redirect the user to Facebook.
1. Use an Azure Active Directory technical profile to read the directory, based on the user identifier returned from Facebook (usually the subject claim).
1. Use a Self-Asserted technical profile, which presents the first name and last name retrieved from Facebook in editable text boxes.
1. Use an Azure Active Directory technical profile to write the account data into the Azure AD B2C directory.
1. Call a technical profile to issue a token.
Handling Sign Up for a Local Account:
1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email, password, and name claims.
1. Make use of a special claim that enforces email verification.
1. Use a Validation technical profile to write the account to the directory. This Validation technical profile will be of type Azure Active Directory.
1. When writing the account, configure the technical profile to throw an error if the account already exists.
1. Read any additional information from the directory user object.
1. Call a technical profile to issue a token.
## Understand the SocialAndLocalAccounts starter pack implementation
The SocialAndLocalAccounts starter pack comes prebuilt with a lot of functionality for the various scenarios presented within the starter pack - Sign In, Sign Up, Password Reset and Profile Edit.
When reading the user journey for social and local account sign-up or sign-in, only a fraction of the foundational elements contained within the files are used. The following unpicks those elements and describes in detail the operation of a single journey.
### Handling Sign In for a Local Account and Social Account
**Orchestration Step 1**: Provide functionality for a user to Sign in or Sign Up. This is achieved using a Self-Asserted technical profile and connected validation technical profile.
The XML required to generate this step is:
```xml
```
The combined sign in and sign up page is treated specially by Azure AD B2C, since it presents a sign up link that can take the user to the sign up step.
This is achieved with the following two lines:
```xml
```
Since Azure AD B2C understands that this is a Sign In page, you must specify the `ClaimsProviderSelections` element with at least one reference to a `ClaimsProviderSelection`. This `ClaimsProviderSelection` maps to the `ClaimsExchange`. In this case, there are two `ClaimsProviderSelection` elements, such that Azure AD B2C understands that there is a Local Account and Facebook option to present on the page. The Local Account `ClaimsProviderSelection` maps to the `LocalAccountSigninEmailExchange` claims exchange, which will call the `SelfAsserted-LocalAccountSignin-Email` technical profile.
The `SelfAsserted-LocalAccountSignin-Email` technical profile defines the actual page functionality, allowing the user to sign in:
```xml
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.selfasserted
- true
false
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere, in this case from the Orchestration step.|
|DisplayName|Friendly name, which can describe the function of this technical profile.|
|Protocol|The Azure AD B2C technical profile type. In this case, it is Self-Asserted, such that a page is rendered for the user to provide their inputs.|
|Metadata|For a Self-Asserted Combined Sign in and Sign up profile, we provide a SignUpTarget, which points to the Sign Up ClaimsExchange Id in a subsequent orchestrations step.|
|InputClaims|Enables the ability to pre-populate the signInName claim|
|OutputClaims| We require the user to provide their email and password, hence referenced as output claims. There are some claims here, such as objectId, that are not presented on the page since the validation technical profile satisfies this output claim.|
|ValidationTechnicalProfiles|The technical profile to run to validate the data the user provided; in this case, to validate their credentials.|
|UseTechnicalProfileForSessionManagement|Reference to the session management technical profile used to record the single sign-on session for this step.|
To see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).
By calling this technical profile, we now satisfy the initial logical step for sign in. When the user submits the page, the Validation technical profile will run, called `login-NonInteractive`.
```xml
```
This is a technical profile, which makes an OpenID request using the [Resource Owner Password Credential](https://tools.ietf.org/html/rfc6749#section-4.3) grant flow to validate the user's credentials at the Azure AD authorization server. Essentially this is an API-based logon, which the Azure AD B2C server will complete against the Azure AD authorization server.
```xml
Local Account SignIn
- We can't seem to find your account
- Your password is incorrect
- Looks like you used an old password
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|DisplayName|Friendly name, which can describe the function of this technical profile.|
|Protocol|The Azure AD B2C technical profile type. In this case, it is OpenId, such that Azure AD B2C understands to make an OpenId request.|
|Metadata|Various configuration options with which to make a valid OpenId request. This also includes various error handling responses, such as incorrect password.|
|InputClaims|Passes the username and password into the POST body of the OpenId request.|
|OutputClaims| Maps the JWT issued by the authorization server into Azure AD B2C's claim bag. Here we obtain the objectId and authenticationSource, hence it is not shown on the Self-Asserted page explained previously.|
To see all the configuration options for an OpenId Connect technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect-technical-profile).
At this point, we have rendered a sign in page to the user, who has the option to Sign In with Facebook, or to provide their email and password, after which they are verified against the Directory.
**Orchestration Step 2**: Since Orchestration Step 1 provided a `ClaimsProviderSelection` for Facebook, this is satisfied in step 2 as part of a `ClaimsExchange`. Here the `ClaimsProviderSelection` for `FacebookExchange` is satisfied by referencing the `Facebook-OAUTH` technical profile, which provides the necessary means to redirect the user to Facebook for sign in.
```xml
objectId
SkipThisOrchestrationStep
```
The `Facebook-OAUTH` technical profile is as follows in the base file:
```xml
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|DisplayName|Friendly name, which can describe the function of this technical profile.|
|Protocol|The Azure AD B2C technical profile type. In this case, it is OAuth2, such that Azure AD B2C understands to make an OAuth2 request.|
|Metadata|Various configuration options with which to make a valid OAuth2 request. Some of these options are specific to Facebook's requirements.|
|InputClaims|There is nothing to send to Facebook, only an OAuth2 request.|
|OutputClaims| Maps the JWT issued by the Facebook authorization server into Azure AD B2C's claim bag. Some claims have default values assigned, hence are not asked from the user.|
|OutputClaimsTransformations| Various claims transformations that are called to manipulate the data returned from the token sent back by Facebook before being added into the Azure AD B2C claims bag.|
And the `Facebook-OAUTH` technical profile has an augmentation in the Extensions file as follows to complete the setup. For administrators integrating Facebook login, these are the only parameters to modify, therefore they are added as augmentations into the Extension file, while the Base technical profile will be static for all environments.
```xml
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere or in this case has the same name as in the Base file to augment it.|
|Metadata|Additional configuration options with which to make a valid OAuth2 request. These are specific to one's own federation with Facebook.|
Here is the breakdown of each claims transformation that is run after the Facebook authentication succeeds and the token is returned back to Azure AD B2C. This applies to all external Identity Provider integration.
These run to satisfy the prerequisites for creating the account in Azure AD B2C, and also for reading the account on subsequent sign-ins.
**CreateRandomUPNUserName** - This is required to generate a **prefix** for the userPrincipalName, which will be stored on the user account when created.
```xml
```
This claims transform generates a random string, which is in the format of a GUID and issues it into the claim called `upnUserName`.
**CreateUserPrincipalName** - This creates the final userPrincipalName.
```xml
```
This claims transform uses the `FormatStringClaim` method to create a string value using claims in the Azure AD B2C claim bag. The claim given to this transform is `upnUserName`, which is available from the output of the previous claims transform. Here the transform inserts the first input claim into `{0}`, and Azure AD B2C already knows the value of `{RelyingPartyTenantId}`. The end result is a fully formed userPrincipalName, which is output in the `userPrincipalName` claim: `aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb@something.onmicrosoft.com`.
**CreateAlternativeSecurityId** - This creates a user identifier similar to an objectId, which will be used to map the subject claim (sub) from the Facebook token to the Azure AD B2C user on subsequent logons. The generated identifier is output into the claim called `alternativeSecurityId`.
```xml
```
After this, the Facebook login is complete, and the claims from the token received from Facebook have been transformed into useful entities for Azure AD B2C to use.
**Orchestration Step 3**: Read any additional data from the social account user object.
We need to determine if the social account has already been registered previously with this Azure AD B2C directory, or if this is their first logon via Facebook. Also, we may be storing additional data the user provided, or other data on the user object, which allows your application/service to function correctly.
Therefore, we will attempt to read the user object for any desired attributes to add into the Azure AD B2C claims bag. This technical profile is configured such that it does not throw an error if an account is not found.
The following Orchestration step calls a technical profile called `AAD-UserReadUsingAlternativeSecurityId-NoError` which provides this functionality.
The ClaimsExchange Id is a unique name for this claims exchange that you can set.
```xml
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
```
A **precondition** is used such that this step is only run if a Social Account authentication had been completed. This is achieved by checking whether the value of `authenticationSource` claim is equal to `localAccountAuthentication`. If `authenticationSource` does contain the value `localAccountAuthentication`, then this step is skipped, otherwise it is executed.
The referenced technical profile appears as follows:
```xml
- false
```
This technical profile is taking the `AAD-UserReadUsingAlternativeSecurityId` technical profile and applying a modification to it. The modification here is only to prevent an error being raised if the user is not found in the directory. This will provide an indication if this is the first logon via Facebook for this user, or a subsequent logon.
The following implements the `AAD-UserReadUsingAlternativeSecurityId` technical profile.
```xml
- Read
- true
- User does not exist. Please sign up before you can sign in.
```
This technical profile does not state a protocol, therefore is automatically of type `Azure Active Directory`, which provides the ability to read or write to the directory structure.
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|Metadata|This is configured to read the directory. And to throw an error if the user is not found. This has been overridden by `AAD-UserReadUsingAlternativeSecurityId-NoError`.|
|InputClaims|This is attempting to find a user account with the `alternativeSecurityId` generated in the claims transform after the Facebook sign in completed. |
|OutputClaims|We are asking to read these claims from the directory. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |
|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|
At this point the Azure AD B2C claims bag will contain an objectId for the Social Account user who signed in, or no objectId if this user is signing in for the first time.
**Orchestration Step 4**: A Self-Asserted technical profile is used to display a page to the user to see the imported data from Facebook, and have the ability to modify it. This is only presented to a user who has logged in for the first time with Facebook.
```xml
objectId
SkipThisOrchestrationStep
```
This contains a **precondition**, which skips this step if an objectId was found, since the presence of an objectId would mean the user has already signed in for the first time.
The technical profile `SelfAsserted-Social` is as follows:
```xml
User ID signup
- api.selfasserted
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|Metadata|Provides information about the content definition to reference - which will give the page a customized look and feel.|
|InputClaims|These claims ensure that any values retrieved in the previous steps, in this case Facebook authentication, are prefilled. Note that some of these claims may not have any value, for example, if Facebook did not provide any of these values, or if the claim did not appear in the OutputClaims section of the `Facebook-OAUTH` technical profile. In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its value will not be prefilled, but the user will still be prompted for it (with an empty value). |
|OutputClaims|These are claims that will be presented to the user on the rendered page, potentially prefilled based on the inputClaims status. Those claims, which cannot be fulfilled by the user, such as objectId and newUser, are not shown on the screen as they are fulfilled by the validation technical profile being referenced.|
|ValidationTechnicalProfile|A validation technical profile is used to write the user account when the user submits the page confirming their information.|
When the user submits the page, the Validation technical profile will run, called `AAD-UserWriteUsingAlternativeSecurityId`. This is called since either the user account can be written successfully based on the information provided, or it cannot be. In this case, the user account should always get written successfully. However, this fits best as a validation technical profile in this case.
```xml
```
This technical profile appears as follows:
```xml
- Write
- true
- You are already registered, please press the back button and sign in instead.
false
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|Metadata|This is configured to write to the directory. And to throw an error if the user already exists with an error message.|
|InputClaimsTransformations||
|InputClaims|This is attempting to find a user account with the `alternativeSecurityId` generated in the claims transform after the Facebook sign in completed. |
|PersistedClaims|This section defines which claims are to be written when writing to an account.|
|OutputClaims|We are asking to read these claims from account, which was just written. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |
|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|
**Orchestration Step 5** - Read any additional data from the user object if it is a Local Account.
We may be storing additional data the user provided, or other data on the Local Account user object, which allows your application/service to function correctly.
Therefore, we will read the user object for any desired attributes to add into the Azure AD B2C claims bag.
The following Orchestration step calls a technical profile called `AAD-UserReadUsingObjectId` which provides this functionality.
The ClaimsExchange Id is a unique name for this claims exchange that you can set.
```xml
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
```
A **precondition** is used such that this step is skipped if the value of `authenticationSource` is set to `socialIdpAuthentication`. This prevents it being run for Social Accounts, and only runs in the case of a Local Account logon.
The referenced technical profile is as follows:
```xml
- Read
- true
false
```
This technical profile does not state a protocol, therefore is automatically of type Azure Active Directory, which provides the ability to read or write to the directory structure.
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|
|Metadata|This is configured to read the directory. And to throw an error if the user is not found.|
|InputClaims|This is asking to find a user account with the objectId in the Azure AD B2C claims bag. This objectId will have been received via the login-NonInteractive technical profile and output into the claims bag by the SelfAsserted-LocalAccountSignin-Email technical profile. |
|OutputClaims|We are asking to read these claims from the directory. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |
|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|
A special case must be noted for `signInNames.emailAddress`: it references the attribute `signInNames`, which is a collection of key value pairs. In this case, we are reading back the `emailAddress` key within the `signInNames` attribute.
**Orchestration Step 6**: In the case that Orchestration step 4 was removed, there is a backup option here to write the Social Account into the directory at this point in the journey. In such a case, the objectId would not yet exist in the Azure AD B2C claims bag, therefore a **precondition** is used such that this step is executed only if one is still not present.
```xml
objectId
SkipThisOrchestrationStep
```
The functionality of the `AAD-UserWriteUsingAlternativeSecurityId` has already been explored earlier.
**Orchestration Step 7**: Issue an id token.
In the majority of user journeys, the journey will end by issuing an id token back to the application. This orchestration step looks as follows:
```xml
```
The referenced technical profile is as follows:
```xml
JWT Issuer
JWT
- {service:te}
- objectId
- true
```
This step does not need configuring any further, but find out more [here](https://docs.microsoft.com/azure/active-directory-b2c/jwt-issuer-technical-profile) on available options.
### Handling Local Account Sign Up
To handle sign up, we must have one additional orchestration step, which allows the user to provide their email, new password, and name. Upon validating this information, we must write an account to the directory. The other steps are shared with the orchestration steps explained in `Handling Sign in`.
The additional orchestration step is as follows:
```xml
objectId
SkipThisOrchestrationStep
```
Since orchestration steps run sequentially, we must not run this step if the user is trying to sign in, and only run it if the user clicked the sign up link. This is achieved using the **Precondition**. Note that during the sign in phase, the Azure AD B2C claims bag will have an objectId populated after `login-NonInteractive` has run. Therefore we can use the existence of this claim to skip this step as follows.
```xml
objectId
SkipThisOrchestrationStep
```
When displaying the Combined Sign in and Sign up page, it was mentioned that the metadata of the `SelfAsserted-LocalAccountSignin-Email` technical profile configures an item called `SignUpTarget`. This enables the Sign Up link on the Combined Sign in and Sign up page to call the claims exchange in orchestration Step 2, which consequently executes the `LocalAccountSignUpWithLogonEmail` technical profile.
The technical profile is designed to capture the email, password and name of the user, and then write the account to the directory, as follows:
```xml
Email signup
- IpAddress
- api.localaccountsignup
- Create
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|Metadata|This is configured with a reference to a content definition to provide your custom look and feel to this page.|
|InputClaims|This will pre-populate the email field if the email claim was acquired earlier in the journey. |
|OutputClaims|These are claims that will be presented to the user on the rendered page, potentially prefilled based on the inputClaims status. Those claims, which cannot be fulfilled by the user, such as objectId and newUser, are not shown on the screen as they are fulfilled by the validation technical profile being referenced.|
|ValidationTechnicalProfile|A validation technical profile is used to write the user account when the user submits the page confirming their information.|
To see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).
Azure AD B2C uses a special partner claim type to enforce email verification on a claim, as seen here:
```xml
```
Here we are forcing the email claim presented on screen to be verified. Azure AD B2C will therefore render the `Verify` button on the page against this text field, and only allow the user to continue if this field was verified by a code sent to the user's inbox. This technique can be used against any claim name presented to the user as an output claim (ClaimTypeReferenceId).
When the user submits the page, the Validation technical profile will run, called `AAD-UserWriteUsingLogonEmail`. This is called since either the user account can be written successfully based on the information provided, or it cannot be. In this case, the user account may not be able to be written if the account exists.
The `AAD-UserWriteUsingLogonEmail` is as follows:
```xml
- Write
- true
false
```
|Element name |Description |
|---------|---------|
|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|
|Metadata|This is configured to write to the directory. And to throw an error if the user already exists with an error message.|
|InputClaims|This is attempting to find a user account with the `email` provided as part of the sign up page - `LocalAccountSignUpWithLogonEmail` technical profile.|
|PersistedClaims|This section defines which claims are to be written to the account. In this case, it will automatically create the account with this information present.|
|OutputClaims|We are asking to read these claims from account, which was just written. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |
|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|
**Orchestration Step 7**: Issue an id token.
In the majority of user journeys, the journey will end by issuing an id token back to the application. This orchestration step looks as follows:
```xml
```
The referenced technical profile is as follows:
```xml
JWT Issuer
JWT
- {service:te}
- objectId
- true
```
This step does not need configuring any further, but find out more [here](https://docs.microsoft.com/azure/active-directory-b2c/jwt-issuer-technical-profile) on available options.
## Summary
By reducing the user experience to a set of logical steps, we have translated these to a set of Orchestration Steps within an Azure AD B2C policy. These orchestration steps then implement the functionality of each logical step by allowing the user to interact with pages and validate various information. Finally we issue an id token back to the application.
================================================
FILE: SocialAndLocalAccountsWithMfa/PasswordReset.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAndLocalAccountsWithMfa/ProfileEdit.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAndLocalAccountsWithMfa/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml
================================================
Username
string
TextBox
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
Sign in name
string
TextBox
Email Address
string
Email address to use for signing in.
TextBox
Account Enabled
boolean
Specifies whether the user's account is enabled.
Specifies whether your account is enabled.
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
AlternativeSecurityId
string
MailNickName
string
Your mail nick name as stored in the Azure Active Directory.
Identity Provider
string
Display Name
string
Your display name.
TextBox
Phone Number
string
XXX-XXX-
Your telephone number
Verified Phone Number
string
XXX-XXX-
Your office phone number that has been verified
New Phone Number Entered
boolean
UserId for MFA
string
Email Address
string
Email address that can be used to contact you.
TextBox
Alternate Email Addresses
stringCollection
Email addresses that can be used to contact the user.
UserPrincipalName
string
Your user name as stored in the Azure Active Directory.
UPN User Name
string
The user name for creating user principal name.
User is new
boolean
Executed-SelfAsserted-Input
string
A claim that specifies whether attributes were collected from the user.
AuthenticationSource
string
Specifies whether the user was authenticated at Social IDP or local account.
refreshTokenIssuedOnDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
refreshTokensValidFromDateTime
string
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
isActiveMFASession
boolean
Parameter provided by the MFA session management to indicate that the user has an active MFA session.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign in
~/tenant/templates/AzureBlue/idpSelector.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1
- Idp selection page
- Sign up
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5
- Signin and Signup
~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5
- Multi-factor authentication page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account sign up page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Local account change password page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7
- Collect information from user page
facebook.com
Facebook
Facebook
- facebook
- https://www.facebook.com/dialog/oauth
- https://graph.facebook.com/oauth/access_token
- GET
- 0
- json
Local Account SignIn
Local Account SignIn
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
PhoneFactor
PhoneFactor
- api.phonefactor
- true
Azure Active Directory
Azure Active Directory
false
- Write
- true
false
- Read
- true
- false
- Write
- true
false
- Read
- true
false
- Write
- true
false
- Write
- false
- true
false
- Read
- true
false
- Write
- false
- true
false
Self Asserted
User ID signup
- api.socialccountsignup
User ID signup
- api.selfasserted.profileupdate
false
Local Account
Email signup
- IpAddress
- api.localaccountsignup
Local Account Signin
- SignUpWithLogonEmailExchange
- Email
- api.localaccountsignin
- true
false
Reset password using email address
- IpAddress
- api.localaccountpasswordreset
false
Change password (username)
- api.localaccountpasswordreset
Session Management
Noop Session Management Provider
Session Mananagement Provider
Session Mananagement Provider
- true
Session Mananagement Provider
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
Refresh token journey
Trustframework Policy Engine Refresh Token Setup Technical Profile
objectId
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
isActiveMFASession
SkipThisOrchestrationStep
newPhoneNumberEntered
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
false
================================================
FILE: SocialAndLocalAccountsWithMfa/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkLocalization
Facebook
- facebook_clientid
- email public_profile
- https://graph.facebook.com/me?fields=id,first_name,last_name,name,email
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
================================================
FILE: SocialAndLocalAccountsWithMfa/TrustFrameworkLocalization.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
en
Email Address
Sign in
Sign in with your social account
Sign in with your {0}
Password
Please enter your password
Please enter your {0}
Please enter a valid {0}
Sign up now
Sign up with {0} or {1}
Sign up with {0}, {1}, or {2}
Forgot your password?
Sign in
OR
Don't have an account?
We are having trouble signing you in. Please try again later.
Facebook
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
One or more fields are filled out incorrectly. Please check your entries and try again.
The password entry fields do not match. Please enter the same password in both fields and try again.
A required field is missing. Please fill out all required fields and try again.
What is this?
Please provide the following details.
Please wait
This information is required.
Cancel
Change e-mail
Send new code
Send verification code
Verify code
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
We are having trouble verifying your email address. Please enter a valid email address and try again.
There have been too many requests to verify this email address. Please wait a while, then try again.
Verification code has been sent to your inbox. Please copy it to the input box below.
Verification code
Verification is necessary. Please click Send button.
E-mail address verified. You can now continue.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Create
Cancel
You are already registered, please press the back button and sign in instead.
Email Address
Email address that can be used to contact you.
Please enter a valid email address.
New Password
Enter new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
Confirm New Password
Confirm new password
8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .
The password entry fields do not match. Please enter the same password in both fields and try again.
One or more fields are filled out incorrectly. Please check your entries and try again.
Continue
Cancel
An account could not be found for the provided user ID.
Your account has been locked. Contact your support person to unlock it, then try again.
This information is required.
Change e-mail
Send new code
Send verification code
Verify code
That code is expired. Please request a new code.
You've made too many incorrect attempts. Please try again later.
That code is incorrect. Please try again.
We are having trouble verifying your email address. Please enter a valid email address and try again.
There have been too many requests to verify this email address. Please wait a while, then try again.
Verification code has been sent to your inbox. Please copy it to the input box below.
Verification code
Verification is necessary. Please click Send button.
E-mail address verified. You can now continue.
There are too many requests at this moment. Please wait for some time and try again.
Claim not verified: {0}
A user with the specified ID already exists. Please choose a different one.
Incorrect pattern for: {0}
{0} has invalid input.
Missing required element: {0}
Error in validation by: {0}
Sign in
Local Account Signin
Facebook
Email Address
Password
Continue
Cancel
Your password is incorrect.
Your password is incorrect.
Your password has expired.
We can't seem to find your account.
Looks like you used an old password.
Invalid username or password.
Your account has been locked. Contact your support person to unlock it, then try again.
Your account is temporarily locked to prevent unauthorized use. Try again later.
There are too many requests at this moment. Please wait for some time and try again.
Display Name
Your display name.
Surname
Your surname (also known as family name or last name).
Given Name
Your given name (also known as first name).
Continue
Cancel
Call Me
Country Code
The user has canceled multi-factor authentication
Send a new code
\d{6}
We have the following number on record for you. We can send a code via SMS or phone to authenticate you.
We have the following numbers on record for you. Choose a number that we can phone or send a code via SMS to authenticate you.
Verify Code
Please enter the verification code you received
Please enter the 6-digit code you received
Cancel
Phone number
Retry
I don't have my phone
We have the following numbers on record for you. Choose a number that we can phone to authenticate you.
We have the following number on record for you. We will phone to authenticate you.
Enter your verification code below, or
Enter a number below that we can phone to authenticate you.
Enter a number below that we can send a code via SMS to authenticate you.
Send Code
Please enter a valid phone number
We have the following number on record for you. We will send a code via SMS to authenticate you.
Enter a number below that we can send a code via SMS or phone to authenticate you.
^\+(?:[0-9][\x20-]?){6,14}[0-9]$
We have the following numbers on record for you. Choose a number that we can send a code via SMS to authenticate you.
Please select your country code
Please enter your phone number
Country or region
Phone Number
The phone number you provided is busy or unavailable. Please check the number and try again.
You hit the limit on the number of text messages. Try again shortly.
You hit the limit on the number of call attempts. Try again shortly.
You hit the limit on the number of verification attempts. Try again shortly.
The verification code you have entered does not match our records. Please try again, or request a new code.
{"DEFAULT":"Country/Region","AF":"Afghanistan","AX":"Åland Islands","AL":"Albania","DZ":"Algeria","AS":"American Samoa","AD":"Andorra","AO":"Angola","AI":"Anguilla","AQ":"Antarctica","AG":"Antigua and Barbuda","AR":"Argentina","AM":"Armenia","AW":"Aruba","AU":"Australia","AT":"Austria","AZ":"Azerbaijan","BS":"Bahamas","BH":"Bahrain","BD":"Bangladesh","BB":"Barbados","BY":"Belarus","BE":"Belgium","BZ":"Belize","BJ":"Benin","BM":"Bermuda","BT":"Bhutan","BO":"Bolivia","BQ":"Bonaire","BA":"Bosnia and Herzegovina","BW":"Botswana","BV":"Bouvet Island","BR":"Brazil","IO":"British Indian Ocean Territory","VG":"British Virgin Islands","BN":"Brunei","BG":"Bulgaria","BF":"Burkina Faso","BI":"Burundi","CV":"Cabo Verde","KH":"Cambodia","CM":"Cameroon","CA":"Canada","KY":"Cayman Islands","CF":"Central African Republic","TD":"Chad","CL":"Chile","CN":"China","CX":"Christmas Island","CC":"Cocos (Keeling) Islands","CO":"Colombia","KM":"Comoros","CG":"Congo","CD":"Congo (DRC)","CK":"Cook Islands","CR":"Costa Rica","CI":"Côte d'Ivoire","HR":"Croatia","CU":"Cuba","CW":"Curaçao","CY":"Cyprus","CZ":"Czech Republic","DK":"Denmark","DJ":"Djibouti","DM":"Dominica","DO":"Dominican Republic","EC":"Ecuador","EG":"Egypt","SV":"El Salvador","GQ":"Equatorial Guinea","ER":"Eritrea","EE":"Estonia","ET":"Ethiopia","FK":"Falkland Islands","FO":"Faroe Islands","FJ":"Fiji","FI":"Finland","FR":"France","GF":"French Guiana","PF":"French Polynesia","TF":"French Southern Territories","GA":"Gabon","GM":"Gambia","GE":"Georgia","DE":"Germany","GH":"Ghana","GI":"Gibraltar","GR":"Greece","GL":"Greenland","GD":"Grenada","GP":"Guadeloupe","GU":"Guam","GT":"Guatemala","GG":"Guernsey","GN":"Guinea","GW":"Guinea-Bissau","GY":"Guyana","HT":"Haiti","HM":"Heard Island and McDonald Islands","HN":"Honduras","HK":"Hong Kong SAR","HU":"Hungary","IS":"Iceland","IN":"India","ID":"Indonesia","IR":"Iran","IQ":"Iraq","IE":"Ireland","IM":"Isle of 
Man","IL":"Israel","IT":"Italy","JM":"Jamaica","JP":"Japan","JE":"Jersey","JO":"Jordan","KZ":"Kazakhstan","KE":"Kenya","KI":"Kiribati","KR":"Korea","KW":"Kuwait","KG":"Kyrgyzstan","LA":"Laos","LV":"Latvia","LB":"Lebanon","LS":"Lesotho","LR":"Liberia","LY":"Libya","LI":"Liechtenstein","LT":"Lithuania","LU":"Luxembourg","MO":"Macao SAR","MK":"North Macedonia","MG":"Madagascar","MW":"Malawi","MY":"Malaysia","MV":"Maldives","ML":"Mali","MT":"Malta","MH":"Marshall Islands","MQ":"Martinique","MR":"Mauritania","MU":"Mauritius","YT":"Mayotte","MX":"Mexico","FM":"Micronesia","MD":"Moldova","MC":"Monaco","MN":"Mongolia","ME":"Montenegro","MS":"Montserrat","MA":"Morocco","MZ":"Mozambique","MM":"Myanmar","NA":"Namibia","NR":"Nauru","NP":"Nepal","NL":"Netherlands","NC":"New Caledonia","NZ":"New Zealand","NI":"Nicaragua","NE":"Niger","NG":"Nigeria","NU":"Niue","NF":"Norfolk Island","KP":"North Korea","MP":"Northern Mariana Islands","NO":"Norway","OM":"Oman","PK":"Pakistan","PW":"Palau","PS":"Palestinian Authority","PA":"Panama","PG":"Papua New Guinea","PY":"Paraguay","PE":"Peru","PH":"Philippines","PN":"Pitcairn Islands","PL":"Poland","PT":"Portugal","PR":"Puerto Rico","QA":"Qatar","RE":"Réunion","RO":"Romania","RU":"Russia","RW":"Rwanda","BL":"Saint Barthélemy","KN":"Saint Kitts and Nevis","LC":"Saint Lucia","MF":"Saint Martin","PM":"Saint Pierre and Miquelon","VC":"Saint Vincent and the Grenadines","WS":"Samoa","SM":"San Marino","ST":"São Tomé and Príncipe","SA":"Saudi Arabia","SN":"Senegal","RS":"Serbia","SC":"Seychelles","SL":"Sierra Leone","SG":"Singapore","SX":"Sint Maarten","SK":"Slovakia","SI":"Slovenia","SB":"Solomon Islands","SO":"Somalia","ZA":"South Africa","GS":"South Georgia and South Sandwich Islands","SS":"South Sudan","ES":"Spain","LK":"Sri Lanka","SH":"St Helena, Ascension, Tristan da 
Cunha","SD":"Sudan","SR":"Suriname","SJ":"Svalbard","SZ":"Swaziland","SE":"Sweden","CH":"Switzerland","SY":"Syria","TW":"Taiwan","TJ":"Tajikistan","TZ":"Tanzania","TH":"Thailand","TL":"Timor-Leste","TG":"Togo","TK":"Tokelau","TO":"Tonga","TT":"Trinidad and Tobago","TN":"Tunisia","TR":"Turkey","TM":"Turkmenistan","TC":"Turks and Caicos Islands","TV":"Tuvalu","UM":"U.S. Outlying Islands","VI":"U.S. Virgin Islands","UG":"Uganda","UA":"Ukraine","AE":"United Arab Emirates","GB":"United Kingdom","US":"United States","UY":"Uruguay","UZ":"Uzbekistan","VU":"Vanuatu","VA":"Vatican City","VE":"Venezuela","VN":"Vietnam","WF":"Wallis and Futuna","YE":"Yemen","ZM":"Zambia","ZW":"Zimbabwe"}
The phone number you provided is unreachable.
User has exceeded the number of retry attempts.
Verification code
Phone Number
================================================
FILE: SocialAndLocalAccountsWithMfa/readme.md
================================================
# Local and social accounts sign-up or sign-in and MFA user journey overview
Azure Active Directory B2C (Azure AD B2C) integrates directly with Azure AD Multi-Factor Authentication so that you can add a second layer of security to the sign-up and sign-in experiences in your applications. For more information, see [Enable multi-factor authentication in Azure Active Directory B2C](https://docs.microsoft.com/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-custom-policy).
This article gives an overview of the **local and social accounts sign-up or sign-in with MFA** user journey custom policies. We recommend that you read the [Local and social accounts sign-up or sign-in user journey](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/SocialAndLocalAccounts) overview before reading this article.
The _SocialAndLocalAccountsWithMfa_ starter pack builds on the [SocialAndLocalAccounts](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/SocialAndLocalAccounts) starter pack. The following are the elements you have to add to your policy to support MFA.
## Claim types
A claim provides a temporary storage of data during an Azure AD B2C policy execution. The [claims schema](https://docs.microsoft.com/azure/active-directory-b2c/claimsschema) is the place where you declare your claims. The following elements are used to define the claim:
```xml
Phone Number
string
XXX-XXX-
Your telephone number
Verified Phone Number
string
XXX-XXX-
Your office phone number that has been verified
New Phone Number Entered
boolean
UserId for MFA
string
```
## Claims transformation
The _CreateUserIdForMFA_ claims transformation creates a unique identifier for the user. The identifier is used when Azure AD B2C sends and verifies the code.
```xml
```
### Content definitions
The following [content definition](https://docs.microsoft.com/azure/active-directory-b2c/contentdefinitions) is used to render the MFA registration and verification page.
```xml
~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5
- Multi-factor authentication page
```
## Technical profiles
The following technical profiles are used to support MFA.
|Technical profile |Type |Description |Changes from the SocialAndLocalAccounts |
|---------|---------|---------|---------|
|PhoneFactor-InputOrVerify | [Phone Factor](https://docs.microsoft.com/azure/active-directory-b2c/phone-factor-technical-profile) | Provides a user interface to interact with the user to verify, or enroll a phone number.| New |
|AAD-UserReadUsingAlternativeSecurityId | [AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | | |
|AAD-UserWriteUsingLogonEmail |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | | Persists the phone number to the user profile. |
|AAD-UserReadUsingEmailAddress |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | | Returns the phone number from the user profile.|
|AAD-UserWritePasswordUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Update user's password | Persists the phone number to the user profile.|
|AAD-UserWriteProfileUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Update user's profile | Persists the phone number to the user profile. |
|AAD-UserReadUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Read user profile by user object ID| Returns the phone number from the user profile. |
|AAD-UserWritePhoneNumberUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Persists the phone number to the user profile. | New |
|LocalAccountDiscoveryUsingEmailAddress | [SelfAsserted](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile) | Password reset flow | Returns the phone number from the user profile. |
|LocalAccountWritePasswordUsingObjectId |[SelfAsserted](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile) | | Input claim |
|SM-MFA |[SSO](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-reference-sso) | MFA session manager | New |
```xml
PhoneFactor
PhoneFactor
- api.phonefactor
- true
Azure Active Directory
- Write
- false
- true
false
Local Account
Session Management
Session Mananagement Provider
```
## User journeys
The following are the orchestration steps required for MFA. The _PhoneFactor-Verify_ step registers a phone number (if the phone number claim is empty) or verifies the existing one (if a phone number is stored in the directory). As the preconditions below show, the step is skipped when the `isActiveMFASession` claim indicates an MFA session is already active, or when `newPhoneNumberEntered` indicates the number was just entered and verified in this journey.
```xml
...
isActiveMFASession
SkipThisOrchestrationStep
newPhoneNumberEntered
SkipThisOrchestrationStep
...
...
...
...
...
```
================================================
FILE: TrustFrameworkPolicy_0.3.0.0.xsd
================================================
The root element within which a Trust Framework Policy is defined.
This section contains the policy constraints controlling which tenants and policies
can inherit from it.
Contains a list of contacts who can be communicated with for notifications and issues regarding the Policy.
Contains a list of references to documents for the Policy.
This section contains the Claims Providers and their Technical Profiles that may be used in the various User Journeys.
The User Journeys through which a user is taken to retrieve the claims that are to be presented to the relying party.
The SubJourneys that are components of UserJourneys and are executed as part of a User Journey.
An identifier of the User Journey which the orchestration engine will begin with. A merged trust framework policy
can contain multiple user journeys and relying parties select one of them as the starting point.
Defines different endpoints exposed by the policy and maps to UserJourneys to invoke.
Controls the scope of various user journey behaviors.
Controls the scope of the single sign on behavior of a user journey.
Controls whether the session is rolling or absolute.
Controls the time of the session expiry in seconds.
DEPRECATED - Use JourneyInsights indicating ApplicationInsights as the telemetry engine.
Specifies the details required for journey insights.
Specifies a list of key-value pairs to be appended to the content definition load URI.
Specifies whether journey framing is enabled and for what sources.
Controls whether script execution is allowed for the journey.
Specifies the error handling behavior of a journey.
Determines the schema version published by Microsoft using which this Policy is to be executed.
The unique identifier of the tenant to which this policy belongs.
The unique identifier of the object ID of the Azure tenant.
The unique identifier of this policy.
The URI for the policy which is an appropriate name of the policy outside of the CPIM system.
The name of the StateTable that should execute this policy.
The mode under which the policy should be deployed.
The Url in the format http://{host}?stream={guid} (where the braces are omitted)
of a service able to receive http posts documenting user journey progress
This section defines the base policy from which this Policy is derived.
The identifier of the tenant that published the base policy. The base policy is looked up inside the tenant
specified here.
The identifier of the base policy. The policy is looked up using this identifier within the tenant specified
by the preceding element.
This section defines the constraints for policies inheriting from this policy.
A list of tenant references used when the inheritance rule is an allow or deny list.
A handler implementing the IConstraintHandler interface for applying more complex inheritance rules.
This section defines policy rerouting rules.
A list of reroute rules
This section defines details of a rerouting rule
The unique identifier of this policy.
The weight for a policy in case of A/B testing.
Defines an attribute that can be passed into the query string, that will match the policy to be redirected to.
This section defines the constraints for policies inheriting from this policy.
A machine understandable identifier that is used to uniquely identify this particular constraint handler.
A fully-qualified name of the assembly that will be used by CPIM to determine the constraint handler.
Every Claims Provider must have one or more Technical Profiles, which determine the endpoints and the protocols needed
to communicate with that Claims Provider. In fact, in CPIM, it is the Technical Profile that is referenced elsewhere for
communication with a particular Claims Provider.
A Claims Provider can have multiple Technical Profiles for various reasons. For example, multiple Technical Profiles may
be defined because the Claims Provider supports multiple protocols, various endpoints with different capabilities, or
releases different claims at different assurance levels. It may be acceptable to release
sensitive claims in one User Journey, but not in another one. A Technical Profile is usually certified for
a Level of Assurance and thus one Claims Provider may have multiple Technical Profiles for different Levels of Assurance.
The human understandable domain names for the technical profile.
The human understandable domain name for the technical profile.
The human understandable domain name for the technical profile.
The human understandable name of the Technical Profile that can be displayed to the users.
Provides detailed user understandable text to explain the Technical Profile.
The protocol used for federation.
Name of the protocol used by CPIM for claims exchange with the claims provider.
A fully-qualified name of the assembly that will be used by CPIM to determine the protocol handler if the protocol
name is "Proprietary". It is invalid to provide this attribute with any other protocol name.
Format of the input token
Format of the output token
Lists the assurance level of the claims that are retrieved from the Technical Profile.
Lists the assurance levels that a claim must have in order for it to be used as an input claim to the Technical Profile.
Requirements regarding the conscious and active participation of the subject in authentication
The maximum number of minutes cached credentials can be used following an active authentication by the subject.
Default is False. If True then whenever a token is issued
(even using a cached credential) the expiry time is set to the current time plus the TimeToLive
This is the data utilized by the protocol for communicating with the endpoint.
A list of cryptographic keys used in this technical profile.
A list of suppressions supported by the protocol.
If the protocol supports multiple bindings, this represents the binding preferred by the protocol, for example HTTP POST or HTTP GET
in the case of SAML.
A value indicating whether usage of this technical profile should apply
single sign-on behavior for the session, or instead require explicit interaction.
CPIM can send the original token from one claims provider to another claims provider. InputTokenSources are
the list of technical profiles of the claims providers from which the original tokens are to be sent.
ClaimsTransformations can be used to modify existing ClaimsSchema claims or generate new ones. This element contains the
list of references to ClaimsTransformations that should be executed before any claims are sent to the claims provider or the
relying party.
A list of the ClaimsSchema claim types that are sent as input to the claims provider or the relying party.
Defines a list of display claims for user interface controls.
A list of the ClaimsSchema claim types that are persisted by the claims provider.
A list of the ClaimsSchema claim types that are received as output from the claims provider.
ClaimsTransformations can be used to modify existing ClaimsSchema claims or generate new ones. This element contains the
list of references to ClaimsTransformations that should be executed after claims are received from the claims provider.
A TechnicalProfile can have a set of other TechnicalProfiles that it uses for validation purposes. This section lists all
such technical profiles.
The technical profile to be used for validating some or all of the output claims of the referencing technical profile.
Therefore, all the input claims of the referenced technical profile must appear in the output claims of the
referencing technical profile.
A list of preconditions that must be satisfied for the validation technical profile to execute.
A boolean indicating whether validation of any subsequent validation profiles should continue if this
profile succeeds. The default is true, meaning that the processing of further validation profiles will continue.
A boolean indicating whether validation of any subsequent validation profiles should continue if this
profile errors. The default is false, meaning that processing of further validation profiles will stop and
an error returned.
Information that controls production of the subject name in tokens (e.g. SAML) where subject name is specified separately
from claims.
An element for including additional information specific to a particular technical profile
An id of a different technical profile. All input and output claims from the referenced technical profile will be
added to this technical profile. The referenced technical profile must be defined in the same trust framework policy.
An id of a different technical profile. All data from the referenced technical profile will be
added to this technical profile. The referenced technical profile must exist in the trust framework policy.
An id of a technical profile to be used for session management.
Error handlers to take action based on different error responses.
Format of error response. Used to indicate the reader of the error response for path matching. Default is json.
Match path for the response to trigger the action. JSONPath is used for json response. XPath is used for XML response.
Action to perform when the error response matches the pattern.
Additional query string to send for reauthentication action.
A boolean indicating whether the technical profile should be used within a user journey; this includes ClaimProviderSelections.
If this value is set to true, it will disable the selection.
A machine understandable identifier that is used to uniquely identify this particular TechnicalProfile,
and reference it from other sections of the document, for example OrchestrationSteps and InputTokenSources.
A User Journey defines all the constructs necessary for a complete user flow.
Specifies a measurement of identity assurance when the claims are presented to the Relying
Party at the conclusion of the orchestration steps contained in the User Journey.
Claims are presented to the Relying Party Application in a token generated by CPIM. However, a Technical
Policy may state, using a true or a false for this element, that the original assertion which was returned from
the Claims Provider(s) must also be preserved so that if needed, it can be looked at by Relying Party for auditing
or diagnostic purposes.
Specifies relevant information required for the Authorization elements of a UserJourney. This can point to other
element references in the policy for validating information about the request in order to assert that the request is allowed.
A TechnicalProfile can be used to extract information from a request and perform authorization of the request. This section lists all
such technical profiles.
The technical profile to be used for validating/authorizing incoming data to assert the information is valid for the UserJourney. If
the information is invalid, the UserJourney will not execute and the request is Forbidden.
This section lists the orchestration sequence that must be followed through for a successful transaction (i.e. a
complete user flow). Thus, every User Journey consists of an ordered list of Orchestration Steps (OS) that are
executed in sequence. If any step fails, the transaction fails.
References settings definition section that determines the client behavior.
The identifier of the policy to use.
A list of cryptographic keys used in this User Journey.
A machine understandable identifier that is used to uniquely identify this particular User Journey.
A boolean that is used to indicate whether this particular User Journey is non-interactive.
The default Issuer TechnicalProfileId of the claims provider that will mint the token for the relying party.
If absent, the CpimIssuerTechnicalProfileReferenceId from the first SendClaims step is used as the default.
A SubJourney describes a part of the User Journey
This section lists the orchestration sequence that must be followed through for a successful transaction (i.e. a
complete user flow). Thus, every SubJourney consists of an ordered list of Orchestration Steps (OS) that are
executed in sequence. If any step fails, the transaction fails.
A machine understandable identifier that is used to uniquely identify this particular SubJourney.
The type of the SubJourney that governs how it is executed in the context of the policy.
An Endpoint that describes what UserJourney should be invoked when a user agent lands on the endpoint.
A machine understandable identifier that is used to uniquely identify this particular Endpoint.
The unique identifier of the UserJourney to be executed on invoking the endpoint.
This section contains all the definitions that are used by the Technical Policies.
This section defines all the claim types that can be referenced from other sections of the document.
This section defines all the predicates that are used to validate input strings.
This section defines input validations that combine predicates to create a string validation logic.
This section defines predicate validations that combine predicates to create a string validation logic.
Contains a list of claims transforms that can be used in Technical Policies.
ClientDefinitions specify various properties specific to the end-user device for which the policy is being executed.
Content definitions contain URLs to external content (for example, URLs to pages used in claims providers such as Phone Factor).
Defines the supported cultures and contains strings and collections in those cultures.
Defines all the cultures that are supported by this policy.
Contains all the translated strings for a specific culture.
If set to true, the Localization section is used for rendering the strings and collections in appropriate languages, otherwise
this section is not used.
This section defines all display controls associated with user interface controls.
Defines the display control associated with user interface control.
Represents the set of supported language including the default language.
Represents one supported language
This is the default language in which the customer will see user journeys if they do not specify any other supported culture.
This is the language the default values in the policy are written in.
Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy
with the same identifier.
A collection can have different number of items, and different strings for various cultures. This element
allows defining the entire collections in various cultures. Examples of collections include the enumerations
that appear in claim types, e.g. country/region list, and are shown to the user in a drop down list.
This section is used to define all the strings, except those that appear in collections, in various cultures.
Defines whether content journey framing is supported and the corresponding
domains allowed to frame.
Attribute indicating whether journey framing is enabled.
A space-separated list of sources used to populate the CSP frame-ancestors directive
and the X-Frame-Options header. In the case of X-Frame-Options, if more than one
source is specified, only the first source is included, and it must
be an absolute URL.
Defines whether errors should be returned to the requestor or displayed in service.
Attribute indicating the error handling mode.
Defines the behavior of the single sign-on functionality for this application policy
Defines the scope of the single sign-on behavior.
Defines the number of days to keep the session alive for when a user selects to be remembered.
Attribute indicating whether the presence of the id_token_hint parameter is required for OIDC logout.
DEPRECATED - Use JourneyInsights indicating ApplicationInsights as the telemetry engine.
Defines the instrumentation key for the application insights element.
Defines the Azure Applications Insight element which includes the application insights script in the user journeys.
Defines the instrumentation key for the application insights element.
Values indicating which telemetry engine to use.
Value indicating whether Application Insights should operate in developer mode. Default if not specified is false.
Value indicating whether Application Insights should be run on the client via JavaScript. Default if not specified is false.
Value indicating whether server-side journey recording is enabled. Default if not specified is false.
Value indicating which version of journey telemetry to use. If not specified, the latest version is used.
Defines a list of key value pairs to be appended to the query string of the content definition load uris.
Defines a key value pair that is to be appended to the query string of content definition load uri.
Transforms take a set of claims, process them, and output another set of claims.
A list of the Claim Types that are taken as input to the Claims Transformation. Each of these elements contains reference
to a ClaimType already defined in the ClaimsSchema section.
A list of the parameters that are provided as input to the Claims Transformation. Each of these elements contains a value that is passed
verbatim to the transformation.
A list of the Claim Types that are taken as input to the Claims Transformation. Each of these elements contains reference
to a ClaimType already defined in the ClaimsSchema section.
The Claim Type that is outputted by the Claims Transformation. This element contains reference to a ClaimType already defined
in the ClaimsSchema section.
A machine understandable identifier that is used to uniquely identify this particular Claims Transform, and reference it
from other sections of the document.
A machine understandable identifier to reference the published transformation method to be used.
Metadata section that can be used to override API settings and content
Contains a list of references to localized resources. The reference can be of the form of URL or a machine understandable identifier
that is used to uniquely identify the specific localized resource in the policy.
Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy
with the same identifier.
A machine understandable identifier that is used to uniquely identify this particular Content Definition, and reference it
from other sections of the document.
The url to a localized resource hosted on a CORS enabled endpoint. This resource will be fetched by the clientside code.
A machine understandable identifier that is used to uniquely identify this particular Localized Resource, and reference it
from other sections of the document.
Contains settings for a User Journey on a client.
These flags are used to indicate the client's UI behavior.
A unique identifier that allows this client definition to be referenced from a User Journey.
Represents a Claims Provider, along with its technical profiles.
Domain names for the claim provider.
The human understandable domain name for the claim provider.
The human understandable domain name for the claim provider.
The human understandable name of the claims provider that can be displayed to the users.
List of Technical Profiles for exchanging claims with this claims provider.
A collection of Precondition elements.
Represents a conditional check that is performed to determine whether an OrchestrationStep or a validation technical profile should be executed.
The data that is used by the check. For example, if the Type of this check is "ClaimsExist", this field
will specify a ClaimTypeReferenceId to query for.
Specifies the action that should be taken if the Precondition check is true, such as "SkipThisOrchestrationStep" and "SkipThisValidationTechnicalProfile"
The type of check to perform.
Specifies if the actions in this precondition should be performed if the test is true or false.
A reference to a predicate element.
A machine readable identifier that references a predicate in the policy.
A combination of predicate groups and predicates that will define how to validate an input.
A machine readable identifier that can be used to reference the input validation in the policy.
A set of predicates.
A machine readable identifier for the pattern group that cannot be referenced.
The help text shown for the predicate group in case of an error.
The least number of predicates that must match for the predicate group to take effect.
The least number of predicates that must match for the predicate group to take effect.
Represents a single parameter that will be passed to a predicate method.
The value of the parameter.
The name of the parameter.
A collection of Parameters passed to a predicate.
Defines a single predicate that will be used to create an input validation.
A description of the predicate that can be helpful for the users to know what password they should type.
A machine understandable identifier that is used to uniquely identify this particular Predicate, and reference it
from other sections of the document.
The method that will be called to validate this predicate, it takes as input the param elements and a string value and returns a boolean.
The help text that will be shown to the user if the input validation that the predicate is in fails.
A set of predicate groups.
A reference to a predicate element.
A description of the predicate that can be helpful for the users to know what password they should type.
A machine readable identifier that can be used to indicate the name of predicate group, it can not be referenced.
A combination of predicate groups and predicates that will define how to validate an input.
A machine readable identifier that can be used to reference the predicate validation in the policy.
A reference to a predicate validation element.
A machine readable identifier that references a predicate validation in the policy.
A collection of ClaimsProviderSelection elements.
Shows options for the selection between various claims providers in a given step (such as Google/Facebook/Microsoft Account).
A collection of ClaimsExchange elements.
Depending on the Technical Profile being used, a Claims Exchange either redirects the user’s client corresponding to the
ClaimsProviderSelection that the user may have selected, or makes a server call to exchange claims.
A machine understandable identifier that is used to uniquely identify this particular Claims Exchange step, and reference
it from a ClaimsProviderSelection step.
The unique identifier of the Technical Profile which is used for claims exchange.
A list of SubJourneys that are able to be executed during an Orchestration Step
A candidate is a single journey type that can be invoked on its own during an Orchestration Step
The unique identifier for the SubJourney that can be executed
ClaimsTransformations may be used in a TechnicalProfile for transforming claims when they are sent to and received from a claims
provider. A ClaimsTransformation must be defined in this section before it can be referenced in a TechnicalProfile.
A reference to an input validation element.
A machine readable identifier that references a predicate in the policy.
Defines a single claim type.
The human understandable name of the claim type that is displayed to the users on various screens.
The type of data stored in the claim type, such as String, Boolean, Int or DateTime. This type may be used by
claims transforms and may thus participate in comparison or arithmetic operations. Associating an appropriate type
ensures that these operations are performed correctly by the transforms.
If a partner claim type is not provided in a claim mapping, then these partner claim types are used for
the specified protocol.
The list of technical profiles that is allowed to be used against a claims provider selection.
An optional string of masking characters that can be applied to the claim when displaying the claim for example phone number
324-232-4343 masked as XXX-XXX-4343
A description of the claim type that can be helpful for the administrators to understand the purpose and/or usage of
the claim type.
A description of the claim type that can be helpful for the users to understand the purpose and/or usage of the claim type.
The type of input control that should be available to the user when manually entering claim data for this claim type.
The value restrictions for this claim, such as a regular expression or a list of acceptable values.
A machine understandable identifier that is used to uniquely identify this particular Claim Type, and reference it
from other sections of the document.
The type of statement the claim type represents, such as Attribute, Authentication or Subject, the default being Attribute. This type may be used by
claims transforms and may thus participate in comparison or arithmetic operations. Associating an appropriate type
ensures that these operations are performed correctly by the transforms.
The display name.
The telephone number.
The email address.
The role of the contact.
A machine understandable identifier that is used to uniquely identify this particular Contact.
Certain documents, such as terms of use or privacy policy, may be made available to the Relying Parties or even the
users before they sign up to use one of the services provided by CPIM. The RPs may use these documents to determine
whether the TF is appropriate for the purposes it intends to use it for. The users may view these documents to look at
the parameters within which RPs and the TF will operate and determine whether they want to participate or not.
The display name of the document.
The url where the document is located.
Specifies the orchestration step.
A list of preconditions that must be satisfied for the step to execute.
A list of Claims Provider Selection options for the Orchestration Step.
A list of Claims Exchanges for the Orchestration Step.
A list of available journeys that can be invoked by the Orchestration Step.
The order of the Orchestration Step. Orchestration Steps must appear in increasing order, in which they are executed.
The type of the Orchestration Step.
A reference to the Content that the Orchestration Step can display to the user.
Used on SendClaims steps to define the TechnicalProfileId of the claims provider
that will mint the token for the relyingParty. If absent no RP token will be created.
A list of sources that can be the input assertions for the current technical profile.
A machine understandable identifier that is used to uniquely identify this particular technical policy.
Represents the CryptographicKeys that are used within the Policy. Since these are sensitive secrets, the actual cryptographic
keys are stored outside of the Trust Framework Policy and would generally reside in a system deemed secure for
cryptographic storage, such as in a hardware security module (HSM) or a key management service (KMS).
A machine understandable identifier that is used to uniquely identify this particular Cryptographic Key.
An identifier that references the key in the underlying key storage.
Defines the element for the protocol provider metadata.
Defines a single metadata item for the protocol provider metadata.
Defines a group of items of key/value pairs.
Defines a single key/value pair item.
A key that uniquely identifies the item.
The value to hold in the item.
The claim type in the normalized schema that is sent to the claims provider. The claim mappings are used to determine the
provider claim type before sending to the claims provider.
Identifies a Claim Type specified in the Claims Schema.
Identifies the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute
is not specified, then the specified policy claim type is mapped to the partner claim type of the same name.
If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an
input claim by the technical profile.
Provides an optional property to the claims provider indicating whether the claim can be overwritten in the claims providers
records if the claim provider supports overwriting.
Provides an optional property indicating whether the default claim value should always be used as the value of the claim.
A group of display elements in self asserted page that allows special interaction with the back-end.
A list of input claims that indicate the prefilled values for user interface controls.
The input claim that indicates the prefilled value for user interface control.
A list of display claims to be displayed as user interface controls.
The display claim to be displayed as user interface control.
A list of output claims to be used by the relying technical profile.
The output claim to be used by the replying technical profile.
A list of actions corresponding to front-end user control scenarios.
The display control action corresponding to a front-end user control scenario.
The identifier of the display control.
Type of user interface control that allows users to enter and verify claims.
A list of technical profiles to execute sequentially when the action is invoked.
The technical profile reference to execute when action is invoked.
A list of preconditions that must be satisfied for the validation technical profile to execute.
An identifier that is a reference to a Technical Profile specified in one of the Claims Providers.
A boolean indicating whether validation of any subsequent validation profiles should continue if this
profile succeeds. The default is true, meaning that the processing of further validation profiles will continue.
A boolean indicating whether validation of any subsequent validation profiles should continue if this
profile errors. The default is false, meaning that processing of further validation profiles will stop and
an error returned.
The identifier of the display control action associated with a user interface scenario.
An identifier that is a reference to a ClaimType specified in the ClaimsSchema.
An identifier that is a reference to a defined DisplayControl.
Identifies whether or not the user input is required for further actions.
An identifier that is a reference to a ClaimType specified in the ClaimsSchema.
Identifies whether or not the claim is required for this technical profile. If this property is not specified, false is assumed,
meaning that the given claim may be utilized if available, but its absence does not indicate an error. For claims that are user
asserted, this property controls whether or not the user is required to fill out the associated field before continuing.
If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an
input claim by the technical profile.
Provides an optional property indicating whether the default claim value should always be used as the value of the claim.
An identifier that is a reference to a ClaimType specified in the ClaimsSchema.
Identifies the control type of the display control that is mapped to the specified policy claim type.
Identifies whether or not the user input is required for further actions.
A reference to a Technical Profile which constrains the source of the claim to one or more
technical profiles. If no from is specified then the claim can be sourced from any technical
profile.
An identifier that is a reference to a ClaimType specified in the ClaimsSchema.
Identifies the claim type of the external partner that is mapped to the specified policy claim type. If the PartnerClaimType
attribute is not specified, then the partner claim type of the same name as the specified policy claim type is mapped instead.
Identifies whether or not the claim is required for this technical profile. If this property is not specified, false is assumed,
meaning that the given claim may be utilized if available, but its absence does not indicate an error. For claims that are user
asserted, this property controls whether or not the user is required to fill out the associated field before continuing.
If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an
input claim by the technical profile.
Provides an optional property indicating whether the default claim value should always be used as the value of the claim.
An identifier that is a reference to a ClaimType specified in the ClaimsSchema.
Identifies the claim type of the transformation that is mapped to the specified policy claim type. If the TransformationClaimType
attribute is not specified, then the transformation claim type of the same name as the specified policy claim type is mapped instead.
An identifier that is a reference to a Technical Profile specified in one of the Claims Providers.
An optional string for masking a claim when displaying the claim for example phone number
324-232-4343 masked as XXX-XXX-4343. Can either be a simple substitution mask or a regular
expression which uses named groups
Defines an available option for the user to select for a claim in the UI, such as a value in a dropdown.
The user-friendly display string that should be shown to the user in the UI for this option.
The claim value associated with selecting this option.
A value indicating whether or not this option should be selected by default in the UI.
Defines a pattern restriction, such as a regular expression, to be placed on values for a specific claim type.
A regular expression that claims of this type must match in order to be valid.
A string that can describe the pattern/regular expression for this claim to the user.
Defines the element for specifying value restrictions for a claim, such as regular expressions or a list of acceptable values.
Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy
with the same identifier. If no value is given for this we use replaceAll by default.
A list of tenant references used when the inheritance rule is an allow or deny list.
A list of tenant references used when the inheritance rule is an allow or deny list.
The type of pattern constraint to apply to the policy id.
The actual pattern to be applied to the policy id.
Defines a reference to a tenant using the tenant guid as the reference id.
The unique identifier of the object ID of the Azure tenant.
An identifier that is a reference to a parameter of the TransformationMethod.
The type of data of the parameter, such as String, Boolean, Int or DateTime. This type is used to perform arithmetic
operations correctly.
The value that is to be provided to the TransformationMethod when invoked.
An extension point for elements that allows any xml from any namespace outside of
the document namespaces to be included in the element
Specifies the format type of the error response.
Specifies how journey errors are to be communicated to the user/requestor.
Error is returned to the requestor using protocol semantics.
Display the error message in the service.
Specifies how to handle error responses.
Ask the user to reauthenticate for a specific error case
Display the message indicating client key/secret is not configured properly
Specifies how the contents of the node will be merged together with data from parent policies
with the same unique identifier.
Specifies that the collection of data present should be appended to the end of the
collection specified in the parent policy.
Specifies that the collection of data present should be added before the
collection specified in the parent policy.
Specifies that the collection of data specified in the parent policy should be ignored,
using instead the data specified in the current policy.
The types of claim masks
1. Simple, a simple text mask that is
applied to the leading portion of a string claim.
2. A regular expression that can be applied
to the string claim as whole
The names of the valid protocols supported by CPIM.
The list of acceptable values for "EnabledForUserJourneys" property: true and Always will execute the technical profile, false and Never will
always skip it, and OnClaimsExistence will only execute the technical profile if the claim specified in the technical profile's metadata is
present in the user journey storage.
The list of acceptable values for how the claims provider selection page should be displayed
The token formats supported by CPIM.
Describes the supported script execution modes.
Script execution is not allowed on the client and any 3rd party content containing script will be blocked.
Script execution is permitted
Specifies the type of the Orchestration Step.
Indicates that the Orchestration Step presents text to the user to which the user must consent.
Indicates that the Orchestration Step presents various Claims Providers to the user for the user to select one.
Indicates that the Orchestration Step presents a combined social provider signin and local account signup page.
Indicates that the Orchestration Step exchanges Claims with a Claims Provider.
Indicates that the Orchestration Step presents a review screen for the user to review the claims which the user
must accept.
Indicates that the Orchestration Step sends the claims to the Relying Party.
Indicates that the Orchestration Step processes claim data sent to the service from the relying party.
Indicates that the Orchestration Step presents a user dialog to the user for the capturing of information.
Indicates that the Orchestration Step has the ability to invoke one or more SubJourneys.
Indicates that the Orchestration Step does nothing and is included to cope with errors in layering.
Defines the scope of single sign-on behavior in the user journey.
Indicates that the behavior is suppressed. For example, in the case of SSO no session is maintained for the user and the user will always
be prompted for identity provider selection.
Indicates that the behavior is applied for all policies in the trust framework. For example a user being put through two policy journeys
for a given trust framework will not be prompted for identity provider selection.
Indicates that the behavior is applied for all policies in the tenant. For example a user being put through two policy journeys
for a given tenant will not be prompted for identity provider selection.
Indicates that the behavior is applied for all policies for the application making the request. For example a user being put through two policy journeys
for a given application will not be prompted for identity provider selection.
Indicates that the behavior only applies to a policy. For example a user being put through two policy journeys
for a given trust framework will be prompted for identity provider selection when switching between policies.
Specifies the type of query that is being performed for this precondition.
Specifies that the actions should be performed if the specified Claims exist in the
user's current Claim set.
Specifies that the actions should be performed if the specified Claim exists and its
value is equal to the specified value.
Specifies the action that should be taken if the Precondition check within
an OrchestrationStep is true.
Specifies that the associated OrchestrationStep should not be executed.
Specifies that the associated validation technical profile should not be executed.
The supported data types that the claims or parameters can have. These types are a subset of the types specified by
W3C XML Schema documentation, which can be found at http://www.w3.org/TR/xmlschema-2.
Represents the type of input controls that should be available to the user when manually entering claim data.
Represents the type of input controls that should be available to the user when manually entering claim data. This is successor of "UserInputType".
Represents the telemetry engines that can be used as part of journey insights.
Describes the category of statement that the claim belongs to, used for comparing authentication contexts
and issuing tokens
A general claim about the authenticated individual
A claim providing information about how the individual
was authenticated
A claim providing a means of identifying an individual
Represents a culture for displaying content.
Represents a tenant id.
Represents the object id of an Azure tenant.
Represents the instrumentation key for an Azure Application insights instance.
Represents the pattern to which a policyId must conform.
Represents a pattern that can be used to construct a valid policyId. This field supports dynamic parameters.
Represents weight of a policy.
Defines an attribute that can be passed into the query string, that will match the policy to be redirected to.
Represents a four part version number in the format 9.9.9.9.
Represents a three part version number in the format 9.9.9.
Contains an enumeration of the key types supported by CPIM.
A U-Prove Key.
A X-509 Certificate.
A secret key.
Type that restricts a string to either an absolute or
relative URL. Matches https://domain/path, http://domain/path
and ~/path
Type that restricts a string to an absolute https URL. Matches https://domain/path.
The names of the valid values for a policy's DeploymentMode attribute.
The names of the valid values the single sign on session type.
Represents the type of deriving policies that can be specified for policy inheritance.
Any policy can inherit from this policy.
Only policies in the same tenant can inherit from this policy. The default.
Only tenants explicitly listed in the tenants list can inherit from this policy.
Only tenants explicitly listed in the tenants list are blocked from inheriting from this policy. Anyone else can.
The types of pattern constraints that can be used when
constraining policies.
Specifies that a policy id needs to start with the specified prefix.
Represents the types of SubJourneys that can be constructed in policy.
Represents a type of SubJourney that transfers control from the current execution context, either a SubJourney or UserJourney, into a new SubJourney execution context.
Represents a type of SubJourney that is executed inside of the current User Journey. The invoked SubJourney yields control back to the original User Journey or SubJourney upon completion
Represents a string which cannot be empty.
================================================
FILE: scenarios/linkedin-identity-provider/SignUpOrSignin.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: scenarios/linkedin-identity-provider/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
Identity Provider Access Token
string
Stores the access token of the identity provider.
nullClaim
string
A policy claim to store unneeded output values from ClaimsTransformations. This claim should not be used in TechnicalProfiles.
A policy claim to store unneeded output values from ClaimsTransformations. This claim should not be used in TechnicalProfiles.
linkedin.com
LinkedIn
LinkedIn
- linkedin
- https://www.linkedin.com/oauth/v2/authorization
- https://www.linkedin.com/oauth/v2/accessToken
- https://api.linkedin.com/v2/me
- r_emailaddress r_liteprofile
- POST
- id
- AuthorizationHeader
- true
- 0
- LinkedIn client_id
REST APIs
Get LinkedIn email
- https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
- Bearer
- identityProviderAccessToken
- Url
- true
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
objectId
SkipThisOrchestrationStep
identityProvider
SkipThisOrchestrationStep
identityProvider
linkedin.com
SkipThisOrchestrationStep
authenticationSource
localAccountAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
authenticationSource
socialIdpAuthentication
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
================================================
FILE: scenarios/password-change/PasswordChange.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkExtensions
PolicyProfile
================================================
FILE: scenarios/password-change/TrustFrameworkExtensions.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_TrustFrameworkBase
Old Password
string
Enter password
Password
Local Account SignIn
Local Account SignIn
Local Account Password Change
Change password (username)
- api.selfasserted
================================================
FILE: scenarios/phone-number-passwordless/ChangePhoneNumber.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_Phone_Email_Base
PolicyProfile
================================================
FILE: scenarios/phone-number-passwordless/PasswordResetEmail.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_Phone_Email_Base
PolicyProfile
================================================
FILE: scenarios/phone-number-passwordless/Phone_Email_Base.xml
================================================
User's Object's Tenant ID
string
Tenant identifier (ID) of the user object in Azure AD.
User's Object ID
string
Object identifier (ID) of the user object in Azure AD.
phoneNumber
Email Address
string
Email address of the user
Email address that can be used to contact you.
Readonly
string
Phone Number
string
Enter Phone Number
TextBox
Phone Number
string
Enter National Phone Number
TextBox
Phone Number or Email Address
string
Please enter a valid phone number or email address.
TextBox
Email Address
string
Email address of the user
Email address that can be used to contact you.
EmailBox
boolean
boolean
boolean
string
Paragraph
Country
string
Enter Country
DropdownSingleSelect
Verification Code
string
Enter your verification code
TextBox
Password
string
Enter password
Password
New Password
string
Enter new password
Password
Confirm New Password
string
Confirm new password
Password
Password Policies
string
Password policies used by Azure AD to determine password strength, expiry etc.
client_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
resource_id
string
Special parameter passed to EvoSTS.
Special parameter passed to EvoSTS.
Subject
string
Display Name
string
Your display name.
TextBox
boolean
boolean
nca
string
Special parameter passed for local account authentication to login.microsoftonline.com.
grant_type
string
Special parameter passed for local account authentication to login.microsoftonline.com.
scope
string
Special parameter passed for local account authentication to login.microsoftonline.com.
objectIdFromSession
boolean
Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.
UPN User Name
string
The user name for creating user principal name.
The user name for creating user principal name.
UserPrincipalName
string
The user name as stored in the Azure Active Directory.
Your user name as stored in the Azure Active Directory.
Given Name
string
Your given name (also known as first name).
TextBox
Surname
string
Your surname (also known as family name or last name).
TextBox
Please enter a valid email address.
^[a-zA-Z0-9!#$%&'+^_`{}~-]+(?:\.[a-zA-Z0-9!#$%&'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$
The value entered needs to be a phone number.
^\+?(?:[-()\s]*\d[-()\s]*){4,16}$
The national number should not include a country code.
^[^\\+]+$
Please enter a valid email address or phone number.
Please enter a valid phone number.
LineMarkers, MetaRefresh
~/tenant/templates/AzureBlue/exception.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1
- Error page
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Enter phone number to continue
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Verify new phone number
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Verify phone to sign in
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Verify phone to sign up
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Verify email address
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Collect email address during phone sign up
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Use email to sign in
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Verify email to sign up
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Verify email address
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.1
- Signin and Signup using phone
- ChangePhoneNumber
~/tenant/templates/AzureBlue/unified.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.1
- Signin and Signup using phone or email
- ChangePhoneNumber
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Change password for email account
~/tenant/templates/AzureBlue/selfAsserted.cshtml
~/common/default_page_error.html
urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1
- Update profile
Sign in with your existing account
Continue
Sign in with your existing account
Continue
Create
Please verify your country code and phone number
By providing your phone number, you consent to receiving a one-time passcode sent by text message to help you sign in to {insert your application name}. Standard message and data rates may apply.
Privacy Statement
{insert your privacy statement URL}
Terms and Conditions
{insert your terms and conditions URL}
Please verify your country code and phone number
By providing your phone number, you consent to receiving a one-time passcode sent by text message to help you sign in to {insert your application name}. Standard message and data rates may apply.
Privacy Statement
{insert your privacy statement URL}
Terms and Conditions
{insert your terms and conditions URL}
Please enter your old country code and phone number
Old phone number
New phone number
Continue
We need to verify the email address you used to sign up with
Create
Add a recovery email now so you can recover your account if your phone number changes. Note that this email address is for recovery purposes and not for signing in.
Azure Active Directory
Azure Active Directory
false
- Read
- true
- Read
- false
- true
- That phone number doesn't exist in our system. Please try signing up with the number.
false
- true
- false
- You are already registered, please press the back button and sign in instead.
- Write
- true
- false
- You are already registered, please press the back button and sign in instead.
- Write
- false
- true
- Write
- true
- false
- You are already registered, please press the back button and sign in instead.
- Read
- false
- true
- An account could not be found for the provided email address.
false
- Write
- false
- true
- Write
- false
- true
- Write
- false
- true
Azure MFA
Send Sms
- OneWaySMS
Verify Sms
- Verify
Local Account Sign Up With Phone
Phone
- newPhoneNumber
- Please enter a valid phone number and country code.
Phone
- phoneSignUp
- TextLink
- Please enter a valid phone number and country code.
Phone
- phoneSignUpCollectEmailAddress
Phone
- changePhoneNumberVerifyEmailAddress
Local Account Sign Up With Email
Email
- IpAddress
- emailSignUp
- TextLink
Local Account Sign In With Phone
Local Account Signin Using Phone Only
- Username
- false
Local Account Signin Using Phone Email
- Username
- Please enter a valid phone number or email address.
- true
- false
Phone
- phoneInput
- We don't have a recovery email address listed under the phone number you entered. Contact your organization's IT administrator to change your phone number.
Phone
Change Phone Number
- TextLink
Phone
- phoneSignIn
Phone
- phoneSignIn
Reset password using email address
- IpAddress
- emailDiscovery
false
Change password (username)
- resetemailpassword
Local Account Signin
- Email
- emailSignIn
- Please enter a valid email address.
false
Local Account Signin
- emailSignIn
Local Account SignIn
- ProxyIdentityExperienceFrameworkAppId
- IdentityExperienceFrameworkAppId
- We can't seem to find your account
- Your password is incorrect
- Looks like you used an old password
- Invalid email or password
- https://sts.windows.net/
- https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
- https://login.microsoftonline.com/{tenant}/oauth2/token
- id_token
- query
- email openid
- false
- POST
User ID signup
- profileUpdate
- true
false
Claims Transformation
Validate UserName Type
Combine country code and national number
Does recovery email exist
Session Management
Noop Session Management Provider
Session Management Provider
Session Management Provider
Trustframework Policy Engine TechnicalProfiles
Trustframework Policy Engine Default Technical Profile
- {service:te}
Token Issuer
JWT Issuer
JWT
- {service:te}
- objectId
- true
isLocalAccountSignIn
SkipThisOrchestrationStep
isLocalAccountSignIn
SkipThisOrchestrationStep
isChangePhoneNumber
SkipThisOrchestrationStep
isLocalAccountSignIn
SkipThisOrchestrationStep
isChangePhoneNumber
SkipThisOrchestrationStep
hasFullProfile
SkipThisOrchestrationStep
isLocalAccountSignIn
SkipThisOrchestrationStep
objectId
SkipThisOrchestrationStep
isLocalAccountSignIn
SkipThisOrchestrationStep
isEmailSignUp
SkipThisOrchestrationStep
isChangePhoneNumber
SkipThisOrchestrationStep
isLocalAccountSignIn
SkipThisOrchestrationStep
isChangePhoneNumber
SkipThisOrchestrationStep
hasFullProfile
SkipThisOrchestrationStep
strongAuthenticationEmailAddress
SkipThisOrchestrationStep
hasFullProfile
SkipThisOrchestrationStep
email
SkipThisOrchestrationStep
phoneNumber
SkipThisOrchestrationStep
hasFullProfile
SkipThisOrchestrationStep
hasFullProfile
SkipThisOrchestrationStep
email
SkipThisOrchestrationStep
phoneNumber
SkipThisOrchestrationStep
phoneNumber
SkipThisOrchestrationStep
strongAuthenticationEmailAddress
SkipThisOrchestrationStep
phoneNumber
SkipThisOrchestrationStep
strongAuthenticationEmailAddress
SkipThisOrchestrationStep
================================================
FILE: scenarios/phone-number-passwordless/ProfileEditPhoneEmail.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_Phone_Email_Base
PolicyProfile
================================================
FILE: scenarios/phone-number-passwordless/ProfileEditPhoneOnly.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_Phone_Email_Base
PolicyProfile
================================================
FILE: scenarios/phone-number-passwordless/README.md
================================================
# Password-less Sign-up or sign-in with phone number and/or email
## Instructions
* In all policies, replace every instance of ```yourtenant.onmicrosoft.com``` with your own tenant name (for example ```contoso.onmicrosoft.com```); a policy that still points at the placeholder tenant will fail to upload.
* In Phone_Email_Base, replace the placeholders ```ProxyIdentityExperienceFrameworkAppId``` and ```IdentityExperienceFrameworkAppId``` with the application (client) IDs of the corresponding app registrations in your tenant. These values are used by the local-account sign-in technical profile, so a wrong ID breaks email sign-in rather than failing at upload time.
* In Phone_Email_Base, replace ```{insert your privacy statement URL}``` and ```{insert your terms and conditions URL}``` with the appropriate URLs (use ```https://``` links, since they are rendered on the sign-up/sign-in pages). Alternatively, delete the lines containing this text if you do not want these links shown on your phone sign-up/sign-in pages.
* For policies in China, in Phone_Email_Base, replace every occurrence of ```sts.windows.net``` with ```sts.chinacloudapi.cn``` and of ```login.microsoftonline.com``` with ```login.chinacloudapi.cn```. These hosts appear in the issuer, OpenID Connect metadata and token endpoint settings of the local-account sign-in profile, so all three must be changed together.
## Contributing
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
================================================
FILE: scenarios/phone-number-passwordless/SignUpOrSignInWithPhone.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_Phone_Email_Base
PolicyProfile
================================================
FILE: scenarios/phone-number-passwordless/SignUpOrSignInWithPhoneOrEmail.xml
================================================
yourtenant.onmicrosoft.com
B2C_1A_Phone_Email_Base
PolicyProfile