---
title: Set up sign-up and sign-in with a Microsoft Account
titleSuffix: Azure AD B2C
description: Provide sign-up and sign-in to customers with Microsoft Accounts in your applications using Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: azure-active-directory
ms.topic: how-to
ms.date: 01/05/2025
ms.author: godonnell
ms.subservice: b2c
zone_pivot_groups: b2c-policy-type
#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with a Microsoft account, so that users can authenticate using their Microsoft account credentials.
---
# Set up sign-up and sign-in with a Microsoft account using Azure Active Directory B2C
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
::: zone pivot="b2c-custom-policy"
[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
::: zone-end
## Prerequisites
[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
## Create a Microsoft account application
To enable sign-in for users with a Microsoft account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). If you don't already have a Microsoft account, you can get one at [https://www.live.com/](https://www.live.com/).
1. Sign in to the [Azure portal](https://portal.azure.com).
1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra ID tenant from the **Directories + subscriptions** menu.
1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
1. Select **New registration**.
1. Enter a **Name** for your application. For example, *MSAapp1*.
1. Under **Supported account types**, select **personal Microsoft accounts (e.g. Skype, Xbox)**.
    For more information on the different account type selections, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
1. Under **Redirect URI (optional)**, select **Web** and enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your Azure AD B2C tenant, and `your-domain-name` with your custom domain.
1. Select **Register**.
1. Record the **Application (client) ID** shown on the application Overview page. You need the client ID when you configure the identity provider in the next section.
1. Select **Certificates & secrets**.
1. Select **New client secret**.
1. Enter a **Description** for the secret, for example *Application password 1*, and then select **Add**.
1. Record the application password shown in the **Value** column. It is shown only once; you need the client secret when you configure the identity provider in the next section.
::: zone pivot="b2c-user-flow"
## Configure Microsoft as an identity provider
1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that has at least [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator) privileges.
1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
1. Select **Identity providers**, then select **Microsoft Account**.
1. Enter a **Name**. For example, *MSA*.
1. For the **Client ID**, enter the Application (client) ID of the Microsoft Entra application that you created earlier.
1. For the **Client secret**, enter the client secret that you recorded.
1. Select **Save**.
## Add Microsoft identity provider to a user flow
At this point, the Microsoft identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Microsoft identity provider to a user flow:
1. In your Azure AD B2C tenant, select **User flows**.
1. Select the user flow to which you want to add the Microsoft identity provider.
1. Under the **Social identity providers**, select **Microsoft Account**.
1. Select **Save**.
1. To test your policy, select **Run user flow**.
1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
1. Select the **Run user flow** button.
1. From the sign-up or sign-in page, select **Microsoft** to sign in with Microsoft account.
If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
::: zone pivot="b2c-custom-policy"
## Configuring optional claims
If you want to get the `family_name` and `given_name` claims from Microsoft Entra ID, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Microsoft Entra app](../active-directory/develop/optional-claims.md).
1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Microsoft Entra ID**.
1. From the **Manage** section, select **App registrations**.
1. Select the application you want to configure optional claims for in the list.
1. From the **Manage** section, select **Token configuration**.
1. Select **Add optional claim**.
1. Select the token type you want to configure.
1. Select the optional claims to add.
1. Select **Add**.
## Create a policy key
Now that you've created the application in your Microsoft Entra tenant, you need to store that application's client secret in your Azure AD B2C tenant.
1. Sign in to the [Azure portal](https://portal.azure.com).
1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
1. On the Overview page, select **Identity Experience Framework**.
1. Select **Policy Keys** and then select **Add**.
1. For **Options**, choose `Manual`.
1. Enter a **Name** for the policy key. For example, `MSASecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
1. In **Secret**, enter the client secret that you recorded when you created the Microsoft account application.
1. For **Key usage**, select `Signature`.
1. Select **Create**.
## Configure Microsoft as an identity provider
To enable users to sign in using a Microsoft account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You define the Microsoft account identity provider as a claims provider by adding a **ClaimsProvider** element to the extension file of your policy.
1. Open the *TrustFrameworkExtensions.xml* policy file.
1. Find the **ClaimsProviders** element. If it does not exist, add it under the root element.
1. Add a new **ClaimsProvider** as follows:
```xml
<ClaimsProvider>
  <Domain>live.com</Domain>
  <DisplayName>Microsoft Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MSA-MicrosoftAccount-OpenIdConnect">
      <DisplayName>Microsoft Account</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="ProviderName">https://login.live.com</Item>
        <Item Key="METADATA">https://login.live.com/.well-known/openid-configuration</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">Your Microsoft application client ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```
1. Replace the value of **client_id** with the Microsoft Entra application's *Application (client) ID* that you recorded earlier.
1. Save the file.
You've now configured your policy so that Azure AD B2C knows how to communicate with your Microsoft account application in Microsoft Entra ID.
[!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)]
```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="MicrosoftAccountExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="MicrosoftAccountExchange" TechnicalProfileReferenceId="MSA-MicrosoftAccount-OpenIdConnect" />
  </ClaimsExchanges>
</OrchestrationStep>
```
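A mistake in either of the two XML fragments above (the **ClaimsProvider** in the extension file, or the **ClaimsProviderSelection** and **ClaimsExchange** wiring in the user journey) usually surfaces only as an upload error or a failed sign-in. The following Python script is an added example, not code from this article or from the Azure AD B2C starter pack: it lints a policy file offline for the settings that matter here (authorization-code flow with `form_post`, an `https` metadata URL on the `ProviderName` host, a real application ID rather than the placeholder, a `client_secret` that points at a `B2C_1A_` policy key, and an `issuerUserId` output claim) and checks that every `TargetClaimsExchangeId` resolves to a `ClaimsExchange` whose `TechnicalProfileReferenceId` exists. The sample policy embedded in the script is constructed from the page's snippets with the `client_id` placeholder left in so that the lint has something to report; `known_profiles` is this example's own parameter for profile IDs defined in files you do not load (for example *TrustFrameworkBase.xml*).

```python
"""Offline lint for the Microsoft-account ClaimsProvider and user-journey wiring.
Added example; not Microsoft documentation code. SAMPLE_POLICY is constructed
from the page's snippets with the client_id placeholder deliberately left in."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMPLE_POLICY = """<TrustFrameworkPolicy>
 <ClaimsProviders><ClaimsProvider><Domain>live.com</Domain><TechnicalProfiles>
  <TechnicalProfile Id="MSA-MicrosoftAccount-OpenIdConnect">
   <Protocol Name="OpenIdConnect" />
   <Metadata>
    <Item Key="ProviderName">https://login.live.com</Item>
    <Item Key="METADATA">https://login.live.com/.well-known/openid-configuration</Item>
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid profile email</Item>
    <Item Key="client_id">Your Microsoft application client ID</Item>
   </Metadata>
   <CryptographicKeys><Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret" /></CryptographicKeys>
   <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="email" />
   </OutputClaims>
  </TechnicalProfile>
 </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps>
  <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"><ClaimsProviderSelections>
   <ClaimsProviderSelection TargetClaimsExchangeId="MicrosoftAccountExchange" />
  </ClaimsProviderSelections></OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="MicrosoftAccountExchange" TechnicalProfileReferenceId="MSA-MicrosoftAccount-OpenIdConnect" />
  </ClaimsExchanges></OrchestrationStep>
 </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def _local(tag):
    """Real policy files carry the cpim XML namespace; compare local names only."""
    return tag.rsplit("}", 1)[-1]

def _find(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def lint_oidc_profile(tp):
    """Findings for one OpenIdConnect TechnicalProfile (empty list means clean)."""
    meta = {i.get("Key"): (i.text or "").strip() for i in _find(tp, "Item")}
    keys = {k.get("Id"): k.get("StorageReferenceId", "") for k in _find(tp, "Key")}
    claims = {c.get("ClaimTypeReferenceId") for c in _find(tp, "OutputClaim")}
    out = []
    if meta.get("response_types") != "code":
        out.append("response_types is not 'code': use the authorization-code flow, not implicit")
    if meta.get("response_mode") != "form_post":
        out.append("response_mode is not 'form_post'")
    md, pn = urlparse(meta.get("METADATA", "")), urlparse(meta.get("ProviderName", ""))
    if md.scheme != "https" or md.netloc != pn.netloc:
        out.append("METADATA must be https and on the same host as ProviderName")
    if "openid" not in meta.get("scope", "").split():
        out.append("scope does not include 'openid'")
    if not GUID.match(meta.get("client_id", "")):
        out.append("client_id is not an application (client) ID; placeholder left in?")
    if not keys.get("client_secret", "").startswith("B2C_1A_"):
        out.append("client_secret must reference a B2C_1A_ policy key, never a literal secret")
    if "issuerUserId" not in claims:
        out.append("issuerUserId output claim missing; B2C cannot link the account")
    return out

def lint_policy(xml_text, known_profiles=()):
    """Lint every OIDC profile and check that the user-journey wiring resolves.
    known_profiles: TechnicalProfile Ids defined in files not loaded here."""
    root = ET.fromstring(xml_text)
    profiles = {tp.get("Id"): tp for tp in _find(root, "TechnicalProfile")}
    report = {}
    for tp_id, tp in profiles.items():
        proto = _find(tp, "Protocol")
        if proto and proto[0].get("Name") == "OpenIdConnect":
            report[tp_id] = lint_oidc_profile(tp)
    exchanges = {e.get("Id"): e.get("TechnicalProfileReferenceId") for e in _find(root, "ClaimsExchange")}
    journey = []
    for sel in _find(root, "ClaimsProviderSelection"):
        target = sel.get("TargetClaimsExchangeId")  # absent on local-account selections
        if target and target not in exchanges:
            journey.append(f"ClaimsProviderSelection targets unknown ClaimsExchange {target!r}")
    for ex_id, ref in exchanges.items():
        if ref not in profiles and ref not in known_profiles:
            journey.append(f"ClaimsExchange {ex_id!r} references unknown TechnicalProfile {ref!r}")
    report["UserJourney"] = journey
    return report

if __name__ == "__main__":
    for section, findings in lint_policy(SAMPLE_POLICY).items():
        print(section, "->", findings or "OK")
```

Run as-is it reports exactly one finding, the unreplaced `client_id` placeholder, and a clean user journey. To lint your own files, pass the text of *TrustFrameworkExtensions.xml* to `lint_policy` and list the base-file profile IDs your journey references in `known_profiles`; the namespace-stripping in `_local` is what lets the same code work on real policy files, which declare the cpim schema namespace that the page's snippets omit.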
[!INCLUDE [active-directory-b2c-configure-relying-party-policy](../../includes/active-directory-b2c-configure-relying-party-policy-user-journey.md)]
## Test your custom policy
1. Select your relying party policy, for example `B2C_1A_signup_signin`.
1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
1. Select the **Run now** button.
1. From the sign-up or sign-in page, select **Microsoft** to sign in with Microsoft account.
If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
::: zone-end