
azure-ad-b2c-saml-custom-claim's Introduction

Azure AD B2C custom policy with SAML2 token, custom claims, forgot password and UI customizations

This is an example of an Azure AD B2C custom policy that issues a SAML2 token with custom claims. The custom policy is based on the SocialAndLocalAccounts starter pack and is extended to issue a SAML2 token and a custom claim.

Customizations

  1. Added custom claim loyaltyId
  2. Forgot password link is working (Sign-up and Sign-in with embedded password reset).
  3. Added forceChangePasswordNextLogin support (Configure a force password reset flow in Azure AD B2C - Azure AD B2C).
  4. Customized UI for Sign-in and Password reset pages (Customize the user interface with HTML templates in Azure Active Directory B2C).

Deployment

Deploy customized UI

The html_templates folder contains the final HTML templates. In order to use them, the following placeholders in the HTML files need to be replaced with actual values:

  • https://login.microsoftonline.com/ needs to be replaced with your actual hosting URL (e.g. https://yourstorageaccount.blob.core.windows.net/yourcontainer/). The URL must be publicly available and CORS support must be enabled.

Afterwards, upload the customized HTML templates to your publicly available server with CORS support (e.g. host the Azure AD B2C templates in Azure Blob Storage).

Deploy custom policy

To create the custom policy, you need to follow the steps below:

  1. Register a SAML application in Azure AD B2C
  2. Add custom claims and customize user input
  3. Enable custom claims by enabling Azure AD B2C extensions app

The policy folder contains the final custom policy files created by following the steps above. In order to use them, the following placeholders need to be replaced with actual values:

  • yourtenant.onmicrosoft.com needs to be replaced with your actual tenant name
  • B2CExtensionsAppAppId and B2CExtensionsAppObjectId with values of b2c-extensions-app from App Registrations in Azure AD B2C
  • ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId with application ids of IdentityExperienceFramework and ProxyIdentityExperienceFramework applications from App Registrations in Azure AD B2C
  • https://login.microsoftonline.com/ needs to be replaced with your actual hosting URL (e.g. https://yourstorageaccount.blob.core.windows.net/yourcontainer/). The URL must be publicly available and CORS support must be enabled.

After the custom policy has been deployed, you can test it with the SAML Test Service.

Note: A custom claim (a.k.a. extension attribute) is not created in the directory when it is defined. The first time the AAD technical profile persists the claim to the directory, it checks whether the custom claim exists and creates it if it does not.

Note: Custom claims (a.k.a. extension attributes) are not visible within the user properties in Azure AD B2C in the Azure Portal. You can use Microsoft Graph or a .NET Core console app to manage custom claims.

Note: Existing user profile attributes (e.g. city) can be used only if they are listed in the documentation. Other attributes (e.g. employeeId) that are visible in the user properties of the Azure AD B2C user blade but are not listed in the documentation are not supported.

Manage custom claims with Microsoft Graph

To get user custom claims with Microsoft Graph, you can use the following endpoint:

GET https://graph.microsoft.com/beta/users/{id | userPrincipalName}

To modify user custom claims with Microsoft Graph, you can use the following endpoint:

PATCH https://graph.microsoft.com/beta/users/{id | userPrincipalName}

where the body is the following JSON:

{
    "extension_{appId}_customClaim": "value"
}

Note: Replace {appId} with the application id of the b2c-extensions-app from App Registrations in Azure AD B2C. The application id must not contain hyphens (-) in the extension attribute name.

Manage force change password with Microsoft Graph

To get a user's forceChangePasswordNextSignIn property with Microsoft Graph, you can use the following endpoint:

GET https://graph.microsoft.com/beta/users/{id | userPrincipalName}

and the forceChangePasswordNextSignIn property is in the response:

{
	"passwordProfile": {
		"forceChangePasswordNextSignIn": true
	}
}

To modify a user's forceChangePasswordNextSignIn property with Microsoft Graph, you can use the following endpoint:

PATCH https://graph.microsoft.com/beta/users/{id | userPrincipalName}

where the body is the following JSON:

{
    "passwordProfile": {
      "forceChangePasswordNextSignIn": true
    }
}
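As an added example (not part of this repository), the following Python helper builds the extension attribute name and the request bodies described in the two Microsoft Graph sections above, and prepares the GET/PATCH request to /beta/users/{id | userPrincipalName} without sending it. The application id, user and bearer token are constructed placeholders, and obtaining an access token for Microsoft Graph is assumed to happen separately.

```python
import json
import re
import urllib.request
from typing import Optional

GRAPH_BETA = "https://graph.microsoft.com/beta"


def extension_attribute_name(extensions_app_id: str, claim: str) -> str:
    """Graph property name of a B2C custom claim: extension_{appId}_{claim}.
    The hyphens are stripped from the b2c-extensions-app application id."""
    app_id = extensions_app_id.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", app_id):
        raise ValueError("b2c-extensions-app application id must be a GUID")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", claim):  # assumed: alphanumeric claim names
        raise ValueError("claim name must be alphanumeric")
    return f"extension_{app_id}_{claim}"


def custom_claims_patch_body(extensions_app_id: str, claims: dict) -> dict:
    """PATCH body that writes one or more custom claims (e.g. loyaltyId) on a user."""
    return {extension_attribute_name(extensions_app_id, k): v for k, v in claims.items()}


def force_change_password_patch_body(force: bool) -> dict:
    """PATCH body that sets passwordProfile.forceChangePasswordNextSignIn."""
    return {"passwordProfile": {"forceChangePasswordNextSignIn": force}}


def read_force_change_password(user: dict) -> bool:
    """Read the flag from a GET /beta/users/{id} response; a missing flag means not forced."""
    return bool(user.get("passwordProfile", {}).get("forceChangePasswordNextSignIn", False))


def graph_user_request(method: str, user: str, token: str,
                       body: Optional[dict] = None) -> urllib.request.Request:
    """Build (but do not send) GET/PATCH {GRAPH_BETA}/users/{id | userPrincipalName}."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{GRAPH_BETA}/users/{user}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")  # token obtained separately (assumption)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    # Constructed placeholder values; replace them before sending with urllib.request.urlopen().
    APP_ID = "12345678-abcd-1234-abcd-123456789abc"
    body = custom_claims_patch_body(APP_ID, {"loyaltyId": "L-42"})
    print(json.dumps(body, indent=2))
    req = graph_user_request("PATCH", "[email protected]", "<token>", body)
    print(req.get_method(), req.full_url)
```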


License

Distributed under MIT License. See LICENSE for more details.
