This chapter covers Microsoft Entra External ID (formerly Azure AD B2C), a cloud identity service for customer-facing applications. For the AZ-204 exam, this topic falls under Domain 3 (Security) Objective 3.1: Implement authentication and authorization. Approximately 10-15% of exam questions touch on identity management, with a subset specifically on B2C scenarios. You will be tested on configuring user flows, custom policies, token claims, and integrating with applications. This chapter provides the deep technical understanding needed to answer these questions correctly.
Jump to a section
Imagine a large hotel with many different types of guests: transient visitors (customers), corporate event attendees, and long-term residents. The hotel uses a single front desk with a registration clerk. When a guest arrives, the clerk checks their identity (passport or driver's license) and issues a room key card that is valid only for their booked stay duration. The clerk keeps a log of which guest is in which room. For corporate events, the clerk can issue temporary badges that grant access to specific conference rooms and the business center. For long-term residents, the clerk can set up recurring billing and preferences. The clerk does not store the guest's full passport details after check-in, only the room number and a token identifier. If a guest loses their key card, the clerk can revoke the old card and issue a new one without changing the room lock. The hotel's security system allows the clerk to define custom access policies per guest type: e.g., transient guests cannot access the executive lounge, but corporate event attendees can during certain hours. The clerk also integrates with third-party services like taxi booking and restaurant reservations, but only after the guest explicitly consents. In this analogy, the hotel is your application, the guests are users (consumers, partners, employees), the registration clerk is Microsoft Entra External ID (B2C), the room key card is an access token, and the access policies are the custom policies that govern authentication and authorization flows.
What is Microsoft Entra External ID (B2C)?
Microsoft Entra External ID, commonly referred to as Azure AD B2C, is a customer identity and access management (CIAM) solution that handles authentication and authorization for external users—such as customers, partners, or citizens—of your applications. It is built on the same platform as Microsoft Entra ID (formerly Azure AD) but is a separate tenant designed for consumer-scale scenarios. B2C supports multiple identity providers (IdPs), including social accounts (Google, Facebook, Microsoft, Apple), enterprise SAML/WS-Federation IdPs, and local accounts (email/password or phone/OTP).
How It Works Internally
B2C operates on the concept of user flows (built-in) and custom policies (Identity Experience Framework). When a user attempts to sign in to an application, the application initiates an OAuth 2.0 or OpenID Connect (OIDC) request to the B2C tenant's authorization endpoint. B2C then executes a policy (either a user flow or a custom policy) that defines the steps of authentication: collecting credentials, validating them, calling external IdPs, and issuing tokens.
Step-by-step mechanism:
1. The application redirects the user to B2C's authorization endpoint with query parameters including the policy name (e.g., p=B2C_1_signupsignin).
2. B2C loads the policy's orchestration steps. Each step can be a self-asserted page (e.g., collect email and password), a technical profile (e.g., validate against a claims provider), or a redirect to an external IdP.
3. The user interacts with the B2C-hosted pages. For local accounts, B2C validates credentials against its internal directory (which stores user objects with claims). For social IdPs, B2C redirects the user to the social provider, which returns an assertion (ID token) to B2C.
4. B2C processes the assertion, maps claims (e.g., socialIdpUserId to objectId), and may call additional technical profiles (e.g., to read user data from a REST API, write to a database, or check for fraud).
5. After all steps complete, B2C creates a token (ID token, access token, or refresh token) containing claims as defined in the policy's output claims. The token is signed with B2C's private key.
6. The application validates the token (signature, issuer, audience, expiration) and uses it to authorize access to resources.
Key Components, Values, Defaults, and Timers
Tenant: A B2C tenant is a dedicated directory with its own domain (e.g., contoso.b2clogin.com). The default domain is yourtenant.onmicrosoft.com. The B2C tenant's metadata endpoint is at https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=<policy-name>.
User Flows (Built-in): Predefined policies for sign-up/sign-in, profile editing, password reset. They are easy to configure via the Azure portal. Default token lifetime: ID tokens 1 hour, access tokens 1 hour, refresh tokens 24 hours (sliding window). Can be customized from 5 minutes to 24 hours for access tokens, 5 minutes to 14 days for refresh tokens.
Custom Policies (Identity Experience Framework): XML-based policies that define every step. They are more flexible but complex. Used for advanced scenarios like custom claims injection, integration with external systems, or custom UI.
Identity Providers (IdPs): Supported social IdPs: Microsoft Account, Google+, Facebook, Amazon, LinkedIn, Apple (via OpenID Connect), and any OpenID Connect provider. Also supports SAML and WS-Federation enterprise IdPs. For social IdPs, you need to register an application in the IdP's developer portal and obtain client ID and secret.
Token Claims: Default claims include iss (issuer), aud (application ID), sub (subject, the user's object ID), exp, iat, auth_time, idp (identity provider), given_name, family_name, emails. Custom claims can be added via custom policies.
Application Registration: In the B2C tenant, you register your application(s). For a web app, you specify redirect URIs (must be HTTPS). For a single-page app (SPA), you use the authorization code flow with PKCE. For a mobile/native app, you can use authorization code flow with PKCE or implicit flow (deprecated).
User Attributes: Built-in attributes: email, display name, given name, surname, city, country, postal code, job title, etc. Custom attributes can be added via the portal or Graph API (up to 100 per tenant).
Session Management: B2C maintains a session cookie (default: 24 hours, sliding). Single sign-on (SSO) across applications within the same B2C tenant is enabled by default. You can configure session behavior per policy (e.g., keep session alive only for the policy).
Rate Limits: B2C has throttling limits: 1000 requests per minute per tenant for most endpoints, 200 requests per minute for token endpoint. Higher limits available with premium tiers.
Configuration and Verification Commands
Azure CLI commands (az rest with B2C Graph API):
# List B2C tenants
az rest --method get --uri "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.AzureActiveDirectory/b2cDirectories?api-version=2020-05-01-preview"
# Create a B2C tenant (preview)
az rest --method put --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.AzureActiveDirectory/b2cDirectories/{tenantName}?api-version=2020-05-01-preview" --body '{"location": "United States", "properties": {"tenantId": "{tenantId}", "sku": {"name": "PremiumP1", "tier": "A0"}}}'PowerShell (AzureAD module):
# Connect to B2C tenant
Connect-AzureAD -TenantId "yourtenant.onmicrosoft.com"
# Get user flows
Get-AzureADMSIdentityProvider
# Get custom policies (via Graph)
Get-AzureADPolicyVerification of token: Use jwt.ms or a tool like jwt.io to decode token. Check signature using the keys from https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/discovery/v2.0/keys?p=<policy-name>.
Interaction with Related Technologies
Microsoft Entra ID (Azure AD): B2C is separate from Azure AD; they cannot share users natively. However, you can configure B2C to federate with Azure AD as an IdP (for employee/customer scenarios). B2C can also read/write to Azure AD using Graph API (with admin consent).
Microsoft Graph: B2C exposes a subset of Graph API for user management: https://graph.windows.net/yourtenant.onmicrosoft.com/users?api-version=1.6. Note: B2C does not support Microsoft Graph v1.0 for user management; you must use the legacy Azure AD Graph or the B2C-specific Graph API (deprecated). Newer applications should use Microsoft Graph with the b2c-extensions-app.
Azure API Management (APIM): You can validate B2C tokens in APIM policies using validate-jwt.
Azure Functions / Logic Apps: B2C custom policies can call REST APIs (e.g., Azure Functions) to validate or enrich claims.
Azure AD B2C vs. Entra External ID: Entra External ID is the new name for Azure AD B2C. The service is identical; only the branding changed. Exam may still refer to Azure AD B2C.
Register Application in B2C Tenant
First, you must register your application in the B2C tenant. In the Azure portal, navigate to the B2C tenant and select 'App registrations'. Click 'New registration'. Provide a name (e.g., 'MyWebApp'), select supported account types (typically 'Accounts in any identity provider or organizational directory (for authenticating users with user flows)'), and set the redirect URI (e.g., 'https://localhost:44321/signin-oidc' for a web app using OIDC). For single-page apps, use 'Single-page application (SPA)' platform and redirect URI like 'https://localhost:3000'. After registration, note the Application (client) ID. Then, under 'Certificates & secrets', create a client secret (for web apps) or use a certificate. For native apps, no secret is used. This step is crucial because B2C uses the client ID to identify the application and the secret/certificate to authenticate the app when it requests tokens.
Create a User Flow (Sign-Up and Sign-In)
In the B2C tenant, navigate to 'User flows' and click 'New user flow'. Select 'Sign up and sign in' and give it a name like 'B2C_1_signupsignin'. Under 'Identity providers', enable 'Email signup' (local account) and optionally social IdPs like Google or Facebook (you must configure those IdPs separately with their client IDs and secrets). Under 'User attributes', select claims you want to collect during sign-up (e.g., Display Name, Given Name, City). Under 'Application claims', select claims that should appear in the token (e.g., Display Name, Email Addresses). You can also set session behavior (e.g., session lifetime = 24 hours, keep session alive = No). Save the user flow. A user flow is a predefined policy that B2C executes when a user signs up or signs in. The exam tests that you know how to configure user flows for common scenarios.
Configure Your Application to Use B2C
In your application code, you must configure the OIDC middleware to use the B2C authority. For an ASP.NET Core web app, in `appsettings.json`, set `AzureAdB2C` section with `Instance` (e.g., 'https://yourtenant.b2clogin.com'), `Domain` (yourtenant.onmicrosoft.com), `TenantId` (yourtenant.onmicrosoft.com), `ClientId` (from app registration), `ClientSecret` (optional, for confidential clients), `SignUpSignInPolicyId` (e.g., 'B2C_1_signupsignin'). In `Startup.cs`, add `AddMicrosoftIdentityWebAppAuthentication` with the B2C options. The middleware handles redirecting to B2C, receiving the authorization code, exchanging it for tokens, and validating the ID token. For JavaScript SPA, use MSAL.js 2.0 with the authorization code flow + PKCE. The configuration includes `auth.authority` set to `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1_signupsignin` and `auth.clientId`.
User Signs Up or Signs In
When a user clicks 'Sign In' on your app, the middleware redirects the browser to the B2C authorization endpoint: `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signupsignin&client_id=...&redirect_uri=...&response_type=code&scope=openid%20offline_access`. B2C renders the sign-in page. The user enters their email and password (or clicks a social IdP button). For sign-up, they fill in the required attributes. B2C validates credentials locally or via the social IdP. After successful authentication, B2C redirects the user back to your app's redirect URI with an authorization code (for code flow) or an ID token (for implicit flow, deprecated). The app then exchanges the code for tokens at the token endpoint. The ID token is a JWT containing claims like `sub` (user's object ID), `email`, `name`, `idp`. The app validates the token's signature using B2C's public keys, checks the issuer (`https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/`), audience (client ID), and expiration.
Access Protected Resources
After obtaining an access token (if the app requested `scope` for a downstream API), the app uses it to call the API. The API must validate the token similarly. For example, an ASP.NET Core Web API can use `AddMicrosoftIdentityWebApi` middleware. The middleware validates the token's signature, issuer, audience, and optionally checks roles or scopes. B2C access tokens are opaque to the client but are JWTs for validation. The access token contains the `scp` claim (scopes) and `roles` claim (if application roles are defined). The API authorizes based on these claims. B2C also issues refresh tokens (if `offline_access` scope is granted) that can be used to obtain new access tokens without user interaction. Refresh token lifetime is configurable (default 24 hours, sliding). The exam tests that you understand token validation and the difference between ID token and access token.
Enterprise Scenario 1: E-commerce Platform with Social Login
A retail company wants customers to sign in using their Google or Facebook accounts to reduce friction. They deploy B2C with user flows for sign-up/sign-in. They configure Google and Facebook as identity providers by registering apps in those platforms and providing client IDs and secrets to B2C. During sign-up, they collect the user's email and name from the social IdP. The application (a .NET Core web app) uses the OIDC middleware. In production, they face issues with token size when many custom claims are added; they optimize by limiting claims. They also configure session timeout to 8 hours for convenience. A common misconfiguration is not setting the correct redirect URI in the social IdP app registration, causing login failures. They use Azure Monitor to track sign-in failures and set up alerts for sudden spikes.
Enterprise Scenario 2: Multi-Tenant SaaS with Custom Policies
A SaaS provider needs to allow each enterprise customer to bring their own SAML IdP (e.g., Okta, ADFS). They use B2C custom policies to define a SAML technical profile for each customer. The policy includes claims transformation to map SAML attributes to B2C claims. They also integrate with a REST API to check if the user's tenant is active. At scale (millions of users), they notice performance issues due to excessive REST API calls; they implement caching with Azure Redis Cache. They also use Azure Front Door to distribute B2C traffic globally. Misconfiguration of XML in custom policies leads to runtime errors; they use the IEF extension for Visual Studio Code for validation.
Enterprise Scenario 3: Mobile App with Phone OTP
A ride-sharing app uses B2C for phone-based authentication (OTP). They configure a user flow with phone sign-up/sign-in. The user enters their phone number, receives an SMS with a one-time passcode, and enters it in the app. The app uses MSAL for Android/iOS. They set the OTP code length to 6 digits and expiration to 5 minutes. In production, they encounter issues with SMS delivery delays; they implement a fallback to voice call. They also configure B2C to block suspicious sign-ins using risk-based conditional access (premium P2). A common pitfall is not handling the case where the user's phone number changes; they allow profile editing via a separate user flow.
What Goes Wrong When Misconfigured:
- Wrong tenant domain: Using login.microsoftonline.com instead of b2clogin.com causes CORS or token validation errors.
- Missing policy parameter: The p query parameter must match the exact policy name (case-sensitive).
- Incorrect redirect URI: Must be exactly as registered, including trailing slashes. HTTPS is required (except for localhost HTTP).
- Token validation: If the API does not validate the issuer correctly, it may accept tokens from other B2C tenants.
- Custom policy errors: XML syntax errors or missing dependencies cause B2C to return a generic error page.
Objective Codes: AZ-204 Objective 3.1: Implement authentication and authorization. Specifically, the exam tests:
Configure Microsoft Entra External ID for external users.
Implement user flows and custom policies.
Integrate with identity providers (social, SAML, etc.).
Validate tokens and claims.
Common Wrong Answers and Why Candidates Choose Them: 1. Wrong: 'Use Azure AD (not B2C) for customer identities.' Candidates may think Azure AD can handle external users, but Azure AD is designed for employees and guests (B2B). For consumers (B2C), you must use Entra External ID (B2C). 2. Wrong: 'Implicit flow is recommended for SPAs.' Implicit flow is deprecated due to security concerns; the exam expects you to know that authorization code flow with PKCE is the correct approach for SPAs. 3. Wrong: 'Use the same tenant for B2C and Azure AD.' They are separate tenants; you cannot merge them. B2C has its own directory. 4. Wrong: 'Custom policies are always easier than user flows.' Custom policies are more flexible but much more complex. The exam tests that user flows are for standard scenarios; custom policies for advanced scenarios.
Specific Numbers, Values, and Terms:
- Token lifetime defaults: ID token 1 hour, access token 1 hour, refresh token 24 hours (sliding).
- B2C domain: yourtenant.b2clogin.com (not login.microsoftonline.com).
- Policy parameter: p=B2C_1_signupsignin.
- Claim sub is the immutable user object ID.
- Maximum custom attributes: 100 per tenant.
- Supported token formats: JWT (ID and access tokens), opaque (for some scenarios).
Edge Cases and Exceptions:
- B2C does not support device code flow.
- B2C does not support client credentials flow (app-only authentication).
- For B2C, the offline_access scope is required to get refresh tokens.
- B2C tokens are issued by the B2C tenant, not by Microsoft's common endpoint.
- When using custom policies, the policy key must be stored in the B2C tenant's Policy Keys blade.
How to Eliminate Wrong Answers:
- If the scenario involves external customers (consumers), the answer must involve B2C, not Azure AD.
- If the question mentions 'social login', 'custom branding', 'phone sign-up', it's B2C.
- If the question asks about token validation, remember that the issuer is https://yourtenant.b2clogin.com/....
- If the question mentions 'policy', distinguish between user flow (built-in) and custom policy (IEF).
Microsoft Entra External ID (B2C) is a CIAM service for customer-facing applications, separate from Azure AD.
B2C uses user flows (built-in) and custom policies (IEF) to define authentication journeys.
The B2C tenant domain is `yourtenant.b2clogin.com`; tokens are issued by this domain.
Default token lifetimes: ID token 1 hour, access token 1 hour, refresh token 24 hours (sliding).
For SPAs, use authorization code flow with PKCE; implicit flow is deprecated.
B2C supports social IdPs (Google, Facebook, Apple, etc.), SAML, and WS-Federation.
Custom policies are XML-based and allow integration with REST APIs, custom claims, and complex orchestration.
B2C does not support client credentials flow or device code flow.
Token validation must use the B2C metadata endpoint with policy parameter `p=<policy-name>`.
The `sub` claim is the immutable user object ID in the B2C directory.
These come up on the exam all the time. Here's how to tell them apart.
User Flows
Predefined, easy-to-configure via Azure portal.
Suitable for standard sign-up/sign-in, profile editing, password reset.
Limited customization: can select built-in claims, but cannot add custom REST API calls or complex logic.
Faster to deploy and maintain.
Token claims are limited to built-in attributes and a few custom attributes.
Custom Policies
XML-based, fully customizable orchestration steps.
Required for advanced scenarios: custom REST API integration, claims transformation, multi-step MFA, custom IdP federation.
Full control over every step, including error handling and data exchange.
Complex to author and debug; requires understanding of Identity Experience Framework.
Can include any claims from any source (REST, IdP, directory) via claims transformations.
Mistake
Azure AD B2C is the same as Azure AD B2B.
Correct
Azure AD B2C is for consumer identities (external customers), while Azure AD B2B is for business partner identities (guest users in your Azure AD tenant). They use different technologies: B2C uses user flows/custom policies; B2B uses invitation-based redemption.
Mistake
You can use the same Azure AD tenant for both employees and customers.
Correct
Azure AD is for organizational identities. For customers, you must create a separate B2C tenant. They are separate directories and cannot be merged, though you can federate B2C with Azure AD as an identity provider.
Mistake
B2C supports the client credentials flow for daemon apps.
Correct
B2C does not support the OAuth 2.0 client credentials grant. It is designed for interactive user authentication. For daemon apps, use Azure AD.
Mistake
Custom policies are the recommended approach for most scenarios.
Correct
User flows (built-in) are recommended for standard sign-up/sign-in, profile editing, and password reset because they are easier to configure and maintain. Custom policies are only needed for advanced scenarios like custom claims injection, integration with external REST APIs, or custom IdP federation.
Mistake
B2C tokens can be validated using the common Azure AD metadata endpoint.
Correct
B2C tokens must be validated using the B2C-specific metadata endpoint that includes the policy parameter. The issuer is the B2C tenant domain, not `login.microsoftonline.com`. Using the common endpoint will fail validation.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure AD B2C is for customer identity (consumers) using local accounts or social IdPs, while Azure AD B2B is for business partner identity (guest users) who authenticate with their own Azure AD or SAML IdP. B2C uses a separate tenant; B2B uses the same Azure AD tenant as employees. For AZ-204, if the scenario involves external customers, use B2C; if it involves partner organizations, use B2B.
First, create an application in the Google API Console to obtain a client ID and client secret. Then, in your B2C tenant, go to 'Identity providers' and add Google. Enter the client ID and secret. In your user flow (or custom policy), enable Google as an identity provider. When users sign in, they can choose to authenticate with Google. B2C will redirect to Google, receive the authentication assertion, and map Google's claims to B2C claims.
The `p` parameter specifies the policy to execute. For example, `p=B2C_1_signupsignin` tells B2C to run that specific user flow or custom policy. Each policy defines a different authentication journey. The parameter must match the policy name exactly (case-sensitive). Without it, B2C returns an error.
Yes. For mobile apps, use MSAL (Microsoft Authentication Library) for iOS/Android. MSAL implements the authorization code flow with PKCE. You configure the authority as `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>`. The app redirects to B2C's hosted pages, and after authentication, B2C returns an authorization code that MSAL exchanges for tokens.
For user flows, you can add built-in user attributes as claims. For custom attributes (up to 100), you define them in 'User attributes' and then select them as 'Application claims' in the user flow. For custom policies, you can define claims transformations and technical profiles that read from REST APIs or the directory to inject any claim. The custom policy must declare the output claim in the relying party section.
Use the Microsoft Identity Web library (for ASP.NET Core) or similar middleware. Configure the API to use B2C as the authority: `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/`. Set the valid issuer to `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/`. The middleware automatically validates the token's signature, issuer, audience, and expiration. You can also validate scopes or roles for authorization.
Yes. Use MSAL.js 2.0 which implements the authorization code flow with PKCE. Configure the authority with the policy parameter. Do NOT use implicit flow as it is deprecated and less secure. The SPA redirects to B2C, receives an authorization code, and MSAL exchanges it for tokens. The access token can be used to call APIs.
You've just covered Microsoft Entra External ID (B2C) — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?