---
title: Set up sign-up and sign-in with a Microsoft Account
titleSuffix: Azure AD B2C
description: Provide sign-up and sign-in to customers with Microsoft Accounts in your applications using Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: azure-active-directory
ms.topic: how-to
ms.date: 01/05/2025
ms.author: godonnell
ms.subservice: b2c
zone_pivot_groups: b2c-policy-type
---

# Set up sign-up and sign-in with a Microsoft account using Azure Active Directory B2C

[!INCLUDE active-directory-b2c-end-of-sale-notice-b]

[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]

::: zone pivot="b2c-custom-policy"

[!INCLUDE active-directory-b2c-advanced-audience-warning]

::: zone-end

## Prerequisites

[!INCLUDE active-directory-b2c-customization-prerequisites]

## Create a Microsoft account application

To enable sign-in for users with a Microsoft account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the Azure portal. For more information, see Register an application with the Microsoft identity platform. If you don't already have a Microsoft account, you can get one at https://www.live.com/.

  1. Sign in to the Azure portal.

  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Microsoft Entra ID tenant from the Directories + subscriptions menu.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select App registrations.

  4. Select New registration.

  5. Enter a Name for your application. For example, MSAapp1.

  6. Under Supported account types, select personal Microsoft accounts (e.g. Skype, Xbox).

    For more information on the different account type selections, see Quickstart: Register an application with the Microsoft identity platform.

  7. Under Redirect URI (optional), select Web and enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-tenant-name with the name of your Azure AD B2C tenant, and your-domain-name with your custom domain.

  8. Select Register.

  9. Record the Application (client) ID shown on the application Overview page. You need the client ID when you configure the identity provider in the next section.

  10. Select Certificates & secrets.

  11. Select New client secret.

  12. Enter a Description for the secret, for example Application password 1, and then click Add.

  13. Record the application password shown in the Value column. You need the client secret when you configure the identity provider in the next section.

::: zone pivot="b2c-user-flow"

## Configure Microsoft as an identity provider

  1. Sign in to the Azure portal with an account that has at least External Identity Provider Administrator privileges.
  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select Identity providers, then select Microsoft Account.
  5. Enter a Name. For example, MSA.
  6. For the Client ID, enter the Application (client) ID of the Microsoft Entra application that you created earlier.
  7. For the Client secret, enter the client secret that you recorded.
  8. Select Save.

## Add Microsoft identity provider to a user flow

At this point, the Microsoft identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Microsoft identity provider to a user flow:

  1. In your Azure AD B2C tenant, select User flows.
  2. Select the user flow to which you want to add the Microsoft identity provider.
  3. Under Social identity providers, select Microsoft Account.
  4. Select Save.
  5. To test your policy, select Run user flow.
  6. For Application, select the web application named testapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  7. Select the Run user flow button.
  8. From the sign-up or sign-in page, select Microsoft to sign in with Microsoft account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

::: zone-end

::: zone pivot="b2c-custom-policy"

## Configuring optional claims

If you want to get the family_name and given_name claims from Microsoft Entra ID, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see How to provide optional claims to your Microsoft Entra app.

  1. Sign in to the Azure portal. Search for and select Microsoft Entra ID.
  2. From the Manage section, select App registrations.
  3. Select the application you want to configure optional claims for in the list.
  4. From the Manage section, select Token configuration (preview).
  5. Select Add optional claim.
  6. Select the token type you want to configure.
  7. Select the optional claims to add.
  8. Click Add.

## Create a policy key

Now that you've created the application in your Microsoft Entra tenant, you need to store that application's client secret in your Azure AD B2C tenant.

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. On the Overview page, select Identity Experience Framework.
  5. Select Policy Keys and then select Add.
  6. For Options, choose Manual.
  7. Enter a Name for the policy key. For example, MSASecret. The prefix B2C_1A_ is added automatically to the name of your key.
  8. In Secret, enter the client secret that you recorded in the previous section.
  9. For Key usage, select Signature.
  10. Click Create.

## Configure Microsoft as an identity provider

To enable users to sign in using a Microsoft account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

You can define Microsoft Entra ID as a claims provider by adding the ClaimsProvider element in the extension file of your policy.

  1. Open the TrustFrameworkExtensions.xml policy file.

  2. Find the ClaimsProviders element. If it does not exist, add it under the root element.

  3. Add a new ClaimsProvider as follows:

    ```xml
    <ClaimsProvider>
      <Domain>live.com</Domain>
      <DisplayName>Microsoft Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="MSA-MicrosoftAccount-OpenIdConnect">
          <DisplayName>Microsoft Account</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <Item Key="ProviderName">https://login.live.com</Item>
            <Item Key="METADATA">https://login.live.com/.well-known/openid-configuration</Item>
            <Item Key="response_types">code</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="scope">openid profile email</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="client_id">Your Microsoft application client ID</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret" />
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
            <OutputClaim ClaimTypeReferenceId="email" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    ```

  4. Replace the value of client_id with the Microsoft Entra application's Application (client) ID that you recorded earlier.

  5. Save the file.

You've now configured your policy so that Azure AD B2C knows how to communicate with your Microsoft account application in Microsoft Entra ID.

[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]

```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="MicrosoftAccountExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="MicrosoftAccountExchange" TechnicalProfileReferenceId="MSA-MicrosoftAccount-OpenIdConnect" />
  </ClaimsExchanges>
</OrchestrationStep>
```
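Before uploading the extension file, it is worth checking mechanically that the ClaimsProvider from the previous section and the orchestration steps above agree with each other: the `client_id` placeholder has been replaced with a real application ID, the client secret is pulled from a `B2C_1A_` policy key rather than inlined, the OpenID Connect metadata is fetched over HTTPS, and every `ClaimsProviderSelection` resolves to a `ClaimsExchange` whose `TechnicalProfileReferenceId` names a profile that exists. The script below is an added example written for this article; it is not part of Azure AD B2C or its tooling. The XML it lints is a constructed, trimmed copy of the two snippets on this page wrapped in a minimal `TrustFrameworkPolicy` root, and the GUID used in the "fixed" run is made up.

```python
"""Lint the Microsoft-account ClaimsProvider and orchestration wiring of an
Azure AD B2C custom policy before upload. Added example, not B2C tooling."""
import re
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER = "Your Microsoft application client ID"  # text left in the page's snippet

# Constructed sample: the page's ClaimsProvider and orchestration steps,
# trimmed and wrapped in a minimal root. client_id is filled in by sample_policy().
POLICY_TEMPLATE = """<TrustFrameworkPolicy>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="MSA-MicrosoftAccount-OpenIdConnect">
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <Item Key="ProviderName">https://login.live.com</Item>
            <Item Key="METADATA">https://login.live.com/.well-known/openid-configuration</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="scope">openid profile email</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="client_id">{client_id}</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret" />
          </CryptographicKeys>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="MicrosoftAccountExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="MicrosoftAccountExchange" TechnicalProfileReferenceId="MSA-MicrosoftAccount-OpenIdConnect" />
      </ClaimsExchanges>
    </OrchestrationStep>
  </OrchestrationSteps>
</TrustFrameworkPolicy>"""


def sample_policy(client_id=PLACEHOLDER):
    """Return the constructed sample with the given client_id filled in."""
    return POLICY_TEMPLATE.format(client_id=client_id)


def _strip_ns(root):
    # Real policy files carry an XML namespace; drop it so tags match by local name.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def lint_policy(policy_xml, tp_id="MSA-MicrosoftAccount-OpenIdConnect"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = _strip_ns(ET.fromstring(policy_xml))
    tp = next((t for t in root.iter("TechnicalProfile") if t.get("Id") == tp_id), None)
    if tp is None:
        return [f"technical profile {tp_id} not found"]

    proto = tp.find("Protocol")
    if proto is None or proto.get("Name") != "OpenIdConnect":
        findings.append("Protocol must be OpenIdConnect")

    md = {i.get("Key"): (i.text or "").strip() for i in tp.findall("./Metadata/Item")}
    if not md.get("METADATA", "").startswith("https://"):
        findings.append("METADATA must be an https URL")
    if "openid" not in md.get("scope", "").split():
        findings.append("scope must include openid")
    if md.get("response_mode") != "form_post" or md.get("HttpBinding") != "POST":
        findings.append("response_mode form_post requires HttpBinding POST")
    client_id = md.get("client_id", "")
    if client_id == PLACEHOLDER or not GUID_RE.match(client_id):
        findings.append("client_id is still the placeholder or not a GUID")

    # The secret must be referenced from a B2C_1A_ policy key, never inlined.
    keys = {k.get("Id"): k.get("StorageReferenceId", "") for k in tp.findall("./CryptographicKeys/Key")}
    if not keys.get("client_secret", "").startswith("B2C_1A_"):
        findings.append("client_secret must reference a B2C_1A_ policy key")

    # Every ClaimsProviderSelection must resolve to a ClaimsExchange whose
    # TechnicalProfileReferenceId names a profile that actually exists.
    tp_ids = {t.get("Id") for t in root.iter("TechnicalProfile")}
    exchanges = {e.get("Id"): e.get("TechnicalProfileReferenceId") for e in root.iter("ClaimsExchange")}
    for sel in root.iter("ClaimsProviderSelection"):
        target = sel.get("TargetClaimsExchangeId")
        if target not in exchanges:
            findings.append(f"no ClaimsExchange with Id {target}")
        elif exchanges[target] not in tp_ids:
            findings.append(f"ClaimsExchange {target} points at unknown profile {exchanges[target]}")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(sample_policy()) or ["no findings"]:
        print(finding)
```

Run as-is, the script reports only that `client_id` is still the placeholder, which is exactly the state the snippet on this page is in before step 4; once a real Application (client) ID is substituted the list is empty. To lint your own files, pass the contents of TrustFrameworkExtensions.xml together with the user journey that contains the orchestration steps.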

[!INCLUDE active-directory-b2c-configure-relying-party-policy]

## Test your custom policy

  1. Select your relying party policy, for example B2C_1A_signup_signin.
  2. For Application, select a web application that you previously registered. The Reply URL should show https://jwt.ms.
  3. Select the Run now button.
  4. From the sign-up or sign-in page, select Microsoft to sign in with Microsoft account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

::: zone-end