---
title: Set up sign-up and sign-in with an Azure AD B2C account from another Azure AD B2C tenant
titleSuffix: Azure AD B2C
description: Provide sign-up and sign-in to customers with Azure AD B2C accounts from another tenant in your applications using Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: azure-active-directory
ms.topic: how-to
ms.date: 10/11/2024
ms.author: godonnell
ms.subservice: b2c
zone_pivot_groups: b2c-policy-type
ms.custom:
  - fasttrack-edit
  - sfi-image-nochange
---

# Set up sign-up and sign-in with an Azure AD B2C account from another Azure AD B2C tenant

[!INCLUDE active-directory-b2c-end-of-sale-notice-b]

[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]

::: zone pivot="b2c-custom-policy"

[!INCLUDE active-directory-b2c-advanced-audience-warning]

::: zone-end

## Overview

This article describes how to set up federation with another Azure AD B2C tenant. When your applications are protected by your Azure AD B2C tenant, this lets users from other Azure AD B2C tenants sign in with their existing accounts. In the following diagram, users sign in to an application protected by Contoso's Azure AD B2C tenant with an account managed by Fabrikam's Azure AD B2C tenant. In this case, the user account must already exist in Fabrikam's tenant before an application protected by Contoso's Azure AD B2C tenant can attempt to sign the user in.

Azure AD B2C federation with another Azure AD B2C tenant

## Prerequisites

[!INCLUDE active-directory-b2c-customization-prerequisites]

## Verify the application's publisher domain

As of November 2020, new application registrations show up as unverified in the user consent prompt unless the application's publisher domain is verified and the company’s identity has been verified with the Microsoft Partner Network and associated with the application. (Learn more about this change.) Note that for Azure AD B2C user flows, the publisher’s domain appears only when using a Microsoft account or other Microsoft Entra tenant as the identity provider. To meet these new requirements, do the following:

  1. Verify your company identity using your Microsoft Partner Network (MPN) account. This process verifies information about your company and your company’s primary contact.
  2. Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:

## Create an Azure AD B2C application

To enable sign-in for users with an account from another Azure AD B2C tenant (for example, Fabrikam) in your own Azure AD B2C tenant (for example, Contoso):

  1. Create a user flow or a custom policy.
  2. Then create an application registration, as described in this section.

To create an application:

  1. Sign in to the Azure portal.

  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.

  3. In the Azure portal, search for and select Azure AD B2C.

  4. Select App registrations, and then select New registration.

  5. Enter a Name for the application. For example, ContosoApp.

  6. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).

  7. Under Redirect URI, select Web, and then enter the following URL in all lowercase letters, where your-B2C-tenant-name is replaced with the name of your Azure AD B2C tenant (for example, Contoso).

    ```
    https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
    ```

    For example, https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp.

    If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant.

  8. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box.

  9. Select Register.

  10. In the Azure AD B2C - App registrations page, select the application you created, for example ContosoApp.

  11. Record the Application (client) ID shown on the application Overview page. You need this when you configure the identity provider in the next section.

  12. In the left menu, under Manage, select Certificates & secrets.

  13. Select New client secret.

  14. Enter a description for the client secret in the Description box. For example, clientsecret1.

  15. Under Expires, select a duration for which the secret is valid, and then select Add.

  16. Record the secret's Value. You need this when you configure the identity provider in the next section.

::: zone pivot="b2c-user-flow"

## Configure Azure AD B2C as an identity provider

  1. Sign in to the Azure portal.

  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  4. Select Identity providers, and then select New OpenID Connect provider.

  5. Enter a Name. For example, enter Fabrikam.

  6. For Metadata url, enter the following URL, replacing {tenant} with the domain name of the other Azure AD B2C tenant (for example, Fabrikam) and {policy} with the name of the policy you configured in that tenant:

    ```
    https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
    ```

    For example, https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/B2C_1_susi/v2.0/.well-known/openid-configuration.

  7. For Client ID, enter the application ID that you previously recorded.

  8. For Client secret, enter the client secret that you previously recorded.

  9. For Scope, enter openid.

  10. Leave the default values for Response type, and Response mode.

  11. (Optional) For the Domain hint, enter the domain name you want to use for the direct sign-in. For example, fabrikam.com.

  12. Under Identity provider claims mapping, select the following claims:

     - User ID: sub
     - Display name: name
     - Given name: given_name
     - Surname: family_name
     - Email: email

  13. Select Save.

## Add Azure AD B2C identity provider to a user flow

  1. In your Azure AD B2C tenant, select User flows.
  2. Select the user flow to which you want to add the Azure AD B2C identity provider.
  3. Under Social identity providers, select Fabrikam.
  4. Select Save.
  5. To test your policy, select Run user flow.
  6. For Application, select the web application named testapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  7. Select the Run user flow button.
  8. From the sign-up or sign-in page, select Fabrikam to sign in with the other Azure AD B2C tenant.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

::: zone-end

::: zone pivot="b2c-custom-policy"

## Create a policy key

You need to store the client secret that you created earlier as a policy key in your Azure AD B2C tenant.

  1. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
  2. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  3. Under Policies, select Identity Experience Framework.
  4. Select Policy keys and then select Add.
  5. For Options, choose Manual.
  6. Enter a Name for the policy key. For example, FabrikamAppSecret. The prefix B2C_1A_ is added automatically to the name of your key when it's created, so the XML in the following section refers to it as B2C_1A_FabrikamAppSecret.
  7. In Secret, enter your client secret that you recorded earlier.
  8. For Key usage, select Signature.
  9. Select Create.

## Configure Azure AD B2C as an identity provider

To enable users to sign in using an account from another Azure AD B2C tenant (Fabrikam), you need to define the other Azure AD B2C as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

You can define the other Azure AD B2C tenant as a claims provider by adding a ClaimsProvider element to the ClaimsProviders element in the extension file of your policy.

  1. Open the TrustFrameworkExtensions.xml file.

  2. Find the ClaimsProviders element. If it does not exist, add it under the root element.

  3. Add a new ClaimsProvider as follows:

    ```xml
    <ClaimsProvider>
      <Domain>fabrikam.com</Domain>
      <DisplayName>Federation with Fabrikam tenant</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="AzureADB2CFabrikam-OpenIdConnect">
          <DisplayName>Fabrikam</DisplayName>
          <Protocol Name="OpenIdConnect"/>
          <Metadata>
            <!-- Update the Client ID below to the Application ID -->
            <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>
            <!-- Update the metadata URL with the other Azure AD B2C tenant name and policy name -->
            <Item Key="METADATA">https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_FabrikamAppSecret"/>
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    ```
  4. Update the following XML elements with the relevant value:

    | XML element | Value |
    | ----------- | ----- |
    | ClaimsProvider\Domain | The domain name that is used for direct sign-in. For example, fabrikam.com. |
    | TechnicalProfile\DisplayName | This value is displayed on the sign-in button on your sign-in screen. For example, Fabrikam. |
    | Metadata\client_id | The application identifier of the identity provider. Update the Client ID with the Application ID you created earlier in the other Azure AD B2C tenant. |
    | Metadata\METADATA | A URL that points to an OpenID Connect identity provider configuration document, also known as the OpenID well-known configuration endpoint. Enter the following URL, replacing {tenant} with the domain name of the other Azure AD B2C tenant (Fabrikam) and {policy} with the name of the policy you configured in that tenant: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration. For example, https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/B2C_1_susi/v2.0/.well-known/openid-configuration. |
    | CryptographicKeys | Update the value of StorageReferenceId to the name of the policy key that you created earlier. For example, B2C_1A_FabrikamAppSecret. |
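The redirect URI and metadata URL conventions used throughout this article, including the Metadata\METADATA entry in the table above and the Metadata url step of the user-flow section, can be checked before anything is saved. The following Python is an added example, not code from this page or from Azure AD B2C: it builds both URLs from the tenant and policy names, then validates an OpenID Connect discovery document against the settings the page configures (response type code, response mode form_post, scope openid, and the claims mapped in the identity provider). The discovery documents in it are constructed samples with a placeholder tenant ID; in practice you would fetch the real document from the metadata URL.

```python
"""Pre-flight check for federating with another Azure AD B2C tenant.

Added example; not code from the documentation page or from Azure AD B2C.
It builds the redirect URI the page has you register, builds the other
tenant's OpenID Connect metadata URL, and validates a discovery document
against the settings the page configures. The discovery documents below are
constructed samples; in practice fetch the document from the metadata URL.
"""
from typing import Any, Dict, List, Optional
from urllib.parse import urlparse


def build_redirect_uri(tenant: str, custom_domain: Optional[str] = None) -> str:
    """Redirect URI for the app registration; the page requires all lowercase."""
    tenant = tenant.lower()
    host = custom_domain.lower() if custom_domain else f"{tenant}.b2clogin.com"
    return f"https://{host}/{tenant}.onmicrosoft.com/oauth2/authresp"


def build_metadata_url(tenant: str, policy: str) -> str:
    """Metadata URL of the other tenant's policy, in the page's {tenant}/{policy} form."""
    tenant = tenant.lower()
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/v2.0/.well-known/openid-configuration")


# Partner claims the page maps: User ID, Display name, Given name, Surname, Email.
MAPPED_CLAIMS = ("sub", "name", "given_name", "family_name", "email")


def validate_discovery(doc: Dict[str, Any], tenant: str) -> List[str]:
    """Return the problems found; an empty list means the document fits the
    configuration on the page. Every endpoint must be https and live on the
    other tenant's b2clogin.com host, so a mistyped metadata URL that resolves
    to some other provider is caught before users are redirected there."""
    problems: List[str] = []
    expected_host = f"{tenant.lower()}.b2clogin.com"
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        if parsed.netloc.lower() != expected_host:
            problems.append(f"{key} host {parsed.netloc} is not {expected_host}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type code not supported")
    if "form_post" not in doc.get("response_modes_supported", []):
        problems.append("response_mode form_post not supported")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("scope openid not supported")
    # claims_supported is optional in OIDC discovery, so only check it when present.
    if "claims_supported" in doc:
        missing = [c for c in MAPPED_CLAIMS if c not in doc["claims_supported"]]
        if missing:
            problems.append("mapped claims not advertised: " + ", ".join(missing))
    return problems


# Constructed sample shaped like a B2C policy's discovery document; the GUID in
# the issuer is a placeholder tenant ID, not a real tenant.
SAMPLE_GOOD: Dict[str, Any] = {
    "issuer": "https://fabrikam.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": "https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize",
    "token_endpoint": "https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/token",
    "jwks_uri": "https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/b2c_1_susi/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid"],
    "claims_supported": ["sub", "name", "given_name", "family_name", "emails", "email", "iss", "iat", "exp"],
}

# Same document with the token endpoint on a different host, as a mistyped
# metadata URL or a non-B2C provider might return (also constructed).
SAMPLE_WRONG_HOST: Dict[str, Any] = dict(
    SAMPLE_GOOD, token_endpoint="https://login.example.net/oauth2/v2.0/token")

if __name__ == "__main__":
    print(build_redirect_uri("Contoso"))
    print(build_redirect_uri("Contoso", "login.contoso.com"))
    print(build_metadata_url("Fabrikam", "B2C_1_susi"))
    print("good:", validate_discovery(SAMPLE_GOOD, "Fabrikam"))
    print("wrong host:", validate_discovery(SAMPLE_WRONG_HOST, "Fabrikam"))
```

Run the host check against the document the metadata URL actually returns before saving the identity provider; a non-empty list means the URL, the tenant name, or the policy name in it does not match what the rest of the configuration assumes.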

[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]

```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="AzureADB2CFabrikamExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="AzureADB2CFabrikamExchange" TechnicalProfileReferenceId="AzureADB2CFabrikam-OpenIdConnect" />
  </ClaimsExchanges>
</OrchestrationStep>
```

[!INCLUDE active-directory-b2c-configure-relying-party-policy]

## Test your custom policy

  1. Select your relying party policy, for example B2C_1A_signup_signin.
  2. For Application, select a web application that you previously registered. The Reply URL should show https://jwt.ms.
  3. Select the Run now button.
  4. From the sign-up or sign-in page, select Fabrikam to sign in with the other Azure AD B2C tenant.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
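The token that jwt.ms displays after a successful test is shaped by the OutputClaims of the AzureADB2CFabrikam-OpenIdConnect technical profile above. The following Python is an added example, not code from this page or from Azure AD B2C: it reads the profile's OutputClaims and applies the PartnerClaimType, DefaultValue and AlwaysUseDefaultValue rules to a constructed ID token payload (placeholder tenant ID, made-up user), with an issuer host check in front. The sample token carries emails but not email, so the result shows which of the two mapped email claims is populated and which is absent.

```python
"""How the technical profile's OutputClaims turn the other tenant's ID token
into Azure AD B2C claims.

Added example, not code from the documentation page or from Azure AD B2C; it
reimplements only the PartnerClaimType, DefaultValue and AlwaysUseDefaultValue
rules of OutputClaim as the page's profile uses them, plus an issuer host
check. The XML is the OutputClaims part of the page's technical profile; the
ID token payload is a constructed sample.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List
from urllib.parse import urlparse

OUTPUT_CLAIMS_XML = """<TechnicalProfile Id="AzureADB2CFabrikam-OpenIdConnect">
  <DisplayName>Fabrikam</DisplayName>
  <Protocol Name="OpenIdConnect"/>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
    <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
  </OutputClaims>
</TechnicalProfile>
"""


def parse_output_claims(xml_text: str) -> List[Dict[str, Any]]:
    """Read each OutputClaim element into a mapping rule."""
    root = ET.fromstring(xml_text)
    rules = []
    for claim in root.iter("OutputClaim"):
        rules.append({
            "claim": claim.get("ClaimTypeReferenceId"),
            "partner": claim.get("PartnerClaimType"),
            "default": claim.get("DefaultValue"),
            "always_default": claim.get("AlwaysUseDefaultValue", "false").lower() == "true",
        })
    return rules


def issuer_is_tenant(iss: str, tenant: str) -> bool:
    """True when the token issuer lives on the other tenant's b2clogin.com host
    (assumes that tenant is reached through b2clogin.com, as on the page)."""
    return urlparse(iss).netloc.lower() == f"{tenant.lower()}.b2clogin.com"


def map_partner_claims(token_claims: Dict[str, Any], rules: List[Dict[str, Any]],
                       tenant: str) -> Dict[str, Any]:
    """Apply the OutputClaims rules to the claims of an already signature-verified
    ID token. The issuer check stands in for the question 'is this really the
    Fabrikam tenant' once the signature is good."""
    if not issuer_is_tenant(str(token_claims.get("iss", "")), tenant):
        raise ValueError(f"token issuer {token_claims.get('iss')!r} is not tenant {tenant}")
    out: Dict[str, Any] = {}
    for rule in rules:
        if rule["always_default"] and rule["default"] is not None:
            out[rule["claim"]] = rule["default"]       # e.g. authenticationSource
            continue
        source = rule["partner"] or rule["claim"]      # no PartnerClaimType: same name
        if source in token_claims:
            out[rule["claim"]] = token_claims[source]
        elif rule["default"] is not None:
            out[rule["claim"]] = rule["default"]
        # otherwise the claim is simply absent, like email in the sample below
    return out


# Constructed ID token payload from the Fabrikam tenant: placeholder tenant ID
# in iss, made-up sub and user, an emails collection but no email claim.
SAMPLE_ID_TOKEN_CLAIMS: Dict[str, Any] = {
    "iss": "https://fabrikam.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "sub": "c3f1a0e2-0000-4000-8000-000000000001",
    "name": "Alex Wilber",
    "given_name": "Alex",
    "family_name": "Wilber",
    "emails": ["alex@fabrikam.com"],
    "tfp": "B2C_1_susi",
}

if __name__ == "__main__":
    rules = parse_output_claims(OUTPUT_CLAIMS_XML)
    for claim, value in map_partner_claims(SAMPLE_ID_TOKEN_CLAIMS, rules, "Fabrikam").items():
        print(f"{claim}: {value}")
```

Comparing this output with what jwt.ms shows is a quick way to confirm that the claims you expect (email in particular) are actually emitted by the other tenant's policy rather than silently missing.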

::: zone-end

## Next steps

Learn how to pass the other Azure AD B2C token to your application.