articles/active-directory-b2c/add-captcha.md
Lines changed: 4 additions & 4 deletions
@@ -11,7 +11,7 @@ ms.author: kengaderdus
11
11
ms.subservice: b2c
12
12
zone_pivot_groups: b2c-policy-type
13
13
14
-
#Customer intent: As a developer, I want to enable CAPTCHA in consumer-facing application that is secured by Azure Active Directory B2C, so that I can protect my sign-in and sign-up flows from automated attacks.
14
+
#Customer intent: As a developer, I want to enable CAPTCHA in a consumer-facing application that is secured by Azure Active Directory B2C, so that I can protect my sign-in and sign-up flows from automated attacks.
Azure Active Directory B2C (Azure AD B2C) allows you to enable CAPTCHA to prevent automated attacks on your consumer-facing applications. Azure AD B2C’s CAPTCHA supports both audio and visual CAPTCHA challenges. You can enable this security feature in both sign-up and sign-in flows for your local accounts. CAPTCHA isn't applicable for social identity providers' sign-in.
24
+
Azure Active Directory B2C (Azure AD B2C) allows you to enable CAPTCHA to prevent automated attacks on your consumer-facing applications. Azure AD B2C CAPTCHA supports both audio and visual challenges. You can enable this security feature in both sign-up and sign-in flows for your local accounts. CAPTCHA isn't applicable for social identity providers' sign-in.
25
25
26
26
> [!NOTE]
27
27
> This feature is in public preview
@@ -52,7 +52,7 @@ Azure Active Directory B2C (Azure AD B2C) allows you to enable CAPTCHA to preven
52
52
53
53
## Test the user flow
54
54
55
-
Use the steps in [Test the user flow](tutorial-create-user-flows.md?pivots=b2c-user-flow#test-the-user-flow-1) to test and confirm that CAPTCHA is enabled for your chosen flow. You should be prompted to enter the characters you see or hear depending on the CAPTCHA type, visual, or audio, you choose.
55
+
Use the steps in [Test the user flow](tutorial-create-user-flows.md?pivots=b2c-user-flow#test-the-user-flow-1) to test and confirm that CAPTCHA is enabled for your chosen flow. You should be prompted to enter the characters you see or hear depending on the CAPTCHA type (visual or audio) that you choose.
56
56
57
57
::: zone-end
58
58
@@ -395,7 +395,7 @@ Use the steps in [Test the custom policy](tutorial-create-user-flows.md?pivots=b
395
395
396
396
> [!NOTE]
397
397
> - You can't add CAPTCHA to an MFA step in a sign-up only user flow.
398
-
> - In an MFA flow, CAPTCHA is applicable where the MFA method you select is SMS or phone call, SMS only or Phone call only.
398
+
> - In an MFA flow, CAPTCHA is applicable where the MFA method you select is SMS or phone call, SMS only, or phone call only.
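Review bot: The three MFA methods named in the edited bullet are portal selection names, so lowercasing "phone call only" moves the text away from how the option is labeled; consider formatting each as a bold UI label, as the password reset article in this same commit does for **Manage** and **Authentication methods**, for example `> - In an MFA flow, CAPTCHA is applicable where the MFA method you select is **SMS or phone call**, **SMS only**, or **Phone call only**.` That also makes it clear the bullet lists three options rather than four.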
articles/active-directory-b2c/add-password-reset-policy.md
Lines changed: 3 additions & 3 deletions
@@ -12,7 +12,7 @@ ms.subservice: b2c
12
12
zone_pivot_groups: b2c-policy-type
13
13
ms.custom: sfi-image-nochange
14
14
15
-
#Customer Intent: As an Azure AD B2C administrator, I want to set up a password reset flow for local accounts, so that users can reset their passwords if they forget them.
15
+
#Customer Intent: As an Azure AD B2C administrator, I want to set up a password reset flow for local accounts, so that users can reset their passwords if they forget them.
16
16
---
17
17
18
18
# Set up a password reset flow in Azure Active Directory B2C
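Review bot: The removed and added `#Customer Intent` lines in this hunk are identical as rendered, so the change is presumably whitespace-only (trailing space or line ending). If that is the intent, fine; otherwise this is diff noise and the hunk should be dropped so the commit carries only meaningful edits.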
@@ -43,7 +43,7 @@ The default name of the **Change email** button in *selfAsserted.html* is **chan
- The B2C Users need to have an authentication method specified for self-service password reset. Select the B2C User, in the left menu under **Manage**, select **Authentication methods**. Ensure **Authentication contact info** is set. B2C users created via a Sign-up flow has this set by default. For users created via Azure Portal or by Graph API, you need to set **Authentication contact info** for SSPR to work.
46
+
- The B2C users need to have an authentication method specified for self-service password reset. Select the B2C User, in the left menu under **Manage**, select **Authentication methods**. Ensure **Authentication contact info** is set. B2C users created via a Sign-up flow has this set by default. For users created via Azure Portal or by Graph API, you need to set **Authentication contact info** for SSPR to work.
47
47
48
48
49
49
## Self-service password reset (recommended)
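Review bot: Lowercasing "B2C users" at the start of the bullet leaves other errors in the same line unfixed: "Select the B2C User" still has the capital U, "B2C users created via a Sign-up flow has this set by default" needs "have", and "via Azure Portal" should read "via the Azure portal". Suggest fixing them in the same edit, e.g. `B2C users created via a sign-up flow have this set by default. For users created via the Azure portal or by Graph API, ...`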
@@ -52,7 +52,7 @@ The new password reset experience is now part of the sign-up or sign-in policy.
52
52
53
53
::: zone pivot="b2c-user-flow"
54
54
55
-
The self-service password reset experience can be configured for the Sign in (Recommended) or Sign up and sign in (Recommended) user flows. If you don't have one of these user flows setup, create a [sign-up or sign-in](add-sign-up-and-sign-in-policy.md) user flow.
55
+
The self-service password reset experience can be configured for the Sign in (Recommended) or Sign up and sign in (Recommended) user flows. If you don't have one of these user flows set up, create a [sign-up or sign-in](add-sign-up-and-sign-in-policy.md) user flow.
56
56
57
57
To set up self-service password reset for the sign-up or sign-in user flow:
| redirect_uri |Required |The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. |
70
70
| scope |Required |A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application needs a *refresh token* for extended access to resources. The client-id indicates the token issued are intended for use by Azure AD B2C registered client. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
71
71
| response_mode |Recommended |The method that you use to send the resulting authorization code back to your app. It can be `query`, `form_post`, or `fragment`. |
72
-
| state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
73
72
| prompt |Optional |The type of user interaction that is required. Currently, the only valid value is `login`, which forces the user to enter their credentials on that request. Single sign-on won't take effect. |
74
73
| code_challenge | recommended / required | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if `code_challenge_method` is included. You need to add logic in your application to generate the `code_verifier` and `code_challenge`. The `code_challenge` is a Base64 URL-encoded SHA256 hash of the `code_verifier`. You store the `code_verifier` in your application for later use, and send the `code_challenge` along with the authorization request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is now recommended for all application types - native apps, SPAs, and confidential clients like web apps. |
75
74
|`code_challenge_method`| recommended / required | The method used to encode the `code_verifier` for the `code_challenge` parameter. This *SHOULD* be `S256`, but the spec allows the use of `plain` if for some reason the client can't support SHA256. <br/><br/>If you exclude the `code_challenge_method`, but still include the `code_challenge`, then the `code_challenge` is assumed to be plaintext. Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is required for [single page apps using the authorization code flow](tutorial-register-spa.md).|
76
75
| login_hint | No| Can be used to prefill the sign-in name field of the sign-in page. For more information, see [Prepopulate the sign-in name](direct-signin.md#prepopulate-the-sign-in-name). |
77
76
| domain_hint | No| Provides a hint to Azure AD B2C about the social identity provider that should be used for sign-in. If a valid value is included, the user goes directly to the identity provider sign-in page. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider). |
78
77
| Custom parameters | No| Custom parameters that can be used with [custom policies](custom-policy-overview.md). For example, [dynamic custom page content URI](customize-ui-with-html.md?pivots=b2c-custom-policy#configure-dynamic-custom-page-content-uri), or [key-value claim resolvers](claim-resolver-overview.md#oauth2-key-value-parameters). |
78
+
| state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
79
+
80
+
> [!IMPORTANT]
81
+
> For security and privacy, do not put URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage, such as localStorage or sessionStorage. This approach lets your app securely reference the necessary data after authentication.
79
82
80
83
At this point, the user is asked to complete the user flow's workflow. This might involve the user entering their username and password, signing in with a social identity, signing up for the directory, or any other number of steps. User actions depend on how the user flow is defined.
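Review bot: The new `[!IMPORTANT]` note on `state` says what not to do but not why, and the why is what makes the guidance stick: the value travels in the authorization request URL and is echoed back in the redirect (`query`, `fragment` or `form_post`, per the `response_mode` row), so anything placed in it can end up in browser history, proxy logs and Referer headers; one sentence to that effect would help. Its storage advice is also browser-only: `localStorage`/`sessionStorage` fits SPAs and native apps, but the `code_challenge` row in this same table addresses confidential clients like web apps, for which the lookup data belongs in a server-side session. Since the row says the value exists to prevent CSRF, add that the app must compare the returned `state` to the stored value before accepting the code. Minor: moving the `state` row below `Custom parameters` separates it from the other standard parameters (`response_mode`, `prompt`) only so the note can follow the table; keeping the row in place and ending it with a short pointer to the note would preserve the table's order.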
articles/active-directory-b2c/phone-based-mfa.md
Lines changed: 14 additions & 10 deletions
@@ -1,13 +1,13 @@
1
1
---
2
-
title: Securing phone-based MFA in Azure AD B2C
2
+
title: Secure phone-based MFA in Azure AD B2C
3
3
titleSuffix: Azure AD B2C
4
4
description: Learn tips for securing phone-based multifactor authentication in your Azure AD B2C tenant by using Azure Monitor Log Analytics reports and alerts. Use our workbook to identify fraudulent phone authentications and mitigate fraudulent sign-ups. =
5
5
6
6
author: kengaderdus
7
7
manager: CelesteDG
8
8
ms.service: azure-active-directory
9
9
ms.topic: how-to
10
-
ms.date: 11/05/2025
10
+
ms.date: 02/03/2026
11
11
ms.author: kengaderdus
12
12
ms.subservice: b2c
13
13
ms.custom: sfi-image-nochange
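Review bot: While this hunk touches the front matter (`title:`, `ms.date:`), the unchanged `description:` line still ends with a stray ` =` after "mitigate fraudulent sign-ups."; that character is emitted into the page's meta description and should be removed in the same commit.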
@@ -17,7 +17,7 @@ ms.custom: sfi-image-nochange
17
17
#Customer intent: As an Azure AD B2C administrator, I want to monitor phone authentication failures and mitigate fraudulent sign-ups, so that I can protect against malicious use of the telephony service and ensure a secure authentication process.
With Microsoft Entra multifactor authentication, users can choose to receive an automated voice call at a phone number they register for verification. Malicious users could take advantage of this method by creating multiple accounts and placing phone calls without completing the MFA registration process. These numerous failed sign-ups could exhaust the allowed sign-up attempts, preventing other users from signing up for new accounts in your Azure AD B2C tenant. To help protect against these attacks, you can use Azure Monitor to monitor phone authentication failures and mitigate fraudulent sign-ups.
@@ -123,22 +123,29 @@ To help prevent fraudulent sign-ups, remove any country/region codes that do not
<!-- Add this BuildingBlocks section to the relying party policy. -->
133
138
<BuildingBlocks>
134
-
<!-- Add the XML code outlined in Step 2 if this section. -->
139
+
<!-- Add the XML code outlined in Step 2 in this section. -->
135
140
</BuildingBlocks>
136
141
137
142
<RelyingParty>
138
143
...
139
144
</RelyingParty>
140
145
</TrustFrameworkPolicy>
141
146
```
147
+
> [!IMPORTANT]
148
+
>Add the code in step 2 to the _relying party policy_ to enforce country/region code restrictions on the server side. You must not define these elements only in parent policies; put them in the relying party policy.
142
149
143
150
1. In the `BuildingBlocks` section of this policy file, add the following code. Make sure to include only the country/region codes relevant to your organization:
144
151
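Review bot: The new admonition needs a space after the second `>` (`>Add the code...`) to match `> [!IMPORTANT]` on the line above, and its second sentence ("You must not define these elements only in parent policies; put them in the relying party policy.") repeats the first. One sentence covers it, e.g. `> Add the code in step 2 to the *relying party policy*, not only to a parent policy, so the country/region code restrictions are enforced on the server side.` Also keep the step reference consistent with the XML comment above the fence, which says "Step 2", and prefer `*...*` over `_..._` for italics, which is what this commit's other files use (for example *selfAsserted.html*).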
@@ -178,11 +185,8 @@ To help prevent fraudulent sign-ups, remove any country/region codes that do not
178
185
179
186
The countryList acts as an allow list. Only the countries/regions you specify in this list (for example, Japan, Bulgaria, and the United States) are permitted to use MFA. All other countries/regions are blocked.
180
187
181
-
> [!IMPORTANT]
182
-
> This code must be added to the relying party policy to ensure the country/region code restrictions are properly enforced on the server side.
188
+
183
189
184
190
## Related content
185
191
186
192
- Learn about [Identity Protection and Conditional Access for Azure AD B2C](conditional-access-identity-protection-overview.md)
187
-
188
-
- Apply [Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md)
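Review bot: Besides removing the old `[!IMPORTANT]` note (now relocated above step 2), this hunk deletes the `- Apply [Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md)` entry from Related content, leaving a single link in the section; the `-178,11 +185,8` counts confirm two lines beyond the note were dropped. If removing that link is unintended, restore it; if intended, say why in the commit message. The added blank line (+188) also leaves two consecutive blank lines before `## Related content`, which should collapse to one.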
articles/active-directory-b2c/service-limits.md
Lines changed: 2 additions & 2 deletions
@@ -8,7 +8,7 @@ manager: CelesteDG
8
8
ms.service: azure-active-directory
9
9
10
10
ms.topic: reference
11
-
ms.date: 01/08/2026
11
+
ms.date: 01/22/2026
12
12
ms.subservice: b2c
13
13
zone_pivot_groups: b2c-policy-type
14
14
@@ -186,7 +186,7 @@ The following table lists the administrative configuration limits in the Azure A
186
186
187
187
## Region specific service limits
188
188
189
-
As a protection for our customers, Microsoft places some restrictions on telephony verification for certain region codes. The following table lists the region codes and their corresponding limits. These limits apply to both SMS and Voice verification.
189
+
As a protection for our customers, Microsoft places some restrictions on telephony verification for certain region codes. The following table lists the region codes and their corresponding limits. Only SMS verification is subject to these limits.
190
190
191
191
| Region Code | Region Name | Limit per tenant per 60 minutes | Limit per tenant per 24 hours |
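Review bot: Replacing "These limits apply to both SMS and Voice verification." with "Only SMS verification is subject to these limits." is a substantive change to a documented customer-facing limit, not a wording fix, and nothing in the hunk or the what's-new entry ("Updated region specific service limits") records why. Please confirm it with the service team and, because the phone-based MFA article in this same commit describes attackers abusing automated voice calls at scale, state there or here that voice verification is not covered by these per-region limits and that the countryList allow list in the custom policy is the control for it. Minor: the heading should read `## Region-specific service limits`.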
articles/active-directory-b2c/whats-new-docs.md
Lines changed: 9 additions & 7 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: "What's new in Azure Active Directory business-to-customer (B2C)"
3
3
description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
4
-
ms.date: 11/13/2025
4
+
ms.date: 02/03/2026
5
5
ms.service: azure-active-directory
6
6
ms.subservice: b2c
7
7
ms.topic: whats-new
@@ -19,6 +19,14 @@ ms.custom: sfi-ropc-nochange
19
19
20
20
Welcome to what's new in Azure Active Directory B2C documentation. This article lists new and significantly updated docs from the past three months. To learn what's new with the B2C service, see [What's new in Microsoft Entra ID](../active-directory/fundamentals/whats-new.md), [Azure AD B2C developer release notes](custom-policy-developer-notes.md) and [What's new in Microsoft Entra External ID](/entra/external-id/whats-new-docs).
21
21
22
+
## January 2026
23
+
24
+
### Updated articles
25
+
26
+
-[OAuth 2.0 authorization code flow in Azure Active Directory B2C](authorization-code-flow.md) - Added security guidance on using the `state` parameter
27
+
-[Azure Active Directory B2C service limits and restrictions](service-limits.md) - Updated region specific service limits
28
+
-[Securing phone-based multifactor authentication](phone-based-mfa.md) - Updated the XML code snippets
29
+
22
30
## October 2025
23
31
24
32
### Updated articles
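Review bot: The third January 2026 entry still uses the old link text "Securing phone-based multifactor authentication", but this same commit changes that article's `title:` to "Secure phone-based MFA in Azure AD B2C"; align the link text. Its description, "Updated the XML code snippets", also understates the change, which was an XML comment fix plus a new IMPORTANT note about putting the country/region restrictions in the relying party policy; something like `- Clarified that country/region code restrictions must be added to the relying party policy` tells readers what actually changed.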
@@ -33,9 +41,3 @@ Welcome to what's new in Azure Active Directory B2C documentation. This article
33
41
34
42
-[Azure Active Directory B2C service limits and restrictions](service-limits.md) - Added new object limits
35
43
-[StringCollection claims transformations](stringcollection-transformations.md) - Updated claim type information
36
-
37
-
## July 2025
38
-
39
-
### Updated articles
40
-
41
-
-[Azure Active Directory B2C service limits and restrictions](service-limits.md) - Added new region limits
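Review bot: Removing the July 2025 section matches the intro's "past three months" window, but with `ms.date` now 02/03/2026 the remaining October 2025 section arguably falls outside that window as well (November, December and January are the three months). Either drop October 2025 too or keep both until the next sweep, so the article's stated scope and its contents agree.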