
How to call Azure Active Directory B2C

The demo app demonstrates the use of Azure B2C in an Angular SPA: https://demo.discover.swiss
The most complete and up-to-date information is found directly in the Azure Active Directory B2C documentation.

Info

To integrate sign-in with Azure AD B2C, an application registration is needed. This can't be done in the developer portal. Please contact us via support@discover.swiss and we'll create the application registration for you.

User flows

We support the following flows.

purpose             name                    remark
sign up - sign in   B2C_1A_signup_signin    One flow for login and for registering as a new guest. Usually the only one you need to work with.
sign in             B2C_1A_signin           Login only, no sign-up. Returns an error if a user tries to log in with a social account that does not exist yet, with an error message telling the user to sign up first.
reset password      B2C_1A_PasswordReset    Resets the password in case the user registered with username/password. It is offered inside the sign-in process, so you do not need to place it explicitly.
edit profile        B2C_1A_ProfileEdit_dev  Only the correspondence mail address can be changed with the edit profile flow. All other profile data must be edited using our profile service.

Tip

For the test environment, append _test to the name of each of the flows above, e.g.
B2C_1A_signup_signin_test, B2C_1A_signin_test

To call it you need the

  • flow name (see above)
  • client-Id (you get it when we register your application)
  • redirect url (we can register several for the application, so you must choose one of the registered ones)
  • (optional) partnerAcronym: If you specify the partnerAcronym query parameter, your partner logo is loaded. You need to provide the logo to us.
  • (optional) logo: If you specify the logo query parameter, that specific logo is loaded instead of the partner logo. You need to provide the logo to us.

example url

https://discoverswissb2c.b2clogin.com/discoverswissb2c.onmicrosoft.com/oauth2/v2.0/authorize?p={flow-name}&client_id={clientId}&nonce=defaultNonce&redirect_uri={redirect-url}&scope=openid&response_type=id_token&prompt=login

UI customization

Your logo can be placed on the left side of the top bar. You need to provide the logo to us.

The logo will be loaded in the following priority:

  1. logo query parameter
  2. partnerAcronym query parameter

Logout

GET https://discoverswissb2c.b2clogin.com/discoverswissb2c.onmicrosoft.com/{sign up-sign in flow name}/oauth2/v2.0/logout?post_logout_redirect_uri={redirect-url}

Calling the Azure B2C logout endpoint ends the user's session at the identity provider. If you do not call it, the user is signed in again automatically whenever the sign-in flow is started before the Azure B2C session times out. To allow switching users, you must therefore call this endpoint as part of your application's logout.

more information: Send a sign-out request

Password reset

If a user clicks "forgot password" in the sign-in / sign-up flow, the flow fails with the error code "AADB2C90118". The client application must handle this error and forward the user to the password reset flow.
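The following is an added example (not code from discover.swiss or the demo app) of how a single-page application can classify what Azure B2C sends back to the redirect URL. With response_type=id_token the parameters arrive in the URL fragment (the part after "#"); the sample fragments are constructed for this example, and the function only decides what the app should do next, it does not verify the token.

```javascript
// Added example, not code from discover.swiss or the demo app: classify the
// response Azure B2C returns to the redirect URL and detect the
// "forgot password" case (AADB2C90118) described on this page.
const PASSWORD_RESET_FLOW = 'B2C_1A_PasswordReset';

function parseB2CRedirect(fragment) {
  // URLSearchParams decodes the '+' and %XX escapes used in the fragment
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const error = params.get('error');
  if (!error) {
    const idToken = params.get('id_token');
    if (!idToken) return { kind: 'invalid', reason: 'neither id_token nor error present' };
    // Not trusted yet: signature, nonce, iss, aud and exp must be verified before use
    return { kind: 'token', idToken };
  }
  const description = params.get('error_description') || '';
  // The description starts with the B2C error code,
  // e.g. "AADB2C90118: The user has forgotten their password."
  const code = (description.match(/^(AADB2C\d+)/) || [])[1] || null;
  if (code === 'AADB2C90118') {
    // The user clicked "forgot password": the app has to start the reset flow itself
    return { kind: 'password_reset', nextFlow: PASSWORD_RESET_FLOW };
  }
  return { kind: 'error', error, code, description };
}
```

Use the returned kind to either hand the id_token to your token validation, start the B2C_1A_PasswordReset flow, or show an error. The error_description also carries a correlation id and timestamp after the message; keep those in your logs when reporting problems.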

Language

Available languages:

  • de
  • en
  • fr
  • it

How the language is determined

  • ui_locales query parameter: The language can be set explicitly with the ui_locales query parameter, e.g. "ui_locales=de".
  • Browser-requested language: If no ui_locales parameter was specified, your user flow is translated to the browser-requested language, if the language is supported.
  • Policy default language: If the browser doesn't specify a language, or it specifies one that is not supported, the user flow is translated to the user flow default language.

Attributes / user data

We collect only a small set of information during sign-up. It is possible to collect different information in each partner's sign-up process.

  • Email address
  • Correspondence email address
  • Given name
  • Surname
  • Displayname: Will be automatically set by joining the given name and surname
  • Terms & Conditions

Supported Identity Providers

  • username / password (local account)
  • Microsoft
  • Google
  • Apple ID
  • Facebook (not set up yet)
  • almost any identity provider is possible - leave a request with us

Local account password policy

The password for a local account has the following requirements:

  • The password must be between 8 and 64 characters.
  • The password must have at least 3 of the following:
    • A lowercase letter
    • An uppercase letter
    • A digit
    • A symbol
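As an added example (not code from discover.swiss), a client-side pre-check that mirrors the policy above, so a sign-up form can warn the user before Azure B2C rejects the password. It assumes that any non-alphanumeric character counts as a symbol; B2C's own accepted symbol set may be narrower, so B2C remains the authority and this is only a first check.

```javascript
// Added example, not discover.swiss code: pre-check of the local account
// password policy (8-64 characters, at least 3 of the 4 character classes).
function checkLocalAccountPassword(password) {
  const problems = [];
  if (password.length < 8 || password.length > 64) {
    problems.push('must be between 8 and 64 characters');
  }
  // Assumption: any non-alphanumeric character is treated as a symbol
  const classes = {
    lowercase: /[a-z]/,
    uppercase: /[A-Z]/,
    digit: /[0-9]/,
    symbol: /[^A-Za-z0-9]/,
  };
  const present = Object.keys(classes).filter((name) => classes[name].test(password));
  if (present.length < 3) {
    problems.push(`must contain at least 3 of lowercase, uppercase, digit, symbol (has ${present.length})`);
  }
  return { ok: problems.length === 0, present, problems };
}
```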

Local account prefill sign up fields

The email address, surname and given name can be passed to the sign-up flow in specific query parameters. Do this when the information has already been collected from the user, so that the user does not need to enter it again during sign-up.

property        query parameter
email address   prefillEmail
given name      prefillGivenName
surname         prefillFamilyName

Claims

The following claims are provided and can be used. Your app should not rely on other claims.

claim               description
name                Display name
given_name          User's given name
family_name         User's family name
correspondenceMail  Mail address that can be used to contact the user by mail. The same address is set in the email property of the user profile, which can be retrieved with the Profile Service.
acr                 Name of the B2C policy that was used to issue the token
oid                 The unique Azure B2C user object id
ds_roles            Contains a list of discover.swiss roles separated by comma

Example payload:

{
    "acr": "b2c_1a_signup_signin",
    "name": "Corinne Eiger",
    "given_name": "Corinne",
    "family_name": "Eiger",
    "oid": "9749fccb-00cc-4d91-b9ea-fbee8c37de09",
    "correspondenceMail": "corinne.eiger@discover.swiss",
    "ds_roles": [
        "ds_pp|ds",
        "hotelier|log_px9-s28_bfihed"
    ]
}

Verification of Authorization tokens

In case you need to verify the token when accessing your own API (authorization):

Server side

The authorization token is a standard JWT and can be validated with any JWT library. Keep in mind that the signing keys change regularly. Microsoft's libraries have the key handling (fetching the current keys) built in.

This article is helpful (see Validation): Overview of tokens in Azure Active Directory B2C

The signing keys are published at this URL:

https://discoverswissb2c.b2clogin.com/discoverswissb2c.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1A_signup_signin
(where the name of the flow - p - should be the one you use to authenticate)

The JSON document located at this URL contains all the public key information in use at a particular moment. Your app can use the kid claim in the JWT header to select the public key in the JSON document that is used to sign a particular token. It can then perform signature validation by using the correct public key and the indicated algorithm.

The OpenID Connect discovery document at the following URL lists all endpoints and resources (including the keys URL above):

https://discoverswissb2c.b2clogin.com/discoverswissb2c.onmicrosoft.com/discovery/v2.0/.well-known/openid-configuration?p=B2C_1A_signup_signin


Last update: October 8, 2021 07:51:16