Using Azure Active Directory B2C with ASP.NET Core

It’s great what’s built-in out of the box with Azure Active Directory and ASP.NET Core. I need a B2C directory where users can register, add some additional information, and use this account with a native app calling an API service. First, let’s start defining the Active Directory B2C and creating the ASP.NET Core Web app where users can register and manage their profile.

50.000 users with 50.000 authentications a month is free with Azure AD.

People Network

Create the Active Directory B2C

In the Azure Portal, clicking on the Create button to create an Azure Active Directory B2C, you have two options – and you need both of them, one after the other. First, you need to create an Azure AD B2C Tenant, and then link this tenant to one of your Azure subscriptions.

Create an Azure Active Directory B2C

Next, you need to configure the AD, defining the organization, domain name, and the country. The country or region where you store your users is important for GDPR requirements.

Configure the Azure Active Directory B2C Tenant

Identity Providers

With Azure AD B2C, you don’t need to store passwords from the users in the Azure AD. You can use the AD to store additional information you need from the user. Selecting the menu Identity Providers, you can chose from a wide range of identity providers covering Microsoft Account, Google, Facebook, LinkedIn, Amazon, and many more – including a custom identity provider with OpenID Connect support.

Select Identity Providers

I’m selecting – in addition to the e-mail identity provider – the Microsoft Account identity provider. For this provider you can get application ids and secrets from the Application Registration Portal. For the Azure Active Directory B2C configuration you need the application id, and also a generated password. These need to be added to the configuration of the Identity Provider in the Azure portal. In addition to that, for using a Website to make this logon, with the Application Registration Portal you need to add a platform for the application. Adding a platform, Web, Native Application, and Web API are offered.

Select the Platform

Adding the Web Platform, the redirect URL{tenant}/oauth2/authresp needs to be configured whereas the tenant needs to be replaced by the tenant link, e.g.

Configure the Web Platform

Extra Information from the User

After configuring the identity providers in the Azure Portal, let’s move on to the users. If you need some information from the user in addition to name, email, address…, you can add extra user attributes. These must be of type String, Boolean, or Int. Opening the Azure B2C configuration, you just need to click on User Attributes, and add the attributes as needed.

Add User Attribute

The following figure shows the list of all the built-in attributes in addition to the just created custom attribute RestaurantName.

User Attributes

Define Policies

With all the attributes in place that you need, you can now define policies. From the Azure Portal, you can create new policies. Creating a new Sign Up or Sign In Policy, you can configure identity providers that should use this policy, sign-up attributes that the user needs to enter on signing up, application claims that are sent to the application via tokens, and also can configure multi-factor authentication, and define a custom user interface. In the following image, just the email and restaurant names are requested from the user.

Sign Up or Sign In Policy Configuration

Be aware that the name you enter for the policy is prefixed in the portal with the prefix B2C_1_. If you name the sign up or sign in policy restaurantsample_susi, the full name of the policy is B2C_1_restaurantsample_susi.

You need to have at least policies for sign up or sign in and password reset. The policy profile editing is optional – this allows the user to update his profile. The password reset policy can only be used with passwords stored within the Active Directory.

Selecting All Policies, you can see the list of all created policies.

All Policies

ASP.NET Core Web Application

With the configuration of the Active Directory B2C in place, you can create the ASP.NET Core Web application. I’m creating an ASP.NET Core 2.1 Web Application using Razor Pages. Before creating the application, the authentication is changed to Individual User Accounts, with the selection Connect to an existing user store in the cloud. This selection needs a configuration for

  • the domain name ({tenant}
  • the application id (take this from the Azure Portal)
  • sign-up or sign-in policy
  • reset password policy
  • edit profile policy

Supplying the edit profile policy is optional.

With the configuration you need the application id. This application id can be taken from the Application configuration in the portal. In case you didn’t create an application yet, do it now, and get the application id from there. The configuration for the reply URL can be copied from visual Studio while changing the configuration. In case you created an application in the Azure AD B2C configuration earlier, update the Reply URL.

Configure Authentication with ASP.NET Core

Configure Application in the Azure Portal

The Startup class of the application contains the authentication configuration for AD B2C:

public void ConfigureServices(IServiceCollection services)
services.Configure<CookiePolicyOptions>(options =>
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
.AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

view raw


hosted with ❤ by GitHub

The configuration for the Azure AD B2C domain is retrieved from the JSON configuration file:

"AzureAdB2C": {
"Instance": "",
"ClientId": "cc2a6f7d-cabc-4fd8-bbf5-54d1f7497c52",
"CallbackPath": "/signin-oidc",
"Domain": "",
"SignUpSignInPolicyId": "B2C_1_restaurantsample_susi",
"ResetPasswordPolicyId": "B2C_1_restaurantsample_reset",
"EditProfilePolicyId": "B2C_1_restaurantsample_profile"
"Logging": {
"LogLevel": {
"Default": "Warning"
"AllowedHosts": "*"

Running the application, user registration is now working out of the box. Enter user information as defined by the policy – including the name of the restaurant. Support to send verification code for the email is built-in with ASP.NET Core 2.1 as well.

The user can enter information to his profile as defined by the profile policy. Here, the profile policy asks for the given name and the country.


With Azure Active Directory B2C you gain infrastructure functionality for the application that you no longer need to build custom, just use it out of the box. Storing user information in a secure way either stored in the Active Directory, or making use of different identity providers. ASP.NET Core offers great integration functionality to Azure Active Directory.

If you found this information valuable and want to help me writing more articles, please buy me a coffee. Coffee helps with writing 🙂

Buy Me A Coffee

More information on ASP.NET Core is in my book Professional C# 7 and .NET Core 2.0, and in my ASP.NET Core trainings.

Enjoy learning and programming!



10 thoughts on “Using Azure Active Directory B2C with ASP.NET Core

  1. Is there going to be a way to set up an AAD B2C, or configure reply URLs for an existing B2C, using powershell or ARM templates? Currently you have to use the portal UI, which causes problems when you try to integrate it into an automatic deployment pipeline. We’re even considering driving the portal with selenium webdriver, which can’t be right.

    Liked by 1 person

  2. Thanx for posting this! I was having a lot of trouble getting an “official” MS example, from github, to work, probably because it was out of date with where AspNet Core 2.1 is. I appreciated you walking through all the steps in a clear manner.

    Liked by 1 person

  3. You’re welcome, Christian.

    BTW, after being relieved at finally getting the login page to finally appear, I ran into some subsequent issues:

    – no signup/login option using a email (i.e., the local email account option) appears, despite it being one of the identity providers for the tenant

    – the Google sign up fails with an “invalid redirect_uri” error, even though it’s configured per the instructions at

    – the Microsoft Account sign up fails with a “we’re experiencing technical difficulties” error…that’s persisted for over 24 hours 🙂

    Any thoughts on what might be causing these errors? It sounds like I’ve misconfigured something in either the tenant or the site.


    1. Alex, thanks for asking. I already have a UWP app accessing ASP.NET Core Web API, and using Azure B2C in production – but it will take some time to write about it. I will make an article describing how this can be done – but not before the Basta! conference in Germany end of September.


Leave a Reply to Alex Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.