azure-b2c

links

• Graph Explorer
• Short link: https://aka.ms/ge

open with a specific tenant

Add ?tenant=yourtenant.onmicrosoft.com to the URL to open with a specific tenant, eg: https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=yourtenant.onmicrosoft.com

in a pipeline with ieftool:

• Azure DevOps
• Github Actions

locally with ieftool:

• ieftool (node)
• go-ieftool (go)

locally with powershell:

$tenant = "yourtenant.onmicrosoft.com"

# Connect to graph
Connect-MgGraph -Tenant $tenant -Scopes "Policy.Read.All", "Policy.ReadWrite.TrustFramework" -NoWelcome

$files = @(
    , "B2C_1A_TRUSTFRAMEWORKBASE.xml"
    , "B2C_1A_TRUSTFRAMEWORKLOCALIZATION.xml"
    , "B2C_1A_TRUSTFRAMEWORKEXTENSIONS.xml"
    , "B2C_1A_SIGNIN_SIGNOUT.xml"
)

# Upload files
foreach ($file in $files) {
    $policy = Get-Content -Path $file -Raw
    Write-Host "Uploading policy $policyPath, of length $($policy.Length) bytes"
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/trustFramework/policies" -Body $policy -ContentType "application/xml" -OutputFilePath out.xml
}

• sign in with custom mfa
  • uses Restful Technical Profile
• sign in with mfa method
  • uses Phone factor Technical Profile
  • cannot access strongAuthenticationPhoneNumber via Microsoft Graph

• Microsft Graph Identity provider service limits: 200 requests per 1 minute
• Number of policies per Azure AD B2C tenant (user flows + custom policies): 200 policies
• Number of SMS per MFA auth request: Not disclosed