On the overview page, under 'Policies', select 'Identity Experience Framework'.
Select 'Policy Keys' and then select 'Add'.
For Options, choose 'Generate'.
In 'Name', enter 'TokenSigningKeyContainer'. The prefix B2C_1A_ might be added automatically.
For 'Key type', select 'RSA'.
For 'Key usage', select 'Signature'.
Select 'Create'.
2b) Create the encryption key
Select 'Policy Keys' and then select 'Add'.
For 'Options', choose 'Generate'.
In 'Name', enter 'TokenEncryptionKeyContainer'. The prefix B2C_1A_ might be added automatically.
For 'Key type', select 'RSA'.
For 'Key usage', select 'Encryption'.
Select 'Create'.
2c) Register the IdentityExperienceFramework application
Search for or go back to 'Azure AD B2C'.
Select 'App registrations', and then select '+ New registration'.
For 'Name', enter 'IdentityExperienceFramework'.
Under 'Supported account types', select 'Accounts in this organizational directory only'.
Under 'Redirect URI', select 'Web', and then enter 'https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com', where your-tenant-name is your Azure AD B2C tenant domain name.
Under 'Permissions', select the 'Grant admin consent to openid and offline_access permissions' check box.
Select 'Register'.
Record the Application (client) ID for use in a later step.
Next, expose the API by adding a scope:
In the left menu, under 'Manage', select 'Expose an API'.
Select 'Add a scope', then select 'Save' and continue to accept the default application ID URI.
Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
Scope name: user_impersonation (this is the scope that the ProxyIdentityExperienceFramework registration is granted in Step 2d).
Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.
Select 'Add scope'.
2d) Register the ProxyIdentityExperienceFramework application
Select 'App registrations', and then select '+ New registration'.
For 'Name', enter 'ProxyIdentityExperienceFramework'.
Under 'Supported account types', select 'Accounts in this organizational directory only'.
Under 'Redirect URI', use the drop-down to select 'Public client/native (mobile & desktop)'.
For 'Redirect URI', enter 'myapp://auth'.
Under 'Permissions', select the 'Grant admin consent to openid and offline_access permissions' check box.
Select 'Register'.
Record the Application (client) ID for use in a later step.
Next, specify that the application should be treated as a public client:
In the left menu, under 'Manage', select 'Authentication'.
Under 'Advanced settings', in the 'Allow public client flows' section, set 'Enable the following mobile and desktop flows' to 'Yes'.
Select 'Save'.
Now, grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration:
In the left menu, under 'Manage', select 'API permissions'.
Under Configured permissions, select 'Add a permission'.
Select the 'APIs my organization uses' tab, then select the 'IdentityExperienceFramework' application.
Under 'Permission', select the 'user_impersonation' scope that you defined earlier.
Select 'Add permissions'.
Select 'Grant admin consent for (your tenant name)'.
Select 'Yes'.
Select 'Refresh', and then verify that 'Granted for ...' appears under Status for the scope.
Step 3 - Upload custom policies
Microsoft provides sample custom policies for several scenarios, which can be found here. For this tutorial we will be using the sample files in the 'LocalAccounts' folder.
Once you've downloaded the relevant folder and files, replace every occurrence of the string yourtenant in the LocalAccounts directory with the name of your Azure AD B2C tenant.
For example, if the name of your B2C tenant is apps365org, all instances of yourtenant.onmicrosoft.com become apps365org.onmicrosoft.com.
Open the extensions file 'TrustFrameworkExtensions.xml'.
Find the element:
<TechnicalProfile Id="login-NonInteractive">
Replace both instances of 'IdentityExperienceFrameworkAppId' with the application ID of the 'IdentityExperienceFramework' application that you created earlier in Step 2c.
Replace both instances of 'ProxyIdentityExperienceFrameworkAppId' with the application ID of the 'ProxyIdentityExperienceFramework' application that you created earlier in Step 2d.
Save the file.
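As an added example (not part of this tutorial or of Microsoft's sample files), the Python below applies the Step 3 substitutions to a constructed, trimmed stand-in for TrustFrameworkExtensions.xml, checks that no starter placeholder survives, and reads back which IDs actually ended up wired into the login-NonInteractive profile. It assumes a tenant name and two made-up GUIDs; note that 'IdentityExperienceFrameworkAppId' is a substring of the Proxy placeholder, so a find-and-replace done in the wrong order silently corrupts the proxy client_id.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for the sample TrustFrameworkExtensions.xml; the real
# file is far larger, but the login-NonInteractive technical profile has this shape.
SAMPLE_EXTENSIONS_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <Metadata>
        <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
        <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
PLACEHOLDERS = ("yourtenant", "ProxyIdentityExperienceFrameworkAppId", "IdentityExperienceFrameworkAppId")


def customize_policy(xml_text, tenant, ief_app_id, proxy_ief_app_id):
    """Apply the Step 3 substitutions. The Proxy placeholder must go first: the shorter
    'IdentityExperienceFrameworkAppId' is a substring of it and would otherwise corrupt it."""
    for app_id in (ief_app_id, proxy_ief_app_id):
        uuid.UUID(app_id)  # application (client) IDs are GUIDs; reject typos before upload
    out = xml_text.replace("ProxyIdentityExperienceFrameworkAppId", proxy_ief_app_id)
    out = out.replace("IdentityExperienceFrameworkAppId", ief_app_id)
    return out.replace("yourtenant", tenant)


def remaining_placeholders(xml_text):
    """Any sample placeholder still present means the policy would bind to nothing real."""
    return [p for p in PLACEHOLDERS if p in xml_text]


def login_noninteractive_ids(xml_text):
    """Parse the edited policy and return the IDs wired into login-NonInteractive."""
    root = ET.fromstring(xml_text)
    profile = root.find(".//cpim:TechnicalProfile[@Id='login-NonInteractive']", NS)
    items = {i.get("Key"): i.text for i in profile.findall("cpim:Metadata/cpim:Item", NS)}
    claims = {c.get("ClaimTypeReferenceId"): c.get("DefaultValue")
              for c in profile.findall("cpim:InputClaims/cpim:InputClaim", NS)}
    return {"client_id": items["client_id"], "audience": items["IdTokenAudience"],
            "claim_client_id": claims["client_id"], "claim_resource": claims["resource_id"]}
```

Running login_noninteractive_ids on the real edited file before uploading confirms that client_id and the resource/audience point at the Proxy and IdentityExperienceFramework registrations respectively, rather than the other way round.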
Navigate back to your Azure AD B2C tenant (search for 'Azure AD B2C').
Click on 'Identity Experience Framework'.
Select 'Upload custom policy'.
In this order, upload the policy files:
TrustFrameworkBase.xml
TrustFrameworkLocalization.xml
TrustFrameworkExtensions.xml
SignUpOrSignin.xml
ProfileEdit.xml
PasswordReset.xml
As you upload the files, Azure adds the prefix B2C_1A_ to each.
Step 4 - Test the custom policy
Under 'Custom policies', select 'B2C_1A_signup_signin' (the name may differ if you changed it).
For 'Select application' on the overview page of the custom policy, select the web application you wish to test, such as the one we registered in Step 1.
Make sure that the Reply URL is 'https://jwt.ms'.
Select 'Run now'.
Sign up using an email address.
Select 'Run now' again.
Sign in with the same account to confirm that you have the correct configuration.