Configure an Azure AD B2C Authentication Provider

Publish Date: Feb 19, 2026
Description
OpenID Connect (OIDC) Auth Providers in Salesforce require a User Info endpoint, but Azure AD B2C does not expose one by default. Configuring a B2C Auth Provider therefore requires additional steps beyond those needed for a standard Azure AD Auth Provider.

Note: the Microsoft Auth Provider introduced in Summer '22 cannot be used for Azure AD B2C due to the different expected Authorize/Token Endpoint URLs.
Resolution

Steps to configure an Azure AD B2C Auth Provider

a) As the "Example: Configure an Azure AD Authentication Provider" article explains, create an App Registration in the B2C tenant, and an Auth Provider in Salesforce. Set the following parameters:

Consumer Key: Application (client) ID as seen in the Azure AD B2C App Registration detail page
Consumer Secret: Client secret as configured on the Azure AD B2C app registration
Authorize Endpoint URL: https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
Token Endpoint URL: https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>/oauth2/v2.0/token
Token Issuer: https://yourtenant.b2clogin.com/<Directory (tenant) ID>/v2.0/
Default Scopes: the Application (client) ID as seen in the App Registration detail page, followed by openid offline_access

As an example, if the app ID is 90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6, Default Scopes should be

90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 openid offline_access

Note that the authorize and token endpoint URLs, the Token Issuer and the configured claims are published in the policy's discovery document at https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration.

b) Update the Redirect URI in your App Registration with the Auth Provider's Callback URL.

c) Enable the UserInfo endpoint in your Azure AD B2C instance by creating a custom policy, following the steps in the UserInfo endpoint article.

Ensure the UserInfoIssuer's InputClaims section uses the following PartnerClaimType values:

  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <InputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <InputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
    <InputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="full_name" />
    <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="preferred_username" />
  </InputClaims>

and the UserInfoAuthorization's OutputClaims section is as follows:

  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
  </OutputClaims>

Note that https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration should now include a "userinfo_endpoint" property.

d) Update the User Info Endpoint URL in the Auth Provider.

User Info Endpoint URL:

https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>/openid/v2.0/userinfo

e) Create a registration handler

Note that the createUser() method is invoked only when no ThirdPartyAccountLink (TPAL) record exists for that user and Auth Provider combination. To also cover users who were created in Salesforce before the Auth Provider was set up, ensure createUser() returns the existing User record instead of creating a duplicate. More information on this scenario can be found here.
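As an added example of the handler described in step e (not code from this article or from Salesforce), the following Apex Auth.RegistrationHandler looks up an existing User before provisioning a new one, so that Salesforce creates the TPAL for a pre-existing account rather than inserting a duplicate. The profile name, the username domain, the locale defaults and the fallback last name are assumptions; the claim names (sub, email, given_name, family_name) are the ones the custom policy above returns.

```apex
// Added example, not Salesforce's sample code. Profile name, username domain and
// locale defaults below are assumptions for this illustration.
global class AzureB2CRegistrationHandler implements Auth.RegistrationHandler {

    public class RegistrationException extends Exception {}

    // Assumed: profile for SSO-provisioned users and a domain that keeps usernames unique.
    private static final String DEFAULT_PROFILE_NAME = 'Standard User';
    private static final String USERNAME_DOMAIN = 'b2c.example.invalid';

    // Called only when no ThirdPartyAccountLink exists for this sub + Auth Provider.
    global User createUser(Id portalId, Auth.UserData data) {
        String email = claim(data, 'email', data.email);

        // User provisioned before the Auth Provider existed: return it so Salesforce
        // links the identity (creates the TPAL) instead of inserting a duplicate.
        User existing = findExistingUser(data.identifier, email);
        if (existing != null) {
            return existing;
        }

        if (String.isBlank(email)) {
            // Without an email claim there is no usable account to provision; stop the login.
            throw new RegistrationException('No email claim in the B2C UserInfo response');
        }

        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE_NAME LIMIT 1];
        String lastName = claim(data, 'family_name', data.lastName);

        User u = new User();
        u.ProfileId = p.Id;
        u.Email = email;
        u.FirstName = claim(data, 'given_name', data.firstName);
        u.LastName = String.isBlank(lastName) ? 'User' : lastName;   // LastName is required
        // sub is the B2C objectId, a stable GUID; store it so later lookups match on it
        // rather than on the mutable email address.
        u.FederationIdentifier = data.identifier;
        u.Username = data.identifier + '@' + USERNAME_DOMAIN;
        u.Alias = data.identifier.replace('-', '').left(8);
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        // A User returned without an Id is inserted by Salesforce after this method returns.
        return u;
    }

    // Called on every subsequent login, once the TPAL exists.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, FirstName, LastName, FederationIdentifier FROM User WHERE Id = :userId];
        u.FirstName = claim(data, 'given_name', data.firstName);
        String lastName = claim(data, 'family_name', data.lastName);
        if (String.isNotBlank(lastName)) {
            u.LastName = lastName;
        }
        // Backfill the sub for users that were linked by email on their first login.
        if (String.isBlank(u.FederationIdentifier)) {
            u.FederationIdentifier = data.identifier;
        }
        update u;
    }

    // Match on the stable sub first; fall back to the email address, which B2C verifies
    // for local accounts at sign-up. Refuse ambiguous matches rather than risk linking
    // the identity to the wrong User.
    private static User findExistingUser(String sub, String email) {
        List<User> bySub = [SELECT Id FROM User
                            WHERE FederationIdentifier = :sub AND IsActive = true LIMIT 2];
        if (bySub.size() > 1) {
            throw new RegistrationException('Multiple active users share FederationIdentifier ' + sub);
        }
        if (bySub.size() == 1) {
            return bySub[0];
        }
        if (String.isBlank(email)) {
            return null;
        }
        List<User> byEmail = [SELECT Id FROM User
                              WHERE Email = :email AND IsActive = true LIMIT 2];
        if (byEmail.size() > 1) {
            throw new RegistrationException('Multiple active users share email ' + email);
        }
        return byEmail.isEmpty() ? null : byEmail[0];
    }

    // Prefer the raw UserInfo claim from attributeMap; fall back to the field the
    // OIDC Auth Provider already mapped (identifier, email, firstName, lastName).
    private static String claim(Auth.UserData data, String name, String mapped) {
        if (data.attributeMap != null && String.isNotBlank(data.attributeMap.get(name))) {
            return data.attributeMap.get(name);
        }
        return mapped;
    }
}
```

Select this class in the Auth Provider's Registration Handler field. The email fallback in findExistingUser() is only appropriate because B2C verifies the email of local accounts; if the B2C policy also federates social identity providers whose email claim is not verified, match on FederationIdentifier alone.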

f) In an incognito window, test the SSO flow by going to the Auth Provider's Test-Only URL.


Troubleshooting

a) Ensure a "userinfo_endpoint" property is returned by https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration. If not, revisit the steps mentioned here.

b) Get an access token:

b.1) Go to the Auth Provider's Test-Only URL. You'll be redirected to the authorization endpoint.
b.2) Sign into Azure B2C.
b.3) Inspect the HTTP requests and get the authorization code. It is carried as the code parameter of the redirect to the Auth Provider's Callback URL that follows this GET request:

GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=<app-id>

b.4) Now, get an access token by sending this POST request:

POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
client_id=<app-id>&
client_secret=<client-secret>&
scope=<app-id>%20openid%20offline_access&
code=AwA...&
redirect_uri=<auth-provider-callback-url>

c) Get UserInfo details. Send a GET request to the UserInfo endpoint configured in step d, using the previously obtained access token:

GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/openid/v2.0/userinfo HTTP/1.1
Authorization: Bearer <access-token>

d) Debug your registration handler to ensure it correctly compares the OpenID Connect user info claims to the User attributes.

Note:
Because Salesforce validates the state parameter on the callback, Salesforce must initiate the OIDC flow. As a result, you can’t use the Run Me button in Azure, as it doesn't include a Salesforce-generated state value.

Knowledge Article Number

000393769
