May 29, 2025
Azure AD B2C — too many Relying Parties spoil the broth

I have a chain of policies:
Policy B inherits from Policy A.
Policy A includes an RP that has “phoneNumberString” as an output claim.
Policy B includes an RP that does not have “phoneNumberString” as an output claim. There is no mention of this claim in the policy.
Policy B has a user journey called “Some User Journey”.
It is perfectly legal to include an RP in another policy, rather than having it in a separate policy.
In this case, when I tried to upload policy B, I got:
Validation failed: 1 validation error(s) found in policy "B" of tenant
"tenant.onmicrosoft.com".Claim type "phoneNumberString" is the output claim
of the relying party's technical profile, but it is not an output claim in
any of the steps of user journey "Some User Journey".
This is confusing, because the RP in Policy B does not have that output claim at all.
After some experimentation, I fixed the error by moving the RP in Policy A to its own policy file.
It appears that when B2C attempts to upload policies, it utilises the first RP in the chain and disregards any others.
All good!
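A small pre-upload check for this situation, added here as an example and not code from the original post: it walks the BasePolicy chain of a B2C custom policy and reports every policy in that chain that declares its own RelyingParty, with the output claims each one emits. The two sample policy documents are constructed to mirror the scenario above (policy ids, tenant and journey names are placeholders; element names follow the B2C TrustFrameworkPolicy schema).

```python
import xml.etree.ElementTree as ET

NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample policies mirroring the post: A carries an RP that emits
# phoneNumberString; B inherits from A and carries its own RP. Policy ids and
# journey names are placeholders.
POLICY_A = """<TrustFrameworkPolicy xmlns="%s" PolicyId="B2C_1A_A">
  <RelyingParty><DefaultUserJourney ReferenceId="JourneyA"/>
    <TechnicalProfile Id="PolicyProfile"><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="phoneNumberString"/>
    </OutputClaims></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>""" % NS["b2c"]

POLICY_B = """<TrustFrameworkPolicy xmlns="%s" PolicyId="B2C_1A_B">
  <BasePolicy><PolicyId>B2C_1A_A</PolicyId></BasePolicy>
  <RelyingParty><DefaultUserJourney ReferenceId="Some User Journey"/>
    <TechnicalProfile Id="PolicyProfile"><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email"/>
    </OutputClaims></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>""" % NS["b2c"]


def load_policies(xml_docs):
    """Map PolicyId -> parsed root element for each policy document."""
    return {r.get("PolicyId"): r for r in map(ET.fromstring, xml_docs)}


def inheritance_chain(policies, leaf_id):
    """Policy ids ordered from the base-most policy down to leaf_id."""
    chain, current = [], leaf_id
    while current is not None:
        if current in chain:
            raise ValueError("cycle in BasePolicy chain at " + current)
        chain.append(current)
        base = policies[current].find("b2c:BasePolicy/b2c:PolicyId", NS)
        current = base.text if base is not None else None
    return chain[::-1]


def relying_parties(policies, leaf_id):
    """(policy id, output claims) for every RelyingParty in the chain.
    Two or more entries is the misconfiguration the post describes: only the
    first RP in the chain is honoured at upload, so move it to its own file."""
    found = []
    for pid in inheritance_chain(policies, leaf_id):
        rp = policies[pid].find("b2c:RelyingParty", NS)
        if rp is not None:
            claims = [c.get("ClaimTypeReferenceId")
                      for c in rp.findall(".//b2c:OutputClaim", NS)]
            found.append((pid, claims))
    return found
```

Running `relying_parties(load_policies([POLICY_A, POLICY_B]), "B2C_1A_B")` returns both A's and B's RPs, which is the signal to split A's RP out before uploading.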
Azure AD B2C — too many Relying Parties spoil the broth was originally published in The new control plane on Medium.