The Microsoft Learn links are here and here.

Conditional Access (CA) uses Identity Protection to generate risk signals based on the type of sign-in and the user.
CA then evaluates those signals and passes the required action to B2C, which enforces it in the custom policy.
As per the links above, there are CA policy templates that you can use:

Based on the CA configuration below, CA can generate three signals:
- Block
- Force MFA
- Force password reset

You can also enforce IP address ranges and countries using named locations, where you select the countries you want to block.
(I just used Albania as a random example!)

The sample custom policy is here.
Before you start, you need to tell CA which authentication method was used, by setting the “AuthenticationMethodUsed” claim according to how the user signed in.
This can be:
- “Password”
- “OneTimePasscode”
You also need to tell CA whether the user is registered for MFA. The “IsMfaRegisteredCT” claims transformation does this by checking for the presence of one of:
- strongAuthenticationPhoneNumber
- strongAuthenticationEmailAddress
In the policy, you first call CA to evaluate the sign-in risk:
This returns a string collection that can contain up to three flags.
The three flags are:
- “mfa”
- “chg_pwd”
- “block”
This collection is then parsed by a claims-transformation technical profile, e.g. GenerateCAClaimFlags:
<TechnicalProfile Id="GenerateCAClaimFlags">
  <DisplayName>Generate CA claim flags</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims><OutputClaim ClaimTypeReferenceId="CAChallengeIsMfa" /></OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="SetCAChallengeIsMfa" />
  </OutputClaimsTransformations>
</TechnicalProfile>
where, e.g., “SetCAChallengeIsMfa” is:
<ClaimsTransformation Id="SetCAChallengeIsMfa" TransformationMethod="StringCollectionContains">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="item" DataType="string" Value="mfa" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="CAChallengeIsMfa" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
If the string collection contains the “mfa” flag, CAChallengeIsMfa is set to True.
Then, e.g., if CAChallengeIsMfa is True, the journey invokes MFA:
<ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
“block” invokes a paragraph-type page that halts the flow with the message:
"Due to recent activity associated with your account, your login has been
temporarily blocked."
“chg_pwd” invokes a change-password flow:
<ClaimsExchange Id="CA_ChangePassword" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
with the message:
"Due to recent activity associated with your account, we require you to change
your password."
Then, at the end of the journey, you call CA again to tell it that the risk has been remediated.
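To show how the steps above fit together in one user journey, here is the wiring as an added example. It is not the post's sample policy (linked above) and not Microsoft's published snippet. Technical-profile and claim names that do not appear on this page (ConditionalAccessEvaluation, ConditionalAccessRemediation, IsMfaRegistered, CAChallengeIsBlock, CAChallengeIsChgPwd, CA-Blocked, JwtIssuer, and the partner claim types UserId and multiConditionalAccessStatus) are assumptions, as is the exact set of input and output claims on the two CA technical profiles; check them against the Microsoft Learn reference before use.

```xml
<!-- Added example, not the post's sample policy. Names that are not on the page are
     assumptions to be matched to your own policy and to the Microsoft Learn reference:
     ConditionalAccessEvaluation, ConditionalAccessRemediation, IsMfaRegistered, CAChallengeIsBlock,
     CAChallengeIsChgPwd, CA-Blocked, JwtIssuer, partner claim types UserId / multiConditionalAccessStatus. -->
<ClaimsProvider>
  <DisplayName>Conditional Access</DisplayName>
  <TechnicalProfiles>
    <!-- Evaluation: send who signed in, how, and whether MFA is registered; get the flags back. -->
    <TechnicalProfile Id="ConditionalAccessEvaluation">
      <DisplayName>Conditional Access evaluation</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="OperationType">Evaluation</Item>
      </Metadata>
      <InputClaimsTransformations>
        <!-- IsMfaRegisteredCT (from the page) sets IsMfaRegistered from the user's MFA attributes -->
        <InputClaimsTransformation ReferenceId="IsMfaRegisteredCT" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="UserId" />
        <InputClaim ClaimTypeReferenceId="AuthenticationMethodUsed" />
        <InputClaim ClaimTypeReferenceId="IsMfaRegistered" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" PartnerClaimType="multiConditionalAccessStatus" />
      </OutputClaims>
    </TechnicalProfile>
    <!-- Remediation: report that the challenge was completed so the risk is closed. -->
    <TechnicalProfile Id="ConditionalAccessRemediation">
      <DisplayName>Conditional Access remediation</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="OperationType">Remediation</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="UserId" />
        <InputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" PartnerClaimType="multiConditionalAccessStatus" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- User journey steps, after the user has authenticated and objectId is in the claims bag.
     Order matters: block is checked first, and remediation runs only after every challenge
     has actually been completed. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="ConditionalAccessEvaluation" TechnicalProfileReferenceId="ConditionalAccessEvaluation" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- GenerateCAClaimFlags (from the page) parses the collection into the CAChallengeIs* booleans. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="GenerateCAClaimFlags" TechnicalProfileReferenceId="GenerateCAClaimFlags" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- "block": CA-Blocked (assumed) is a self-asserted profile that shows only the paragraph message
     and has no way to continue, so the journey never reaches remediation. ClaimEquals is false
     when the claim is absent, so a missing flag also skips the step. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>CAChallengeIsBlock</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="CA_Blocked" TechnicalProfileReferenceId="CA-Blocked" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- "chg_pwd": force a new password before anything else continues. -->
<OrchestrationStep Order="8" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>CAChallengeIsChgPwd</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="CA_ChangePassword" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- "mfa": PhoneFactor-InputOrVerify verifies the registered number, or enrols one if there is none. -->
<OrchestrationStep Order="9" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>CAChallengeIsMfa</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="10" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="ConditionalAccessRemediation" TechnicalProfileReferenceId="ConditionalAccessRemediation" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="11" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

Each challenge step is skipped unless its own flag is True, so the three flags are independent and more than one can fire for a single sign-in. Because the blocked page halts the journey, remediation is never reported for a blocked sign-in, and because the remediation step sits after the password-change and MFA steps, CA only learns that the risk was remediated once the user has actually completed those challenges. Putting remediation any earlier would clear the risk before the challenge was satisfied.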
The results can also be seen in the logs.


All good!
Using Conditional Access (CA) with Azure AD B2C custom policies was originally published in The new control plane on Medium.