@maskati
Last active March 20, 2025 08:57
Calculate the Azure AD B2C hash claims transformation locally using PowerShell

The Azure AD B2C hash claims transformation takes the following form:

<ClaimsTransformation Id="MyHashClaimsTransformation" TransformationMethod="Hash">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="myPlaintext" TransformationClaimType="plaintext" />
    <InputClaim ClaimTypeReferenceId="mySalt" TransformationClaimType="salt" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_MyRandomizerSecret" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="myHash" TransformationClaimType="hash" />
  </OutputClaims>
</ClaimsTransformation>

Technically, the output of the hash claims transformation is the Base64-encoded SHA-256 hash of the UTF-8 encoded bytes of a string composed of the input claims and the input parameter, concatenated in the form {randomizerSecret}{plaintext}{salt}. You can calculate it locally with PowerShell as follows, which results in the hash Sfsxeci8gzm1nbLn4Vl3F/zOoOqRJ1GbQicKTg5v3i0=:

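# Sample values for the three components of the hashed string
$randomizerSecret = 'randomizerSecret'
$plaintext = 'plaintext'
$salt = 'salt'

# Concatenate, UTF-8 encode, SHA-256 hash, then Base64 encode.
# The static SHA256.HashData method was added in .NET 5, so this line needs PowerShell 7.1 or later.
[Convert]::ToBase64String([Security.Cryptography.SHA256]::HashData([Text.Encoding]::UTF8.GetBytes("${randomizerSecret}${plaintext}${salt}")))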
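
A reusable form of the calculation above, as an added example that is not part of the original gist. The function names Get-B2CHash and Test-B2CHash are hypothetical, and SHA256.Create() replaces the static HashData so the code also runs on Windows PowerShell 5.1. The last call shows a consequence of the delimiter-free concatenation: moving characters between plaintext and salt leaves the hashed string unchanged, so keep the salt at a fixed length or otherwise unambiguous.

```powershell
# Added example; Get-B2CHash and Test-B2CHash are hypothetical names, not B2C or gist code.
function Get-B2CHash {
    param(
        [Parameter(Mandatory)][string]$RandomizerSecret,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Plaintext,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Salt
    )
    # Same composition as the gist: {randomizerSecret}{plaintext}{salt}, UTF-8 encoded.
    $bytes = [Text.Encoding]::UTF8.GetBytes("${RandomizerSecret}${Plaintext}${Salt}")
    # SHA256.Create()/ComputeHash also exists on .NET Framework, unlike the static HashData.
    $sha = [Security.Cryptography.SHA256]::Create()
    try { [Convert]::ToBase64String($sha.ComputeHash($bytes)) }
    finally { $sha.Dispose() }
}

function Test-B2CHash {
    param(
        [string]$Expected,
        [string]$RandomizerSecret,
        [string]$Plaintext,
        [string]$Salt
    )
    $actual = Get-B2CHash -RandomizerSecret $RandomizerSecret -Plaintext $Plaintext -Salt $Salt
    # Base64 is case-sensitive; -eq compares strings case-insensitively, so use -ceq.
    $actual -ceq $Expected
}

# Test vector stated in the gist.
$expected = 'Sfsxeci8gzm1nbLn4Vl3F/zOoOqRJ1GbQicKTg5v3i0='
Test-B2CHash -Expected $expected -RandomizerSecret 'randomizerSecret' -Plaintext 'plaintext' -Salt 'salt'

# Constructed input: a different plaintext/salt split that still concatenates to
# 'randomizerSecretplaintextsalt', i.e. the identical byte string is hashed.
Test-B2CHash -Expected $expected -RandomizerSecret 'randomizerSecret' -Plaintext 'plain' -Salt 'textsalt'
```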