@rbrayb
Last active June 3, 2019 19:19
Custom B2C policy for "Pwned passwords"
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <!-- Custom RESTful service: sends the new password to an external API for checking -->
    <TechnicalProfile Id="REST-API-PwnedPassword">
      <DisplayName>Validate user's password</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://mywebapplication.azurewebsites.net/api/Identity/CheckPassword</Item>
        <!-- None: B2C calls the endpoint without credentials, so the API cannot tell B2C from any other caller -->
        <Item Key="AuthenticationType">None</Item>
        <!-- QueryString: the password travels in the request URL, where web server and proxy logs can record it.
             Body sends the claims as a JSON payload instead, if the API accepts one. -->
        <Item Key="SendClaimsIn">QueryString</Item>
        <!-- Required for AuthenticationType None to be accepted in a production policy -->
        <Item Key="AllowInsecureAuthInProduction">true</Item>
      </Metadata>
      <InputClaims>
        <!-- Sent to the API as the "password" parameter -->
        <InputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="pwnedPasswordResult" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    <!-- Change LocalAccountSignUpWithLogonEmail technical profile to support your validation technical profile -->
    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="newPassword" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <!-- Runs the REST check when the sign-up form is submitted -->
        <ValidationTechnicalProfile ReferenceId="REST-API-PwnedPassword" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
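The policy only shows the B2C side; the following is an added example (not part of the gist, and not the author's service) of what the check behind `ServiceUrl` could do. It assumes the service uses the Pwned Passwords range lookup, where only the first five characters of the SHA-1 hash leave the service, and that it blocks sign-up with the HTTP 409 error shape a B2C RESTful validation profile understands; all function names, the sample range data and the `"ok"` claim value are constructed for illustration.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6 ("SUFFIX:COUNT" per line).
# Counts are made up; the 0-count line imitates a padding entry.
SAMPLE_RANGE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"
)

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0) and junk."""
    hits = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits

def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text; only the prefix leaves the service."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def b2c_response(count):
    """Assumed contract: 200 + output claim when clean, 409 + userMessage to block."""
    if count > 0:
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "This password has appeared in a data breach. Choose another."}
    return 200, {"pwnedPasswordResult": "ok"}

def fake_fetch(prefix):
    # Stand-in for an HTTPS GET to the range API; serves the constructed sample.
    return SAMPLE_RANGE if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, b2c_response(breach_count(pw, fake_fetch)))
```

In a real service `fake_fetch` would be replaced by an HTTPS request for the prefix, and neither the password nor the full hash should be written to logs.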