Created
August 14, 2025 15:48
-
-
Save rbrayb/847be01d7f2c532d66cf07ad84d6466d to your computer and use it in GitHub Desktop.
Some notes on migrating from Azure AD B2C to Entra External ID (EEID) (Part 2)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_OrchestrateToCiam_PwdMigrate_Hybrid" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_OrchestrateToCiam_PwdMigrate_Hybrid" | |
| DeploymentMode="Development" | |
| UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"> | |
| <!-- | |
| Please modify policyId to save the policy. | |
| Please find the schema reference at | |
| https://docs.microsoft.com/en-us/azure/active-directory-b2c/trustframeworkpolicy. | |
| --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_AUG_MFA_TRUSTFRAMEWORKEXTENSIONS</PolicyId> | |
| </BasePolicy> | |
| <!-- ngrok http 7257 --> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="groups"> | |
| <DisplayName>groups</DisplayName> | |
| <DataType>stringCollection</DataType> | |
| <UserHelpText /> | |
| </ClaimType> | |
| <ClaimType Id="roles"> | |
| <DisplayName>roles</DisplayName> | |
| <DataType>stringCollection</DataType> | |
| <UserHelpText /> | |
| </ClaimType> | |
| <ClaimType Id="newlyEnrolled"> | |
| <DisplayName>newlyEnrolled</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText /> | |
| </ClaimType> | |
| <ClaimType Id="graph_bearerToken"> | |
| <DisplayName>Bearer token</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="method"> | |
| <DisplayName>api method</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="errorMessage"> | |
| <DisplayName>Error Message</DisplayName> | |
| <DataType>string</DataType> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="ropc_grant_type"> | |
| <DisplayName>ropc_grant_type</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>ropc_grant_type</AdminHelpText> | |
| <UserHelpText>ropc_grant_type</UserHelpText> | |
| </ClaimType> | |
| <ClaimType Id="ciam_client_id"> | |
| <DisplayName>ciam_client_id</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>ciam_client_id</AdminHelpText> | |
| <UserHelpText>ciam_client_id</UserHelpText> | |
| </ClaimType> | |
| <ClaimType Id="verificationCode"> | |
| <DisplayName>Verification Code</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Enter your verification code</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <!-- Migration --> | |
| <ClaimType Id="extension_requiresMigration"> | |
| <DisplayName>Indicates whether the user requires to be migrated</DisplayName> | |
| <DataType>boolean</DataType> | |
| </ClaimType> | |
| <ClaimType Id="savePassword"> | |
| <DisplayName>Saved password</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText></AdminHelpText> | |
| </ClaimType> | |
| <ClaimType Id="CIAM-objectId"> | |
| <DisplayName>CIAM user's Object ID</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <Predicates> | |
| <Predicate Id="email" Method="MatchesRegex"> | |
| <UserHelpText>Please enter a valid email address.</UserHelpText> | |
| <Parameters> | |
| <!-- | |
| This regex is constructed mostly from RFC 5322 for email, with intentional omissions based on | |
| discovery of characters that don't work for other services we use | |
| # the below two lines cover the local part of the email, before the '@' sign | |
| [a-zA-Z0-9!#$%&'+^_`{}~-]+ # matches lower or upper case letters, digits, and certain special | |
| characters | |
| (?:\.[a-zA-Z0-9!#$%&'+^_`{}~-]+)* # same list as above, but including an optional '.' character | |
| at the beginning, repeated | |
| # together, the above two lines prevent the '.' character from appearing at the start, end, or | |
| twice in a row in the local part | |
| @ # the '@' symbol appears exactly once, seperating the local and domain sections | |
| (?:[a-zA-Z0-9] # matches lower and uppercase letters and digits | |
| (?:[a-zA-Z0-9-]* # same as above, but also allowing '-' | |
| [a-zA-Z0-9]) # only lower and uppercase letters and digits again | |
| ?\.)+ # allows for a '.' character to terminate a section | |
| # the above lines mean that '.' can create segments, and segments can't begin or end with a '-'. | |
| Also, no repeating '.' chars | |
| [a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$ | |
| # the above line is the essentially same as the previous section, but forces the email to not end | |
| with a '.' | |
| --> | |
| <Parameter Id="RegularExpression">^[a-zA-Z0-9!#$%&'+^_`{}~-]+(?:\.[a-zA-Z0-9!#$%&'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$</Parameter> | |
| </Parameters> | |
| </Predicate> | |
| <Predicate Id="internationalOrNationalPhoneNumber" Method="MatchesRegex"> | |
| <UserHelpText>The value entered needs to be a phone number.</UserHelpText> | |
| <Parameters> | |
| <!-- | |
| This regex will match a string with an optional leading "+", 4 to 16 digits, and any number of | |
| dashes, parentheses, and spaces, in any order. | |
| It is intentionally overinclusive to allow the user to continue their journey with any input that | |
| might be an international or national phone number | |
| in any country with any customary punctuation/formatting. In this policy, the | |
| ConvertStringToPhoneNumberClaim claims converter will do the the final | |
| validation, | |
| ignoring the dashes, parentheses, and spaces. | |
| --> | |
| <Parameter Id="RegularExpression">^\+?(?:[-()\s]*\d[-()\s]*){4,16}$</Parameter> | |
| </Parameters> | |
| </Predicate> | |
| <Predicate Id="noLeadingPlus" Method="MatchesRegex"> | |
| <UserHelpText>The national number should not include a country code.</UserHelpText> | |
| <Parameters> | |
| <!-- Combine this with the predicate above to match only a national phone number --> | |
| <Parameter Id="RegularExpression">^[^\\+]+$</Parameter> | |
| </Parameters> | |
| </Predicate> | |
| </Predicates> | |
| <PredicateValidations> | |
| <PredicateValidation Id="nationalNumber"> | |
| <PredicateGroups> | |
| <PredicateGroup Id="internationalOrNationalPhoneNumber"> | |
| <PredicateReferences> | |
| <PredicateReference Id="internationalOrNationalPhoneNumber" /> | |
| </PredicateReferences> | |
| </PredicateGroup> | |
| <PredicateGroup Id="noLeadingPlus"> | |
| <PredicateReferences> | |
| <PredicateReference Id="noLeadingPlus" /> | |
| </PredicateReferences> | |
| </PredicateGroup> | |
| </PredicateGroups> | |
| </PredicateValidation> | |
| <PredicateValidation Id="internationalOrNationalPhoneNumber"> | |
| <PredicateGroups> | |
| <PredicateGroup Id="internationalOrNationalPhoneNumber"> | |
| <UserHelpText>Please enter a valid phone number.</UserHelpText> | |
| <PredicateReferences> | |
| <PredicateReference Id="internationalOrNationalPhoneNumber" /> | |
| </PredicateReferences> | |
| </PredicateGroup> | |
| </PredicateGroups> | |
| </PredicateValidation> | |
| </PredicateValidations> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CopyPassword" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="inputClaim" /> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="savePassword" | |
| TransformationClaimType="outputClaim" /> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| <ContentDefinitions> | |
| <ContentDefinition Id="api.error"> | |
| <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.idpselections"> | |
| <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.idpselections.signup"> | |
| <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.signuporsignin"> | |
| <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.2</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.selfasserted"> | |
| <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.selfasserted.profileupdate"> | |
| <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.localaccountsignup"> | |
| <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.localaccountpasswordreset"> | |
| <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="api.phonefactor"> | |
| <LoadUri>~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml</LoadUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.0</DataUri> | |
| </ContentDefinition> | |
| <ContentDefinition Id="newPhoneNumber"> | |
| <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri> | |
| <RecoveryUri>~/common/default_page_error.html</RecoveryUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri> | |
| <Metadata> | |
| <Item Key="DisplayName">Verify new phone number</Item> | |
| </Metadata> | |
| </ContentDefinition> | |
| </ContentDefinitions> | |
| </BuildingBlocks> | |
| <!-- | |
| CIAM-SignUpWithLogonEmail - LocalAccountSignUpWithLogonEmail | |
| CIAM-SelfAsserted-LocalAccountSignin-Email - SelfAsserted-LocalAccountSignin-Email | |
| CIAM-SelfAsserted-SocialLogin-Email - SelfAsserted-SocialLogin-Email | |
| CIAM-UserReadUsingUserIdentity-NoError - AAD-UserReadUsingUserIdentity-NoError | |
| REST-CIAM-UserWriteUsingLogonEmail - AAD-UserWriteUsingLogonEmail | |
| REST-login-NonInteractive-CIAM - login-NonInteractive | |
| REST-fetchUserProfile-CIAM | |
| REST-CIAM-UserUpdatePhoneNumberUsingObjectId - AAD-UserWritePhoneNumberUsingObjectId | |
| REST-CIAM-UserReadUsingObjectIdOrEmail - AAD-UserReadUsingObjectId | |
| REST-CIAM-UserReadUsingAlternativeSecurityId - AAD-UserReadUsingAlternativeSecurityId | |
| REST-CIAM-UserWriteUsingAlternativeSecurityId - AAD-UserWriteUsingAlternativeSecurityId | |
| --> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>Local Account Sign Up and Sign in APIs</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="CIAM-LocalAccountWritePasswordUsingObjectId"> | |
| <DisplayName>Change password (username)</DisplayName> | |
| <Protocol Name="Proprietary" | |
| Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" /> | |
| </CryptographicKeys> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="objectId" /> | |
| <InputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" /> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" /> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" /> | |
| </OutputClaims> | |
| <ValidationTechnicalProfiles> | |
| <ValidationTechnicalProfile | |
| ReferenceId="REST-CIAM-UserWritePasswordUsingObjectId" /> | |
| </ValidationTechnicalProfiles> | |
| </TechnicalProfile> | |
| <!-- Adding the required session manager --> | |
| <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId"> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" /> | |
| </TechnicalProfile> | |
| <!-- Migration --> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="extension_requiresMigration" /> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName" /> | |
| <OutputClaim ClaimTypeReferenceId="signInName" /> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_requiresMigration" | |
| DefaultValue="false" AlwaysUseDefaultValue="true" /> | |
| </PersistedClaims> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common" /> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="savePassword" /> | |
| </OutputClaims> | |
| <ValidationTechnicalProfiles> | |
| <ValidationTechnicalProfile ReferenceId="Copy-Password" /> | |
| </ValidationTechnicalProfiles> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="Copy-Password"> | |
| <DisplayName>Unlink Facebook</DisplayName> | |
| <Protocol Name="Proprietary" | |
| Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="password" /> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="savePassword" /> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CopyPassword" /> | |
| </OutputClaimsTransformations> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /> | |
| </TechnicalProfile> | |
| <!-- REST API --> | |
| <TechnicalProfile Id="REST-CIAM-UserReadUsingEmail"> | |
| <DisplayName>Write user into CIAM tenant</DisplayName> | |
| <Protocol Name="Proprietary" | |
| Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> | |
| <Metadata> | |
| <!-- Set the ServiceUrl with your own REST API endpoint --> | |
| <Item Key="ServiceUrl">https://c3101515984d.ngrok-free.app/api/ciamhelper</Item> | |
| <Item Key="SendClaimsIn">Body</Item> | |
| <!-- Set AuthenticationType to Basic or ClientCertificate in production | |
| environments --> | |
| <Item Key="AuthenticationType">None</Item> | |
| <!-- REMOVE the following line in production environments --> | |
| <Item Key="AllowInsecureAuthInProduction">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <!-- Claims sent to your REST API --> | |
| <!-- <InputClaim ClaimTypeReferenceId="objectId" /> --> | |
| <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" | |
| PartnerClaimType="email" /> | |
| <InputClaim ClaimTypeReferenceId="method" AlwaysUseDefaultValue="true" | |
| DefaultValue="read" /> | |
| </InputClaims> | |
| <OutputClaims> | |
| <!-- Claims parsed from your REST API --> | |
| <OutputClaim ClaimTypeReferenceId="CIAM-objectId" PartnerClaimType="Id" /> | |
| <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" | |
| PartnerClaimType="identities.0.issuerAssignedId" /> | |
| <OutputClaim ClaimTypeReferenceId="displayName" | |
| PartnerClaimType="DisplayName" /> | |
| <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="otherMails" /> | |
| <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="GivenName" /> | |
| <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="Surname" /> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName" | |
| PartnerClaimType="UserPrincipalName" /> | |
| <OutputClaim ClaimTypeReferenceId="extension_requiresMigration" /> | |
| </OutputClaims> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| <ClaimsProvider> | |
| <DisplayName>Local Account MFA APIs</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="REST-CIAM-UserWritePasswordUsingObjectId"> | |
| <DisplayName>Write user phoneMethod</DisplayName> | |
| <Protocol Name="Proprietary" | |
| Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> | |
| <Metadata> | |
| <!-- Set the ServiceUrl with your own REST API endpoint --> | |
| <Item Key="ServiceUrl">https://c3101515984d.ngrok-free.app/api/ciamhelper</Item> | |
| <Item Key="SendClaimsIn">Body</Item> | |
| <!-- Set AuthenticationType to Basic or ClientCertificate in production | |
| environments --> | |
| <Item Key="AuthenticationType">None</Item> | |
| <!-- REMOVE the following line in production environments --> | |
| <Item Key="AllowInsecureAuthInProduction">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <!-- Claims sent to your REST API --> | |
| <InputClaim ClaimTypeReferenceId="CIAM-objectId" PartnerClaimType="objectId" /> | |
| <InputClaim ClaimTypeReferenceId="savePassword" PartnerClaimType="password" /> | |
| <InputClaim ClaimTypeReferenceId="method" AlwaysUseDefaultValue="true" | |
| DefaultValue="resetPassword" /> | |
| </InputClaims> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn-PwdMigrate" | |
| DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" | |
| ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection | |
| ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" | |
| TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" | |
| TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" /> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when | |
| authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" | |
| TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when | |
| authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>extension_requiresMigration</Value> | |
| <Value>False</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="CIAMUserReadWithObjectId" | |
| TechnicalProfileReferenceId="REST-CIAM-UserReadUsingEmail" /> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when | |
| authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>extension_requiresMigration</Value> | |
| <Value>False</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="CIAMUserWritePassword" | |
| TechnicalProfileReferenceId="REST-CIAM-UserWritePasswordUsingObjectId" /> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>extension_requiresMigration</Value> | |
| <Value>False</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="Clear-Migration-Flag" | |
| TechnicalProfileReferenceId="AAD-UserWriteProfileUsingObjectId" /> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="7" Type="SendClaims" | |
| CpimIssuerTechnicalProfileReferenceId="JwtIssuer" /> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb" /> | |
| </UserJourney> | |
| </UserJourneys> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="SignUpOrSignIn-PwdMigrate" /> | |
| <UserJourneyBehaviors> | |
| <JourneyInsights TelemetryEngine="ApplicationInsights" | |
| InstrumentationKey="41...d0" DeveloperMode="true" | |
| ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" /> | |
| </UserJourneyBehaviors> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect" /> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="displayName" /> | |
| <OutputClaim ClaimTypeReferenceId="givenName" /> | |
| <OutputClaim ClaimTypeReferenceId="surname" /> | |
| <OutputClaim ClaimTypeReferenceId="email" /> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" /> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" | |
| DefaultValue="{Policy:TenantObjectId}" /> | |
| <OutputClaim ClaimTypeReferenceId="groups" DefaultValue="null" /> | |
| <OutputClaim ClaimTypeReferenceId="roles" DefaultValue="null" /> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub" /> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://medium.com/the-new-control-plane/some-notes-on-migrating-from-azure-ad-b2c-to-entra-external-id-eeid-part-2-464eb5f08fa5