Some notes on migrating from Azure AD B2C to Entra External ID (EEID) (Part 1)
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_OrchestrateToCiamV_FullMigrate_Hybrid"
PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_OrchestrateToCiamV_FullMigrate_Hybrid"
DeploymentMode="Development"
UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">
<!--
Extension policy for the Azure AD B2C to Entra External ID (CIAM) "hybrid" migration
journey. It layers on top of B2C_1A_AUG_MFA_TRUSTFRAMEWORKEXTENSIONS (BasePolicy below).

This is a DEVELOPMENT build of the policy:
* DeploymentMode="Development" together with UserJourneyRecorderEndpoint sends the user
  journey recording (claim values included) to Application Insights. This policy keeps the
  user's clear-text password in the "savePassword" claim (see ClaimsSchema and the
  CopyPassword transformation), so that credential can land in telemetry while in this
  mode. Set DeploymentMode="Production" and drop the recorder endpoint before go-live.
* "tenant" is a placeholder for the real tenant name, and PolicyId must be changed
  before the policy can be saved.

Schema reference:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/trustframeworkpolicy.
-->
<BasePolicy>
<TenantId>tenant.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_AUG_MFA_TRUSTFRAMEWORKEXTENSIONS</PolicyId>
</BasePolicy>
<!-- Local development only: the REST helper used by REST-CIAM-UserMigrateUsingLogonEmail
(see its ServiceUrl) was exposed from localhost with "ngrok http 7257". The tunnel hostname
changes between runs and the profile calls it with AuthenticationType None, so this must be
replaced by a stable, TLS-terminated and authenticated endpoint outside development. -->
<BuildingBlocks>
<ClaimsSchema>
<!-- Phone-number claims used by the MFA display controls and the AzureMfa profiles below. -->
<ClaimType Id="signInNames.phoneNumber">
<DataType>phoneNumber</DataType>
</ClaimType>
<ClaimType Id="phoneNumberString">
<DataType>string</DataType>
</ClaimType>
<!-- groups, roles and newlyEnrolled are declared here but not referenced anywhere in this
file; presumably consumed by the base policy. -->
<ClaimType Id="groups">
<DisplayName>groups</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText />
</ClaimType>
<ClaimType Id="roles">
<DisplayName>roles</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText />
</ClaimType>
<ClaimType Id="newlyEnrolled">
<DisplayName>newlyEnrolled</DisplayName>
<DataType>string</DataType>
<UserHelpText />
</ClaimType>
<!-- Bearer token for downstream calls. Not referenced in this file. Like savePassword below
it is secret material: never add it to a relying-party OutputClaims list or to session
PersistedClaims. -->
<ClaimType Id="graph_bearerToken">
<DisplayName>Bearer token</DisplayName>
<DataType>string</DataType>
</ClaimType>
<!-- Operation discriminator sent to the REST helper ("createUser" in
REST-CIAM-UserMigrateUsingLogonEmail). -->
<ClaimType Id="method">
<DisplayName>api method</DisplayName>
<DataType>string</DataType>
</ClaimType>
<!-- Message shown by SelfAsserted-Error-MFA. -->
<ClaimType Id="errorMessage">
<DisplayName>Error Message</DisplayName>
<DataType>string</DataType>
<UserInputType>TextBox</UserInputType>
</ClaimType>
<!-- ROPC parameters; not referenced in this file. -->
<ClaimType Id="ropc_grant_type">
<DisplayName>ropc_grant_type</DisplayName>
<DataType>string</DataType>
<AdminHelpText>ropc_grant_type</AdminHelpText>
<UserHelpText>ropc_grant_type</UserHelpText>
</ClaimType>
<ClaimType Id="ciam_client_id">
<DisplayName>ciam_client_id</DisplayName>
<DataType>string</DataType>
<AdminHelpText>ciam_client_id</AdminHelpText>
<UserHelpText>ciam_client_id</UserHelpText>
</ClaimType>
<!-- Display copy of the phone number on record, rendered read-only and display-masked.
Populated by the CopyPhoneToReadOnly transformation and used by
phoneVerificationControl-readOnly and the AzureMfa-*-RO profiles. -->
<ClaimType Id="readOnlystrongAuthenticationPhoneNumber">
<DisplayName>Phone number</DisplayName>
<DataType>string</DataType>
<Mask Type="Simple">XXX-XXX-</Mask>
<UserHelpText>Your telephone number</UserHelpText>
<UserInputType>Readonly</UserInputType>
</ClaimType>
<!-- Country picker for new-number enrolment. The Restriction list is the complete set of
accepted countries, so a user outside it cannot enrol a phone number. -->
<ClaimType Id="countryCode">
<DisplayName>Country</DisplayName>
<DataType>string</DataType>
<UserHelpText>Enter Country</UserHelpText>
<UserInputType>DropdownSingleSelect</UserInputType>
<Restriction>
<Enumeration Text="New Zealand(+64)" Value="NZ" />
<Enumeration Text="Ireland(+353)" Value="IE" />
<Enumeration Text="Sweden(+46)" Value="SE" />
<Enumeration Text="Switzerland(+41)" Value="CH" />
<Enumeration Text="United Kingdom(+44)" Value="GB" />
<Enumeration Text="United States(+1)" Value="US" />
</Restriction>
</ClaimType>
<!-- National part of the number; validated by the nationalNumber PredicateValidation
(phone-shaped and no plus sign), then combined with countryCode by
ConvertStringToPhoneNumber. -->
<ClaimType Id="nationalNumber">
<DisplayName>Phone Number</DisplayName>
<DataType>string</DataType>
<UserHelpText>Enter National Phone Number</UserHelpText>
<UserInputType>TextBox</UserInputType>
<PredicateValidationReference Id="nationalNumber" />
</ClaimType>
<!-- One-time code typed by the user; checked by the AzureMfa-VerifySms profiles. -->
<ClaimType Id="verificationCode">
<DisplayName>Verification Code</DisplayName>
<DataType>string</DataType>
<UserHelpText>Enter your verification code</UserHelpText>
<UserInputType>TextBox</UserInputType>
</ClaimType>
<!-- Not referenced in this file. -->
<ClaimType Id="isForgotPassword">
<DisplayName>Indicates whether the user selected Forgot Password</DisplayName>
<DataType>boolean</DataType>
<AdminHelpText></AdminHelpText>
</ClaimType>
<!-- Migration -->
<!-- Directory extension attribute (extension_ prefix). Read by AAD-UserReadUsingObjectId,
gates orchestration steps 5 and 6 of CIAM-SignUpOrSignIn-Migrate, and is reset to false by
AAD-UserWriteProfileUsingObjectId once the user has been written to the CIAM tenant. -->
<ClaimType Id="extension_requiresMigration">
<DisplayName>Indicates whether the user requires to be migrated</DisplayName>
<DataType>boolean</DataType>
</ClaimType>
<!-- Clear-text copy of the password the user just typed (made by the CopyPassword
transformation), kept only so the migration REST call can replay it into the CIAM tenant.
This is credential material: keep it out of relying-party OutputClaims, session
PersistedClaims and telemetry (see DeploymentMode on the root element). -->
<ClaimType Id="savePassword">
<DisplayName>Saved password</DisplayName>
<DataType>string</DataType>
<AdminHelpText></AdminHelpText>
</ClaimType>
<!-- Object id of the user created in the CIAM tenant, parsed from the helper API
response field "id". -->
<ClaimType Id="CIAM-objectId">
<DisplayName>CIAM object ID</DisplayName>
<DataType>string</DataType>
</ClaimType>
</ClaimsSchema>
<Predicates>
<!-- Input-shape predicates. These are deliberately loose; the phoneNumber claims converter
(ConvertStringToPhoneNumber) does the authoritative validation. -->
<Predicate Id="email" Method="MatchesRegex">
<UserHelpText>Please enter a valid email address.</UserHelpText>
<Parameters>
<!--
This regex is constructed mostly from RFC 5322 for email, with intentional omissions based on
discovery of characters that don't work for other services we use
# the below two lines cover the local part of the email, before the '@' sign
[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+ # matches lower or upper case letters, digits, and certain special
characters
(?:\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)* # same list as above, but including an optional '.' character
at the beginning, repeated
# together, the above two lines prevent the '.' character from appearing at the start, end, or
twice in a row in the local part
@ # the '@' symbol appears exactly once, separating the local and domain sections
(?:[a-zA-Z0-9] # matches lower and uppercase letters and digits
(?:[a-zA-Z0-9-]* # same as above, but also allowing '-'
[a-zA-Z0-9]) # only lower and uppercase letters and digits again
?\.)+ # allows for a '.' character to terminate a section
# the above lines mean that '.' can create segments, and segments can't begin or end with a '-'.
Also, no repeating '.' chars
[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$
# the above line is essentially the same as the previous section, but forces the email to not end
with a '.'
Note: "&amp;" below is XML escaping; the regex the engine sees contains a plain ampersand.
-->
<Parameter Id="RegularExpression">^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$</Parameter>
</Parameters>
</Predicate>
<Predicate Id="internationalOrNationalPhoneNumber" Method="MatchesRegex">
<UserHelpText>The value entered needs to be a phone number.</UserHelpText>
<Parameters>
<!--
This regex will match a string with an optional leading "+", 4 to 16 digits, and any number of
dashes, parentheses, and spaces, in any order.
It is intentionally overinclusive to allow the user to continue their journey with any input that
might be an international or national phone number
in any country with any customary punctuation/formatting. In this policy, the
ConvertStringToPhoneNumberClaim claims converter will do the final
validation,
ignoring the dashes, parentheses, and spaces.
-->
<Parameter Id="RegularExpression">^\+?(?:[-()\s]*\d[-()\s]*){4,16}$</Parameter>
</Parameters>
</Predicate>
<Predicate Id="noLeadingPlus" Method="MatchesRegex">
<UserHelpText>The national number should not include a country code.</UserHelpText>
<Parameters>
<!-- Combine this with the predicate above to match only a national phone number.
The pattern is XML element text, so the two backslashes are literal: the character class
excludes both a backslash and a plus sign, and because it is anchored with + and $ a plus sign
is rejected anywhere in the value, not just at the start. Harmless for the intended use. -->
<Parameter Id="RegularExpression">^[^\\+]+$</Parameter>
</Parameters>
</Predicate>
</Predicates>
<PredicateValidations>
<!-- nationalNumber: referenced by the nationalNumber claim type. The value has to satisfy
both groups, i.e. look like a phone number and contain no plus sign (country code). -->
<PredicateValidation Id="nationalNumber">
<PredicateGroups>
<PredicateGroup Id="internationalOrNationalPhoneNumber">
<PredicateReferences>
<PredicateReference Id="internationalOrNationalPhoneNumber" />
</PredicateReferences>
</PredicateGroup>
<PredicateGroup Id="noLeadingPlus">
<PredicateReferences>
<PredicateReference Id="noLeadingPlus" />
</PredicateReferences>
</PredicateGroup>
</PredicateGroups>
</PredicateValidation>
<!-- internationalOrNationalPhoneNumber: shape check only, plus sign allowed. Not referenced
by any claim type in this file. -->
<PredicateValidation Id="internationalOrNationalPhoneNumber">
<PredicateGroups>
<PredicateGroup Id="internationalOrNationalPhoneNumber">
<UserHelpText>Please enter a valid phone number.</UserHelpText>
<PredicateReferences>
<PredicateReference Id="internationalOrNationalPhoneNumber" />
</PredicateReferences>
</PredicateGroup>
</PredicateGroups>
</PredicateValidation>
</PredicateValidations>
<ClaimsTransformations>
<!-- Copies phoneNumberString into the read-only display claim (FormatStringClaim with a
pass-through "{0}" format). -->
<ClaimsTransformation Id="CopyPhoneToReadOnly" TransformationMethod="FormatStringClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="phoneNumberString"
TransformationClaimType="inputClaim" />
</InputClaims>
<InputParameters>
<InputParameter Id="stringFormat" DataType="string" Value="{0}" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="readOnlystrongAuthenticationPhoneNumber"
TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
<!-- phoneNumber to string. SelfAsserted-MFA-Challenge has this input transformation commented
out, so phoneNumberString must already be populated before that profile runs. -->
<ClaimsTransformation Id="PhoneNumberToString"
TransformationMethod="ConvertPhoneNumberClaimToString">
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInNames.phoneNumber"
TransformationClaimType="phoneNumber" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="phoneNumberString"
TransformationClaimType="phoneNumberString" />
</OutputClaims>
</ClaimsTransformation>
<!-- Builds the phoneNumber-typed claim from the selected country and the national number.
This converter is where the real phone validation happens; the regex predicates above are
only a coarse pre-filter. -->
<ClaimsTransformation Id="ConvertStringToPhoneNumber"
TransformationMethod="ConvertStringToPhoneNumberClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="countryCode" TransformationClaimType="country" />
<InputClaim ClaimTypeReferenceId="nationalNumber"
TransformationClaimType="phoneNumberString" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber"
TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
<!-- Derives a UPN in the target tenant as cpim_{upnUserName}@externaltenant.onmicrosoft.com.
The domain is hard-coded and must be changed per environment. Not referenced in this file;
presumably used by the base policy. -->
<ClaimsTransformation Id="CIAM-CreateUserPrincipalName"
TransformationMethod="FormatStringClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="upnUserName"
TransformationClaimType="inputClaim" />
</InputClaims>
<InputParameters>
<InputParameter Id="stringFormat" DataType="string"
Value="cpim_{0}@externaltenant.onmicrosoft.com" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="userPrincipalName"
TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
<!-- Copies the password the user typed into savePassword so it survives until the migration
REST call. After this runs, two claims in the claims bag hold the clear-text credential;
neither may be emitted in a token, persisted in a session, or logged. -->
<ClaimsTransformation Id="CopyPassword" TransformationMethod="CopyClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="password" TransformationClaimType="inputClaim" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="savePassword"
TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
</ClaimsTransformations>
<ContentDefinitions>
<!-- All pages are served from the tenant's own AzureBlue templates (~/tenant/templates/...).
The ~ paths resolve inside the B2C tenant, so no third-party origin is loaded here. -->
<ContentDefinition Id="api.error">
<LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.idpselections">
<LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.idpselections.signup">
<LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.signuporsignin">
<LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.2</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.selfasserted">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.selfasserted.profileupdate">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.localaccountsignup">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.localaccountpasswordreset">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri>
</ContentDefinition>
<ContentDefinition Id="api.phonefactor">
<LoadUri>~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml</LoadUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.0</DataUri>
</ContentDefinition>
<!-- Page used by SelfAsserted-MFA-Challenge. It is the only definition on the newer
selfasserted 2.1.1 contract, which the display controls rendered on that page rely on. -->
<ContentDefinition Id="newPhoneNumber">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>
<Metadata>
<Item Key="DisplayName">Verify new phone number</Item>
</Metadata>
</ContentDefinition>
</ContentDefinitions>
<DisplayControls>
<!-- New-number enrolment: the user picks a country and types the national number; SendCode
and VerifyCode first combine them into signInNames.phoneNumber (E.164 via the converter),
then send/verify the SMS OTP against that combined number. Because the same combine
profile runs on both actions, the verified number is always the one the code was sent to. -->
<DisplayControl Id="phoneVerificationControl"
UserInterfaceControlType="VerificationControl">
<InputClaims>
<InputClaim ClaimTypeReferenceId="nationalNumber" />
<InputClaim ClaimTypeReferenceId="countryCode" />
</InputClaims>
<DisplayClaims>
<DisplayClaim ClaimTypeReferenceId="countryCode" ControlClaimType="CountryCode"
Required="true" />
<DisplayClaim ClaimTypeReferenceId="nationalNumber" ControlClaimType="Phone"
Required="true" />
<DisplayClaim ClaimTypeReferenceId="verificationCode"
ControlClaimType="VerificationCode" Required="true" />
</DisplayClaims>
<Actions>
<Action Id="SendCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile
TechnicalProfileReferenceId="CombineCountryCodeAndNationalNumber" />
<ValidationClaimsExchangeTechnicalProfile
TechnicalProfileReferenceId="AzureMfa-SendSms" />
</ValidationClaimsExchange>
</Action>
<Action Id="VerifyCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile
TechnicalProfileReferenceId="CombineCountryCodeAndNationalNumber" />
<ValidationClaimsExchangeTechnicalProfile
TechnicalProfileReferenceId="AzureMfa-VerifySms" />
</ValidationClaimsExchange>
</Action>
</Actions>
</DisplayControl>
<!-- Verification against the number already on record. The number is shown through the
Readonly claim readOnlystrongAuthenticationPhoneNumber and SendCode/VerifyCode use that
claim directly.
NOTE(review): confirm that the engine takes this claim's value from the server-side claims
bag and ignores anything the client posts for it. If a posted value were honoured, a
tampered request could redirect the OTP to an attacker-controlled number and defeat the
MFA step. -->
<DisplayControl Id="phoneVerificationControl-readOnly"
UserInterfaceControlType="VerificationControl">
<InputClaims>
<InputClaim ClaimTypeReferenceId="readOnlystrongAuthenticationPhoneNumber" />
</InputClaims>
<DisplayClaims>
<DisplayClaim ClaimTypeReferenceId="readOnlystrongAuthenticationPhoneNumber"
Required="true" />
<DisplayClaim ClaimTypeReferenceId="verificationCode"
ControlClaimType="VerificationCode" Required="true" />
</DisplayClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="phoneNumberString" />
</OutputClaims>
<Actions>
<Action Id="SendCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile
TechnicalProfileReferenceId="AzureMfa-SendSms-RO" />
</ValidationClaimsExchange>
</Action>
<Action Id="VerifyCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile
TechnicalProfileReferenceId="AzureMfa-VerifySms-RO" />
</ValidationClaimsExchange>
</Action>
</Actions>
</DisplayControl>
</DisplayControls>
</BuildingBlocks>
<!--
CIAM-SignUpWithLogonEmail - LocalAccountSignUpWithLogonEmail
CIAM-SelfAsserted-LocalAccountSignin-Email - SelfAsserted-LocalAccountSignin-Email
CIAM-SelfAsserted-SocialLogin-Email - SelfAsserted-SocialLogin-Email
CIAM-UserReadUsingUserIdentity-NoError - AAD-UserReadUsingUserIdentity-NoError
REST-CIAM-UserWriteUsingLogonEmail - AAD-UserWriteUsingLogonEmail
REST-login-NonInteractive-CIAM - login-NonInteractive
REST-fetchUserProfile-CIAM
REST-CIAM-UserUpdatePhoneNumberUsingObjectId - AAD-UserWritePhoneNumberUsingObjectId
REST-CIAM-UserReadUsingObjectIdOrEmail - AAD-UserReadUsingObjectId
REST-CIAM-UserReadUsingAlternativeSecurityId - AAD-UserReadUsingAlternativeSecurityId
REST-CIAM-UserWriteUsingAlternativeSecurityId - AAD-UserWriteUsingAlternativeSecurityId
-->
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Local Account Sign Up and Sign in MFA controls</DisplayName>
<TechnicalProfiles>
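<TechnicalProfile Id="SelfAsserted-MFA-Challenge">
<DisplayName>Phone</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<!-- Self-asserted page that asks the user to verify the phone number already on record
(read-only verification display control). It is not referenced by the
CIAM-SignUpOrSignIn-Migrate journey in this file; presumably the base policy wires it up. -->
<Metadata>
<Item Key="ContentDefinitionReferenceId">newPhoneNumber</Item>
<Item Key="UserMessageIfClaimsTransformationInvalidPhoneNumber">Please enter a valid phone number and country code.</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<InputClaimsTransformations>
<!-- PhoneNumberToString is commented out, so phoneNumberString must already be populated
when this profile runs; CopyPhoneToReadOnly then mirrors it into the read-only display claim. -->
<!--<InputClaimsTransformation
ReferenceId="PhoneNumberToString" />-->
<InputClaimsTransformation ReferenceId="CopyPhoneToReadOnly" />
</InputClaimsTransformations>
<DisplayClaims>
<!-- Reference casing aligned with the DisplayControl Id (phoneVerificationControl-readOnly)
so the lookup matches exactly regardless of how the engine compares identifiers. -->
<DisplayClaim DisplayControlReferenceId="phoneVerificationControl-readOnly" />
</DisplayClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
<OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
</OutputClaims>
<!-- SM-MFA (below) persists the verified number into the MFA session. -->
<UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
</TechnicalProfile>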
<!-- Extends the base policy's SM-MFA session profile: the verified phone number is added to
the claims persisted in the MFA session so it survives across steps. Only the phone number
is persisted here; password-bearing claims must never be added to this list. -->
<TechnicalProfile Id="SM-MFA">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
</PersistedClaims>
</TechnicalProfile>
<!-- Validation profile run before SendCode and VerifyCode of phoneVerificationControl: turns
countryCode + nationalNumber into signInNames.phoneNumber via ConvertStringToPhoneNumber.
A value the converter rejects stops the action here, before any SMS is sent. -->
<TechnicalProfile Id="CombineCountryCodeAndNationalNumber">
<DisplayName>Combine country code and national number</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="ConvertStringToPhoneNumber" />
</InputClaimsTransformations>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<!-- Sends the OTP (OneWaySMS) to the number already on record, taken from
readOnlystrongAuthenticationPhoneNumber. The MFA provider needs a userPrincipalName; the
DefaultValue shown here appears to have been obfuscated by the hosting page, so restore the
intended placeholder UPN before uploading. -->
<TechnicalProfile Id="AzureMfa-SendSms-RO">
<DisplayName>Send Sms</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="Operation">OneWaySMS</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="userPrincipalName"
DefaultValue="[email protected]" />
<InputClaim ClaimTypeReferenceId="readOnlystrongAuthenticationPhoneNumber"
PartnerClaimType="phoneNumber" />
</InputClaims>
</TechnicalProfile>
<!-- Verifies the code the user typed against the same read-only number the OTP was sent to.
The phoneNumber input must be identical between SendCode and VerifyCode, which is why both
actions bind the same claim. -->
<TechnicalProfile Id="AzureMfa-VerifySms-RO">
<DisplayName>Verify Sms</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="Operation">Verify</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="verificationCode" />
<InputClaim ClaimTypeReferenceId="readOnlystrongAuthenticationPhoneNumber"
PartnerClaimType="phoneNumber" />
</InputClaims>
</TechnicalProfile>
<!-- Sends the OTP (OneWaySMS) to the freshly combined signInNames.phoneNumber during
new-number enrolment. As in the -RO variant, the userPrincipalName DefaultValue appears to
have been obfuscated by the hosting page and needs to be restored. -->
<TechnicalProfile Id="AzureMfa-SendSms">
<DisplayName>Send Sms</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="Operation">OneWaySMS</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="userPrincipalName"
DefaultValue="[email protected]" />
<InputClaim ClaimTypeReferenceId="signInNames.phoneNumber"
PartnerClaimType="phoneNumber" />
</InputClaims>
</TechnicalProfile>
<!-- Verifies the OTP against signInNames.phoneNumber, recomputed by
CombineCountryCodeAndNationalNumber just before this runs, so the number that is verified is
the one the code went to. -->
<TechnicalProfile Id="AzureMfa-VerifySms">
<DisplayName>Verify Sms</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="Operation">Verify</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="verificationCode" />
<InputClaim ClaimTypeReferenceId="signInNames.phoneNumber"
PartnerClaimType="phoneNumber" />
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Local Account Sign Up and Sign in APIs</DisplayName>
<TechnicalProfiles>
<!-- Dead-end page: shows a fixed message (no Continue/Cancel buttons) when the user cannot
proceed. The text is forced by AlwaysUseDefaultValue, so nothing user-controlled is rendered.
Not referenced by the journey in this file. -->
<TechnicalProfile Id="SelfAsserted-Error-MFA">
<DisplayName>Error message</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
<Item Key="setting.showContinueButton">false</Item>
<Item Key="setting.showCancelButton">false</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="errorMessage"
DefaultValue="You need to proof up - contact support"
AlwaysUseDefaultValue="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="errorMessage" />
</OutputClaims>
</TechnicalProfile>
<!-- Migration -->
<!-- Extends the base read-by-objectId profile so that orchestration step 2 also fetches the
migration flag, the UPN and the sign-in name. These are the values the step 5/6 preconditions
and the migration REST call depend on. -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_requiresMigration" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="signInName" />
</OutputClaims>
</TechnicalProfile>
<!-- Clears the migration flag in the B2C directory after a successful migration (step 6).
AlwaysUseDefaultValue forces the persisted value to false regardless of what is in the claims
bag, so a stale true cannot be written back. -->
<TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="extension_requiresMigration"
DefaultValue="false" AlwaysUseDefaultValue="true" />
</PersistedClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
<!-- Extends the base sign-in page: after the credentials are validated, the Copy-Password
validation profile copies the typed password into savePassword and this profile outputs it.
From this point the clear-text password travels in the claims bag until the migration REST
call in step 5; it must not be added to the session profile this page uses. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="savePassword" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="Copy-Password" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
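<!-- Validation profile for SelfAsserted-LocalAccountSignin-Email: runs the CopyPassword
transformation so the typed password is retained in savePassword for the migration REST call.
DisplayName corrected; the previous "Unlink Facebook" was a copy/paste leftover that
misdescribed a profile handling clear-text credentials. -->
<TechnicalProfile Id="Copy-Password">
<DisplayName>Copy password to savePassword</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<InputClaims>
<InputClaim ClaimTypeReferenceId="password" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="savePassword" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CopyPassword" />
</OutputClaimsTransformations>
<!-- SM-Noop: nothing from this profile is persisted into a session. -->
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>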
<!-- REST API -->
<TechnicalProfile Id="REST-CIAM-UserMigrateUsingLogonEmail">
<DisplayName>Write user into CIAM tenant</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<!-- Calls the helper API (method=createUser) to create the user in the Entra External ID
tenant, replaying the e-mail, profile fields and the CLEAR-TEXT password held in
savePassword. It runs from orchestration step 5, i.e. only after the user has signed in
with that password and passed the MFA step.
Security caveats for anything beyond local development:
* ServiceUrl is an ngrok tunnel: the hostname rotates and the endpoint is reachable from
  the public internet.
* AuthenticationType None plus AllowInsecureAuthInProduction true means the helper accepts
  this password-bearing request from any caller. Use ClientCertificate (preferred) or Basic
  with a key container, delete AllowInsecureAuthInProduction, and point ServiceUrl at a
  fixed HTTPS host.
* The response is trusted for the new object id and the profile fields; make sure the helper
  never echoes the password back, since anything it returns can be mapped into claims. -->
<Metadata>
<!-- Set the ServiceUrl with your own REST API endpoint -->
<Item Key="ServiceUrl">https://06b0e244f5d9.ngrok-free.app/api/ciamhelper</Item>
<Item Key="SendClaimsIn">Body</Item>
<!-- Set AuthenticationType to Basic or ClientCertificate in production
environments -->
<Item Key="AuthenticationType">None</Item>
<!-- REMOVE the following line in production environments -->
<Item Key="AllowInsecureAuthInProduction">true</Item>
</Metadata>
<InputClaims>
<!-- Claims sent to your REST API. "password" in the body is the clear-text savePassword. -->
<InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
<InputClaim ClaimTypeReferenceId="savePassword" PartnerClaimType="password" />
<InputClaim ClaimTypeReferenceId="displayName" />
<InputClaim ClaimTypeReferenceId="givenName" />
<InputClaim ClaimTypeReferenceId="surName" />
<InputClaim ClaimTypeReferenceId="method" AlwaysUseDefaultValue="true"
DefaultValue="createUser" />
</InputClaims>
<OutputClaims>
<!-- Claims parsed from your REST API -->
<OutputClaim ClaimTypeReferenceId="CIAM-objectId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<!-- Sign-in journey that migrates the user into the CIAM tenant on the fly. Order matters:
the clear-text password captured in step 1 is only forwarded to the helper API (step 5)
after the directory read (step 2) and the MFA challenge (step 3) have completed. -->
<UserJourney Id="CIAM-SignUpOrSignIn-Migrate">
<OrchestrationSteps>
<!-- Step 1: local-account sign-in. The extended SelfAsserted-LocalAccountSignin-Email
profile also outputs savePassword (copy of the typed password). -->
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"
ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection
ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange"
TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Step 2: reads any user attributes that we may not have received when authenticating
using ESTS so they can be sent in the token. The extended profile also returns
extension_requiresMigration, which gates steps 5 and 6. -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId"
TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Phone verification (steps 3 and 4): if MFA is not required, remove both steps.
Step 3 checks whether there is a phone number on record for the user. If found, the user is
challenged to verify it; otherwise they enrol a new number. Skipped when an MFA session is
already active. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>isActiveMFASession</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="PhoneFactor-Verify"
TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Step 4: save MFA phone number. The precondition verifies whether the user provided a
new number in the previous step. If so, the phone number is stored in the directory for
future authentication requests. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="false">
<Value>newPhoneNumberEntered</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWriteWithObjectId"
TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Step 5: migration. Skipped when extension_requiresMigration equals False.
NOTE(review): per the documented ClaimEquals semantics the precondition also fails to match
when the claim is absent, so a user whose attribute was never set is migrated on first
sign-in; confirm that is intended for this "FullMigrate" variant. The REST call forwards the
clear-text password, which is acceptable only because the user has just authenticated with
it and passed MFA. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>extension_requiresMigration</Value>
<Value>False</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="Migrate-User-Using-LogonEmail"
TechnicalProfileReferenceId="REST-CIAM-UserMigrateUsingLogonEmail" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Step 6: clears the flag so the user is not migrated again. Same precondition as step 5;
if the REST call in step 5 fails the journey is expected to stop before this step, leaving
the flag set so migration is retried on the next sign-in. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>extension_requiresMigration</Value>
<Value>False</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="Clear-Migration-Flag"
TechnicalProfileReferenceId="AAD-UserWriteProfileUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Step 7: issue the token. Only the claims listed in the relying party's PolicyProfile
are emitted; savePassword is (correctly) not among them. -->
<OrchestrationStep Order="7" Type="SendClaims"
CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
</UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId="CIAM-SignUpOrSignIn-Migrate" />
<UserJourneyBehaviors>
<!-- Server-side telemetry to Application Insights. The instrumentation key is redacted in
this listing. DeveloperMode="true" is a development setting; together with
DeploymentMode="Development" on the root element, journey recordings including claim values
(and therefore the savePassword claim carried by this policy) reach Application Insights.
Turn both off for production. -->
<JourneyInsights TelemetryEngine="ApplicationInsights"
InstrumentationKey="41...d0" DeveloperMode="true"
ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<!-- Claims released to the application. extension_requiresMigration and userPrincipalName
expose migration state and the directory UPN; drop them if the application does not need
them. savePassword and graph_bearerToken must never appear here. Note the file spells the
surname claim both "surname" (here) and "surName" (in the technical profiles); keep one. -->
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="extension_requiresMigration" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true"
DefaultValue="{Policy:TenantObjectId}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>