A company wishes to make one or more of its Enterprise Applications available to their employees (Members) connected-organisations (Guests/B2B users) as well as standalone consumers.


  • The solution must support the current Identity Governance mechanisms of Contoso AAD.
  • Standalone Consumers should not be given Guest (or B2B) accounts for Contoso AAD.
  • Standalone Consumers are not to be enabled for self-service signup.
    • They are to be invited by B2C Administrators or a standalone application-driven processes.


  1. Create the B2C Tenant.
  2. Create Application Registrations for the applications.
  3. Edit the manifest file of each to define the intended roles (these cannot be created in the B2C Portal).

In Contoso, for each Application:

  1. Create an Application Registration instance for the OIDC trust to the B2C tenant.
  2. Create Applicaiton specific AppRoles and assign Members, Guests.
  3. Generate a secret, redirect URI for OIDC to the B2C tenant and homepage sign-in URL of the application itself.

In B2C:

  1. Configure/Enable the Identity Experience Framework

For each Application:

  1. Define policy to enable AAD Passthrough Authentication & Authorisation.
  2. Define policy for local account signin and/or email passwordless sign-on.
  3. Define an API to lookup assigned roles for local consumers.

    The API looks up the app roles in B2C using Microsoft Graph with the B2C Consumer User Id and the B2C Application Id.


GitHub B2C Policy XML to follow.


Contoso has a Single OIDC App Registration for passthrough authentication to B2C (providing basic claims). Specific AppRoles are no longer passed and must be obtained by amending the Local User lookup service to include querying users within Contoso AAD to get their assigned approles. Mapping between requested B2C App ClientId and Contoso App ClientID would need to occur.