Skip to content
Branch: master
Find file History
Type Name Latest commit message Commit time
Failed to load latest commit information.
media adding space May 9, 2019
policy clean up 'your-tenant', add readme starterpack Jun 17, 2019
source-code clean up 'your-tenant', add readme starterpack Jun 17, 2019 update disclaimer Jun 17, 2019

SignUp with email invitation

This sample console app (.Net core) demonstrates how to send sign-up email invitation. The web application sends an email to the end user with a link to sign-up policy. The link to the sign-up policy contains the email address, which is encapsulated inside a JWT token (id_token_hint). When a user clicks on that link, Azure AD B2C validates the JWT token signature, reads the information from the token, extracts the email address and ask the user to set the password, display name, surname and given name.

User flow

To invite a user, from the application, type the user's email address and click Send invintation. The application sends a sign-in link (with a id_token_hint). User clicks on the link, that takes to user to Azure AD B2C policy. Azure AD B2C validate the input id_token_hint, asks the user to provide the password and user data (the email is read only). User clicks continue, Azure AD B2C creates the account, issues an access token, and redirect the user back to the application.
User flow

Sending Application Data

The key of sending data to Azure AD B2C custom policy is to package the data into a JWT token as claims (id_token_hint). In this case, we send the user's email address to Azure B2C. Sending JWT token requires to host the necessary metadata endpoints required to use the "id_token_hint" parameter in Azure AD B2C.

ID tokens are JSON Web Tokens (JWTs) and, in this application, are signed using RSA certificates. This application hosts an Open ID Connect metatdata endpoint and JSON Web Keys (JWKs) endpoint which are used by Azure AD B2C to validate the signature of the ID token.

The web app has following endpoints:

  • /.well-known/openid-configuration, set this URL in the IdTokenHint_ExtractClaims technical profile
  • /.well-known/keys

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.

Creating a signing certificate

The sample application uses a self-signed certificate to sign the ID tokens. You can generate a valid self-signed certificate for this purpose and get the thumbprint using PowerShell (note: Run as Administrator):

$cert = New-SelfSignedCertificate -Type Custom -Subject "CN=MySelfSignedCertificate" -TextExtension @("{text}") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(2) -CertStoreLocation "Cert:\CurrentUser\My"

Configuring the application

Update the appSettings values in appsettings.json with the information for your Azure AD B2C tenant and the signing certificate you just created.

  • B2CTenant: Your Azure AD B2C tenant name (without
  • B2CPolicy: The policy which you'd like to send the id_token_hint
  • B2CClientId: The application ID for the Azure AD B2C app you'd like to redirect to
  • B2CRedirectUri: The target redirect URI for your application
  • B2CSignUpUrl the link to B2C format
  • SigningCertThumbprint: The thumbprint for the signing certificate you just created
  • SigningCertAlgorithm: The certificate algorithm (must be an RSA algorithm)
  • LinkExpiresAfterMinutes: Link expiration (in minutes)
  • SMTPServer: Your SMTP server
  • SMTPPort: Your SMTP server port number
  • SMTPUsername: SMTP user name, if necessary
  • SMTPPassword: SMTP password, if necessary
  • SMTPUseSSL: SMTP use SSL, true of false
  • SMTPFromAddress: Send from email address
  • SMTPSubject: The invitation email's subject

Running the application

When you run the application, you'll be able to enter the email of a user. When you click on Send invite, the app sends a sign-in email to the account you specified.

To inspect the generated token, copy and paste it into a tool like

Hosting the application in Azure App Service

If you publish the application to Azure App Service, you'll need to configure a valid certificate with a private key in Azure App Service.

  1. First, export your certificate as a PFX file using the User Certificates management tool (or create a new one)
  2. Upload your certificate in the Private Certificates tab of the SSL Settings blade of your Azure App Service
  3. Follow these instructions to ensure App Service loads the certificate when the app runs


This sample policy is based on SocialAndLocalAccounts starter pack. All changes are marked with Demo: comment inside the policy XML files. Make the necessary changes in the Demo action required sections.

You can’t perform that action at this time.