14 March 2019

Azure AD B2C: Built-in flows vs custom policies. Which is right for you?

Written by Marcus Idle

Microsoft's Azure AD B2C solution is yours to make your own, should you so wish.

So, you’re considering a single sign-on deployment using Microsoft Azure AD B2C, but how far will the out-of-the-box user flows take you, compared with the more functionally rich (but harder to configure) custom policies? In this blog we explore the differences between the two, and the surprisingly wide range of scenarios you can address with the built-in flows.

Microsoft Azure AD B2C is a comprehensive platform for single sign-on (SSO), offering state-of-the-art security, standards-based social login, and much more.

When you integrate an application with B2C, you normally invoke B2C user flows (also called ‘user journeys’ and ‘policies’) to take control from the application while the user completes an authentication-related experience, e.g. sign in, sign up or password reset.

These user flows provide a completely custom look and feel, while running in the context of B2C and benefiting from Microsoft’s security-hardened infrastructure.

(NB: All information is correct at time of writing in February 2019, but may change over time.)

Ready-made or truly tailored?

User flows come in two flavours:

Capabilities of built-in flows

Although limited, built-in flows provide a fully-customisable (in terms of look and feel) end-to-end experience which will suit many use cases.

Types of flow available are:

As the screenshot from the Azure Portal shows below, using the Portal you can edit various aspects of built-in flows, including choice of identity providers, attributes collected and passed to the application, and page layouts.

Connecting your application to B2C to run a flow or policy is the same in both cases, and requires very few lines of code (apart from the supplied code libraries). You can work in a number of languages on the application side. In the case of C#.Net, Microsoft provides a sample application on their website. You can use this as a basis for your application, if you’re starting from scratch. More often, organisations will cannibalise this sample app and make use of the code libraries.
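As an added illustration (not code from this article or from Microsoft's sample application), the Python example below builds the OpenID Connect sign-in request an application sends to B2C and shows that only the policy name differs between a built-in flow (`B2C_1_` prefix) and a custom policy (`B2C_1A_` prefix). The tenant, client ID, redirect URI and policy names are placeholders assumed for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders assumed for this example, not values from the article.
TENANT = "contoso"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"


def new_login_request(policy):
    """Build an authorization-code request for one B2C flow or policy.

    Returns the URL plus the per-login values to keep in the user's session.
    """
    state = secrets.token_urlsafe(32)     # binds the callback to this browser
    nonce = secrets.token_urlsafe(32)     # must come back inside the ID token
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (RFC 7636)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode("ascii")).digest()
    ).rstrip(b"=").decode("ascii")
    query = urlencode({
        "p": policy,                      # the only flow-specific value
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    base = (f"https://{TENANT}.b2clogin.com/"
            f"{TENANT}.onmicrosoft.com/oauth2/v2.0/authorize")
    return {"url": f"{base}?{query}", "state": state,
            "nonce": nonce, "code_verifier": verifier}


def callback_state_ok(callback_url, expected_state):
    """Reject a callback whose state is missing or is not the one we issued."""
    got = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(got.encode(), expected_state.encode())
```

The application stores `state`, `nonce` and `code_verifier` server-side for the session, checks `state` on the callback, and sends `code_verifier` when redeeming the code.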

Making changes to the look and feel is one of the simplest changes you can make. The template selection looks as follows – as you can see, the admin user has a drop down selection:

Once you have made your selection, you can run the policy to see your change. Here’s the “ocean blue”:

…and here’s the “slate gray”:

…but of course you can fully customise the page look and feel using your own HTML, CSS and JavaScript.

Capabilities of custom policies

Custom policies are programmable, so in theory they offer unlimited options for customising not only the user interface but also the logic employed in the authentication experience.

Here are some examples of what you can achieve with custom policies (in addition to all of the above types of built-in flows):

Editing a custom policy isn’t easy. They do not have the same point-and-click interface as the built-in flows; logic is created by building XML into a custom policy XML document, which is then uploaded into the Azure Portal.

However, using the concept of “Journey Steps”, you can add any number of steps (for example, if you wanted to capture the user’s acceptance of your terms of service before they finish registering, you can do that).

This gives you a flexible authentication experience within the secure framework of Microsoft’s B2C service.
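Because the journey logic lives in hand-edited XML, it is worth checking a policy file before uploading it. The following added example (not from the article or from Microsoft) parses a custom policy and confirms that a terms-of-service step runs before the step that issues the token; the XML is a constructed fragment, and the journey and technical profile names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed fragment for illustration (not a complete, uploadable policy).
# Journey and technical profile names are hypothetical.
SAMPLE_POLICY = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <UserJourneys>
  <UserJourney Id="SignUpWithTerms">
   <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
     <ClaimsExchanges><ClaimsExchange Id="SignUp" TechnicalProfileReferenceId="LocalAccountSignUp"/></ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
     <ClaimsExchanges><ClaimsExchange Id="Terms" TechnicalProfileReferenceId="SelfAsserted-TermsOfService"/></ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
   </OrchestrationSteps>
  </UserJourney>
 </UserJourneys>
</TrustFrameworkPolicy>"""


def lint_journey(policy_xml, journey_id, required_profile):
    """Return problems found in one user journey; an empty list means pass."""
    root = ET.fromstring(policy_xml)
    journey = root.find(f".//p:UserJourney[@Id='{journey_id}']", NS)
    if journey is None:
        return [f"journey {journey_id!r} not found"]
    steps = journey.findall("p:OrchestrationSteps/p:OrchestrationStep", NS)
    problems = []
    orders = [int(s.get("Order", "0")) for s in steps]
    if orders != list(range(1, len(steps) + 1)):
        problems.append(f"step orders are not 1..{len(steps)}: {orders}")
    # Token issuance is the SendClaims step; required steps must precede it.
    issue_at = next((i for i, s in enumerate(steps)
                     if s.get("Type") == "SendClaims"), len(steps))
    if issue_at == len(steps):
        problems.append("no SendClaims step, so the journey never issues a token")
    ran_before = {ce.get("TechnicalProfileReferenceId")
                  for s in steps[:issue_at]
                  for ce in s.iterfind(".//p:ClaimsExchange", NS)}
    if required_profile not in ran_before:
        problems.append(f"{required_profile!r} does not run before token issuance")
    return problems
```

Running `lint_journey` in a release pipeline catches a consent or verification step that was dropped or reordered during an XML edit before the policy reaches the tenant.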


Built-in flows offer entry-level functionality, but can present an equivalent experience to custom policies in terms of look and feel, and can therefore provide an industrial-strength ‘minimum viable product’ with all the benefits of single sign-on and world-beating security measures.

For organisations contemplating more complex authentication journeys, it helps to start with custom policies, as these can then be enhanced as requirements become more complex.


About Marcus Idle

Head of CIAM and IP Development

Marcus Idle is our Head of Customer Identity and Access Management and IP Development at ThirdSpace. He is responsible for projects involving external identities. Expert in Microsoft’s Azure AD B2B...

