Using Passkeys with Microsoft Azure AD B2C
Learn how to add passkey autofill to your Microsoft Azure AD B2C login page with Authsignal.
This guide extends our previous guides where we showed you how to integrate Authsignal into Microsoft Azure AD B2C for multi-factor authentication (MFA) and passwordless login
In this guide, we will show you how to add passkey autofill into your Microsoft Azure AD B2C login page.
You can use this guide to add passkey autofill if you are using Authsignal for MFA or passwordless login.
Prerequisites
Before continuing with this guide, you should first complete the following:
- Replace your login screen with custom html templates. In our example, we have made a copy of the sample templates provided by Microsoft. This is required as we will need to add custom javascript to the login page.
- Set
up custom domains on your Azure AD B2C tenant. You can follow the official documentation
to set up custom domains. This is required as we will need to replace the default
b2clogin.com
domain with the domain where we will register our passkeys, so that the browser is able to detect available passkeys.We recommend setting your b2c domain to
identity.yourdomain.com
, and Authsignal custom domain toauth.yourdomain.com
Code example
A full code example referenced in this guide can be found on Github.
You can also refer to the code diff between the previous guide if you only want to see the changes.
Step by step guide
Step 1: Configure the custom domain of your Authsignal tenant
Navigate to Authsignal portal > Settings > Custom domains to configure the custom domain of your Authsignal tenant. We recommend this be a distinct subdomain from your Azure AD B2C tenant domain.
Step 2: Enable and configure the passkey authentication method on your Authsignal tenant
Navigate to Authsignal portal > Authenticators > Passkey to enable the passkey authenticator.
Set the relying party ID to your root domain (e.g. yourdomain.com
).
Set the expected origins for both your Azure AD B2C domain and your Authsignal custom domain. E.g., https://identity.yourdomain.com
and https://auth.yourdomain.com
.
Step 3: Add javascript to the login page html template
In order to enable passkey autofill in our B2C login page, we need add custom javascript into our html template.
In the <head>
tag, add the following script which will:
- Wait for Azure AD B2C to dynamically populate the
api
element with the login from - Load the Authsignal browser SDK
- Set the
autocomplete
attribute of the login input tousername webauthn
Step 5 (Optional): Hide the password input
This step is optional, and only required if you have a passwordless login flow. If you still allow users to login with their password, skip this step.
Add the following <style>
tag to your html template to hide the password input:
Step 6: Enable javascript in your html templates
Add the following <ScriptExecution>
element to our Relying Party policy under the <UserJourneyBehaviors>
element
See the official Microsoft guide
Step 7: Add the required claim types
Step 8: Add the claims transformations
Step 9: Add new technical profiles to check and validate passkey autofill challenges
Step 10: Adjust the technical profile used in our CombinedSignInAndSignUp orchestration step
Add the following claims to the OutputClaims
element:
Add the following validation technical profiles:
Step 11: Add a precondition to the orchestration step which shows an error page if the passkey autofill challenge is not successful
Step 12: Add a precondition to orchestration steps that should be skipped if passkey autofill is successful
Step 13: Upload the updated html template and custom policies, and test the changes
You can now test your integration by navigating to your custom policy in the Azure AD B2C portal and clicking “Run now”, ensuring that you change the API URL to your custom domain.
Once you sign up a new user and register a passkey, when the user next lands on the login screen they will be prompted to sign in with their passkey.
Congratulations!
You have successfully added passkey autofill to your Microsoft Azure AD B2C login page.
Was this page helpful?