Deploying Azure B2C custom policies with different environment configurations


I am currently working on Azure B2C custom policy development, and I need to deploy the following XML files into Azure AD B2C (ADB2C) using the Azure Portal:

TrustFrameworkBase.xml, Login.xml, TrustFrameworkExtensions.xml, SignUp.xml, TrustFrameworkLocalization.xml

However, I have multiple environments (dev, sit, uat, pro) with different configurations for each environment. These configurations include the tenant name, ContentDefinition, and API URL paths specific to each environment.

I would like to know how to handle these environment-specific configurations effectively, so that I can easily deploy the custom policies to different environments without manually modifying the XML files each time.

Any suggestions or best practices on how to achieve this would be greatly appreciated.

1 answer


Microsoft have guides on how to deploy custom policies to a B2C tenant using Azure DevOps pipelines and GitHub Actions. Both ultimately use Microsoft Graph to deploy the actual files but I don't think either talks about variable replacement so you can correctly target things like different APIs in different environments.

For variable replacement you're probably best off looking into how the VSCode extension manages variables. Instead of hard-coding the environment-specific settings into your policy file, you instead add variable tags ({Settings:VariableName}) which you can then replace in your deployment pipeline either using PowerShell or using a dedicated task.

Policy file without settings

<!-- some info excluded for readability -->
<TrustFrameworkPolicy
  TenantId="mydevtenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="https://mydevtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">

  <BasePolicy>
    <TenantId>mydevtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">c075395b-87f1-4bd7-ba36-e34608440efc</Item>
            <Item Key="IdTokenAudience">900eb993-c567-4c32-9846-6c4e89f3cb38</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>

Policy file with settings

<!-- some info excluded for readability -->
<TrustFrameworkPolicy
  TenantId="{Settings:Tenant}"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="https://{Settings:Tenant}/B2C_1A_TrustFrameworkExtensions">

  <BasePolicy>
    <TenantId>{Settings:Tenant}</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">{Settings:ProxyIdentityExperienceFrameworkClientId}</Item>
            <Item Key="IdTokenAudience">{Settings:IdentityExperienceFrameworkClientId}</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>

The pipeline would replace the variables when deploying to the appropriate environment. So when deploying the bottom policy to dev, the pipeline would generate a policy that looks like the top one.
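As an added example (not code from the answer above, and not the VS Code extension's own tooling), here is a Python rendering step for the pipeline that replaces the {Settings:Name} placeholders from a per-environment settings table and refuses to produce a deployable file when a placeholder is unresolved, a setting value smuggles in another placeholder or a plaintext http:// endpoint, the result is not well-formed XML, or the TenantId attribute does not match the environment being targeted. The settings keys, tenant names, GUIDs, the ApiBaseUrl setting and the REST-ExampleApi technical profile are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches the {Settings:Name} placeholders used in the answer above.
TOKEN = re.compile(r"\{Settings:([A-Za-z0-9_]+)\}")

# Constructed per-environment settings. The key names are assumptions that
# mirror the placeholders in the answer; the tenant names and GUIDs are made up.
ENVIRONMENTS = {
    "dev": {
        "Tenant": "mydevtenant.onmicrosoft.com",
        "ProxyIdentityExperienceFrameworkClientId": "11111111-1111-1111-1111-111111111111",
        "IdentityExperienceFrameworkClientId": "22222222-2222-2222-2222-222222222222",
        "ApiBaseUrl": "https://api-dev.example.com",
    },
    "uat": {
        "Tenant": "myuattenant.onmicrosoft.com",
        "ProxyIdentityExperienceFrameworkClientId": "33333333-3333-3333-3333-333333333333",
        "IdentityExperienceFrameworkClientId": "44444444-4444-4444-4444-444444444444",
        "ApiBaseUrl": "https://api-uat.example.com",
    },
}

# Constructed policy fragment with placeholders (namespace and most elements
# omitted). The REST-ExampleApi profile is hypothetical and only shows how an
# environment-specific API URL would be tokenised.
POLICY_TEMPLATE = """\
<TrustFrameworkPolicy
  TenantId="{Settings:Tenant}"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="https://{Settings:Tenant}/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>{Settings:Tenant}</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">{Settings:ProxyIdentityExperienceFrameworkClientId}</Item>
            <Item Key="IdTokenAudience">{Settings:IdentityExperienceFrameworkClientId}</Item>
          </Metadata>
        </TechnicalProfile>
        <TechnicalProfile Id="REST-ExampleApi">
          <Metadata>
            <Item Key="ServiceUrl">{Settings:ApiBaseUrl}/b2c/enrich-claims</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


class PolicyRenderError(ValueError):
    """Raised when a policy cannot be rendered safely for the target environment."""


def find_tokens(text):
    """Return the sorted set of placeholder names present in text."""
    return sorted(set(TOKEN.findall(text)))


def render_policy(template, settings):
    """Substitute placeholders and refuse to emit anything unsafe to upload."""
    missing = [name for name in find_tokens(template) if name not in settings]
    if missing:
        raise PolicyRenderError("unresolved settings: " + ", ".join(missing))

    # Settings values are injected verbatim into XML; a value that still holds a
    # placeholder, or a plaintext http:// endpoint, must not reach the tenant.
    for name, value in settings.items():
        if TOKEN.search(value):
            raise PolicyRenderError(f"setting {name} contains a placeholder")
        if value.lower().startswith("http://"):
            raise PolicyRenderError(f"setting {name} uses a non-TLS URL")

    rendered = TOKEN.sub(lambda m: settings[m.group(1)], template)

    try:
        root = ET.fromstring(rendered)
    except ET.ParseError as exc:
        raise PolicyRenderError(f"rendered policy is not well-formed XML: {exc}") from exc

    # A hard-coded TenantId left over from another environment would upload a
    # dev policy into uat or prod; the attribute must match the target tenant.
    if root.get("TenantId") != settings["Tenant"]:
        raise PolicyRenderError(
            f"TenantId {root.get('TenantId')!r} does not match target tenant {settings['Tenant']!r}"
        )
    return rendered


def render_for_environment(template, env_name):
    """Render the template for one of the named environments."""
    return render_policy(template, ENVIRONMENTS[env_name])


if __name__ == "__main__":
    print(render_for_environment(POLICY_TEMPLATE, "dev"))
```

In a pipeline this would run once per policy file before the Graph upload, with the settings table loaded from a per-environment file or from pipeline variables rather than embedded as here; the point of the checks is that a stale hard-coded tenant, a typo in a placeholder name, or a mismatched closing tag fails the build instead of being uploaded as a broken or wrong-tenant policy.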