Skip to content

Azure AD B2C Policy Keys

Service Name: Azure Active Directory B2C

Service Description: Azure AD B2C is a customer identity and access management (CIAM) solution that enables organizations to authenticate and manage identities for customer-facing applications. Policy keys are cryptographic keys used to sign and validate tokens, encrypt claims, and establish trust with identity providers.

Service Address: https://portal.azure.com/

Validation Type: API Auth

IP Allow list: IP Restriction is available through Conditional Access policies and Azure AD Identity Protection.

Secret Access Scope: Grants access to sign and encrypt tokens, establish trust relationships with identity providers, and manage authentication flows in Azure AD B2C tenants.

Secret Revokement URL: https://learn.microsoft.com/en-us/azure/active-directory-b2c/policy-keys-overview#replace-a-key

Secret Example: { "kid": "B2C_1A_TokenSigningKeyContainer", "use": "sig", "kty": "RSA", "n": "2tWVweKNTSQnZp_8CoEIqfQblQjxEtJmXnWUGJ9NR-P- 2iL_rNNn8a_rSMMzrCvKBBBgkTLAHlYxCtWZKwXPF4LEEwJxs3wN_vZfC5mfYEBILJ3nS0- pE8SZCJHNKkQ5WmRoU5NtTPJWZOLDXmgkpnMz7hZk9MvPfX_vJJkwgWxPxm9qRVzfEVYHWLuKKY zn_YJW-8LDCrJbVdB0Lrh5GmMrXexQ2A3eGkBYGQJ3UoNLQzMf_NVxq-lLu- XmY2j_8lBZ_QW_0NUTj5y0_CMhwYOFlYqUYOz8TSWJm5gYMxIbqbRwTEiSLQPB_8YIe4aFYhwj0 iyPIzZGd4JnEQ", "e": "AQAB" }

Suspicious Activity Investigation Instructions:

  • Review Azure AD B2C audit logs for unusual policy modifications or key operations
  • Check for unexpected changes to authentication flows or custom policies

  • Monitor for unusual sign-in patterns or authentication failures

  • Review Azure Activity logs for administrative actions on the B2C tenant
  • Verify if any unauthorized identity providers have been added or modified

Mitigation Instructions:

  • Rotate the compromised policy keys immediately in the Azure portal
  • Navigate to Azure AD B2C > Security > Encryption keys
  • Create new keys to replace the compromised ones
  • Update any custom policies to reference the new keys
  • Review and update access permissions for managing B2C policies and keys
  • Enable multi-factor authentication for administrative accounts
  • Implement Conditional Access policies to restrict administrative access
  • Review and validate all identity provider configurations
  • Consider implementing Azure Private Link for B2C to restrict network access