Azure AD B2C Policy Keys
Service Name: Azure Active Directory B2C
Service Description: Azure AD B2C is a customer identity and access management (CIAM) solution that enables organizations to authenticate and manage identities for customer-facing applications. Policy keys are cryptographic keys used to sign and validate tokens, encrypt claims, and establish trust with identity providers.
Service Address: https://portal.azure.com/
Validation Type: API Auth
IP Allow list: IP Restriction is available through Conditional Access policies and Azure AD Identity Protection.
Secret Access Scope: Grants access to sign and encrypt tokens, establish trust relationships with identity providers, and manage authentication flows in Azure AD B2C tenants.
Secret Revokement URL: https://learn.microsoft.com/en-us/azure/active-directory-b2c/policy-keys-overview#replace-a-key
Secret Example: { "kid": "B2C_1A_TokenSigningKeyContainer", "use": "sig", "kty": "RSA", "n": "2tWVweKNTSQnZp_8CoEIqfQblQjxEtJmXnWUGJ9NR-P- 2iL_rNNn8a_rSMMzrCvKBBBgkTLAHlYxCtWZKwXPF4LEEwJxs3wN_vZfC5mfYEBILJ3nS0- pE8SZCJHNKkQ5WmRoU5NtTPJWZOLDXmgkpnMz7hZk9MvPfX_vJJkwgWxPxm9qRVzfEVYHWLuKKY zn_YJW-8LDCrJbVdB0Lrh5GmMrXexQ2A3eGkBYGQJ3UoNLQzMf_NVxq-lLu- XmY2j_8lBZ_QW_0NUTj5y0_CMhwYOFlYqUYOz8TSWJm5gYMxIbqbRwTEiSLQPB_8YIe4aFYhwj0 iyPIzZGd4JnEQ", "e": "AQAB" }
Suspicious Activity Investigation Instructions:
- Review Azure AD B2C audit logs for unusual policy modifications or key operations
-
Check for unexpected changes to authentication flows or custom policies
-
Monitor for unusual sign-in patterns or authentication failures
- Review Azure Activity logs for administrative actions on the B2C tenant
- Verify if any unauthorized identity providers have been added or modified
Mitigation Instructions:
- Rotate the compromised policy keys immediately in the Azure portal
- Navigate to Azure AD B2C > Security > Encryption keys
- Create new keys to replace the compromised ones
- Update any custom policies to reference the new keys
- Review and update access permissions for managing B2C policies and keys
- Enable multi-factor authentication for administrative accounts
- Implement Conditional Access policies to restrict administrative access
- Review and validate all identity provider configurations
- Consider implementing Azure Private Link for B2C to restrict network access