Azure AD B2C - Using Multiple SignUp forms. The OrchestrationSteps are not working correctly

RT 0 Reputation points
2025-03-03T17:58:41.3566667+00:00

I can't seem to figure out how to resolve the 4 error messages.

Policy Design:

  1. Step 1: Combined sign-in/sign-up.
  2. Step 2: Social IDP login or basic sign-up.
  3. Step 3: Gather missing basic info (social users).
  4. Step 4: Address collection.
  5. Step 5: Create or update user (write to AAD).
  6. Step 6: Issue the token with claims.

Validation failed: 4 validation error(s)

  1. 2 sendClaims steps. Please specify a DefaultCpimIssuerTechnicalProfileReferenceId attribute set to the default issuer technical profile reference id. User journey "SignUpOrSignIn"
  2. step 3 with 2 claims exchanges. It must be preceded by a claims provider selection in order to determine which claims exchange can be used. User journey "SignUpOrSignIn"
  3. step 4 with 2 claims exchanges. It must be preceded by a claims provider selection in order to determine which claims exchange can be used. User journey "SignUpOrSignIn"
  4. step 5 with 2 claims exchanges. It must be preceded by a claims provider selection in order to determine which claims exchange can be used. User journey "SignUpOrSignIn"

Here's the OrchestrationSteps:

            <OrchestrationSteps>
                <!-- Step 1: Combined sign-in and sign-up page (collects basic attributes) -->
                <OrchestrationStep Order="1"
                                   Type="CombinedSignInAndSignUp"
                                   ContentDefinitionReferenceId="api.signuporsignin">
                    <ClaimsProviderSelections>
                        <ClaimsProviderSelection TargetClaimsExchangeId="FacebookOAuthExchange" />
                        <ClaimsProviderSelection TargetClaimsExchangeId="GoogleOAuthExchange" />
                        <ClaimsProviderSelection TargetClaimsExchangeId="AzureADOAuthExchange" />
                        <ClaimsProviderSelection TargetClaimsExchangeId="SignUpBasicExchange" />
                    </ClaimsProviderSelections>
                </OrchestrationStep>
                <!-- Step 2: Process social IDP sign up or local account sign up -->
                <OrchestrationStep Order="2"
                                   Type="ClaimsExchange">
                    <Preconditions>
                        <Precondition Type="ClaimsExist"
                                      ExecuteActionsIf="true">
                            <Value>objectId</Value>
                            <Action>SkipThisOrchestrationStep</Action>
                        </Precondition>
                    </Preconditions>
                    <ClaimsExchanges>
                        <ClaimsExchange Id="FacebookOAuthExchange"
                                        TechnicalProfileReferenceId="Facebook-OAUTH" />
                        <ClaimsExchange Id="GoogleOAuthExchange"
                                        TechnicalProfileReferenceId="Google-OAUTH" />
                        <ClaimsExchange Id="AzureADOAuthExchange"
                                        TechnicalProfileReferenceId="AzureAD-OAUTH" />
                        <ClaimsExchange Id="SignUpBasicExchange"
                                        TechnicalProfileReferenceId="SelfAsserted-SignUp" />
                    </ClaimsExchanges>
                </OrchestrationStep>
                <!-- Step 3: Self-asserted page for social users to collect any missing basic attributes -->
                <OrchestrationStep Order="3"
                                   Type="ClaimsExchange">
                    <Preconditions>
                        <Precondition Type="ClaimsExist"
                                      ExecuteActionsIf="true">
                            <Value>objectId</Value>
                            <Action>SkipThisOrchestrationStep</Action>
                        </Precondition>
                    </Preconditions>
                    <ClaimsProviderSelections>
                        <!-- Choose the correct claims exchange for Step 3 -->
                        <ClaimsProviderSelection TargetClaimsExchangeId="SelfAsserted-Social" />
                    </ClaimsProviderSelections>
                    <ClaimsExchanges>
                        <ClaimsExchange Id="SelfAsserted-Social"
                                        TechnicalProfileReferenceId="SelfAsserted-Social" />
                    </ClaimsExchanges>
                </OrchestrationStep>
                <!-- Step 4: Collect address information -->
                <OrchestrationStep Order="4"
                                   Type="ClaimsExchange">
                    <Preconditions>
                        <Precondition Type="ClaimEquals"
                                      ExecuteActionsIf="false">
                            <Value>newUser</Value>
                            <Value>true</Value>
                            <Action>SkipThisOrchestrationStep</Action>
                        </Precondition>
                    </Preconditions>
                    <ClaimsProviderSelections>
                        <ClaimsProviderSelection TargetClaimsExchangeId="CollectAddress" />
                    </ClaimsProviderSelections>
                    <ClaimsExchanges>
                        <ClaimsExchange Id="CollectAddress"
                                        TechnicalProfileReferenceId="SelfAsserted-Address" />
                    </ClaimsExchanges>
                </OrchestrationStep>
                <!-- Step 5: Write the user to AAD (only one claims exchange to write the user) -->
                <OrchestrationStep Order="5"
                                   Type="ClaimsExchange">
                    <Preconditions>
                        <Precondition Type="ClaimsExist"
                                      ExecuteActionsIf="true">
                            <Value>streetAddress</Value>
                            <Action>SkipThisOrchestrationStep</Action>
                        </Precondition>
                    </Preconditions>
                    <ClaimsProviderSelections>
                        <ClaimsProviderSelection TargetClaimsExchangeId="AADUserWrite" />
                    </ClaimsProviderSelections>
                    <ClaimsExchanges>
                        <ClaimsExchange Id="AADUserWrite"
                                        TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
                    </ClaimsExchanges>
                </OrchestrationStep>
                <!-- Step 6: Issue the token with all the collected claims -->
                <OrchestrationStep Order="6"
                                   Type="SendClaims"
                                   CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
            </OrchestrationSteps>

1 answer

  1. Kancharla Saiteja, 1,335 Reputation points, Microsoft External Staff
    2025-03-05T07:00:53.7233333+00:00

    Hi RT,

    Thank you for posting your query on Microsoft Q&A.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Based on your query, I understand you would like to configure sign up and sign in for social accounts.

    I see there might be a misconfiguration in the user journey for combined sign-up and sign-in. Could you please add the following steps to your user journey:

    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections.signup">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="SignUpWithLogonEmailExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    

    Identity provider selection for sign-up - Lists identity providers that users can choose from during sign-up. The options are usually enterprise identity providers, social identity providers such as Facebook and Google+, or local accounts.

    Now, in the orchestration steps, you can add a precondition as below as well:

    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
        <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
    

    I would request you to configure your ClaimsExchange using the following document: Set up a sign-up and sign-in flow with a social account by using Azure Active Directory B2C custom policy

    Please make sure to read the complete document and check that every step you configure from it gets a green tick.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
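The two rules the validator cites in the question (one SendClaims step per journey unless the journey names a default issuer; a step with several claims exchanges must directly follow a claims provider selection), and the step order the answer recommends (a ClaimsProviderSelection or CombinedSignInAndSignUp step immediately before a ClaimsExchange step with two exchanges), as an added example that is not part of the original question or answer and not Microsoft's validator: a small Python checker that applies those two rules to a UserJourney fragment. The sample journeys at the bottom are constructed for the example and borrow the exchange and technical-profile ids from the posted policy; the "immediately preceding step" reading of the rule is the one the error text describes, stated here as an assumption.

```python
"""Lint a B2C <UserJourney> for the two rules named in the validation errors.

Added example, not code from the original post or from Microsoft. Rules:
  1. more than one SendClaims step requires a
     DefaultCpimIssuerTechnicalProfileReferenceId attribute on the journey;
  2. a ClaimsExchange step with two or more <ClaimsExchange> elements must be
     immediately preceded by a step of Type ClaimsProviderSelection or
     CombinedSignInAndSignUp (assumed reading of "preceded by").
"""
import xml.etree.ElementTree as ET

SELECTION_STEP_TYPES = {"ClaimsProviderSelection", "CombinedSignInAndSignUp"}


def _local(tag):
    """Strip a namespace prefix such as '{http://schemas.microsoft.com/...}Foo'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, *path):
    """Namespace-agnostic descent, e.g. _children(step, 'ClaimsExchanges', 'ClaimsExchange')."""
    nodes = [elem]
    for name in path:
        nodes = [c for n in nodes for c in n if _local(c.tag) == name]
    return nodes


def validate_journey(journey):
    """Return the list of rule violations for one <UserJourney> element."""
    jid = journey.get("Id", "?")
    steps = sorted(_children(journey, "OrchestrationSteps", "OrchestrationStep"),
                   key=lambda s: int(s.get("Order", "0")))
    errors = []

    send_claims = [s for s in steps if s.get("Type") == "SendClaims"]
    if len(send_claims) > 1 and not journey.get("DefaultCpimIssuerTechnicalProfileReferenceId"):
        errors.append(f"{len(send_claims)} SendClaims steps in user journey {jid!r}: set "
                      "DefaultCpimIssuerTechnicalProfileReferenceId or keep a single SendClaims step")

    for i, step in enumerate(steps):
        if step.get("Type") != "ClaimsExchange":
            continue
        exchanges = _children(step, "ClaimsExchanges", "ClaimsExchange")
        preceded = i > 0 and steps[i - 1].get("Type") in SELECTION_STEP_TYPES
        if len(exchanges) > 1 and not preceded:
            errors.append(f"step {step.get('Order')} with {len(exchanges)} claims exchanges in "
                          f"user journey {jid!r} is not preceded by a claims provider selection")
    return errors


def lint_journey_xml(xml_text):
    """Parse XML holding one or more <UserJourney> elements and lint each of them."""
    root = ET.fromstring(xml_text)
    journeys = [root] if _local(root.tag) == "UserJourney" else [
        e for e in root.iter() if _local(e.tag) == "UserJourney"]
    return [err for j in journeys for err in validate_journey(j)]


# Constructed sample steps (ids borrowed from the posted policy).
STEP_1 = """<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    <ClaimsProviderSelection TargetClaimsExchangeId="GoogleOAuthExchange" />
    <ClaimsProviderSelection TargetClaimsExchangeId="SignUpBasicExchange" />
  </ClaimsProviderSelections>
</OrchestrationStep>"""
STEP_2 = """<OrchestrationStep Order="2" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="GoogleOAuthExchange" TechnicalProfileReferenceId="Google-OAUTH" />
    <ClaimsExchange Id="SignUpBasicExchange" TechnicalProfileReferenceId="SelfAsserted-SignUp" />
  </ClaimsExchanges>
</OrchestrationStep>"""
# Two exchanges directly after another ClaimsExchange step: the shape the validator rejects.
STEP_3_TWO_EXCHANGES = """<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
    <ClaimsExchange Id="CollectAddress" TechnicalProfileReferenceId="SelfAsserted-Address" />
  </ClaimsExchanges>
</OrchestrationStep>"""
STEP_3_ONE_EXCHANGE = """<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
  </ClaimsExchanges>
</OrchestrationStep>"""
SEND = '<OrchestrationStep Order="{}" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />'


def journey(*steps, default_issuer=None):
    """Wrap constructed steps in a SignUpOrSignIn journey, optionally naming a default issuer."""
    attr = f' DefaultCpimIssuerTechnicalProfileReferenceId="{default_issuer}"' if default_issuer else ""
    return (f'<UserJourney Id="SignUpOrSignIn"{attr}><OrchestrationSteps>'
            + "".join(steps) + "</OrchestrationSteps></UserJourney>")


BAD = journey(STEP_1, STEP_2, STEP_3_TWO_EXCHANGES, SEND.format(4), SEND.format(5))
GOOD = journey(STEP_1, STEP_2, STEP_3_ONE_EXCHANGE, SEND.format(4))

if __name__ == "__main__":
    for name, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_journey_xml(text) or "no errors")
```

Run it on the steps from the question and they pass both rules on their own, which is the useful observation: the B2C validator checks the effective policy after base and extension files are combined, so a journey fragment that is clean in isolation can still be reported with doubled claims exchanges and a second SendClaims step once it is uploaded alongside its base policy. Lint the journey of the same Id in every file of the chain, not only the one being edited.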

