In part 1 of this series we looked at approaches for building and publishing Azure AD B2C custom policies from a local environment. Manually deploying policies works fine for development/test environments, but it isn't a very good approach for production deployments. Manual deployments can be prone to errors and ideally we'd like to be able to review changes before they are pushed.

In this part we will look at an Azure DevOps extension that I built and how we can use it to build and publish Azure AD B2C custom policies.

The Azure DevOps extension

A couple months ago I released an extension for Azure DevOps: Azure AD B2C custom policy build and publish. It comes with two tasks for Azure Pipelines:

  1. Build policies like the VS Code extension
  2. Publish policies to an Azure AD B2C tenant

The source code for the extension is also available on GitHub.

Building custom policies in Azure DevOps

Using the extension, we can build a version of our custom policies for a specfic environment. This means replacing placeholders in the policy files, like the VS Code extension for Azure AD B2C does. With a YAML pipeline, it is pretty simple:

- task: b2c-policy-build@1
  displayName: Build policies
  inputs:
    environment: "Production"
    inputFolder: "$(Build.Repository.LocalPath)/Policies"
    outputFolder: "$(Build.ArtifactStagingDirectory)/policies"
    additionalArguments: |
      ApiUrl=https://test.com
      SecondSetting=$(SecondSetting)

This takes the policy files from the input folder, finds the appsettings.json file in the same folder, and replaces the placeholders in the policy files with values from the settings file. It works exactly the same as the VS Code extension that we looked at in part 1. The resulting policy files are output to the output folder.

The task also supports additional arguments, in case you want to override values in appsettings.json.

Publishing custom policies from Azure DevOps

To publish the policies we built, we need to do some additional setup. You need to create an app registration in the Azure AD B2C tenant with the Policy.ReadWrite.TrustFramework application permission, and a client secret. More detailed instructions are available in the extension readme.

With the app registration made, you can publish policies with:

- task: b2c-policy-publish@1
  displayName: Publish policies
  inputs:
    inputFolder: "$(Build.ArtifactStagingDirectory)/policies"
    authority: "https://login.microsoftonline.com/your-tenant-id-here"
    clientId: "your-client-id-here"
    clientSecret: "$(ClientSecret)"

It takes policies from a folder, looks at them to figure out what the deployment order needs to be and then uploads them through Microsoft Graph API (using this operation). The reason the order matters is that the base policies must be uploaded first.

Summary

I definitely recommend automating the process of building and publishing custom policies to Azure AD B2C. It reduces errors and makes the deployment repeatable. You can also enforce a review process before changes are deployed.

You can use the extension I made for this purpose, or you can use one of the others that exist.

Links