Creating an approval journey with Azure AD B2C

B2C_1A_MagicLink.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="yourtenant.onmicrosoft.com"
                      PolicyId="B2C_1A_MagicLink"
                      PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_MagicLink"
                      DeploymentMode="Development"
                      UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">

	<BasePolicy>
		<TenantId>yourtenant.onmicrosoft.com</TenantId>
		<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
	</BasePolicy>

	<BuildingBlocks>
		<ClaimsSchema>
						
			<ClaimType Id="strongAuthenticationEmailAddress">
				<DisplayName>Email Address</DisplayName>
				<DataType>string</DataType>
				<AdminHelpText>Email address that the user can use for strong authentication.</AdminHelpText>
				<UserHelpText>Email address to use for strong authentication.</UserHelpText>
				<UserInputType>TextBox</UserInputType>
			</ClaimType>
			
			<ClaimType Id="signInNamesInfo.emailAddress">
				<DisplayName>Email Address</DisplayName>
				<DataType>string</DataType>
				<AdminHelpText>Email address that the user can use to sign in.</AdminHelpText>
				<UserHelpText>Email address to use for signing in.</UserHelpText>
				<UserInputType>TextBox</UserInputType>
			</ClaimType>
			
			<ClaimType Id="emails">
				<DisplayName>Email Addresses</DisplayName>
				<DataType>stringCollection</DataType>
				<AdminHelpText>Email addresses of the user.</AdminHelpText>
				<UserHelpText>Your email addresses.</UserHelpText>
			</ClaimType>
			
			<ClaimType Id="extension_Reason">
				<DisplayName>Approval reason</DisplayName>
				<DataType>string</DataType>
			</ClaimType>
						
		</ClaimsSchema>
		
		<ClaimsTransformations>
			
			<ClaimsTransformation Id="CreateEmailsFromOtherMailsAndSignInNamesInfo" TransformationMethod="AddItemToStringCollection">
				<InputClaims>
					<InputClaim ClaimTypeReferenceId="signInNamesInfo.emailAddress" TransformationClaimType="item"/>
					<InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection"/>
				</InputClaims>
				<OutputClaims>
					<OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/>
				</OutputClaims>
			</ClaimsTransformation>

			<ClaimsTransformation Id="AddStrongAuthenticationEmailToEmails" TransformationMethod="AddItemToStringCollection">
				<InputClaims>
					<InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="item"/>
					<InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/>
				</InputClaims>
				<OutputClaims>
					<OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/>
				</OutputClaims>
			</ClaimsTransformation>
			
		</ClaimsTransformations>
	</BuildingBlocks>

	<ClaimsProviders>		
	
		<ClaimsProvider>
			<DisplayName>Local Account Username</DisplayName>
			<TechnicalProfiles>
			
				<TechnicalProfile Id="AAD-ReadCommon">
					<Metadata>
						<Item Key="Operation">Read</Item>
						<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
					</Metadata>
					<OutputClaims>
						<OutputClaim ClaimTypeReferenceId="userPrincipalName"/>
						<OutputClaim ClaimTypeReferenceId="displayName"/>
						<!-- <OutputClaim ClaimTypeReferenceId="mail"/> -->
						<OutputClaim ClaimTypeReferenceId="otherMails"/>
						<!-- <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="signInNames.emailAddress"/> -->
					</OutputClaims>
					<OutputClaimsTransformations>
						<OutputClaimsTransformation ReferenceId="CreateEmailsFromOtherMailsAndSignInNamesInfo"/>
						<OutputClaimsTransformation ReferenceId="AddStrongAuthenticationEmailToEmails"/>
					</OutputClaimsTransformations>
					<IncludeTechnicalProfile ReferenceId="AAD-Common"/>
				</TechnicalProfile>
				
				<TechnicalProfile Id="IdTokenHint_Asymmetric_ExtractClaims">
					<DisplayName>My ID Token Hint Asymmetric Technical Profile</DisplayName>
					<Protocol Name="None"/>
					<Metadata>
						<!-- Replace with your endpoint location -->
						<Item Key="METADATA">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_MLB2C_SUSI
						</Item>						
						<Item Key="IdTokenAudience">e00...a70</Item>
						<Item Key="issuer">yourtenant.onmicrosoft.com</Item>
					</Metadata>
					<OutputClaims>
						<!-- Note. If you change this, also change in RP!!! -->
						<OutputClaim ClaimTypeReferenceId="displayName"/>
						<OutputClaim ClaimTypeReferenceId="givenName"/>
						<OutputClaim ClaimTypeReferenceId="surName"/>
						<OutputClaim ClaimTypeReferenceId="email"/>
						<OutputClaim ClaimTypeReferenceId="extension_Reason"/>
					</OutputClaims>
				</TechnicalProfile>
			</TechnicalProfiles>
		</ClaimsProvider>
			
	</ClaimsProviders>

	<UserJourneys>
	
		<!-- If extension_mfatype exists, then the user has proofed up. If not, they are asked to go through the proofup journey -->
		<UserJourney Id="MagicLink-Approve">
			<OrchestrationSteps>
			
				<OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_Asymmetric_ExtractClaims"/>
				
				<OrchestrationStep Order="2" Type="ClaimsExchange">
					<ClaimsExchanges>
						<ClaimsExchange Id="UserWriteUsingLogonEmail" TechnicalProfileReferenceId="AAD-UserWriteUsingLogonEmail"/>
					</ClaimsExchanges>
				</OrchestrationStep>
				
				<!-- This is where you would call a REST API to use a magic link to reset the user password in B2C -->

				<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>

			</OrchestrationSteps>
			<ClientDefinition ReferenceId="DefaultWeb"/>
		</UserJourney>
	</UserJourneys>
  
	<RelyingParty>
		<DefaultUserJourney ReferenceId="MagicLink-Approve"/>
		<UserJourneyBehaviors>
			<SingleSignOn Scope="Tenant"/>
			<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="410...5d0" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/>
			<!-- <ScriptExecution>Allow</ScriptExecution> -->
		</UserJourneyBehaviors>
		<TechnicalProfile Id="PolicyProfile">
			<DisplayName>PolicyProfile</DisplayName>
			<Protocol Name="OpenIdConnect"/>
			<InputClaims>
				<InputClaim ClaimTypeReferenceId="displayName"/>
				<InputClaim ClaimTypeReferenceId="givenName"/>
				<InputClaim ClaimTypeReferenceId="surName"/>
				<InputClaim ClaimTypeReferenceId="email"/>
				<InputClaim ClaimTypeReferenceId="extension_Reason"/>
			</InputClaims>
			<OutputClaims>
				<OutputClaim ClaimTypeReferenceId="displayName"/>
				<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenname"/>
				<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname"/>
				<OutputClaim ClaimTypeReferenceId="email"/>
				<OutputClaim ClaimTypeReferenceId="extension_Reason"/>				
				<OutputClaim ClaimTypeReferenceId="objectId" DefaultValue="123456" PartnerClaimType="sub"/>
				<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Local"/>
				<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/>
			</OutputClaims>
			<SubjectNamingInfo ClaimType="sub"/>
		</TechnicalProfile>
	</RelyingParty>
</TrustFrameworkPolicy>

https://medium.com/the-new-control-plane/creating-an-approval-journey-with-azure-ad-b2c-b9e6d606e648