@rbrayb
Created April 18, 2024 23:56
Using CAPTCHA in Azure AD B2C
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Relying-party policy that bolts the built-in CAPTCHA (HIP) display control onto the
  local-account sign-up and sign-in self-asserted pages. Everything not declared here
  (user journeys, the base definitions of the two self-asserted profiles, the claim
  types emitted by PolicyProfile) is inherited from the base policy named below.

  NOTE(review): DeploymentMode="Development" combined with the journey recorder endpoint
  sends the journey, which can include claim values, to Application Insights. That is a
  debugging setting; confirm it is changed before real users reach this policy.
-->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="tenant.onmicrosoft.com"
                      PolicyId="B2C_1A_Captcha"
                      PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_Captcha"
                      DeploymentMode="Development"
                      UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">
  <!-- Parent policy this file extends. -->
  <BasePolicy>
    <TenantId>tenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions-Captcha</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Claims exchanged with the CAPTCHA provider. inputSolution and solved are
           referenced only as PartnerClaimType names on the Verify profile below. -->
      <ClaimType Id="inputSolution">
        <DataType>string</DataType>
      </ClaimType>
      <ClaimType Id="solved">
        <DataType>boolean</DataType>
      </ClaimType>
      <!-- Free-text reason returned by the verify step (e.g. why a solution was rejected). -->
      <ClaimType Id="reason">
        <DataType>string</DataType>
      </ClaimType>
      <!-- Emitted by GetChallenge and fed back into VerifyChallenge unchanged. -->
      <ClaimType Id="azureregion">
        <DataType>string</DataType>
      </ClaimType>
      <!-- The next four claims are the ones the CaptchaControl display control renders. -->
      <ClaimType Id="challengeId">
        <DisplayName>The ID of the generated captcha</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Captcha challenge identifier</UserHelpText>
        <UserInputType>Paragraph</UserInputType>
      </ClaimType>
      <ClaimType Id="challengeType">
        <DisplayName>Type of captcha (visual / audio)</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Captcha challenge type</UserHelpText>
        <UserInputType>Paragraph</UserInputType>
      </ClaimType>
      <ClaimType Id="challengeString">
        <DisplayName>Captcha challenge code</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Captcha challenge code</UserHelpText>
        <UserInputType>Paragraph</UserInputType>
      </ClaimType>
      <!-- The only claim the user types; it is the candidate solution. -->
      <ClaimType Id="captchaEntered">
        <DisplayName>Captcha entered by the user</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Enter the characters you see</UserHelpText>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
      <ClaimType Id="isCaptchaSolved">
        <DisplayName>Flag indicating that the captcha was successfully solved</DisplayName>
        <DataType>boolean</DataType>
      </ClaimType>
    </ClaimsSchema>
    <!-- Page layouts for the two self-asserted pages that host the control.
         NOTE(review): the display control presumably needs a recent selfasserted
         page-layout contract; keep the version at or above the one shown. -->
    <ContentDefinitions>
      <ContentDefinition Id="api.localaccountsignup">
        <!--Update this DataUri-->
        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.29</DataUri>
      </ContentDefinition>
      <ContentDefinition Id="api.signuporsignin">
        <!--Update this DataUri-->
        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.29</DataUri>
      </ContentDefinition>
    </ContentDefinitions>
    <DisplayControls>
      <!-- The CAPTCHA widget itself. Each action runs one of the HIP technical profiles
           declared under ClaimsProviders as a validation exchange. -->
      <DisplayControl Id="captchaControlChallengeCode"
                      UserInterfaceControlType="CaptchaControl"
                      DisplayName="Help us beat the bots">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="challengeType"/>
          <InputClaim ClaimTypeReferenceId="challengeId"/>
        </InputClaims>
        <DisplayClaims>
          <DisplayClaim ClaimTypeReferenceId="challengeType" ControlClaimType="ChallengeType"/>
          <DisplayClaim ClaimTypeReferenceId="challengeId" ControlClaimType="ChallengeId"/>
          <DisplayClaim ClaimTypeReferenceId="challengeString" ControlClaimType="ChallengeString"/>
          <DisplayClaim ClaimTypeReferenceId="captchaEntered" ControlClaimType="CaptchaEntered"/>
        </DisplayClaims>
        <Actions>
          <!-- Fetch a fresh challenge (on page load / refresh). -->
          <Action Id="GetChallenge">
            <ValidationClaimsExchange>
              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="HIP-GetChallenge"/>
            </ValidationClaimsExchange>
          </Action>
          <!-- Check the user's answer against the stored challenge. -->
          <Action Id="VerifyChallenge">
            <ValidationClaimsExchange>
              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="HIP-VerifyChallenge"/>
            </ValidationClaimsExchange>
          </Action>
        </Actions>
      </DisplayControl>
    </DisplayControls>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>HIPChallenge</DisplayName>
      <TechnicalProfiles>
        <!-- Both HIP profiles use the engine's built-in CaptchaProvider; the Operation
             metadata item selects which call it makes. -->
        <TechnicalProfile Id="HIP-GetChallenge">
          <DisplayName>GetChallenge</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
          <Metadata>
            <Item Key="Operation">GetChallenge</Item>
            <Item Key="Brand">HIP</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="challengeType"/>
          </InputClaims>
          <DisplayClaims>
            <DisplayClaim ClaimTypeReferenceId="challengeString"/>
          </DisplayClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="challengeId"/>
            <OutputClaim ClaimTypeReferenceId="challengeString" PartnerClaimType="ChallengeString"/>
            <OutputClaim ClaimTypeReferenceId="azureregion"/>
          </OutputClaims>
        </TechnicalProfile>
        <TechnicalProfile Id="HIP-VerifyChallenge">
          <DisplayName>Verify Code</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
          <Metadata>
            <Item Key="Brand">HIP</Item>
            <Item Key="Operation">VerifyChallenge</Item>
          </Metadata>
          <InputClaims>
            <!-- Visual is assumed when the control did not supply a type. -->
            <InputClaim ClaimTypeReferenceId="challengeType" DefaultValue="Visual"/>
            <InputClaim ClaimTypeReferenceId="challengeId"/>
            <!-- The user's answer is mandatory and is sent to the provider as inputSolution. -->
            <InputClaim ClaimTypeReferenceId="captchaEntered" PartnerClaimType="inputSolution" Required="true"/>
            <InputClaim ClaimTypeReferenceId="azureregion"/>
          </InputClaims>
          <DisplayClaims>
            <DisplayClaim ClaimTypeReferenceId="captchaEntered"/>
          </DisplayClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="challengeId"/>
            <OutputClaim ClaimTypeReferenceId="isCaptchaSolved" PartnerClaimType="solved"/>
            <OutputClaim ClaimTypeReferenceId="reason" PartnerClaimType="reason"/>
          </OutputClaims>
        </TechnicalProfile>
        <!-- Overrides of the base policy's self-asserted profiles (merged by Id). Each one
             turns the CAPTCHA setting on and places the control on the page; without the
             metadata item the display claim alone is not expected to enforce anything. -->
        <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
          <Metadata>
            <!--Add this metadata entry. Set value to true to activate CAPTCHA-->
            <Item Key="setting.enableCaptchaChallenge">true</Item>
          </Metadata>
          <DisplayClaims>
            <!--Add this display claim, which is a reference to the captcha display control-->
            <DisplayClaim DisplayControlReferenceId="captchaControlChallengeCode"/>
          </DisplayClaims>
        </TechnicalProfile>
        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
          <Metadata>
            <!--Add this metadata entry. Set value to true to activate CAPTCHA-->
            <Item Key="setting.enableCaptchaChallenge">true</Item>
          </Metadata>
          <DisplayClaims>
            <!--Add this display claim, which is a reference to the captcha display control-->
            <DisplayClaim DisplayControlReferenceId="captchaControlChallengeCode"/>
          </DisplayClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn"/>
    <Endpoints>
      <!--points to refresh token journey when app makes refresh token request-->
      <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" />
    </Endpoints>
    <UserJourneyBehaviors>
      <!-- NOTE(review): InstrumentationKey="123456" is a placeholder and DeveloperMode="true"
           is a debugging setting; both are expected to be replaced for a real deployment. -->
      <JourneyInsights TelemetryEngine="ApplicationInsights"
                       InstrumentationKey="123456"
                       DeveloperMode="true"
                       ClientEnabled="false"
                       ServerEnabled="true"
                       TelemetryVersion="1.0.0"/>
    </UserJourneyBehaviors>
    <!-- Claims issued in the token; objectId becomes the subject. -->
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName"/>
        <OutputClaim ClaimTypeReferenceId="givenName"/>
        <OutputClaim ClaimTypeReferenceId="surname"/>
        <OutputClaim ClaimTypeReferenceId="email"/>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>