Tanzy

Reputation: 710

B2C Custom Policy Dynamic Identity Provider

I'm struggling to find an example of this or how to do it, I'm sure that it's possible. Below is the scenario

  1. User directed to custom policy
  2. User asked for email address
  3. Policy then checks the email address against a database (via Azure Function). This function will return the provider to use. At the moment either https://login.microsoftonline.com/organizations or b2c
  4. If the function returns https://login.microsoftonline.com/organizations then direct to Microsoft Sign in (passing email as hint so it's already filled in). This will then return back to the B2C signin flow
  5. If B2C is returned then authentication is carried out by the B2C
  6. Once user is authenticated via microsoftonline or B2C returned to app as normal

I know that external functions can be called from a custom signin policy. However, it's the user journey where it will send off to microsoftonline to sign in or carry on with the normal B2C flow that I'm struggling with. This article is close https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga, however, I want this choice to be made dynamically based on return value from an Azure Function.

Hopefully, someone will understand what I'm talking about

Upvotes: 1

Views: 1088

Answers (1)

Jas Suri - MSFT

Reputation: 11315

We call this home realm discovery, see this sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/default-home-realm-discovery

The sample uses a lookup inside the B2C policy itself, with a claims transformation. But you could swap that out for a REST API instead if needed.

Upvotes: 1
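As an added example (not part of the question, the answer, or the linked sample), here is what the REST API side of that swap can look like: an Azure Function in the Node.js v3 programming model that receives the email the user typed, looks up its domain, and returns an `identityProvider` output claim that the policy can branch on. The B2C RestfulProvider posts the input claims as a JSON body and reads a 200 JSON response as output claims; a 409 response with `version`, `status` and `userMessage` is shown to the user as a validation error. The domain table, the claim names `identityProvider` and `domainHint`, and the function names are assumptions made for this example; in the policy you would call the function from a validation technical profile on the email step and gate the Azure AD and local-account orchestration steps with `ClaimEquals` preconditions on the returned claim, as the linked sample does with its own lookup.

```javascript
// Added example: Azure Function (Node.js v3 model) performing home realm discovery
// for an Azure AD B2C REST technical profile. Not code from the question, the
// answer, or the azure-ad-b2c/samples repository.

// CONSTRUCTED lookup table standing in for the database in the question. Keys are
// email domains; values are the provider name the policy will branch on.
const REALM_BY_DOMAIN = {
  "contoso.com": "organizations",   // work account: login.microsoftonline.com/organizations
  "fabrikam.com": "organizations",
  "example.org": "b2c",             // local B2C account
};

// Unknown domains fall back to the local B2C flow. Failing towards B2C rather
// than returning an error keeps unknown users in the self-service path and does
// not reveal which domains are federated.
const DEFAULT_REALM = "b2c";

// Deliberately simple syntax check: it only rejects obviously malformed input
// before the lookup and is not a full RFC 5322 validator.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Pure lookup. Returns { identityProvider, domainHint } or null for a bad address.
// Matching is case-insensitive because email domains are.
function resolveHomeRealm(email) {
  if (typeof email !== "string") return null;
  const normalized = email.trim().toLowerCase();
  if (!EMAIL_RE.test(normalized)) return null;
  const domain = normalized.substring(normalized.lastIndexOf("@") + 1);
  // hasOwnProperty guard so a domain such as "constructor" cannot hit Object.prototype
  const identityProvider = Object.prototype.hasOwnProperty.call(REALM_BY_DOMAIN, domain)
    ? REALM_BY_DOMAIN[domain]
    : DEFAULT_REALM;
  // domainHint can be forwarded by the policy to Azure AD as domain_hint; the
  // email itself is what the question wants passed as the login hint.
  return {
    identityProvider,
    domainHint: identityProvider === "organizations" ? domain : "",
  };
}

// Builds the HTTP response shape the B2C RestfulProvider expects.
function buildResponse(body) {
  const result = resolveHomeRealm(body && body.email);
  if (result === null) {
    return {
      status: 409,
      headers: { "Content-Type": "application/json" },
      body: { version: "1.0.0", status: 409, userMessage: "Please enter a valid email address." },
    };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: result,
  };
}

// Azure Functions entry point (v3 model): B2C posts { "email": "..." }.
// Only the chosen provider is logged, never the email address itself.
async function handler(context, req) {
  const response = buildResponse(req && req.body);
  context.log(`home realm discovery -> status ${response.status}`);
  context.res = response;
}

// Export for the Functions host when loaded as a CommonJS module.
if (typeof module !== "undefined") {
  module.exports = handler;
}
```

Whichever provider name the function returns, protect the endpoint itself: the sample's REST technical profile supports `AuthenticationType` values such as Basic or ClientCertificate, and an unauthenticated lookup endpoint would otherwise let anyone enumerate which domains are federated.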
