Sign-up and sign-in with Intuit using Azure AD B2C

This article describes how to add authentication for an Intuit account to an Azure AD B2C custom policy.


The following diagram illustrates the authentication flow for an Intuit account to an Azure AD B2C custom policy.

For information about Intuit and OAuth 2.0, see


  1. If you don’t already have one, then you must create an Azure AD B2C tenant that is linked to your Azure subscription.
  2. Prepare your Azure AD B2C tenant by creating the token signing and encryption keys and creating the Identity Experience Framework applications.
  3. Download one of the starter packs for Azure AD B2C from Microsoft’s GitHub repository.

Configure an Intuit application

  1. Log in to
  2. On the My Apps Dashboard page, select Create an app.
  3. On the Create app page, select QuickBooks Online and Payments.
  4. On the QuickBooks Online and Payments page, enter the following fields and then select Create app:
    1. App name
    2. Scope:
  5. On the app page, in the Development Settings > Keys & credentials > Keys section, copy the Client ID and Secret fields.
  6. On the app page, in the Development Settings > Keys & credentials > Redirect URIs section, enter the following fields and then select Save:
    1. Redirect URL: Enter either if you use the built-in domain or https://your-domain-name/ if you use a custom domain for the Redirect URL field. Replace your-tenant-name with your tenant name and your-domain-name with your custom domain.

Add the client secret for the Intuit application as a policy key

  1. Sign in to the Azure AD B2C portal.
  2. Select Identity Experience Framework.
  3. Select Policy keys.
  4. Select Add.
  5. In the Create a key section, enter the following fields and then select Create:
    1. Options: Manual
    2. Name: IntuitClientSecret
    3. Secret: Paste the Client secret field that was copied in the previous section.

Configure claims transformation

We must also configure a CreateDisplayName claims transformation that formats the givenName and surname claim types that are retrieved for the authenticated user.

  1. Open the TrustFrameworkExtensions.xml file.
  2. Find the BuildingBlocks element and then the ClaimsTransformations element. If they don’t exist, then add them to the TrustFrameworkPolicy element.
  3. Add the following ClaimsTransformation element to the ClaimsTransformations element.
<ClaimsTransformation Id="CreateDisplayName" TransformationMethod="FormatStringMultipleClaims">
    <InputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="surname" TransformationClaimType="inputClaim2" />
    <InputParameter Id="stringFormat" DataType="string" Value="{0} {1}" />
    <OutputClaim ClaimTypeReferenceId="displayName" TransformationClaimType="outputClaim" />
  1. Find the ClaimsProviders element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
  2. Add the following ClaimsProvider element to the ClaimsProviders element.
  <DisplayName>Claims Transformation</DisplayName>
    <TechnicalProfile Id="ClaimsTransformation-CreateDisplayName">
      <DisplayName>Create Display Name Claims Transformation</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=, Culture=neutral, PublicKeyToken=null" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaimsTransformation ReferenceId="CreateDisplayName" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

Configure Intuit as an identity provider

  1. Open the TrustFrameworkExtensions.xml file.
  2. Find the ClaimsProviders element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
  3. Add the following ClaimsProvider element to the ClaimsProviders element. Replace your-intuit-client-id with the Client ID field that was copied in the Configure an Intuit application section.
    <TechnicalProfile Id="Intuit-OAuth2">
      <Protocol Name="OAuth2" />
        <Item Key="client_id">your-intuit-client-id</Item>
        <Item Key="authorization_endpoint"></Item>
        <Item Key="AccessTokenEndpoint"></Item>
        <Item Key="ClaimsEndpoint"></Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="token_endpoint_auth_method">client_secret_basic</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_IntuitClientSecret" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="familyName" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

Add a user journey

  1. Open the TrustFrameworkBase.xml file.
  2. Copy the UserJourney element that includes Id="SignUpOrSignIn".
  3. Open the TrustFrameworkExtensions.xml file and find the UserJourneys element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
  4. Paste the UserJourney element that was copied in step 2 to the UserJourneys element and replace the Id attribute for this UserJourney element from "SignUpOrSignIn" to "IntuitSignUpOrSignIn".

Add the identity provider to the user journey

  1. Add the claims provider that was configured in the Configure Intuit as an identity provider section to the user journey that was added in the previous section.
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
    <ClaimsProviderSelection TargetClaimsExchangeId="IntuitExchange" />

<OrchestrationStep Order="2" Type="ClaimsExchange">
    <ClaimsExchange Id="IntuitExchange" TechnicalProfileReferenceId="Intuit-OAuth2" />

Add the claims transformation to the user journey

  1. Add the claims provider that was configured in the Configure claims transformation section to the user journey that was added in the Add a user journey section. This must be between after the AADUserReadUsingAlternativeSecurityId claims exchange and the SelfAsserted-Social claims exchange.
<OrchestrationStep Order="4" Type="ClaimsExchange">
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
    <ClaimsExchange Id="ClaimsTransformation-CreateDisplayName" TechnicalProfileReferenceId="ClaimsTransformation-CreateDisplayName" />

Configure the relying party policy

  1. Open the SignUpOrSignIn.xml file.
  2. Replace the ReferenceId attribute for the DefaultUserJourney element from "SignUpOrSignIn" to "IntuitSignUpOrSignIn".
  <DefaultUserJourney ReferenceId="IntuitSignUpSignIn" />

Upload and test the custom policy

  1. Upload all policy files in the following order to your Azure AD B2C tenant:
    1. TrustFrameworkBase.xml
    2. TrustFrameworkLocalization.xml
    3. TrustFrameworkExtensions.xml
    4. SignUpOrSignIn.xml
  2. Test the B2C_1A_signup_signin policy from your Azure AD B2C tenant.
[mailpoet_form id="1"]

Other Recent Blogs

Microsoft Teams IP Phones and Intune Enrollment

Microsoft Teams provides a growing portfolio of devices that can be used as desk and conference room phones. These IP phones run on Android 8.x or 9.x and are required to be enrolled in Intune. By default, these devices are enrolled as personal devices, which is not ideal as users should not be able to enrol their own personal Android devices.

Read More »

Level 9, 360 Collins Street, 
Melbourne VIC 3000

Level 2, 24 Campbell St,
Sydney NSW 2000

200 Adelaide St,
Brisbane QLD 4000

191 St Georges Terrace
Perth WA 6000

Level 10, 41 Shortland Street

Part of

Arinco trades as Arinco (VIC) Pty Ltd and Arinco (NSW) Pty Ltd. © 2023 All Rights Reserved Arinco™ | Privacy Policy | Sustainability and Our Community
Arinco acknowledges the Traditional Owners of the land on which our offices are situated, and pay our respects to their Elders past, present and emerging.

Get started on the right path to cloud success today. Our Crew are standing by to answer your questions and get you up and running.