
function Import-IEFPolicies {
    Uploads IEF xml policies to a tenant
    Uploads IEF xml policies to a tenant. Modifies the xml source prior to the upload by replacing IEF app symbolic names
    with actual app Ids from the tenant. Replaces other symbolic paramaters included in the xml with '{}' braces by corresponding
    values in the conf.json file. Injects a defined prefix into the name of the policy. Modified xml is saved in a separate directory after import.
    .PARAMETER sourceDirectory
    Directory with xml policies and (optinaly) conf.json file
    .PARAMETER configurationFilePath
    Name of file with configuration values if not conf.json
    .PARAMETER updatedSourceDirectory
    Directory updated policies are stored after upload
    .PARAMETER prefix
    Parameter to be injected into the name of each policy (e.g. B2C_1A_YOURPREFIXBase)
    .PARAMETER generateOnly
    Update xml files and store them in the updatedSourceDirectory but do not upload to the B2C tenant
        PS C:\> Import-IEFPolicies
        Upload policies from the current work directory using conf.json file for configuration data if it exists.
    Please use connect-iefpolicies -tenant <tanant Name> before executing this command


        [string]$sourceDirectory = '.\',

        [string]$configurationFilePath = '.\conf.json',

        [string]$updatedSourceDirectory = '.\debug\',




    # upload policies whose base id is given
    function Import-Children($baseId) {
        foreach($p in $policyList) {
            if ($p.BaseId -eq $baseId) {
                # Skip unchanged files
                #outFile = ""
                if (-not ([string]::IsNullOrEmpty($updatedSourceDirectory))) {
                    if(!(Test-Path -Path $updatedSourceDirectory )){
                        New-Item -ItemType directory -Path $updatedSourceDirectory
                        Write-Host "Updated source folder created"
                    if (-not $updatedSourceDirectory.EndsWith("\")) {
                        $updatedSourceDirectory = $updatedSourceDirectory + "\"
                    $envUpdatedDir = '{0}{1}' -f $updatedSourceDirectory, $b2cDomain
                    if(!(Test-Path -Path $envUpdatedDir)){
                        New-Item -ItemType directory -Path $envUpdatedDir
                        Write-Host " Updated source folder created for " + $b2cDomain
                    $outFile = '{0}\{1}' -f $envUpdatedDir, $p.Source
                    if (Test-Path $outFile) {
                        if ($p.LastWrite.Ticks -le (Get-Item $outFile).LastWriteTime.Ticks) {
                            "{0}: is up to date" -f $p.Id
                            Import-Children $p.Id
                $msg = "{0}: uploading" -f $p.Id
                Write-Host $msg  -ForegroundColor Green 
                # Replace tenant id but only if already there. It messes up xml formatting
                $xml = [xml] $p.Body
                $xml.PreserveWhitespace = $true
                try {
                    $resp = Invoke-RestMethod -Uri "" -Method Get -Headers $headers
                    $xml.TrustFrameworkPolicy.TenantObjectId = $resp.value[0].Id
                    $policy = $xml.OuterXml
                } catch {
                    # tenantId not used
                    $policy = $p.Body
                $policy = $policy -replace "yourtenant", $b2cName 
                $policy = $policy -replace "ProxyIdentityExperienceFrameworkAppId", $iefProxy.appId
                $policy = $policy -replace "IdentityExperienceFrameworkAppId", $iefRes.appId
                $policy = $policy.Replace('PolicyId="B2C_1A_', 'PolicyId="B2C_1A_{0}' -f $prefix)
                $policy = $policy.Replace('/B2C_1A_', '/B2C_1A_{0}' -f $prefix)
                $policy = $policy.Replace('<PolicyId>B2C_1A_', '<PolicyId>B2C_1A_{0}' -f $prefix)

                # replace other placeholders, e.g. {MyRest} with Note replacement string must be in {}
                if ($null -ne $conf) {
                    $special = @('IdentityExperienceFrameworkAppId', 'ProxyIdentityExperienceFrameworkAppId', 'PolicyPrefix')
                    foreach($memb in Get-Member -InputObject $conf -MemberType NoteProperty) {
                        if ($memb.MemberType -eq 'NoteProperty') {
                            if ($special.Contains($memb.Name)) { continue }
                            $repl = "{{{0}}}" -f $memb.Name
                            $policy = $policy.Replace($repl, $memb.Definition.Split('=')[1])

                $policyId = $p.Id.Replace('_1A_', '_1A_{0}' -f $prefix)
                $isOK = $true
                if (-not $generateOnly) {
                    $exists = $true
                    try {
                        Invoke-RestMethod -Uri ("{0}" -f $policyId) -Method Get -Headers $headers| Out-Null
                    } catch {
                        $exists = $false
                    try {
                        if ($exists) {
                            Invoke-RestMethod -Uri ("{0}/`$value" -f $policyId) -Method Put -Headers $headersXml -Body $policy| Out-Null 
                            #Set-AzureADMSTrustFrameworkPolicy -Content ($policy | Out-String) -Id $policyId | Out-Null
                        } else {
                            "New journey"
                            Invoke-RestMethod -Uri "" -Method Post -Headers $headersXml -Body $policy | Out-Null                           
                            #New-AzureADMSTrustFrameworkPolicy -Content ($policy | Out-String) | Out-Null
                    } catch {
                        $isOk = $false
                        if(-Not $exists) {
                            "Use to ensure the tenant is setup for IEF"
                        "Ending upload"

                if ($isOK) {
                    out-file -FilePath $outFile -inputobject $policy
                    Import-Children $p.Id

    if ($sourceDirectory.EndsWith('\')) {
        $sourceDirectory = $sourceDirectory + '*' 
    } else {
        if (-Not $sourceDirectory.EndsWith('\*')) { 
            $sourceDirectory = $sourceDirectory + '\*' 

    if($null -eq $tokens) {
        "Please use Connect-IefPolicies -tenant <name> to login first"

    $headers = @{
        'Content-Type' = 'application/json';
        'Authorization' = ("Bearer {0}" -f $tokens.access_token);
    $headersXml = @{
    'Content-Type' = 'application/xml';
    'Authorization' = ("Bearer {0}" -f $tokens.access_token);
    $domains = Invoke-RestMethod -Uri -Method Get -Headers $headers
    $b2cDomain = $domains.value[0].id
    $b2cName = $b2cDomain.Split('.')[0]
    try {
        $resp = Invoke-RestMethod -Uri "`$filter=startsWith(displayName,'IdentityExperienceFramework')" -Method Get -Headers $headers
        $iefRes = $resp.value[0]
        $resp = Invoke-RestMethod -Uri "`$filter=startsWith(displayName,'ProxyIdentityExperienceFramework')" -Method Get -Headers $headers
        $iefProxy = $resp.value[0]
    } catch {
        "Please ensure your B2C tenant is setup for using IEF ("

    # load originals
    $files = Get-Childitem -Path $sourceDirectory -Include *.xml
    $policyList = @()
    foreach($policyFile in $files) {
        $policy = Get-Content $policyFile
        $xml = [xml] $policy
        $policyList= $policyList + @(@{ Id = $xml.TrustFrameworkPolicy.PolicyId; BaseId = $xml.TrustFrameworkPolicy.BasePolicy.PolicyId; Body = $policy; Source= $policyFile.Name; LastWrite = $policyFile.LastWriteTime })
    "Source policies:"
    foreach($p in $policyList) {
        "Id: {0}; Base:{1}" -f $p.Id, $p.BaseId
    if(Test-Path $configurationFilePath){
        $conf = Get-Content -Path $configurationFilePath | Out-String | ConvertFrom-Json
        if ([string]::IsNullOrEmpty($prefix)){ $prefix = $conf.Prefix }

    # now start the upload process making sure you start with the base (base id == null)

function Export-IEFPolicies {
    Downloads IEF xml policy files from a B2C tenant
    Downloads IEF xml policy files from a B2C tenant optionally selecting only files with specified prefix in their name
    .PARAMETER prefix
    Used to select only certain files for doanload, prefix="V1" will download all IEF files with names starting with "B2C_1A_V1"
    .PARAMETER destinationPath
    Directory where files should be downloaded to
        PS C:\> Export-IEFPolicies -prefix V10
        Download IEF policies with names starting with 'B2C_1A_V10'
    Please use connect-iefpolicies -tenant <tanant Name> before executing this command


    if($null -eq $tokens) {
        "Please use Connect-IefPolicies -tenant <name> to login first"

    $headers = @{
        'Content-Type' = 'application/json';
        'Authorization' = ("Bearer {0}" -f $tokens.access_token);
    $headersXml = @{
    'Content-Type' = 'application/xml';
    'Authorization' = ("Bearer {0}" -f $tokens.access_token);
    if ([string]::IsNullOrEmpty($desinationPath)) {
        $destinationPath = ".\"

    if (-Not $destinationPath.EndsWith('\')) {
        $destinationPath = $destinationPath + '\' 

    $prefix = "B2C_1A_" + $prefix
    $policies = Invoke-RestMethod -Uri "" -Method Get -Headers $headers
    foreach($policy in $policies.value | Where-Object {($$prefix)}) {
        $fileName = "{0}\{1}.xml" -f $destinationPath, $policy.Id
        $policyXml = Invoke-RestMethod -Uri ("{0}/`$value" -f $ -Method Get -Headers $headersXml
        $policyXml >> $fileName
        #Get-AzureADMSTrustFrameworkPolicy -Id $policy.Id >> $fileName

function Connect-IEFPolicies {
    Gets OAuth2 tokens needed to manage IEF Policies
    Gets OAuth2 tokens needed to manage IEF Policies
    .PARAMETER tenant
    Tenant name, e.g. mytenant. is not needed.
        PS C:\> Connect-IEFPolicies -tenant abctenant
        Authorize to tenant abctenant.onmicrosoft.cvom

    if ([string]::IsNullOrEmpty($tenant)) {
        $tenantName = "organizations"
    } else {
         if ($tenant.EndsWith("")) {
            $tenantName = $tenant
        } else {
            $tenantName = "{0}" -f $tenant
    $hdrs = @{
        'Content-Type' = "application/x-www-form-urlencoded"
    $uri = "{0}/oauth2/v2.0/devicecode" -f $tenantName
    $body = "client_id=5ca00daf-7851-4276-b857-6b3de7b83f72& Policy.ReadWrite.TrustFramework Application.Read.All Directory.Read.All offline_access"
    $resp = Invoke-Webrequest -Method 'POST' -Uri $uri -Headers $hdrs -Body $body
    $codeResp = $resp.Content | ConvertFrom-Json
    #Start-Process "chrome.exe" $codeResp.verification_uri
    for($iter = 1; $iter -le ($codeResp.expires_in / $codeResp.interval); $iter++) {
        Start-Sleep -Seconds $codeResp.interval
        try {
            $uri = "{0}/oauth2/v2.0/token" -f $tenantName
            $body = "client_id=5ca00daf-7851-4276-b857-6b3de7b83f72&client_info=1&{0}" -f $codeResp.device_code
            $resp = Invoke-Webrequest -Method 'POST' -Uri $uri -Headers $hdrs -Body $body
            $global:tokens = $resp.Content | ConvertFrom-Json
            "Authorization completed"
            $headers = @{
                'Content-Type' = 'application/json';
                'Authorization' = ("Bearer {0}" -f $tokens.access_token);
            $domains = Invoke-RestMethod -Uri -Method Get -Headers $headers
            $b2cDomain = $domains.value[0].id
            $b2cName = $b2cDomain.Split('.')[0]    
            "Logged in to {0} tenant." -f $b2cName        
        } catch {

    # based on
function New-IEFPolicies {
    Download a starter pack for B2C StarterPack Git repo
    Download a starter pack for B2C StarterPack Git repo. Uses the Display Control version of the repo.
    .PARAMETER destinationPath
    Directory to download the files to. Default is current directory.
        PS C:\> New-IEFPolicies -destinationPath "c:\myPolicies"

    $owner = "Azure-Samples"
    $repository = "active-directory-b2c-custom-policy-starterpack"
    if ([string]::IsNullOrEmpty($destinationPath)) {
        $destinationPath = "."
    $path = $null
    while($null -eq $path) {
        $p = (Read-Host -Prompt "Package type: `n[L]ocal accounts only, `n[S] Social/federated only, `n[SL]ocal and social/federated, `n[M]FA social/federated and local with MFA? `n[Q]uit").ToUpper()
        switch($p) {
            "L" { $path = "Display%20Controls%20Starterpack/LocalAccounts" }
            "S" { $path = "Display%20Controls%20Starterpack/SocialAccounts" }
            "SL" { $path = "Display%20Controls%20Starterpack/SocialAndLocalAccounts" }
            "M" { $path = "Display%20Controls%20Starterpack/SocialAndLocalAccountsWithMfa" }
            "Q" { Exit }

    $url = "{0}/{1}/contents/{2}" -f $owner, $repository, $path
    $wr = Invoke-WebRequest -Uri $url
    $objects = $wr.Content | ConvertFrom-Json
    $files = $objects | Where-Object {$_.type -eq "file"} | Select-Object -exp download_url
    $directories = $objects | Where-Object {$_.type -eq "dir"}
    $directories | ForEach-Object { 
        DownloadFilesFromRepo -Owner $Owner -Repository $Repository -Path $_.path -DestinationPath $($DestinationPath+$

    if (-not (Test-Path $destinationPath)) {
        # Destination path does not exist, let's create it
        try {
            New-Item -Path $destinationPath -ItemType Directory -ErrorAction Stop
        } catch {
            throw "Could not create path '$destinationPath'!"

    foreach ($file in $files) {
        $fileDestination = Join-Path $destinationPath (Split-Path $file -Leaf)
        try {
            Invoke-WebRequest -Uri $file -OutFile $fileDestination -ErrorAction Stop -Verbose
            "Downloaded '$($file)' to '$fileDestination'"
        } catch {
            throw "Unable to download '$($file.path)'"