presentation title goes here - microsoft azuremsservicesday.azurewebsites.net/content...the process...


Post on 09-Aug-2020


TRANSCRIPT

Page 1: Presentation title goes here - Microsoft Azuremsservicesday.azurewebsites.net/Content...The process of configuring Azure AD B2C consists of the following four tasks: We will discuss
Page 3:

Page 4:

Page 5:

Page 6:

Figure: Core Capabilities + Advanced Capabilities (LOA II, III, IV)

Page 7:

Policies

Social and local accounts

Seamless user experience

Page 8:

Multifactor authentication

OAuth2/OpenID Connect support

http://aka.ms/aadsamples

Azure AD Graph API support

Page 9:

Customizable user journeys

Bring-your-own identity provider

Enhanced privacy options

Page 10:

Bring-your-own multifactor authentication

Protocol conversion

Attribute providers and verifiers

Page 11:

Page 12:

Azure AD B2C is provisioned by creating a new Azure Active Directory and enabling it for B2C

Page 13:

The process of configuring Azure AD B2C consists of the following four tasks:

1. Configure identity providers the application will leverage
2. Configure attributes the application will use
3. Configure policies for sign up, sign in, profile edit, etc.
4. Integrate the application with B2C using OIDC

We will discuss these tasks in more detail in the following slides.

NOTE: It is possible to test most of the Azure AD B2C configuration before the applications are integrated by using the Run Now button on each policy.

Page 14:

Azure AD B2C supports local and social accounts

Local accounts

Page 15:

Social accounts

Users can choose which type of account they want to use during sign up and sign in.

Page 16:

Azure AD B2C makes available a number of default attributes (see table at right)

Additional custom attributes can be created

Users will be prompted to provide attributes during sign up

Page 17:

Page 18:

Defines

Domain-specific language designed for B2C

Page 19:

Policies describe how users will interact with the various Azure AD B2C capabilities

There are five types of policies that can be defined

You can define multiple policies of each type, and apps can share policies

Policies are specified in the query string of the Azure AD B2C URL

Page 20:

Types of policies

Policies can be invoked by multiple relying parties

Page 21:

Base policies set standards that may or may not be overridden

Unlimited policy depth, but generally three levels is enough

Community of interest

Page 22:

Figure: two relying parties sharing policies. Contoso App #1 offers sign up, sign in, profile and sign out; Contoso App #2 offers sign up and sign in. App 1 and App 2 both invoke the shared policies P1 (SU), P2 (SI) and P3 (PE). The requests shown in the figure:

Req1: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/auth?<std qp>&p=p1

Req2: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/auth?<std qp>&p=p3

Req3: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/logout?<std qp>&p=p2

Req4: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/auth?<std qp>&p=p2

Page 23:

Identity provider settings

Sign-up attribute settings

Profile attribute settings

Page 24:

Application claim settings

Token, session, and SSO settings

Multifactor authentication settings

Page 25:

Page UI customization

Page 26:

Settings available per policy type (columns, in order: Sign up | Sign in | Sign up or sign in | Profile editing | Password reset; an X marks a policy type the setting applies to):

Identity provider settings: X X X X X

Sign-up attribute settings: X X

Profile attribute settings: X

Application claim settings: X X X X X

Token, session, and SSO settings: X X X X

Multifactor authentication setting: X X X X

Page UI customization setting: X X X X X

Page 27:

Several customizations to the user interface can be made using the web-based administrative interface:


For more advanced customization, a custom page can be specified for each page applicable to a policy

Page 28:

The following pages can be customized for each policy type:

NOTE: Each policy can have its own custom page version

Pages per policy type (columns, in order: Sign-up policy | Sign-in policy | Sign-up/sign-in policy | Profile editing policy | Password reset policy; an X marks a policy type that uses the page):

Identity provider selection page: X X X

Unified sign-up or sign-in page: X

Local account sign-up page: X X

Social account sign-up page: X X

Multifactor authentication page: X X X X

Profile editing page: X

Forgot password page: X

Error page: X X X X X

Page 29:

The custom page files have specific requirements

Page 30:

When a user accesses a customized page for a given policy, the following occurs:

NOTE: CORS must be enabled on the server hosting the custom page or, for security reasons, the browser will refuse to load the page

Page 31:

CORS is a browser security feature designed to control JavaScript access to web servers in domains different from the one serving the main page

Azure AD B2C uses CORS's simplest mode:

Bottom Line: The server hosting Azure AD B2C custom pages must support CORS and must allow GET requests to the custom pages from https://login.microsoftonline.com.
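As an added example (not from the deck), a small Python static-file handler for the host that serves the custom pages: it returns Access-Control-Allow-Origin only on an exact match of https://login.microsoftonline.com and only for GET/HEAD, which is all the simple CORS mode described above needs. The port and function names are this example's own.

```python
# Added example: exact-match CORS allow-list for an Azure AD B2C custom-page host.
# B2C fetches the page with a plain GET from https://login.microsoftonline.com
# (simple CORS mode, no preflight), so the server only has to echo that origin.
# It must not answer "*" and must not match the origin by prefix or substring.
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# The origin the custom pages are loaded from (stated on the slide).
ALLOWED_ORIGINS = frozenset({"https://login.microsoftonline.com"})


def cors_headers_for(origin, method="GET"):
    """Return the CORS response headers for a request, or None when the request
    gets no CORS headers (the browser then refuses to use the response)."""
    if origin is None or method.upper() not in ("GET", "HEAD"):
        return None
    parts = urlsplit(origin)
    # An Origin value is scheme://host[:port] with no path; anything else
    # (e.g. "null", or a URL with a path) is rejected outright.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    # Exact, scheme-sensitive comparison after case normalisation, so
    # "https://login.microsoftonline.com.attacker.example" and
    # "http://login.microsoftonline.com" both fail the check.
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalised not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": normalised,
        # Caches must key on Origin so one origin's allow header is never
        # replayed to a different origin.
        "Vary": "Origin",
    }


class CustomPageHandler(SimpleHTTPRequestHandler):
    """Static file handler that adds CORS headers only for the allowed origin."""

    def end_headers(self):
        headers = cors_headers_for(self.headers.get("Origin"), self.command)
        if headers:
            for name, value in headers.items():
                self.send_header(name, value)
        super().end_headers()


if __name__ == "__main__":
    # Serves the current directory on port 8080 (placeholder port).
    ThreadingHTTPServer(("", 8080), CustomPageHandler).serve_forever()
```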

Page 32:

The local account sign-in page (not the sign-up and sign-in page) is shared with non-B2C Azure AD and therefore cannot be modified as described above.

Rather, this page can be branded using the Azure AD branding tools.

New customization capabilities may be coming in the future

Page 33:

Multifactor authentication (MFA) is phone-based, sending a code to the phone through text or voice call.

The code must be entered as a second step during the login process.

To help make sure MFA is enabled, set up MFA on the sign-up policy.

MFA can be enabled or disabled on a policy-by-policy basis

Page 34:

Azure AD B2C MFA uses the same infrastructure as Azure MFA, but with fewer configuration options

Social accounts can have MFA as easily as local accounts, thus adding additional security for social accounts when it is needed

It is possible to preregister MFA, but with some caveats and limitations:

Page 35:

Self-service password reset always uses the verified email address

If MFA is configured, an MFA check is also performed after email verification and before the password reset.

The password reset page can be customized like other pages.

Azure AD password complexity requirements apply to all passwords.

Page 36:

Page 37:

Azure AD B2C is designed for consumer- and citizen-facing mobile and web apps

Business to Employee | Business to Consumer | Business to Business | Service-to-service

Consider this product... | Azure AD multitenant software as a service (SaaS) app | Azure AD B2B collaboration | Azure AD B2C

If I need to provide... | a service to businesses | partner access to my apps | a service to consumers

And I am similar to... | Pharma distributor | Imaging company | Sports franchise

Deploying an app for... | Practice management | Supplier extranet | Soccer fans

Targeting... | Doctors' offices | Approved business partners | Anyone with email

Accessible when... | Customer admin consents | My admin invites | The consumer signs up

Page 38:

Page 39:

Scenario | A service to businesses | Partner access to my applications | Service to consumers

Example | Company A provides services such as a payroll or analytics application but needs its customers to manage their own Azure AD identities. Customers manage access to apps. | Company A has created an application in Azure AD and would like to grant Company B (partners) SSO access to the application. Company A manages access to apps. | Company A has created an application they want consumers to access. Consumers can self-provision access to apps.

Customers log in with | Work or school accounts | Work or school accounts | Social IDP or local account

Access granted when | Customer admin accepts consent model | Company A admin sends an invite | Consumer signs up

I should use | Azure AD multi-tenant app | Azure AD B2B collaboration | Azure AD B2C

Page 40:

Page 41:

RESTful interface to Microsoft Azure AD

Requests use standard HTTP methods

OAuth 2.0 for access authorization, role-based assignment for app and user authorization

It’s the same graph whether it’s being used to manage employees or consumers.

Page 42:

Reading

• Implement people or group picker: list/search users/groups

• Make authorization decisions

• Returning audit reports

Writing

• Updating user attributes

• Setting user password

• Provisioning/deprovisioning users

Page 43:

Add user as emailAddress

POST - https://graph.windows.net/<insert>.onmicrosoft.com/users?api-version=beta

{
  "alternativeSignInNamesInfo": [
    { "type": "emailAddress",
      "value": "" }
  ],
  "displayName": "David Tester 1",
  "passwordProfile": { "password": "Test1234", "forceChangePasswordNextLogin": false },
  "passwordPolicies": "DisablePasswordExpiration",
  "accountEnabled": true,
  "creationType": "NameCoexistence"
}

Page 44:

Add user as userName

POST - https://graph.windows.net/<insert>.onmicrosoft.com/users?api-version=beta

{
  "alternativeSignInNamesInfo": [
    { "type": "userName",
      "value": "DavidTest" }
  ],
  "displayName": "David Tester",
  "passwordProfile": { "password": "Test1234", "forceChangePasswordNextLogin": false },
  "passwordPolicies": "DisablePasswordExpiration",
  "accountEnabled": true,
  "creationType": "NameCoexistence"
}

Page 45:

Get user by Logon ID

GET - https://graph.windows.net/<insert>.onmicrosoft.com/users?$filter=alternativeSignInNamesInfo/any(x:x/value eq 'David')&api-version=beta
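An added example (not from the deck) that builds, in Python, the Azure AD Graph request bodies of slides 43 and 44 and the slide 45 lookup filter. The function names are this example's own, the tenant is left as the deck's <insert> placeholder, and the point it adds to the slides is that the sign-in name is quoted as an OData string literal, so a value containing a quote cannot change the shape of the filter.

```python
# Added example: request bodies and lookup filter for B2C local accounts via
# Azure AD Graph, as shown on the slides. Nothing here calls the service.
import json
from urllib.parse import quote

GRAPH = "https://graph.windows.net"
API_VERSION = "beta"                          # as used throughout the deck
SIGN_IN_TYPES = ("emailAddress", "userName")  # slide 43 and slide 44 respectively


def users_url(tenant):
    """Collection URL used both to create (POST) and to query (GET) users."""
    return f"{GRAPH}/{tenant}.onmicrosoft.com/users"


def local_account_payload(sign_in_type, sign_in_value, display_name, password):
    """Body for POST /users that creates a local account with an alternative
    sign-in name; the fields mirror slides 43 and 44."""
    if sign_in_type not in SIGN_IN_TYPES:
        raise ValueError(f"unsupported sign-in name type: {sign_in_type!r}")
    if not sign_in_value:
        raise ValueError("sign-in name value must not be empty")
    return {
        "alternativeSignInNamesInfo": [{"type": sign_in_type, "value": sign_in_value}],
        "displayName": display_name,
        "passwordProfile": {"password": password, "forceChangePasswordNextLogin": False},
        "passwordPolicies": "DisablePasswordExpiration",
        "accountEnabled": True,
        "creationType": "NameCoexistence",
    }


def odata_string_literal(value):
    """Quote a value as an OData string literal: a single quote is doubled."""
    return "'" + value.replace("'", "''") + "'"


def sign_in_name_filter(sign_in_value):
    """The $filter expression from slide 45, with the value safely quoted."""
    return f"alternativeSignInNamesInfo/any(x:x/value eq {odata_string_literal(sign_in_value)})"


def user_by_sign_in_name_url(tenant, sign_in_value):
    """GET URL that finds a user by sign-in name; the filter is URL-encoded."""
    encoded = quote(sign_in_name_filter(sign_in_value), safe="")
    return f"{users_url(tenant)}?$filter={encoded}&api-version={API_VERSION}"


if __name__ == "__main__":
    # "<password>" is a placeholder; a real value comes from a secret store.
    body = local_account_payload("userName", "DavidTest", "David Tester", "<password>")
    print("POST", f"{users_url('<insert>')}?api-version={API_VERSION}")
    print(json.dumps(body, indent=2))
    print("GET", user_by_sign_in_name_url("<insert>", "O'Brien"))
```

Azure AD Graph (graph.windows.net) has since been deprecated in favour of Microsoft Graph; the same literal-quoting rule applies to Microsoft Graph $filter strings.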

Page 46:

Get Audit Events

GET - Audit data

https://graph.windows.net/<insert>.onmicrosoft.com/reports/auditEvents?api-version=beta

Page 47:

Migration options (Initial state | Approach | Implication):

Initial state: Custom store: user ID/password in LDAP store or membership database

Approach: 1. Transition using dual-write and force password change on existing system controlling the SSPR page. 2. Transition using graph batch update (requires either password or reset password with user notification).

Implication: A dual-write approach would be utilized as a coexistence strategy and would require custom password and sign-up management. This scenario doesn't support social identities. SSPR available after full transition.

Initial state: Social providers

• Facebook as an IDP

• Google as an IDP

• Amazon as an IDP

• LinkedIn as an IDP

Approach: Transition by requiring new sign up

Implication: Existing "application" would require modification. Features such as acquiring access tokens for other purposes may not be available.

Initial state: COTS or OSS

Approach: Product-specific and may require custom sign up and user input

Implication: A WordPress plugin, for example, may require some back-end database association with the new identity and the standard setup procedures, or move to Azure and utilize Easy Auth

Page 48:

Page 49:

Figure: contoso customers (Social IDs; Business & Government IDs) authenticate through Azure AD B2C to reach Apps, Analytics, CRM and Marketing Automation, and Business systems.

Securely authenticate customers with their preferred identity provider

Provide branded registration and login experiences

Capture login, preference, and conversion data for customers

Page 50:

Built-in Policy

Ready-to-go templates for Sign-up, Sign-in, Edit Profile, Reset Password.

Reach any user. Existing social account or create a local account.

Pixel-perfect control. Your brand, your HTML and CSS.

Social accounts | Custom attributes | Customize with HTML and CSS | Multifactor authentication

Build apps quickly using built-in templates

Page 51:

Custom Policy

User journeys | Open standards | Optimize conversion | Conditional branching | User migration | Connect with REST

Tailor every step of the user journey

Integrate with existing infrastructure

Connect to or migrate from your existing user stores

Build complex apps with custom policy

Page 52: