Azure AD B2C
- What is Active Directory? Active Directory, or AD, has a lot of cool features and is used for all sorts of things, but at its heart it is nothing more than an identity store for your organization. It keeps a record of who is in your organization and authenticates users based on their credentials and entitlements.
- Azure AD extended a lightweight version of that to the cloud, but the core concept remains pretty much the same, just with cool cloud features. Azure AD B2B Collaboration then allowed us to grant business partners access to internal resources using their own Microsoft or Azure AD identity.
- That brings us to Azure AD B2C. Azure AD B2C is a directory service that leverages identity stores outside of your company. More specifically, it is an authentication service for publicly facing applications. It integrates with third-party identity providers such as Google+, Facebook, Amazon, or LinkedIn to provide a one-stop shop for authentication. It is an alternative to the burden of managing authentication and account details yourself.
- Azure AD is an identity-as-a-service provider aimed at organization users, providing and controlling access to cloud resources.
- Azure AD B2B is not a separate service but a feature of Azure AD. It allows cross-organization collaboration in applications from an identity standpoint.
- Azure AD B2C is an independent service for building a consumer application identity repository. If you need a service to handle email or Facebook login, it is there for you.
- It is not meant for the users of a single organization. It is built to allow anyone to sign up as a user of a service with their email or a social media provider like Facebook, Google or LinkedIn.
- You don't need on-premises AD here, since you're not creating a synchronization process.
The purpose of Azure AD B2C is to allow organizations to build a cloud identity directory for their customers.
Azure AD B2C handles users, the login process, the sign-up process and password reset. It is an identity repository in the cloud that allows your users to sign up for your applications with an email address and password (no restrictions on the email domain) or with social media logins. The service itself handles all the processes like sign-up, sign-in, password reset and so on. You don't have to worry about it.
If you set it up once and your customer is signed up, and later you spin off a new application, it is all there. They don't have to sign up again; they can use their existing account for your applications.
The key scenario: consumer-facing applications and websites. A business wants to maintain a relationship with customers online, and its Azure AD B2C directory handles the identity and access part. Multiple applications can use the same directory to give the customer an SSO experience across your applications.
WHY AZURE AD B2C?
Managing authentication is a difficult task. And if you want to let users sign in with Google+ or Facebook, integrating with those becomes additional work. Azure AD B2C lets you offload that task to Microsoft without having to become an expert in authentication. It even handles multi-factor authentication and self-service password reset with just a flip of a switch.
1. Time Savings
Writing code to manage authentication, in addition to being challenging, takes a lot of time. That is time that could be spent working on new features, fixing bugs, and otherwise adding value to your application. Letting Azure AD B2C handle that can free you or your developers from this chore.
2. Cost Savings
A lot of third-party authentication services that will solve the above three problems are expensive. Azure AD B2C is pay-as-you-go and seems to have reasonable prices. The first 50,000 authentications and users are free, meaning you can try it out on a small development scale for essentially nothing. When you use more than 50,000 users or authentications, you must pay for the service, but the prices are very reasonable. Unless you're looking at a massively scaled application, it shouldn't cost you much at all.
3. Security
No matter how much time and effort you spend trying to secure your own authentication system, you will fail. Even companies that specialize in security like LastPass or BitDefender get hacked. The average software developer or systems administrator doesn't really stand a chance. Even if you don't handle sensitive information, it's still not worth the risk. Let's be honest: how many people do you know who use the same username and password for everything? Azure AD B2C is secured with OAuth 2.0 and OpenID Connect authentication, and lets you take advantage of the years of experience and hardening behind Azure AD with relatively little effort.
HOW IT WORKS
The full process for getting started with Azure AD B2C is too long to explain in detail in this blog post. For a full guide, the Microsoft documentation is the best place to start. Here, I will just give you the basics of how to get started and what working with Azure AD B2C looks like.
The basic flow of setup looks like this:
- Create Azure AD B2C tenant.
- Switch to Azure AD B2C directory.
- Register your application(s).
- Set up any third-party identity providers.
- Create sign-up, sign-in, password reset, and profile editing policies.
- Configure your app to use the Azure AD B2C policies you created. This can be done using a Microsoft library for .NET or NodeJS web apps. Otherwise, you must use an OAuth 2.0 or OpenID Connect SDK (these are the two protocols Azure AD B2C uses).
- (Optional) Create a custom user interface (UI) using HTML and CSS stylesheets.
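The app-side half of the last two steps, as an added example that is not code from the original post or from any Microsoft library: building the OpenID Connect authorization request for one B2C policy, binding the callback to it with `state`, and checking the claims of the returned id_token (issuer, audience, policy, nonce, lifetime). The `b2clogin.com` endpoint shape, the tenant name `contoso`, the policy name `B2C_1_signupsignin` and the expected issuer are assumptions; the expected issuer should be taken from the policy's discovery document, and the claim checks run only after the token's signature has been verified against that policy's signing keys.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed B2C authorize endpoint shape; the policy (user flow) name is part of the path.
AUTHORIZE = "https://{t}.b2clogin.com/{t}.onmicrosoft.com/{p}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, policy, client_id, redirect_uri):
    """Return (url, state, nonce). Persist state and nonce server-side so the
    callback and the id_token can be tied back to this exact request."""
    state = secrets.token_urlsafe(32)   # ties the callback to this browser session
    nonce = secrets.token_urlsafe(32)   # ties the id_token to this request
    params = {
        "client_id": client_id,
        "response_type": "code",        # authorization code flow
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE.format(t=tenant, p=policy) + "?" + urlencode(params), state, nonce


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code, refusing any callback whose state is unknown."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    return q["code"][0]


def validate_id_token_claims(claims, expected_issuer, policy, client_id, nonce, now=None):
    """Check a decoded id_token payload after its signature has been verified.
    Returns a list of problems; an empty list means the token is accepted."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:            # issuer from discovery document
        problems.append("issuer mismatch")
    if claims.get("aud") != client_id:                   # token minted for another app
        problems.append("audience mismatch")
    if claims.get("tfp", claims.get("acr")) != policy:   # B2C names the policy in tfp/acr
        problems.append("policy mismatch")
    if claims.get("nonce") != nonce:                     # replayed or foreign token
        problems.append("nonce mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired")
    if isinstance(claims.get("nbf"), int) and claims["nbf"] > now:
        problems.append("token not yet valid")
    return problems
```

Because each policy has its own authorize endpoint and its own `tfp` value, an id_token issued by the password-reset policy is rejected by the check above when the app expected the sign-in policy.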
The custom UI step is optional but strongly recommended. Otherwise, you'll end up with the default Azure AD UI. Custom branding is possible, but a totally custom UI looks much nicer, and for your publicly facing app, first impressions are important.
Azure AD B2C seems particularly suited for smaller-scale or brand-new projects: anything where you want to get it up and running quickly with minimal cost while maintaining security, scalability, and the overall user experience. Some real example use cases could be a customer loyalty application or a public-facing status tracking app for a staffing company. Larger, older projects with lots of technical debt or restrictions of their own could potentially be more challenging to integrate with Azure AD B2C in its current state.