May 24, 2017
Azure AD B2C: A Directory Service for External Identity Providers
First there was Azure AD. Then there was Azure AD B2B. Now to the delight of all us acronym aficionados, there’s Azure AD B2C. Confused as to what that is? You’re in the right place.
Azure AD B2C stands for Azure Active Directory Business-to-Consumer. Last year, Microsoft announced general availability and gave the green light to use this new service for production systems. While it is by no means a new feature, people are starting to take notice. We at Credera have had more and more clients asking about this feature. So let’s take a look, shall we?
What It Is
First, back to basics. What is Active Directory? Active Directory, or AD, has a lot of cool features and is used for all sorts of things, but at its heart is nothing more than an identity store for your organization. It keeps a record of who is in your organization and authenticates the user based on their credentials and entitlements. Azure AD extended a lightweight version of that to the cloud, but the core concept remains pretty much the same, just with cool cloud features. Azure AD B2B Collaboration then allowed us to grant access to internal resources to business partners using their own Microsoft or Azure AD identity.
That brings us to Azure AD B2C. Azure AD B2C is a zebra in a field full of horses. The overall shape looks similar, but ultimately it’s a zebra—stripes and all. Azure AD B2C is a directory service that leverages identity stores outside of your company. More specifically, it is an authentication service for publicly facing applications. It integrates with other third-party identity providers such as Google+, Facebook, Amazon, or LinkedIn to provide a one-stop shop for authentication. It acts as an alternative to the burden of having to manage authentication and account details yourself.
What It’s Not
Azure AD B2C is not Azure AD.
This might sound obvious, but it’s important to know. It just isn’t the same. It shares a name, the bones might be the same, but it is fundamentally different. How you ask?
First, setting up Azure AD B2C starts by creating an entirely separate directory. Let’s explore what that looks like:
Here, I have created a new Azure AD B2C tenant and named it GenCorp. I’ve supplied it an initial domain name, which will be an onmicrosoft.com domain, and selected my region. This region is not what you may expect. While Azure AD B2C is available worldwide, Azure currently only supports data residency in the U.S. and Europe. In other words, all the user data is hosted in either the U.S. or Europe, and when your users sign in, they must talk to the servers in that region to authenticate. This could cause some latency issues when users sign in or sign up, but otherwise shouldn’t affect your application. More information is available here.
Astute readers will notice that it says PREVIEW in the Create Tenant blade. That’s because I elected to use the new Azure portal, which currently has Azure AD in preview. Apparently, that extends to a couple blades in Azure AD B2C as well. To our never-ending frustration, there are management features that seem to be only available in preview through the new portal (mainly Users and Groups) and some in the classic portal that don’t work (e.g., validating a new domain) or redirect to the new portal. For now, we must grin and bear it and anxiously await the day there is a single portal.
To manage the newly created Azure AD B2C directory, you must first change to that directory. Here’s what that looks like:
After you’ve done that, when you navigate to Azure AD B2C, you’ll see that it is entirely empty except for one global administrator account—you. Any other accounts must be created manually or through a registered app. There is no link between an Azure AD B2C directory and the original Azure AD directory.
The second reason Azure AD B2C is not plain Jane Azure AD is that Azure AD B2C is meant for public facing applications. It is designed to be used both as a source of identity and an authentication service for external users. That’s what puts the ‘consumer’ in Azure AD Business-to-Consumer. It serves as a direct replacement for managing your own authentication and account database. It also replaces using SDKs to manage authentication using Facebook, Google, or some other identify provider. All of this is to make it easier for the consumer to sign in and use your application. With all these features, there come restrictions that we don’t see with Azure AD. For example, Azure AD B2C does not support the nested groups we are accustomed to in traditional Azure AD.
Why Azure AD B2C?
Let’s look at some use cases. Why should we use Azure AD B2C?
Lazy Joe developed an app that could make your company millions. He doesn’t want to write the code to manage users and accounts, and you want him to focus on new features.
Nelly’s database got hacked last Wednesday and thousands of account details were leaked. Her boss is telling her she needs to use a third-party service for secure authentication, but she doesn’t have the budget for something expensive.
These three obviously legitimate scenarios illustrate four benefits of Azure AD B2C.
Managing authentication is a difficult task. And if you want to let users use Google+ or Facebook to sign in, integrating with those becomes additional work. Azure AD B2C lets you offload that task to Microsoft without having to become an expert in authentication. It even handles multi-factor authentication and password self-service reset with just a flip of a switch.
Modernize applications and support business initiatives with Microsoft Azure
Writing code to manage authentication, in addition to being challenging, takes a lot of time. That is time that could be spent working on new features, fixing bugs, and otherwise adding value to your application. Letting Azure AD B2C handle that can free you or your developers from handling this chore.
A lot of third-party authentication services that will solve the above three problems are expensive. Azure AD B2C is pay-as-you-go and seems to have some reasonable prices. The first 50,000 authentications and users are free, meaning you can try it out on a small development scale for essentially free. When you use more than 50,000 users or authentications, you must pay for the service, but the prices are very reasonable. Unless you’re looking at a massively-scaled application, it shouldn’t cost you much at all. More details on pricing here.
No matter how much time and effort you spend trying to secure your own authentication system, you will fail. Even companies that specialize in security like LastPass or BitDefender get hacked. The average software developer or systems administrator doesn’t stand a chance really. Even if you don’t handle sensitive information, it’s still not worth the risk. Let’s be honest. How many people do you know who use the same username and password for everything? Azure AD B2C is secure with OAuth 2.0 and OpenID Connect authentication, and lets you take advantage of the years of experience and hardening of Azure AD with relatively little effort.
I want to use import users from my on-premises or Azure AD directory. How do I do that?
Short answer? You don’t. Azure AD B2C is an entirely different animal. There is no connection between the two and Microsoft currently offers no migration or synchronization tools. They are allegedly in the works, but no promises on when. You could create your own tool using the Graph API or even just manually create accounts for the users you wish to migrate. Just because you can, doesn’t mean you should. These would be new accounts with separate credentials and no link between the two. If the user changes their password on the public app using Azure AD B2C, for instance, their Azure AD credentials would remain the same.
When should I use Azure AD vs. Azure AD B2B vs. Azure AD B2C?
If you’re developing an application used by members of the public (e.g., forums, SaaS, ecommerce, etc.), Azure B2C could be the choice for you. If instead the new or existing application is for internal use (e.g., line-of-business apps), then Azure AD is still your go-to. And if you want to give access to that internal application to business partners, Azure AD B2B Collaboration is built just for that.
In short, have a public app? Use Azure AD B2C. Internal app? Azure AD. Want to use an internal app to collaborate with business partners? Azure AD B2B.
What if you have an external facing app that you also want employees to be able to sign in to using their company Active Directory credentials?
Unfortunately, that’s not in the cards right now, at least not natively. Azure AD B2C integrates with several identity providers, such as Google+, Facebook, and Amazon, but not Azure AD. Don’t believe me? Take a look.
What does this mean? Users cannot authenticate using their normal Azure AD credentials. This is probably the least intuitive part of Azure AD B2C. Take a moment to let it sink in.
The workaround for this would be to create an option in your application itself to allow users to choose which type of user they are: employee or non-employee. You could then authenticate to Azure AD or Azure AD B2C as appropriate. Not ideal, but functional. This, while we’re on the subject, is also a better alternative to importing internal user accounts. If you have access to the application’s source code and can do it, it’s much better to modify the application than to force your employees to keep track of two (or more) accounts with the same username.
How It Works
The full process for getting started with Azure AD B2C is too long to explain in detail in this blog post. For a full guide, the Microsoft documentation is the best place to start. Here, I will just give you the basics of how to get started and what working with Azure AD B2C looks like. The basic flow of setup looks like this:
Create Azure AD B2C tenant.
Switch to Azure AD B2C directory.
Register your application(s).
Set up with any third-party identify providers.
Create sign-up, sign-in, password reset, and profile editing policies.
Configure your app to use the Azure AD B2C policies you created. This can be done using a Microsoft library for .NET or NodeJS web apps. Otherwise, you must use an OAuth 2.0 or OpenID Connect SDK (these are the two protocols Azure AD B2C uses).
(Optional) Create a custom user interface (UI) using HTML and CSS stylesheets.
The custom UI step is optional but strongly recommended. Otherwise, you’ll end up with the default Azure AD UI. Custom branding is possible, but a totally custom UI looks much nicer and for your publicly facing app, first impressions are important.
The end result will look something like this:
This is my beautiful NodeJS application that I totally did not borrow from the Microsoft examples on GitHub. It has four incredible features: Sign in, sign up, update profile, and reset password. Each one of these, coincidentally, aligns with an Azure AD B2C policy. Let’s look at the sign-in page. I’m using a single sign-in and sign-up policy because the standalone sign-in policy doesn’t support custom UI. Go figure.
Behold. A fully customized, totally sexy sign-in page, which I also totally didn’t borrow from Microsoft’s documentation. Here, I only implemented Google+ as an identity provider, but you could have any number of them on this page. The HTML framework and CSS master style sheet is hosted in Blob storage on Azure and Azure AD B2C fills in the rest. (Developers, you can find how to create your HTML and what HTML elements are inserted by Azure AD B2C here)
My impression working with Azure AD B2C is that it is a functional service with a lot of potential, but still a bit buggy in places, many of which Microsoft admits in their documentation, some of which I found on my own. Despite these, it’s a viable solution, as long as you can work around some of the restrictions. The inability to integrate with Azure AD as an identity provider is a definite drawback, but not a fatal flaw in my opinion. My advice to anyone considering this service for a new or current application is to read the limitations documentation carefully and decide if you can work around them
Azure AD B2C seems particularly suited for smaller-scale or brand-new projects. Anything where you want to get it up and running quickly with minimal cost while maintaining security, scalability, and the overall user experience. Some real example use cases could be a customer loyalty application or a public facing status tracking app for a staffing company. Larger, older projects with lots of technical debt or restrictions of their own could potentially be more challenging to integrate with Azure AD B2C in its current state.
Are you interested in leveraging Azure B2C with your public facing apps? Credera has extensive experience in cloud infrastructure design and implementation. If you have questions or would like to discuss cloud and infrastructure solutions, contact us at firstname.lastname@example.org.
Ready to achieve your vision? We're here to help.
We'd love to start a conversation. Fill out the form and we'll connect you with the right person.
Searching for a new career?View job openings