What is Azure B2C and how to use it?

Diagram of third-party identities federating to Azure AD B2C.

Azure AD B2C is an authentication portal for social, personal and corporate accounts. Authentication is based on OpenID Connect.

You can modify the login pages, add identity providers, and allow users from any Azure AD tenant to log in through your tenant.

There is a wide range of possibilities with it, but first a word about the authentication itself, and then the end-user product benefits and the setup.

What about OpenID Connect?

OpenID has these certified partners

What is OpenID?

OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to an application. When you use the Microsoft identity platform’s implementation of OpenID Connect, you can add sign-in and API access to your apps. This article shows how to do this independent of language and describes how to send and receive HTTP messages without using any Microsoft open-source libraries.

OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol, so that you can do single sign-on using OAuth. OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user. The ID token also gets basic profile information about the user. It also introduces the UserInfo endpoint, an API that returns information about the user.

OpenID authentication flow

OpenID Connect protocol: Sign-in

OpenID Connect metadata

Discovery document path: /.well-known/openid-configuration

Authority: https://login.microsoftonline.com/{tenant}/v2.0

The {tenant} can take one of four values:

common: Users with both a personal Microsoft account and a work or school account from Azure AD can sign in to the application.
organizations: Only users with work or school accounts from Azure AD can sign in to the application.
consumers: Only users with a personal Microsoft account can sign in to the application.
8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com: Only users from a specific Azure AD tenant (whether they are members in the directory with a work or school account, or they are guests in the directory with a personal Microsoft account) can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant’s GUID identifier can be used. You can also use the consumer tenant, 9188040d-6c67-4c5b-b112-36a304b66dad, in place of the consumers tenant.

The authority differs across national clouds – e.g. https://login.microsoftonline.de for the Azure AD Germany instance. If you do not use the public cloud, please review the national cloud endpoints to find the appropriate one for you. Ensure that the tenant and /v2.0/ are present in your request so you can use the v2.0 version of the endpoint.
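As an added illustration (not code from the original post), the following Python shows how a relying party would turn the {tenant} value into the discovery URL and then check a decoded v2.0 ID token's claims against that choice; the client ID, timestamps and nonce in the sample claims are constructed placeholders.

```python
# Consumer (personal Microsoft account) tenant GUID, from the tenant table above.
CONSUMER_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"
ALIASES = ("common", "organizations", "consumers")

def authority(tenant: str) -> str:
    """v2.0 authority for an alias, a tenant GUID or a tenant domain name."""
    return f"https://login.microsoftonline.com/{tenant}/v2.0"

def discovery_url(tenant: str) -> str:
    """Discovery document: authority + /.well-known/openid-configuration."""
    return authority(tenant) + "/.well-known/openid-configuration"

def validate_claims(claims: dict, tenant: str, client_id: str, now: int, nonce: str) -> list:
    """Check decoded ID token claims against the configured {tenant}; [] means OK.
    `tenant` is an alias or a tenant GUID; a domain name (contoso.onmicrosoft.com) must
    first be resolved to its GUID (e.g. from the discovery document's issuer value),
    because v2.0 tokens carry only the GUID. Signature verification against the JWKS
    from the discovery document is a separate, mandatory step not shown here."""
    problems = []
    iss, tid = claims.get("iss"), claims.get("tid")
    if not iss or not tid:
        return ["missing iss or tid claim"]
    # iss names the user's home tenant GUID, never the alias the app was configured
    # with, so aliases are enforced through tid rather than by comparing iss directly.
    if iss != authority(tid):
        problems.append("iss does not match tid")
    if tenant == "consumers" and tid != CONSUMER_TENANT:
        problems.append("consumers authority but token is not from the consumer tenant")
    elif tenant == "organizations" and tid == CONSUMER_TENANT:
        problems.append("organizations authority but token is from the consumer tenant")
    elif tenant not in ALIASES and tid.lower() != tenant.lower():
        problems.append(f"token is from tenant {tid}, expected {tenant}")
    if claims.get("aud") != client_id:
        problems.append("aud is not this application's client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the sign-in request")
    return problems

# Constructed sample: decoded claims of a v2.0 ID token for a personal account.
SAMPLE_CLAIMS = {
    "iss": authority(CONSUMER_TENANT), "tid": CONSUMER_TENANT,
    "aud": "00000000-0000-0000-0000-000000000001",  # placeholder client ID
    "exp": 1_700_000_600, "nbf": 1_700_000_000, "nonce": "n-0S6_WzA2Mj",
}
```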

Azure B2C (Admin) experience

Creating a B2C tenant is really straightforward: you create a resource, find Azure AD B2C, choose your B2C tenant name and create it.

You can also link existing B2C to your tenant.

In any case you need a tenant with a subscription in the background that the B2C tenant will be linked to.

The portal itself

A couple of points here. First you register an application, then you set up identity providers, and last you create user flows.

Registering an application

  1. Select App registrations, and then select New registration.
  2. Enter a Name for the application. For example, webapp1.
  3. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).
  4. Under Redirect URI, select Web, and then enter https://jwt.ms in the URL text box. The redirect URI is the endpoint to which the user is sent by the authorization server (Azure AD B2C, in this case) after completing its interaction with the user, and to which an access token or authorization code is sent upon successful authorization. In a production application, it’s typically a publicly accessible endpoint where your app is running, like https://contoso.com/auth-response. For testing purposes like this tutorial, you can set it to https://jwt.ms, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like https://localhost:5000. You can add and modify redirect URIs in your registered applications at any time. The following restrictions apply to redirect URIs:
    • The reply URL must begin with the scheme https.
    • The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes as part of its path .../abc/response-oidc, do not specify .../ABC/response-oidc in the reply URL. Because the web browser treats paths as case-sensitive, cookies associated with .../abc/response-oidc may be excluded if redirected to the case-mismatched .../ABC/response-oidc URL.
  5. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box.
  6. Select Register.

Identity providers

These are there by default; I have already added MS Account and Azure AD to this and will go through those options as well.

At the beginning of this post I wrote about the OpenID Connect certified providers; all of those can be added to this list.

Let’s go through MS Account first.

First, the MS Account provider is registered as an app registration in the linked real Azure subscription.

  1. Choose All services in the top-left corner of the Azure portal, and then search for and select App registrations.
  2. Select New registration.
  3. Enter a Name for your application. For example, MSAapp1.
  4. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox). For more information on the different account type selections, see Quickstart: Register an application with the Microsoft identity platform.
  5. Under Redirect URI (optional), select Web and enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-tenant-name with the name of your tenant, and your-domain-name with your custom domain.
  6. Select Register.
  7. Record the Application (client) ID shown on the application Overview page. You need the client ID when you configure the identity provider in the next section.
  8. Select Certificates & secrets.
  9. Click New client secret.
  10. Enter a Description for the secret, for example Application password 1, and then click Add.
  11. Record the application password shown in the Value column. You need the client secret when you configure the identity provider in the next section.

Then go to the B2C tenant and add your app ID and secret to the identity provider settings.

That’s it, what about Azure AD?

The process is similar, but you need to define more. First you create the app registration inside the real Azure tenant that has the subscription.

  1. Under Azure services, select App registrations or search for and select App registrations.
  2. Select New registration.
  3. Enter a Name for your application. For example, Azure AD B2C App.
  4. Accept the default selection of Accounts in this organizational directory only (Default Directory only – Single tenant) for this application.
  5. For the Redirect URI, accept the value of Web, and enter the following URL in all lowercase letters, where your-B2C-tenant-name is replaced with the name of your Azure AD B2C tenant: https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp. For example, https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant.
  6. Select Register. Record the Application (client) ID for use in a later step.
  7. Select Certificates & secrets, and then select New client secret.
  8. Enter a Description for the secret, select an expiration, and then select Add. Record the Value of the secret for use in a later step.
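An added example, not part of the original post, that builds the oauth2/authresp redirect URI used in the two provider registrations above and applies the reply-URL restrictions from the earlier application registration (https only, exact case-sensitive match). The tenant name fabrikam, the contoso.com path and jwt.ms are the page's sample values; the custom domain login.contoso.com and the registered list are constructed.

```python
from urllib.parse import urlsplit


def authresp_redirect_uri(tenant_name: str, custom_domain: str = "") -> str:
    """Redirect URI to register on the MS Account or Azure AD app registration so the
    provider sends its response back to the B2C tenant (the steps require lowercase)."""
    tenant_name = tenant_name.lower()
    host = custom_domain.lower() if custom_domain else f"{tenant_name}.b2clogin.com"
    return f"https://{host}/{tenant_name}.onmicrosoft.com/oauth2/authresp"


def registration_problems(uri: str) -> list:
    """The page's https rule, plus the OAuth 2.0 rule that a redirect URI carries no
    fragment, and a guard against whitespace that would defeat an exact match."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("reply URL must begin with https")
    if parts.fragment:
        problems.append("reply URL must not contain a fragment")
    if uri != uri.strip():
        problems.append("reply URL has surrounding whitespace")
    return problems


def redirect_uri_allowed(requested: str, registered: list) -> bool:
    """Authorization-request side: the redirect_uri a client sends must match a
    registered URL exactly. The comparison is case-sensitive and does no prefix,
    wildcard or normalisation matching, which is why .../ABC/response-oidc is
    rejected when .../abc/response-oidc is what was registered."""
    return not registration_problems(requested) and requested in registered


# Constructed sample registrations: the B2C authresp URL for tenant fabrikam, a
# production reply URL and the jwt.ms test endpoint from the registration steps.
REGISTERED = [
    authresp_redirect_uri("fabrikam"),
    "https://contoso.com/abc/response-oidc",
    "https://jwt.ms",
]
```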

Once you have created it, go back to the B2C tenant and add the information to a new OpenID Connect provider.

  1. Select Identity providers, and then select New OpenID Connect provider.
  2. Enter a Name. For example, enter Contoso Azure AD.
  3. For Metadata URL, enter the following URL, replacing {tenant} with the domain name of your Azure AD tenant: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

For example, https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration. If you use a custom domain, replace contoso.com with your custom domain in https://login.microsoftonline.com/contoso.com/v2.0/.well-known/openid-configuration.

  4. For Client ID, enter the application ID that you previously recorded.
  5. For Client secret, enter the client secret that you previously recorded.
  6. For Scope, enter openid profile.
  7. Leave the default values for Response type and Response mode.
  8. (Optional) For the Domain hint, enter contoso.com. For more information, see Set up direct sign-in using Azure Active Directory B2C.
  9. Under Identity provider claims mapping, select the following claims:
    • User ID: oid
    • Display name: name
    • Given name: given_name
    • Surname: family_name
    • Email: email
  10. Select Save.

And this is what it looks like in the portal.

Once done, add them both as identity providers to user flows. In my example I will use the default flows only.

Identity providers to user flows

Open Policies -> User flows.

You will see these templates out of the box.

In my example I will use Sign Up or Sign in.

Open your user flow and choose identity providers.

Then save, and when you run your flow from “Run user flow” it will try your journey (yes, journey).

In testing it will run against jwt.ms and show what the login experience looks like.

And this is what the default page looks like. As you can see, the identity providers we set up are there and ready to use.

When you log in, you will be greeted with the consent prompt from your Azure AD, and the token is created.

Azure AD B2C (end-user) experience

The end-user experience with consumer accounts.

And for enterprise users, the same login screen that you use to log in to all Microsoft services.

Features

An Azure AD B2C tenant is different from an Azure Active Directory tenant, which you may already have, but it relies on it. The following Azure AD features can be used in your Azure AD B2C tenant.

Feature: Groups
  Azure AD: Groups can be used to manage administrative and user accounts.
  Azure AD B2C: Groups can be used to manage administrative accounts. Consumer accounts cannot be members of any group.

Feature: Inviting External Identities guests
  Azure AD: You can invite guest users and configure External Identities features such as federation and sign-in with Facebook and Google accounts.
  Azure AD B2C: You can invite only a Microsoft account or an Azure AD user as a guest to your Azure AD tenant for accessing applications or managing tenants. For consumer accounts, you use Azure AD B2C user flows and custom policies to manage users and sign-up or sign-in with external identity providers, such as Google or Facebook.

Feature: Roles and administrators
  Azure AD: Fully supported for administrative and user accounts.
  Azure AD B2C: Roles are not supported with consumer accounts. Consumer accounts don’t have access to any Azure resources.

Feature: Custom domain names
  Azure AD: You can use Azure AD custom domains for administrative accounts only.
  Azure AD B2C: Consumer accounts can sign in with a username, phone number, or any email address. You can use custom domains in your redirect URLs.

Feature: Conditional Access
  Azure AD: Fully supported for administrative and user accounts.
  Azure AD B2C: A subset of Azure AD Conditional Access features is supported with consumer accounts. Learn how to configure Azure AD B2C Conditional Access.

Feature: Premium P1
  Azure AD: Fully supported for Azure AD Premium P1 features. For example, Password Protection, Hybrid Identities, Conditional Access, Dynamic groups, and more.
  Azure AD B2C: A subset of Azure AD Conditional Access features is supported with consumer accounts. Learn how to configure Azure AD B2C Conditional Access.

Feature: Premium P2
  Azure AD: Fully supported for Azure AD Premium P2 features. For example, Identity Protection and Identity Governance.
  Azure AD B2C: A subset of Azure AD Identity Protection features is supported with consumer accounts. Learn how to investigate risk with Identity Protection and configure Azure AD B2C Conditional Access.

Limitations

The following end-user related service limits apply to all authentication and authorization protocols supported by Azure AD B2C, including SAML, OpenID Connect, OAuth2, and ROPC.

Number of requests per IP address per Azure AD B2C tenant: 6,000/5min
Total number of requests per Azure AD B2C tenant: 12,000/min

The number of requests can vary depending on the number of directory reads and writes that occur during the Azure AD B2C user journey. For example, a simple sign-in journey that reads from the directory consists of 1 request. If the sign-in journey must also update the directory, this operation is counted as an additional request.

Azure AD B2C configuration limits

The following table lists the administrative configuration limits in the Azure AD B2C service.

Number of scopes per application: 1000
Number of custom attributes per user: 100
Number of redirect URLs per application: 100
Number of sign out URLs per application: 1
String limit per attribute: 250 chars
Number of B2C tenants per subscription: 20
Levels of inheritance in custom policies: 10
Number of policies per Azure AD B2C tenant (user flows + custom policies): 200
Maximum policy file size: 1024 KB

Community site

On this site you will find custom user journeys, a demo website (which I took the last login pics from), a GitHub repo, webinars and links to the official documentation.

Wrapping up

So with Azure AD B2C you can deliver an excellent end-user experience with almost all the login identities you can imagine.

The user interface can be customized, you can create custom user flows, and the first 50,000 users are free.

You can have your own custom domain, for example with Azure Front Door, and Microsoft even provides the certificate for the domain.

This really is an excellent product for your custom application front ends.

Author: Harri Jaakkonen
