Best Practice

Identity Management Using Azure Active Directory B2C

    Azure AD B2C stands for Azure Active Directory Business-to-Consumer. This component is responsible for handling user account sign-up, sign-in, profile edit and password reset functionalities outside the applications developed to meet any specific functionality. AAD B2C has its own login portal management which can be customized to a certain extent to change the look and feel as required by customers.

    Azure AD B2C is a directory service that leverages identity stores outside of your company. It is an authentication service for publicly facing applications. In addition to provide authentication service for local email accounts, it also integrates with other third-party identity providers such as Google+, Facebook, Amazon, or LinkedIn to provide a one-stop shop for authentication. It acts as an alternative to the burden of having to manage authentication and account details yourself.

    Identity Management using Azure Active Directory 1 

    Figure 1: Basic Solution Architecture

    It serves as a direct replacement for managing your own authentication and account database. It also replaces using SDKs to manage authentication using Facebook, Google, or some other identity provider. All of this is to make it easier for the consumer to sign in and use your application.

    Some of the major advantages of using Azure AD B2C are:

    1. Integrating with social accounts such as Facebook or Google+ requires additional work. By using Azure AD B2C, this work is offloaded to Microsoft and developers can concentrate more on the core functionalities to be developed in the application. Azure AD B2C also handles multi-factor authentication and password self-service reset by applying some basic configurations.
    2. Implementing Azure AD B2C is very cost effective due to reasonable pricing compared to other providers or developing your own identity management framework. The first 50,000 authentications and users are free. More details on pricing can be found here.
    3. The authentication system provided by Azure AD B2C is very secure for protecting user identity and credentials. Azure AD B2C provides identity as a service for your apps by supporting two industry standard protocols: OpenID Connect and OAuth 2.0.

    Azure AD B2C default login screens look like:

    Identity Management using Azure Active Directory 2 

    Figure 2: Sign in Page

    Identity Management using Azure Active Directory 3 

    Figure 3: Sign Up Page

    Identity Management using Azure Active Directory 4 

    Figure 4: Verification Page

    Identity Management using Azure Active Directory 5 

    Figure 5: Password Reset Page

    The basic steps to setup Azure AD B2C are:

    1. Create Azure AD B2C tenant.
    2. Switch to Azure AD B2C directory.
    3. Register your application(s).
    4. Set up with any third-party identity providers.
    5. Create sign-up, sign-in, password reset, and profile editing policies.
    6. Configure your app to use the Azure AD B2C policies you created. This can be done using a Microsoft library for .NET or NodeJS web apps. Otherwise, you must use an OAuth 2.0 or OpenID Connect SDK (these are the two protocols Azure AD B2C uses).
    7. (Optional) Create a custom user interface (UI) using HTML and CSS stylesheets.

    For a full guide, the Microsoft documentation is the best place to start.