A lap around Azure Active Directory Business to Consumer (B2C) TechEd 2013 4/18/2018 1:18 PM Rory Braybrook (@rbrayb), Girisha Arora (@GirishaArora) © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Azure Active Directory B2C helps you to guard your external users in an ever evolving threat landscape
Contents Overview Policies OAuth Graph Explorer User types Fit? Pros / cons
Overview
What's the use case?
- External users
- Self-registration
- SSPR (self-service password reset)
- Local account or social login
- Modern authentication standards (OIDC / OAuth2)
- Scales out-of-the-box
- MFA
- SSO
Roll your own: Cost
Tons of code to write for I & AM (identity and access management): sign in, sign up, forgotten user names and passwords, sign in with social networks, MFA.
A lot of resources spent on work that is not the core function of your app.
Roll your own: Scalability
Your identity system has to be available 24/7 and it has to scale (high availability).
Roll your own: Security
If you have a list of names and passwords in your app, you're a target. Many people use the same username and password with multiple apps, so a breach of your credential store exposes their accounts elsewhere too.
Current state
- Still in preview – GA "shortly"
- Officially called "B2C Basic"
- Will also have B2C Premium – no details to date
Creating a B2C tenant
Policies
Policies
- Sign-up
- Sign-in
- Sign-up or sign-in
- Profile editing
- Password reset
Map policies to: Applications, Identity Providers, User Attributes
Sign-up / Identity Providers
- Local accounts – typically JoeB@gmail.com not JoeB@b2c.onmicrosoft.com
- Facebook
- Google
- Amazon
- LinkedIn
- MSA
Example mapping, Application A: sign-up / sign-in policy with Local & Facebook; profile-edit policy covering attributes B & C; user attributes A, B, C & D.
Example mapping, Application B: sign-up / sign-in policy with Local & Google; profile-edit policy covering attributes Y & Z; user attributes W, X, Y & Z.
OIDC / OAuth 2.0
Extended OAuth 2.0
GET https://login.microsoftonline.com/x.onmicrosoft.com/oauth2/v2.0/authorize
  ?p=b2c_1_sign-in-email
  &client_id=6b6…d1e6f9f2
  &redirect_uri=https://localhost:123456
  &response_mode=form_post
  &response_type=id_token
  &scope=openid
  &…
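As an added worked example (not part of the deck, and not Microsoft's sample code): a small Python relying party that builds the authorize request above, including the B2C-specific `p` policy parameter, adds the standard OIDC `state` and `nonce` parameters the slide elides, and then checks the `form_post` response before trusting the `id_token`. The tenant, `client_id` and `redirect_uri` are placeholders standing in for the slide's values; the token used in the demo is a constructed, unsigned JWT, so signature verification against the policy's published signing keys is assumed to be done by a separate step before these claim checks run.

```python
"""Added example (not from the deck): the two halves of an OIDC relying party for
Azure AD B2C's extended OAuth2 flow, built from the request on the slide.
Tenant, client_id and redirect_uri below are placeholders."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode

B2C_TENANT = "x.onmicrosoft.com"                     # from the slide
POLICY = "b2c_1_sign-in-email"                       # the B2C-specific 'p' parameter
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder for the slide's 6b6…d1e6f9f2
REDIRECT_URI = "https://localhost:123456"            # from the slide
AUTHORIZE_ENDPOINT = (
    f"https://login.microsoftonline.com/{B2C_TENANT}/oauth2/v2.0/authorize"
)


def build_authorize_request(session):
    """Return the authorize URL for the policy; binds a fresh state and nonce
    to the caller's session so the response can be tied back to this request."""
    session["oidc_state"] = secrets.token_urlsafe(16)
    session["oidc_nonce"] = secrets.token_urlsafe(16)
    params = {
        "p": POLICY,                      # which B2C policy (sign-in, sign-up, ...) runs
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",     # id_token arrives in a POST body, not the URL
        "response_type": "id_token",
        "scope": "openid",
        "state": session["oidc_state"],   # standard OIDC parameters, elided on the slide
        "nonce": session["oidc_nonce"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_demo_token(claims):
    """Constructed test token only: a compact JWS with an empty signature, so the
    claim checks below can be exercised offline. Real B2C tokens are signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_form_post(session, form, now=None):
    """Check the state and the id_token claims a B2C form_post delivers to
    redirect_uri. Raises ValueError on failure. Signature verification against
    the policy's published signing keys is assumed to precede this step."""
    now = time.time() if now is None else now
    if not session.get("oidc_state") or form.get("state") != session["oidc_state"]:
        raise ValueError("state mismatch: response is not bound to this session")
    parts = form.get("id_token", "").split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("aud mismatch: token was issued for another client")
    if claims.get("nonce") != session.get("oidc_nonce"):
        raise ValueError("nonce mismatch: token does not match this request")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    # Consume the binding so the same response cannot be posted twice.
    session.pop("oidc_state", None)
    session.pop("oidc_nonce", None)
    return claims


def check_form_post(session, form, now=None):
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        validate_form_post(session, form, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    sess = {}
    print(build_authorize_request(sess))
    token = make_unsigned_demo_token(
        {"aud": CLIENT_ID, "nonce": sess["oidc_nonce"], "exp": time.time() + 300, "sub": "demo"}
    )
    print(check_form_post(sess, {"state": sess["oidc_state"], "id_token": token}))
```

The `state` value is what ties the posted response to the browser session that started the flow, and the `nonce` claim ties the token to that particular request; consuming both after a successful check means a captured response cannot be replayed against the same session.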
Demo Walk-through
“Easy auth”
Configure
Internal tenant details
Demo Personalisation
Graph Explorer
Internal tenant details
JSON attributes
B2C user types
Add a user from the portal (Admin)
Using Business to Business (B2B)
B2B invitation email
User formats
Sign-up via an application to access it
Where does B2C fit?
Extending B2C And ADFS 4.0?
Pricing
Pricing

Stored users/month       Price
First 50,000             Free
Next 950,000             $0.00164

Authentications/month    Price
First 50,000             Free
Next 950,000             $0.00418

MFA                      Price
All                      $0.0448 per authentication

For the first 100,000 users, this is NZ$82 / month plus NZ$209 / month = NZ$291 / month. For subsequent slots of 100,000 users, this is NZ$164 / month plus NZ$418 / month = NZ$582 / month.
Summary
Pros
- External user capability OOTB
- Minimum help desk involvement
- Page look and feel can be customised
- Customised reset password
- Don't have to roll your own (security!)
- SSO

Cons
- No WS-Fed / SAML 2.0 support
- No SaaS integration
- Not a "normal" AAD tenant
- Extended OAuth2
- No AD Connect
- Can't add other social providers
Remember! The best way to think about B2C is that only those users who signed up using B2C in the first place are the ones who can sign in to an application using it. BUT you can add users from other tenants for admin purposes.
"Azure Active Directory B2C helps us bring the stadium closer to our 450 million fans around the globe with simplified registration and login through social accounts, like Facebook, or traditional username/passwords login." Rafael de los Santos, Head of Digital, Real Madrid
- Provided a seamless experience across mobile applications on any platform
- Built a fully customized login page without custom code
- Alleviated concerns about security, data breaches, and scalability
It’s a wrap
Azure Active Directory B2C helps you to guard your external users in an ever evolving threat landscape
Resources
- Azure AD B2C - https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/
- Azure AD B2C limitations - https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-limitations/
- .NET Web App sample - https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/
- Easy Auth - https://cgillum.tech/2016/05/27/app-service-auth-and-azure-ad-b2c/
- Graph Explorer - https://graphexplorer.cloudapp.net/
- Graph Explorer (new) - https://graph.microsoft.io/en-us/graph-explorer#
The end But feel free to ask questions