Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Azure AD B2C: Application Security Made Easy

Sjoukje Zaal
November 19, 2019

Azure AD B2C: Application Security Made Easy

Join me to secure your custom applications with Azure Business-to-Consumer, a
Cloud identity service on Azure which provides out of the box identity providers like Facebook, Microsoft Accounts, Google+, LinkedIn, and many others, or you can add your own and leverage these in your applications as well.

We will look the basics of Azure B2C, we will set up an application using Azure B2C for authentication, use built-in policies, and much more.

Sjoukje Zaal

November 19, 2019

More Decks by Sjoukje Zaal

Other Decks in Technology


  1. © 2019 Sjoukje Zaal Application Code Demo Flows & Policies

    Demos Identity Providers Demo Customize the UI Demo Step 05 Step 04 Step 03 What & Why Scenario Step 02 Step 01 Agenda
  2. © 2019 Sjoukje Zaal What is Azure Active Directory B2C

    Azure Active Directory B2C is a customer identity access management (CIAM) solution. It takes care of the scaling and safety of the authentication platform, monitoring and automatically handles threats.
  3. © 2019 Sjoukje Zaal z 8 6 ( Azure AD

    B2C key capabilities 01 Step 02 Step 03 Step 04 Step Standard based authentication OpenID Connect, OAuth 2.0, and SAML Single Sign On With most modern apps Custom branded Customize the user experience Multiple identities Social, enterprise, or local
  4. © 2019 Sjoukje Zaal Simple & Secure Minimal application code

    Easy to maintain Enterprise grade security features Flexible Multiple identity providers .NET, iOS, and Android Open standards Benefits for developers
  5. © 2019 Sjoukje Zaal Identity providers User interaction Security Default

    Authentication Providers Social Media Identity Providers Custom Identity Providers Sign up / sign in Edit profiles Single Sign On Multi-factor authentication Features
  6. © 2019 Sjoukje Zaal Scenario Contoso developed a cloud native

    To-do application which is deployed in Azure. This application is used globally. Contoso has no current identity solution For simplicity, customers of this application need to be able to securely login using their social media credentials. There also should be the option to create an account using an username and password. Contoso wants to use MFA for an extra layer of security. Contoso wants to keep a database with certain customer information for future marketing activities.
  7. © 2019 Sjoukje Zaal Web app MVC App for registering

    to-do items Calls Web API Requests Access tokens from Web API Tasks web API Performs CRUD operations Scoped based access control To-do application parts
  8. © 2019 Sjoukje Zaal Registered the Tasks demo Web API

    Published a read/write scope Added values to web.config files Copied the application IDs from both apps Generated and copied the client secret Registered the demo web app Granted the read and write permissions to the demo web app Step 1 Demo summary Step 2 Step 3 Step 4 Step 5
  9. © 2019 Sjoukje Zaal Open Application code Open standards Open

    ID Connect OAuth 2.0 MSAL Microsoft Authentication Library Secure &
  10. © 2019 Sjoukje Zaal x t x b Predefined Reusable

    Custom Attributes Is triggered by the application Flows A primary resource in Azure AD B2C
  11. © 2019 Sjoukje Zaal 001 Option 002 Option 003 Option

    004 Option Profile edit MFA Multi-Factor Authentication Sign in / sign up with local or social accounts Self-service password reset When to use flows Y
  12. © 2019 Sjoukje Zaal Created a new user flow Selected

    the included fields and returned claims Selected the Identity Provider to enable the flow Step 1 Demo summary Step 2 Step 3
  13. © 2019 Sjoukje Zaal x t x b Configuration files

    + custom code Identity Experience Framework XML Standards- based OAuth 2.0, OIDC, SAML Custom policies
  14. © 2019 Sjoukje Zaal 001 Option 002 Option 003 Option

    004 Option Use a user store outside Azure AD B2C Validate user provided information with a trusted system by using an API Send a welcome email using your own email service provider Provision a user account in another system at the time of registration When to use custom policies Y
  15. © 2019 Sjoukje Zaal Base file Extension file Starter pack

    Relying party files Custom policy artifacts
  16. © 2019 Sjoukje Zaal User clicks sign up button application

    B2C endpoint reached Orchestration step 1 Choose an identity provider Orchestration step 2 Gather registration info (e.g. address). Precondition step, can be skipped Orchestration step 3 Verify email, gather preference data. Here, we are going to store user records in Azure Table Storage. Token issued User journeys and orchestration steps
  17. © 2019 Sjoukje Zaal Azure Table Storage Storage account Azure

    Function Policy artifacts Demo artifacts
  18. © 2019 Sjoukje Zaal Created a Table Storage account Uploaded

    and tested the custom policy Created the custom policy derived from the starter package Created an Azure Function Created a signing and encryption key Step 1 Demo summary Step 2 Step 3 Step 4 Step 5
  19. © 2019 Sjoukje Zaal x t x b Authentication Service

    Security tokens Out-of-the-box providers Client ID & secret Identity providers
  20. © 2019 Sjoukje Zaal Registered a new Identity Provider in

    Azure B2C Tested the user flow from the Azure B2C tenant Enabled the Identity Provider in the user flow Added the client id and client secret to the identity provider Step 1 Demo summary Step 2 Step 3 Step 4
  21. © 2019 Sjoukje Zaal Merges UI with HTML CORS Visual

    consistency Customize look & feel Page UI customization feature
  22. © 2019 Sjoukje Zaal Created a storage account and blob

    container Tested the user flow Updated the user flow Created & uploaded a custom HTML/CSS file Enabled CORS Step 1 Demo summary Step 2 Step 3 Step 4 Step 5
  23. © 2019 Sjoukje Zaal 01 02 03 04 05 Not

    Azure AD B2B Apps can be hosted everywhere Migrate with Azure AD Graph API Reporting and Monitoring Language customization b C s h G Wrap up Key takeaways