What is Azure Active Directory B2C? | Azure Active Directory - YouTube
Channel: Microsoft Azure
[MUSIC]

Adam Stoffel: Hi. My name is Adam Stoffel.

Karen Schoen: And my name is Karen Schoen. Adam and I are part of the Customer Experience team within Microsoft Identity Engineering. We focus on external identities and help our customers build and deploy identity solutions for customers and partners. Today, we'll take a look at Azure Active Directory B2C, our consumer identity and access management solution.
Adam: Azure Active Directory B2C is a white-label authentication solution which enables businesses, governments, and other organizations to provide their customers, consumers, or citizens with access to public-facing web and mobile applications using the identities that they already have. Customers can use their preferred social identity, enterprise identity, or local accounts with a username and password to get single sign-on access to any application. The entire experience can be completely branded and customized so that it blends seamlessly with each application. B2C can also centralize the collection of user profile and preference information and capture detailed analytics information about behavior and sign-up conversion.
By serving as a central authentication authority for all your applications, B2C provides you with a way to build a single sign-on solution for any API, web, or mobile application. Microsoft will act as the secure front door to any of these applications and we'll worry about the safety and scalability of the authentication platform. We will handle things like denial of service, password spray, and brute force attacks, so that you can focus on your core business and stay out of the identity business. B2C uses standards-based authentication protocols like OpenID Connect, OAuth 2, and SAML so that it can integrate with almost any modern application or commercial off-the-shelf software. We offer out-of-the-box support for integrating many different third-party identity providers, including social identities and developer accounts from GitHub, and you can bring any other external identity provider which supports a standard protocol.
In addition to providing an enterprise-grade security platform, B2C is also an extremely customizable solution which fits in perfectly with any consumer-facing application. With B2C, you can enrich social and third-party identity provider information with custom registration fields and user attributes and add multi-factor authentication to any user flow. You can also customize every page using HTML, CSS, and JavaScript so that the B2C experience looks and feels exactly like it's a part of the web or mobile application.
The power of Azure AD B2C lies in the Identity Experience Framework. This framework is an extremely powerful orchestration engine which can be used to build almost any authentication, user registration, profile editing, or account recovery experience that you can imagine. The IEF gives you the ability to construct user journeys out of any combination of steps, such as federation with other identity providers, first-party or third-party multi-factor authentication challenges, collecting additional user input, and integration with external systems using REST API communication. Each of these user journeys is defined by a policy, and you can build as many or as few policies as you need in order to enable the best user experience for your business.
Now, let's take a look at how Azure AD B2C actually integrates into a web application.

Here we have WoodGrove Groceries. They're a modern, 21st-century grocery store, so they sell their goods online to their customers. They're using Azure AD B2C to authenticate their customers and have designed their sign-in and sign-up policies to offer a seamless and secure user experience.
If we click on sign-in, we're presented with a few different options for sign-in, and here we'll follow the individual customer's flow, which is the one using Azure AD B2C.

When I click sign-in here, their website redirects me over to Azure AD B2C and presents me with a policy with a few different options for sign-in. I can use a social account or I can sign in with a local account using an email address and a password. Let's sign up for a local account here.
When I click sign up, I can see that there are a few different pieces of information that WoodGrove Groceries wants to collect about me. As usual, I need to provide my email address.

And we'll go ahead and do an inline verification on this email address. B2C will send a verification code to that email and I'll need to provide that verification code right here. This enables us to verify that the user actually owns that email so that they can use it later on for things like password reset and account recovery. Of course, I also need to provide a password. We can see here that we're doing an automated check for complexity of the password. And we're also collecting a few other pieces of information: a display name and, in this situation, an account ID, which is a great example of how we can collect custom user attributes in a B2C registration flow. Those custom attributes can also have verification logic, so we have inline verification logic right here, and we need to agree to a terms of service in order to get signed in. So, let me go ahead and I'll check that I agree to that terms of service. And now I need to provide my verification code that I got sent via email.
And great, we're verified. I'll go ahead and I'll click create.

And we'll see that this policy is actually stopping me. There's one other verification that's done here in this policy and that is by calling a REST API. We actually send that account number that was provided to a REST API to verify whether that's the correct data. In this situation, the REST API has returned an error message and says that that account number is not quite right. For the purposes of our demo, we need to make sure that our account number ends with a five. So, let me update that.

Great. Now I can proceed. My account's been created. And the next thing that I'm asked to do is enroll in multi-factor authentication. So, let's go ahead and do that.
With B2C, I can do multi-factor authentication challenges via either text message or SMS or phone call. I'll send a code here to verify via SMS.
Great. Now I've verified my MFA enrollment and I'm redirected back to the application. Here, when I'm back in this demo, there are a few other interesting things that we can show. For example, I can show how we link a social account to this identity.

When I click on link a social account, I'm taken back to B2C and asked which social provider I'd like to associate with my existing identity. In this case, I'll add a Facebook account.

Now that I've linked my Facebook account to this identity, Azure Active Directory B2C knows that I'm the same user and I can use either credential to get logged in, my Facebook account or the username and password that I set up. B2C has also updated my profile information with data from that third-party identity provider. And you can see, for example, that my profile photo from Facebook has now been populated into Azure AD B2C.
I'm going to go ahead and get logged out and then log back in so that I can show you one other interesting feature of Azure AD B2C.

Once again, I'll sign in with that same account that I just used. I'll use Facebook this time to get logged in. Here we can see that on this second authentication attempt, Azure AD B2C has invoked progressive profiling. Progressive profiling allows you to collect additional attributes from the user on subsequent logins, and you can configure this many ways. You might do this based on a certain amount of time having passed since a previous authentication, or it could be a certain number of authentications that have happened. There's flexibility there in that custom policy framework for you to choose how to invoke that progressive profiling behavior. Here I'll say that I have allergies to a couple of different types of food, for example, to dairy and nuts. And we can see how that data will be collected and stored in my B2C profile so that it can be exposed to the applications.

In this situation, that information's been added to my authentication token, and here I can see how the application has actually changed its behavior in response to that updated information. In this situation, the application is displaying some warning icons here showing me that I may be allergic to certain kinds of products. The other thing that I'll call out is you may have noticed that during this sign-in attempt, I wasn't prompted to perform an MFA challenge. That's because in this demo, we've set up our policy to use step-up multi-factor authentication. With step-up multi-factor authentication, we can actually make the user experience a little bit more seamless and also save money on the cost of those MFA transactions. In this situation, the only time I'll be asked to perform a multi-factor challenge is when I perform a more sensitive operation. So, for example, in this demo, we'll see that when I go to complete the purchase, that's when I'll be asked for multi-factor authentication.

When I click complete purchase, the application can see that my current authentication context does not have a strong authentication claim in it, and I'm sent back to B2C so that I can perform that step-up authentication challenge.

Once I complete that multi-factor challenge, I'm taken back to the application with an updated authentication context which includes the fact that I've strongly authenticated myself.
Karen: Thank you, Adam. I hope this video has helped you learn more about Azure AD B2C.

Adam: Watch the next video to find out more about how to set up Azure AD B2C, the simplicity of built-in user journeys, and the power of custom policies.

[MUSIC]