The challenge of user accounts
When you're building an app, the identity of your user can be very important, whether securing the data is crucial or you merely want to track users to present customized information to them. Regardless of the reason, there are a few approaches. One is to create your own database to keep user accounts and passwords. The problem with this approach is that in today's super-connected world, those identities have value, and you may have to spend a lot of effort protecting your database from attacks, not to mention the hassle of building and maintaining it in the first place.
Another option is to rely on a third-party identity provider such as Google or Facebook. This solves the security issue by letting them take care of protecting the identities. But you still have to code your application to talk to each of these identity providers. What if your users want to use a provider you haven’t set up yet? More work.
Azure B2C (Business to Consumer), currently in preview, solves these problems. It supports mobile apps (iOS, Android, and Windows Phone) or web apps. It supports social identities from Facebook, Google, Amazon, LinkedIn, or Microsoft. Or users can create new accounts using an email address and a password.
Meet Azure B2C
Azure B2C is backed by Azure Active Directory, the same directory that Office 365 and Azure rely on, and is going to be offered as a pay-as-you-go model with a free tier offering 50,000 user accounts and 50,000 authentications per month. During the preview phase, the entire service is free. After it becomes generally available, a tiered pricing structure applies.
There are default sign-up, sign-in, and password reset pages, but you can customize these with HTML and CSS content. You need to configure a reply URL (the web URI in your application) to which the service sends the token after an authentication event.
Start by logging in at manage.windowsazure.com and select New - App Services - Active Directory - Directory - Custom Create. I certainly hope this service moves to the new portal before it becomes generally available. Give your new directory a name and a domain name, and select a region. Once the new directory has been created, you can actually manage it from portal.azure.com. Note that you’ll need to change the directory you’re logged in to (top right), and then you can manage settings for your B2C directory in the new portal.
You also have to create a sign-up policy and a sign-in policy. Policies bring together identity providers, which attributes you’re collecting, claims delivered to your apps, whether to use multifactor authentication, and the customization of the web page for sign-up/sign-in. Recently added is the ability to combine these two into a single policy and a single resulting web page.
If you’re going to use any of the social network providers, you’ll need to create a developer account with them, which will give you the necessary details to set up your profiles.
Note that you need to create a separate tenant for storing identities. It can’t be added to an existing Azure Active Directory tenant. Your actual application, of course, can run on-premises or in any cloud, including Azure, as long as it can communicate HTTP requests publicly. You can customize the branding, colors, and settings for different pages.
It is possible to code your application to send protocol messages directly (OpenID Connect or OAuth 2.0) or use the libraries Microsoft provides for iOS and Android (Universal Windows App and Windows Desktop App are coming soon). For web apps, there are libraries for .NET MVC, Node.js, and .NET Web API, with an AngularJS SPA library coming soon.
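To make the "send protocol messages directly" option and the reply URL concrete, here is an added example (not code from the article or from Microsoft's libraries) of the two halves of an OpenID Connect relying party: building the authorize request for a B2C policy, and validating the ID token that comes back on the reply URL. The tenant name, tenant ID, policy name, client ID, reply URL, authorize endpoint path, and issuer format are all constructed placeholders. Azure B2C signs tokens with RS256 and publishes its keys at a JWKS endpoint; so that this runs offline, the signature check uses an HMAC key as a stand-in for that published key, and the token being validated is minted locally for the same reason. In a real app, replace the HMAC check with RS256 verification against the fetched JWKS and never mint tokens yourself.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholders for a hypothetical B2C tenant, policy and app registration.
TENANT = "contosob2c.onmicrosoft.com"
TENANT_ID = "11111111-1111-1111-1111-111111111111"      # placeholder directory id
POLICY = "B2C_1_signup_signin"                           # combined sign-up/sign-in policy
CLIENT_ID = "00000000-0000-0000-0000-000000000001"      # placeholder application id
REDIRECT_URI = "https://app.example.com/auth/callback"  # the reply URL registered for the app
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/"  # assumed issuer format


def build_authorization_request(state, nonce):
    """Authorize URL for the policy. The app stores state and nonce in the user's
    session before redirecting, and checks both when the token arrives."""
    params = {
        "p": POLICY,                  # policy selector (assumed parameter name)
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_token(claims, key, alg="HS256"):
    """Constructed token so the example runs offline. The real service signs with
    RS256 using keys the relying party fetches from its JWKS endpoint."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(id_token, key, expected_nonce, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError.
    `key` stands in for the provider's published signing key."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not three dot-separated segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: 'none' and anything unexpected is rejected before any other work.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body_b64))
    # Claims are trusted only after the signature has verified.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued for this application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now + 60:          # small clock-skew allowance
        raise ValueError("token not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # The policy claim name ('tfp' or 'acr') is an assumption; check it so a token
    # minted under a different policy cannot be presented to this app.
    if (claims.get("tfp") or claims.get("acr")) != POLICY:
        raise ValueError("token came from a different policy")
    return claims


def problem_with(id_token, key, expected_nonce, now=None):
    """Convenience wrapper for logging: '' if the token is good, else the reason."""
    try:
        validate_id_token(id_token, key, expected_nonce, now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-stand-in-for-the-provider-key"
    print(build_authorization_request(state="s1", nonce="n1"))
    now = int(time.time())
    tok = make_test_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": now + 600,
                           "nbf": now - 60, "nonce": "n1", "tfp": POLICY, "sub": "user-1"}, key)
    print("good token:", problem_with(tok, key, "n1") or "accepted")
    print("wrong nonce:", problem_with(tok, key, "n2"))
```

The order of checks matters: the signature is verified before any claim is read, the `alg` header is pinned rather than trusted, and `state`/`nonce` are generated per sign-in and kept server-side so a token replayed from another session is refused.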
You can optionally turn on Azure multifactor authentication if your application requires extra security.
Since this service is in preview, some things are missing. There isn’t a tool for uploading identities from an existing database, but this is on the roadmap. Likewise, support for Microsoft Dynamics CRM is on the roadmap, as are inbuilt reports. The pages are in English only, with localization coming “soon,” and the URL for the sign-up and sign-in pages is “login.microsoftonline.com,” with support for custom URLs coming. The documentation is still a bit thin, but there are some blog posts that give details on new features.
There’s a “sister service” to Azure B2C, called Azure B2B, which is all about people in businesses collaborating easily. We’ll cover that in the next article, as well as when you would choose one over the other.