Azure AD B2C Webinar Series: Custom Policies Part 1

1. Azure AD B2C Webinar Series Custom Policy Concepts John Garland VP Cloud Development & Instructor, Wintellect Azure MVP, MCT, P-CSA wintellect.com @dotnetgator Vinu Gunasekaran Program Manager, Microsoft

2. https://aka.ms/B2Cprecallsurvey Session Guidelines

3. Date Time (PDT) Topic 20-Apr 21-Apr 2-3 PM 8-9 AM Identity Protocols – OIDC, OAuth2 Recording: https://aka.ms/B2CWebinarRecordings 27-Apr 28-Apr 2-3 PM 8-9 AM B2C & App Integration (with MSAL) Recording: https://aka.ms/B2CWebinarRecordings 4-May 5-May 2-3 PM 8-9 AM Custom Policies Part 1: Concepts with Take-Home Lab 11-May 12-May 2-3 PM 8-9 AM Custom Policies Part 2: Policy Walkthrough 18-May 19-May 2-3 PM 8-9 AM Custom Policies Part 3: Troubleshooting Calendar of Previous & Upcoming Sessions

4. Azure AD B2C Webinar Series Custom Policy Concepts John Garland VP Cloud Development & Instructor, Wintellect Azure MVP, MCT, P-CSA wintellect.com @dotnetgator Vinu Gunasekaran Program Manager, Microsoft

5. • Introducing Custom Policies in Azure AD B2C • Custom Policy Components • Relying Party and User Journeys • Claims Definitions • Technical Profiles • Getting Started with Azure AD B2C Custom Policies Agenda Note – The content today assumes you are familiar with the pre-requisite material outlined in the session description, including: • What is Azure AD B2C • Basic Azure AD B2C configuration and user flow creation • Azure AD B2C Use Cases Also, if you haven’t already, you may want to go back and watch the prior sessions in this series.

6. Recap: Azure AD B2C policies Issue a token Read user profile Create an account Sign-Up or Sign- In

7. Types of policies User flows Built-in policies Identity Experience Framework Custom policies

8. BasePolicy Defines inheritance hierarchy among policy files. BuildingBlocks Configures claims, transformations, content definitions, and other policy features. ClaimsProviders Defines items which obtain, modify, and validate claims, expressed as units called Technical Profiles. UserJourneys Defines the sequence of steps to be executed and the conditions under which steps are invoked. RelyingParty Defines the behavior of the endpoint that is exposed by the policy, including which UserJourney is executed and which claims are returned. Policy Components <TrustFrameworkPolicy xmlns=“…” PolicySchemaVersion="0.3.0.0" TenantId="YOUR_TENANT_NAME. PolicyId="YOUR_POLICY_ID" PublicPolicyUri="http://YOUR_TENA _ID"> <BasePolicy>  </BasePolicy> <BuildingBlocks>  </BuildingBlocks> <ClaimsProviders>  </ClaimsProviders> <UserJourneys>  </UserJourneys> <RelyingParty>  </RelyingParty> </TrustFrameworkPolicy>

9. • A relying party application, such as a web, mobile, or desktop application, calls the relying party (RP) policy. • The RP policy configures the list of claims the relying party application receives as part of the token that is issued. • Multiple applications can use the same policy. All applications receive the same token with claims and the user goes through the same user journey. • A single application can use multiple policies. • A relying party policy, points to the user journey to be executed. Relying party policy

10. • The explicit paths through which a policy allows a relying party application to obtain the desired claims for a user. • The user is taken through these paths to retrieve the claims that are to be presented to the relying party. • During the journey, Azure AD B2C exchanges claims with parties. Sending input claims and receiving back output claims. • Each user journey is a sequence of orchestration steps. • Usually the last orchestration step issues the access token. User journeys

11. Local account sign-in REST API Social Identity provider MFA Self asserted (user input) Application insights Directory service (AAD) Relying party application Token Claims Claims Claims Claims Claims Claims Claims Claims bag (session) Token User Journey Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 User journeys

12. 1 • Show the sign-in form, sign-up link and password reset • If user provides credentials on screen, then login to local account  Validate credentials and return the user object Id 2 • If the user signed-in locally, skip this step • Otherwise, register the user with a new local account  Create the account in the directory 3 • Read the desired attributes from the user directory for the current user account 4 • Create a token with the desired claims collected from the current activity and return the token to the calling app Azure AD B2C directory services Local account sign-up or sign-in user journey

13. • Store information about the user, such as first name, last name, or display name. • When the policy runs, Azure AD B2C sends and receives claims to and from internal and external parties and then sends a set of claims to your relying party application. • Claims are used in these ways: • Claims are read from, saved to, or updated in the Azure AD user profile. • Claims can be received from an external identity provider. • Claims are sent and/or received from calls to a custom REST API service. • Data is collected as claims from users when they interact with User Interfaces shown by policies. Claims Definitions

14. Claims Definitions • Id (required) • Display name (required) • Data type (required) • User input type • Mask • User help text • Restriction & Predicate validation Text boxPasswordEmailDate pickerNumericDropdown list (single select)Checkbox list (multi select)Radio button (single select)ParagraphMaskUser help text Self-asserted UX Predicate validation

15. • Azure AD B2C supports many pre-built claims • Given Name, Surname, City, Postal Code, Phone Number, etc. • Additional claims can be defined with Custom Claims • Also known as Extension Property, Extension Attribute, Custom Attribute, etc. • Store additional user information like Loyalty Number, external system ID, or status information like pending migration. • Use the syntax extension_name Custom Claims

16. • Provides a framework with a built-in mechanism to communicate with applications and identity providers via open standard protocols: • OAuth1, OAuth2, OpenID Connect, SAML and WS-Fed • Communicate with B2C parties, using internal Azure AD B2C protocols • Azure Active Directory • Phone factor provider • Self-asserted • Restful provider • Session management • Application insights • Token issuer • And more… Technical profile

17. Local account sign-in REST API Social Identity provider MFA Self asserted (user input) Application insights Directory service (AAD) Azure AD B2C Relying party application Token Claims Claims Claims Claims Claims Claims Claims Claims bag (session) TokenTechnical profiles Technical profile

18. Claims bag Technical profile Input claims transformation Input claims Technical profile execution Validation technical profiles Output claims Output Claims Transformations Session manager Identity provider REST API Azure AD directory service MFA services Issue a token Self-asserted (user input) Auditing Technical profile

19. Self-asserted technical profile • All interactions where a user is expected to provide input are managed through self-asserted technical profiles. • Configure input claims, claims to display/collect, and output claims • User interface layout is defined by the Content Definition setting • To customize the user interface, you specify a URL in the Content Definition element with customized HTML content. • Azure AD B2C runs code in your customer's browser that combines your HTML file with Azure AD B2C HTML content

20. Examples of self-asserted technical profiles

21. Validation technical profile • A self-asserted technical profile may define one or more validation technical profiles to be used to validate output claims. • A validation technical profile is an ordinary technical profile from any protocol, such as Azure Active Directory or a REST API. • The validation technical profile returns output claims or returns an HTTP error message Examples: • On Sign-in with a local account, Azure AD B2C invokes a validation technical profile to validate the user’s credentials and return the user’s object id. • On Sign-up, Azure AD B2C invokes a validation technical profile to check if the account already exists. If it does not, the account is created, and the user object id is returned. • You can add additional validation technical profiles to check if a user exists in your database or update your system when a user changes their account profile.

22. Examples of validation technical profile Validation technical profile collection Validate user credentials Custom REST API

23. • Validate user input data • Overwrite input claims • Enrich user data by further integrating with corporate line-of- business applications • Run custom business logic Call a REST API

24. Validate user input and enrich user data PLACE A NEW ORDER REVIEW EXISTING ORDER WELCOME JAN! IT’S APPLE SEASON THE MOST POPULAR VARIETIES ARE

25. Relying Party policy User Journey Orchestration Step(s) Technical Profile(s) if Preconditions Policy Execution

26. Getting Started with Azure AD B2C Custom Policies https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started • Create an Azure AD B2C tenant and link it to an Azure Subscription • Define Signing and Encryption Keys to be used by your policies • Register applications that allow you to sign in local accounts • Retrieve values that are used to allow your policies to work with Custom Claims • If you are working with external identity providers (such as Facebook), register an application with the identity provider • Download the Custom Policy Starter Pack and update the policy values

27. The Policy Starter Pack Why a “starterpack” • Common starting point • Provides sample user journeys • Structured for change management • Maintained / Tested Pack Use case LocalAccounts Enables the use of local accounts only SocialAccounts Social (or federated) accounts only SocialAndLocalAccounts Both SocialAndLocalAccountsWithMFA Adds Multi-Factor Authentication

28. B2C_1A_TrustFrameworkBase B2C_1A_TrustFrameworkExtensions B2C_1A_signup_signinB2C_1A_ProfileEdit B2C_1A_PasswordReset App1 App2 App3 Relying Party applications Relying party policies More relying party policies Moreinheritancelevels

29. • Create a custom policy that will: • Allow new users to sign up or existing users to sign in • Users will create credentials that are local to the application • B2C user accounts should record a user’s Loyalty Number (grocery store points club membership number) • In order to keep the initial sign-up experience as simple as possible, the Loyalty Number should be obtained progressively • It is not collected when the user first signs up, but instead the policy should wait until the user signs in a second time. Exercise: Progressive Profiling https://aka.ms/B2CWebinarLabs/

30. Please take a few minutes to complete the feedback survey, and we'll prepare a few questions to discuss. https://aka.ms/B2CTheoryPostCallSurvey/ Feedback and Q&A

31. Thank you! Vinu Gunasekaran Program Manager, Microsoft John Garland VP Cloud Development & Instructor, Wintellect Azure MVP, MCT, P-CSA wintellect.com @dotnetgator

Azure AD B2C Webinar Series: Custom Policies Part 1

Azure AD B2C Webinar Series: Custom Policies Part 1

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Azure AD B2C Webinar Series: Custom Policies Part 1

Similar to Azure AD B2C Webinar Series: Custom Policies Part 1(20)

Recently uploaded

Recently uploaded(20)

Azure AD B2C Webinar Series: Custom Policies Part 1

Editor's Notes