Azure AD & Azure AD B2C provide identity and access management services. Azure AD is primarily for enterprise use, allowing single sign-on for Office 365, Azure, and other cloud services. It offers features like multi-factor authentication, application access control, and on-premises Active Directory synchronization. Azure AD B2C is designed more for consumer-facing apps and allows fully customizable login experiences and identity providers like social accounts and local usernames. Both services provide user management and authentication capabilities for applications.
2. Speaker Intro
• Joonas Westlin
• Developer @ Zure
• Azure MVP
• Global #1 on Stack Overflow for Azure AD answers
• Blog: https://joonasw.net
• Twitter: @JoonasWestlin
3. Contents
• High-level overview of Azure Active Directory (AAD) and Azure Active Directory B2C (AAD B2C)
• General features as well as more developer- and IT Pro-specific features covered
• Ultimate goal: You know some of the capabilities of these services
• Docs for AAD and AAD B2C:
• https://docs.microsoft.com/en-us/azure/active-directory/
• https://docs.microsoft.com/en-us/azure/active-directory-b2c/index
4. Azure Active Directory
• “Azure Active Directory (Azure AD) is a cloud identity service that allows developers to securely sign in users with a Microsoft work or school account.”
• The identity provider underneath Office 365, Azure, Dynamics 365
• Identity and access management
• Single Sign-On for cloud services
• High grade security
• For developers: An identity provider their apps can leverage
• For IT Pros: The control plane for identity and access management
• For users: Single identity that gives them access to all the things they need for work
5. Pricing
• Azure AD uses user-based licensing
• Free tier is what you have without any licenses
• Basic 0.844 €/user/month
• Group-based access management
• Self-service password reset
• SLA
• Premium P1 5.06 €/user/month
• MFA
• Conditional Access
• Premium P2 7.59 €/user/month
• Identity Protection
• Privileged Identity Management
6. Azure AD Key Features
• User authentication via OpenID Connect / OAuth 2.0 / WS-Federation / SAML 2.0
• User and group management
• B2B Collaboration
• Multi-factor authentication
• Single Sign-On
• Identity Protection
• Privileged Identity Management
• Application registration
• Application access control
• User permissions to apps, apps’ permissions to APIs
• On-prem AD sync with AAD Connect
7. Authentication
• Supported protocols: OpenID Connect, OAuth 2.0, WS-Federation, SAML 2.0
• OpenID Connect and OAuth 2.0 make up the significant majority of usage, >90%
• User authentication is usually based on redirecting the user’s browser to the AAD login page, or showing it in a pop-up / WebView
• The app does not need to care how the user authenticates, whether they use MFA, etc.
• The app also never handles passwords
• As a result, the app gets an ID token, which tells the app who the user is; the app must validate that token (signature, issuer, audience, expiry, nonce) before trusting it
• You can also acquire access tokens to call APIs as the user, or as the app itself
• Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
8. Authentication with OpenID Connect
• Step 1: Web app sends user to authenticate
• Step 2: Azure AD shows login page
• Step 3: User types in username and password (+MFA)
• Step 4: User sent back to Web app with authorization code
• Step 5: Web app exchanges authorization code for ID token, access token, refresh token
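The five steps above, as an added example that is not part of the original deck: the web app’s side of the authorization code flow against the Azure AD v2.0 endpoint, covering the request it builds (step 1), the callback it must check (step 4), the token request it sends (step 5) and the claim checks it applies to the returned ID token. The tenant ID, client ID, redirect URI and the user in the sample token are placeholders assumed for the example; the sample token is constructed locally with a fake signature so the code runs offline, and signature verification against the tenant’s JWKS is called out but not performed.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder identifiers (assumed for this example; use your own tenant and app registration).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://app.example.com/signin-oidc"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPES = "openid profile offline_access"  # offline_access is what gets you a refresh token
CLOCK_SKEW = 300  # seconds of tolerance on exp/nbf


def new_request_state():
    """Fresh per-request values; the app stores them in the user's session before redirecting."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def build_authorize_url(state, nonce):
    """Step 1: the URL the web app redirects the user to."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "response_mode": "query", "scope": SCOPES, "state": state, "nonce": nonce,
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 4: Azure AD returns the user with a code. The state must equal the session's
    value, otherwise an attacker could hand the user someone else's code (login CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(qs.get("error_description", qs["error"])[0])
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch")
    return qs["code"][0]


def token_request_body(code, client_secret):
    """Step 5: form body the app POSTs to AUTHORITY + '/oauth2/v2.0/token' (not sent here).
    redirect_uri must repeat the value used in step 1."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": client_secret, "code": code,
            "redirect_uri": REDIRECT_URI, "scope": SCOPES}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def validate_id_token_claims(id_token, expected_nonce, now=None):
    """Claim checks on the ID token from step 5. The RS256 signature must be verified first,
    against the keys at the jwks_uri listed in AUTHORITY + '/v2.0/.well-known/openid-configuration';
    that needs a JOSE library and is deliberately outside this stdlib-only example."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise PermissionError(f"unexpected alg {header.get('alg')!r}")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != f"{AUTHORITY}/v2.0":
        raise PermissionError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise PermissionError("token was issued for another app")
    if claims.get("tid") != TENANT_ID:  # single-tenant app; a multi-tenant app checks an allow list
        raise PermissionError("wrong tenant")
    if claims.get("exp", 0) < now - CLOCK_SKEW:
        raise PermissionError("token expired")
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        raise PermissionError("token not yet valid")
    if not secrets.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise PermissionError("nonce mismatch: token not minted for this login request")
    return claims


def make_sample_id_token(nonce, issued_at):
    """Constructed sample token (fake signature) so the flow can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-kid"}
    payload = {"iss": f"{AUTHORITY}/v2.0", "aud": CLIENT_ID, "tid": TENANT_ID,
               "iat": issued_at, "nbf": issued_at, "exp": issued_at + 3600,
               "oid": "22222222-2222-2222-2222-222222222222",
               "preferred_username": "alice@contoso.onmicrosoft.com", "nonce": nonce}
    return f"{enc(header)}.{enc(payload)}.ZmFrZS1zaWduYXR1cmU"


if __name__ == "__main__":
    req = new_request_state()
    print(build_authorize_url(req["state"], req["nonce"]))
    code = parse_callback(f"{REDIRECT_URI}?code=AUTHCODE123&state={req['state']}", req["state"])
    print(token_request_body(code, "<client secret>")["code"])
    now = int(time.time())
    claims = validate_id_token_claims(make_sample_id_token(req["nonce"], now), req["nonce"], now)
    print("signed in as", claims["preferred_username"], "oid", claims["oid"])
```

The `state` and `nonce` checks are the two the app itself owns: Azure AD cannot tell whether the code or token arriving at your callback belongs to the browser session that started the login, only your stored values can. In production, use a library such as MSAL rather than hand-rolling the exchange; the checks above are what such a library does for you.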
9. Single Sign-On
• SSO = sign in once
• User only has to enter their password when they use a new device, a new browser session, or their session has expired
• Most of the time the login page won’t even show
• Azure AD keeps track of the user session with a cookie in the browser
• If it considers this cookie still valid, the login page can be skipped entirely
and the user is logged in
• Can be annoying if you have multiple accounts
• Firefox + Multi-account containers is really good for this
• An app can disable SSO for a single login request if desired (e.g. by sending prompt=login in the request)
10. Multi-Factor Authentication
• MFA is included with Premium licenses / O365
• O365 MFA only applies to O365
• MFA is free for Global Administrators
• Can require additional verification from users when they sign in
• Set per user
• Limits the damage of a compromised password: the attacker also needs the second factor
• Enter a code sent via phone call / SMS, or generated by the Microsoft Authenticator mobile app
• Or click Approve on a notification sent to Microsoft Authenticator
• OATH TOTP hardware tokens (classic hardware tokens) are in preview now as well
11. Users
• User accounts can be created in many ways
• Azure Portal
• Office 365 Admin Portal
• PowerShell cmdlets
• MS Graph API
• Username uses one of the verified domain names
• @tenant.onmicrosoft.com by default
• Can require password change on first login
12. B2B Collaboration features
• You can invite users from other AAD tenants as Guests into your AAD tenant
• + Personal MS accounts and Gmail accounts
• Their organization remains in control of their identity
• Or they themselves if it is a personal account
• If their home organization disables the account, the guest loses access to your org too
• You control their access into your organization’s resources
• Guests can be invited via e.g.:
• Azure Portal
• Teams
• Microsoft Graph API
• There are settings that allow you to restrict what guests can do
• E.g. if they can see the whole user list (disabled by default)
13. On-prem AD Sync
• Azure AD Connect is installed on a domain-joined server
• Synchronizes e.g. users and groups to Azure AD
• Allows organization users to sign in to cloud services with the same account
• Various methods of setting up authentication
• Federation via ADFS
• Password Hash Sync
• Passthrough Authentication
14. Groups
• Groups can contain
• Users
• Other groups
• Service principals (app identities)
• Assignment can be direct or dynamic
• Dynamic groups allow automated membership based on a rule, e.g. (user.department -eq "Sales")
• Can assign groups to roles on apps
• App role assignments to a group apply to its direct members only; members of nested groups do not inherit the role
15. Identity Protection
• Automated anomaly detection for user accounts
• Can configure automated responses if a sign in is considered odd
• Require MFA
• Lock the account
• Reset password
• Notifies administrators of risk events
• Requires Premium P2 licenses
• More: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
16. Privileged Identity Management
• Users do not need high-level administrator privileges most of the time
• But sometimes they do need it for a while
• Users request privileged role, admin can approve or reject
• Can include why the role is needed and for how long
• Can also request role on Azure resources
• The role is removed after a time period
• You can also allow certain roles to certain users that won’t require admin approval
• Requires Premium P2 licenses for users using PIM
• More: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
17. Application Registration
• Applications developed in your org can be registered
• Third party apps can be added from Gallery (e.g. Dropbox)
• They can then use AAD as their identity provider
• Single-tenant and multi-tenant apps
• Single-tenant = Line of business apps
• Multi-tenant = SaaS apps
• Web apps / Mobile apps / APIs / daemon services
• Require access to APIs
• E.g. read user’s calendar
• Some require administrator approval
• The new app registration experience is now in public preview
18. Application Access Control
• Apps can define roles
• Can be assigned to users (and groups if you have Basic licenses or higher)
• With group-based assignment, users can have multiple roles
• Apps that have an API can also define permissions they expose
• Delegated or application permissions
• Other applications can require these
• Control what other apps can do in the API
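The access-control checks an API backed by these registrations applies, as an added example (not code from the deck): after an access token has been validated, a delegated token carries the granted delegated permissions in `scp` and the user’s app roles in `roles`, while an app-only token carries its application permissions in `roles` and has no `scp`. The API’s client ID, app ID URI, permission names and the "Admin" app role are placeholders assumed for the example.

```python
# Assumed placeholders for this example (not from the deck).
API_CLIENT_ID = "44444444-4444-4444-4444-444444444444"
API_APP_ID_URI = "api://44444444-4444-4444-4444-444444444444"
DELEGATED_READ = {"Calendars.Read", "Calendars.ReadWrite"}  # delegated permissions this API exposes (scp)
APPLICATION_READ = {"Calendars.Read.All"}                   # application permission this API exposes (roles)
ADMIN_APP_ROLE = "Admin"                                    # an app role assignable to users and groups


def caller_kind(claims):
    """Delegated tokens carry 'scp'; app-only (daemon) tokens carry 'roles' and no 'scp'."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "unknown"


def authorize_calendar_read(claims):
    """Gate for a 'read calendar' endpoint, applied after signature/issuer/expiry validation.
    Returns (allowed, reason). The audience check comes first: a perfectly valid token
    minted for some other API must not open this one."""
    if claims.get("aud") not in (API_CLIENT_ID, API_APP_ID_URI):
        return False, "token is for a different audience"
    kind = caller_kind(claims)
    if kind == "delegated":
        scopes = set(claims["scp"].split())  # scp is a space-separated string
        if scopes & DELEGATED_READ:
            return True, "delegated"
        return False, "missing delegated permission"
    if kind == "application":
        roles = set(claims["roles"])  # roles is a JSON array
        if roles & APPLICATION_READ:
            return True, "application"
        return False, "missing application permission"
    return False, "token has neither scp nor roles"


def user_has_app_role(claims, role):
    """App roles assigned to the signed-in user (directly, or through a directly assigned group)
    arrive in 'roles' of a delegated token; a user may hold several. An app-only token with a
    same-named application permission is not a user holding that role."""
    return caller_kind(claims) == "delegated" and role in claims.get("roles", [])


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded, already-verified tokens.
    user_token = {"aud": API_CLIENT_ID, "scp": "Calendars.Read User.Read", "roles": ["Admin"]}
    daemon_token = {"aud": API_APP_ID_URI, "roles": ["Calendars.Read.All"]}
    graph_token = {"aud": "some-other-api", "scp": "Calendars.Read"}
    for name, tok in (("user", user_token), ("daemon", daemon_token), ("other api", graph_token)):
        print(name, authorize_calendar_read(tok), "admin:", user_has_app_role(tok, ADMIN_APP_ROLE))
```

The two easiest mistakes this guards against are accepting a token whose `aud` is another API, and treating an app-only token as if a user were behind it because `roles` happened to contain a familiar name.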
20. Azure Active Directory B2C
• A more general identity provider than standard AAD
• Built for consumer-facing applications
• Can be used for enterprise scenarios as well
• Hyper-customizable thanks to custom policy capability
• The login pages can be customized greatly, and localization can also be done
21. Pricing
• Based on # of stored users and # of authentications per month
• 50,000 users + 50,000 authentications free
• Authentication means token issuance
• So every time you get a new authentication token for a user
• Set access token lifetimes long to save costs (a longer-lived token also stays usable longer after an account is disabled, so balance cost against that)
• Read more: https://azure.microsoft.com/en-us/pricing/details/active-directory-b2c/
22. Key Features
• Local accounts
• Social account federation
• User flows
• Custom policies for advanced scenarios
• Multi-factor authentication
• UI customization
23. Local accounts
• Can choose to allow users to create accounts with username/email + password
• These accounts are created in B2C locally
• Yet another password for user to manage
• Can use if you are migrating to B2C or if you do not want to federate to other identity providers
24. Social Account Federation
• Many providers available out of the box
• Facebook
• Twitter
• Google
• …
• User can click the provider button on login page and sign in with their existing account
• No need to create another password
• Up to you which ones you enable
• Custom OpenID Connect provider allows you to add any identity provider that supports the protocol
25. Built-in user flows
• Your app always sends the user to authenticate via a user flow
• Previously known as policies
• You can have many of these
• Different types, e.g.: sign-up / sign-in / edit profile / password reset
• Choose what identity providers are available
• MFA can be required
• What data are collected on sign-up
• What data are sent in the token back to apps
• Custom page layouts and custom languages available too
26. UI Customization
• B2C allows full customization of the login UI
• Unlike regular AAD which only allows limited branding
• Can bring the product / company brand out more
• You can also localize the UI for any languages you need
• Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-overview
27. Custom policies
• Custom user flows
• Created by using the Identity Experience Framework
• Learning curve is steep
• Process customized via XML files
• Use almost any identity provider
• Validate user data in your back-end
• On-boarding flows
28. Multi-factor authentication
• Actually two-step verification with SMS or phone call
• Charged 0.0253 € / authentication
• Enable on user flows where you want MFA to apply
• You can have one user flow without MFA and one with MFA, and use the MFA flow only in sensitive sections
• You can also have apps without MFA and apps that require MFA
• There is no “Remember this device” checkbox in the standard MFA
• So every time you redirect the user to authenticate, it will cost you
• Keep session lifetimes in your app high and use the refresh token if you need new access tokens
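The user-flow and MFA selection described on this slide and on slide 25, as an added example that is not from the deck: the app sends the user through the non-MFA flow for everyday sections and the MFA flow for sensitive ones, and then checks server-side which flow actually issued the token (the `tfp` claim, or `acr` on older policies) before opening a sensitive section, since both flows mint tokens for the same app and therefore the same `aud`. The tenant name, client ID, redirect URI and flow names are placeholders assumed for the example.

```python
from urllib.parse import urlencode

# Assumed placeholders for this example (not from the deck).
B2C_TENANT = "contosob2c"  # gives the contosob2c.b2clogin.com login host
CLIENT_ID = "55555555-5555-5555-5555-555555555555"
REDIRECT_URI = "https://shop.example.com/auth/callback"
# One user flow without MFA for everyday use, one with MFA enabled for sensitive sections.
FLOWS = {"standard": "B2C_1_signupsignin", "sensitive": "B2C_1_signupsignin_mfa"}
# Which sections a token from each flow may open: the MFA flow satisfies both.
SATISFIES = {
    "B2C_1_signupsignin": {"standard"},
    "B2C_1_signupsignin_mfa": {"standard", "sensitive"},
}


def authorize_url(section, state, nonce):
    """Redirect target for a login into the given section; the p parameter picks the user flow."""
    params = {"p": FLOWS[section], "client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "response_mode": "query",
              "scope": "openid offline_access", "state": state, "nonce": nonce}
    return (f"https://{B2C_TENANT}.b2clogin.com/{B2C_TENANT}.onmicrosoft.com/oauth2/v2.0/authorize?"
            + urlencode(params))


def flow_of(claims):
    """Which user flow issued this (already signature-validated) token."""
    return claims.get("tfp") or claims.get("acr")


def token_opens_section(claims, section):
    """Server-side gate: a token from the non-MFA flow must not open the sensitive section."""
    if claims.get("aud") != CLIENT_ID:
        return False
    return section in SATISFIES.get(flow_of(claims), set())


def needs_step_up(claims, section):
    """True when the user holds a valid session for this app but must first be sent
    through the MFA flow (one extra paid authentication) to enter the section."""
    return claims.get("aud") == CLIENT_ID and not token_opens_section(claims, section)


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded tokens from each flow.
    everyday = {"aud": CLIENT_ID, "tfp": "B2C_1_signupsignin", "sub": "user-1"}
    stepped_up = {"aud": CLIENT_ID, "tfp": "B2C_1_signupsignin_mfa", "sub": "user-1"}
    print(authorize_url("sensitive", "state123", "nonce456"))
    print("everyday token opens sensitive:", token_opens_section(everyday, "sensitive"))
    print("everyday token needs step-up:", needs_step_up(everyday, "sensitive"))
    print("stepped-up token opens standard too:", token_opens_section(stepped_up, "standard"))
```

Keeping the step-up decision in the app, rather than redirecting on every page load, is also what keeps the per-authentication MFA charge down: the user is sent through the MFA flow once per session for the sensitive area, and the resulting token (refreshed as needed) carries proof of that flow from then on.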
29. Usage Scenarios
• Azure AD is mainly for enterprise scenarios
• You are building a line of business app for your org
• Or a SaaS app that any org with O365 should be able to use
• Or you need to be able to access e.g. Microsoft Graph API for the organization
• Azure AD B2C is mainly for consumer scenarios
• Any app where anyone should be able to create an account
• Custom policies in B2C make it viable for many more scenarios
• E.g. use any identity provider
• Learning curve is very steep though
• B2C login page can be customized greatly, whereas AAD offers very limited options
31. Summary
• Azure AD is the central identity management system for the Microsoft ecosystem
• Applications can use as identity provider
• Rich features for identity and access management
• Azure AD B2C offers a solution more for consumer-facing applications
• More generic identity provider
• Local accounts, social accounts, custom identity providers