Azure AD & Azure AD B2C
19.12.2018
Speaker Intro
• Joonas Westlin
• Developer @ Zure
• Azure MVP
• Global #1 on Stack Overflow for Azure AD answers
• Blog: https://joonasw.net
• Twitter: @JoonasWestlin
Contents
• High-level overview of Azure Active Directory (AAD) and Azure Active Directory B2C (AAD B2C)
• General features as well as more developer- and IT Pro-specific features covered
• Ultimate goal: You know some of the capabilities of these services
• Docs for AAD and AAD B2C:
• https://docs.microsoft.com/en-us/azure/active-directory/
• https://docs.microsoft.com/en-us/azure/active-directory-b2c/index
Azure Active Directory
• “Azure Active Directory (Azure AD) is a cloud identity service that allows developers to securely sign in users with a Microsoft work or school account.”
• The identity provider underneath Office 365, Azure, Dynamics 365
• Identity and access management
• Single Sign-On for cloud services
• High grade security
• For developers: An identity provider their apps can leverage
• For IT Pros: The control plane for identity and access management
• For users: Single identity that gives them access to all the things they need for work
Pricing
• Azure AD uses user-based licensing
• Free tier is what you have without any licenses
• Basic 0.844 €/user/month
• Group-based access management
• Self-service password reset
• SLA
• Premium P1 5.06 €/user/month
• MFA
• Conditional Access
• Premium P2 7.59 €/user/month
• Identity Protection
• Privileged Identity Management
Azure AD Key Features
• User authentication via OpenId Connect / OAuth / WS-Federation / SAML2
• User and group management
• B2B Collaboration
• Multi-factor authentication
• Single Sign-On
• Identity Protection
• Privileged Identity Management
• Application registration
• Application access control
• User permissions to apps, apps’ permissions to APIs
• On-prem AD sync with AAD Connect
Authentication
• Supported protocols: OpenId Connect, OAuth2, WS-Federation, SAML2
• OpenId Connect and OAuth2 are the significant majority, >90%
• User authentication usually based on redirecting their browser to AAD login or showing it in a pop-up / Webview
• An app doesn’t need to care how the user authenticates, if they use MFA etc.
• An app also does not handle passwords
• As a result, the app gets an Id token, which tells the app who the user is
• You can also acquire access tokens to call APIs as the user, or the app itself
• Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
Authentication with OpenId Connect
• Step 1: Web app sends user to authenticate
• Step 2: Azure AD shows login page
• Step 3: User types in username and password (+MFA)
• Step 4: User sent back to Web app with authorization code
• Step 5: Web app exchanges authorization code for Id token, access token, refresh token
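The flow above, as an added example that is not code from the slides: the web app's side of the authorization code flow in Python (standard library only). The tenant id, client id, redirect URI and the sample token are constructed placeholders; verifying the Id token's signature against the tenant's published signing keys is assumed to be done by a JWT library and is not shown.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values, not taken from the slides.
TENANT_ID = "00000000-0000-0000-0000-000000000000"    # directory (tenant) id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # application (client) id
REDIRECT_URI = "https://app.example.com/signin-oidc"
AUTHORITY = "https://login.microsoftonline.com"


def new_request_binding():
    """Per-login random values the app stores in the user's session.
    state ties the callback to this browser session; nonce ties the Id token
    to this authorization request (replay protection)."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_authorize_url(tenant_id, client_id, redirect_uri, state, nonce):
    """Step 1: the app redirects the browser here. Azure AD then shows the
    login page and handles password/MFA (steps 2 and 3); the app sees none
    of that."""
    params = {
        "client_id": client_id,
        "response_type": "code",       # ask for an authorization code
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile offline_access",  # offline_access -> refresh token
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: the user comes back to redirect_uri with ?code=...&state=...
    A state mismatch means the code was not requested by this session, so it
    must be rejected rather than exchanged."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 5: form body the app POSTs from its back end to
    {AUTHORITY}/{tenant}/oauth2/v2.0/token. The response carries the Id token,
    access token and refresh token. The client secret never reaches the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,   # must equal the one used in step 1
        "scope": "openid profile offline_access",
    }


def decode_jwt_payload(token):
    """Return the claims segment of a JWT. The signature must be verified
    against the tenant's published signing keys (JWKS) before these claims are
    trusted; that is assumed to be done by a JWT library and is not shown."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims, tenant_id, client_id, expected_nonce, now=None):
    """Checks an app must do on the Id token even after a valid signature:
    issued by our tenant, for our app, for this login, and not expired.
    Returns (ok, detail); on success detail is the user's object id (oid)."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"{AUTHORITY}/{tenant_id}/v2.0":
        return False, "issuer mismatch"
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, claims.get("oid")


def make_sample_id_token(claims):
    """Constructed, unsigned token for the offline demo only (a real Id token
    is RS256-signed by Azure AD)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'placeholder'})}.{seg(claims)}.signature-omitted"


if __name__ == "__main__":
    state, nonce = new_request_binding()
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, state, nonce))
    code = parse_callback(f"{REDIRECT_URI}?code=AQAB-demo&state={state}", state)
    print(token_request_body(code, CLIENT_ID, "<client-secret>", REDIRECT_URI))
    sample = make_sample_id_token({
        "iss": f"{AUTHORITY}/{TENANT_ID}/v2.0", "aud": CLIENT_ID, "nonce": nonce,
        "exp": int(time.time()) + 3600, "oid": "user-object-id-placeholder",
    })
    print(validate_id_token_claims(decode_jwt_payload(sample), TENANT_ID, CLIENT_ID, nonce))
```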
Single Sign-On
• SSO = sign in once
• User only has to enter their password when they use a new device, a new browser session, or their session has expired
• Most of the time the login page won’t even show
• Azure AD keeps track of the user session with a cookie in the browser
• If it considers this cookie still valid, the login page can be skipped entirely and the user is logged in
• Can be annoying if you have multiple accounts
• Firefox + Multi-account containers is really good for this
• An app can disable SSO for a login request if desired
Multi-Factor Authentication
• MFA is included with Premium licenses / O365
• O365 MFA only applies to O365
• MFA is free for Global Administrators
• Can require additional verification from users when they sign in
• Set per user
• Prevents unauthorized access when password is compromised
• Enter code sent via phone call / SMS, or from the Microsoft Authenticator mobile app
• Or click Approve on a notification sent to Microsoft Authenticator
• TOTP tokens (classic hardware tokens) in preview now as well
Users
• User accounts can be created via many ways
• Azure Portal
• Office 365 Admin Portal
• PowerShell cmdlets
• MS Graph API
• Username uses one of the verified domain names
• @tenant.onmicrosoft.com default
• Can require password change on first login
B2B Collaboration features
• You can invite users from other AAD tenants as Guests into your AAD tenant
• + Personal MS accounts and Gmail accounts
• Their organization remains in control of their identity
• Or they themselves if it is a personal account
• If they disable the user account, they lose access to your org too
• You control their access into your organization’s resources
• Guests can be invited via e.g.:
• Azure Portal
• Teams
• Microsoft Graph API
• There are settings that allow you to restrict what guests can do
• E.g. if they can see the whole user list (disabled by default)
On-prem AD Sync
• Azure AD Connect installed in a domain-joined server
• Synchronizes e.g. users and groups to Azure AD
• Allows organization users to sign in to cloud services with the same account
• Various methods of setting up authentication
• Federation via ADFS
• Password Hash Sync
• Passthrough Authentication
Groups
• Groups can contain
• Users
• Other groups
• Service principals (app identities)
• Assignment can be direct or dynamic
• Dynamic groups allow automated membership based on rule
• Can assign groups to roles on apps
• The role is not inherited to nested groups though
Identity Protection
• Automated anomaly detection for user accounts
• Can configure automated responses if a sign in is considered odd
• Require MFA
• Lock the account
• Reset password
• Notifies administrators of risk events
• Requires Premium P2 licenses
• More: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
Privileged Identity Management
• Users do not need high-level administrator privileges most of the time
• But sometimes they do need it for a while
• Users request privileged role, admin can approve or reject
• Can include why the role is needed and for how long
• Can also request role on Azure resources
• The role is removed after a time period
• You can also allow certain roles to certain users that won’t require admin approval
• Requires Premium P2 licenses for users using PIM
• More: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Application Registration
• Applications developed in your org can be registered
• Third party apps can be added from Gallery (e.g. Dropbox)
• They can then use AAD as their identity provider
• Single-tenant and multi-tenant apps
• Single-tenant = Line of business apps
• Multi-tenant = SaaS apps
• Web apps / Mobile apps / APIs / daemon services
• Require access to APIs
• E.g. read user’s calendar
• Some require administrator approval
• The new app registration experience is now in public preview
Application Access Control
• Apps can define roles
• Can be assigned to users (and groups if you have Basic licenses or higher)
• With group-based assignment, users can have multiple roles
• Apps that have an API can also define permissions they expose
• Delegated or application permissions
• Other applications can require these
• Control what other apps can do in the API
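The API side of the access control described above, as an added example that is not code from the slides. It follows the claim layout of Azure AD access tokens (delegated permissions in the space-separated `scp` claim, application permissions and app roles assigned to users or groups in the `roles` list); the API id, permission names and sample tokens are constructed placeholders, and signature and expiry checks are assumed to have been done already.

```python
# This API's own application id; tokens meant for it carry it in "aud".
API_APP_ID = "22222222-2222-2222-2222-222222222222"   # constructed placeholder

# Permissions this API exposes in its app registration (constructed names).
DELEGATED_READ = "Calendar.Read"        # user present; consented by user or admin
APPLICATION_READ = "Calendar.Read.All"  # daemon; requires administrator approval


def caller_permissions(claims):
    """Split a token's permissions into delegated scopes and app roles.
    Either set can be empty: a daemon token has no scp, a plain user token
    may carry no roles."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return scopes, roles


def authorize_request(claims, api_app_id, delegated_scope, application_role):
    """Decide whether a caller may perform an operation that needs either the
    delegated scope (app acting as the signed-in user) or the application role
    (app acting as itself). Returns (allowed, mode)."""
    # A token minted for a different API is rejected regardless of its
    # permissions; the audience check comes before any permission lookup.
    if claims.get("aud") != api_app_id:
        return False, "wrong audience"
    scopes, roles = caller_permissions(claims)
    if delegated_scope in scopes:
        # Delegated call: the API must still limit data to what the user
        # identified by oid may see; the scope alone is not enough.
        return True, "delegated:" + claims.get("oid", "")
    if application_role in roles:
        return True, "application"
    return False, "missing permission"


def user_app_roles(claims):
    """App roles defined by the application and assigned to the user directly
    or via groups. With group-based assignment a user can carry several."""
    return sorted(set(claims.get("roles", [])))


# Constructed sample tokens (claims only).
USER_TOKEN = {"aud": API_APP_ID, "oid": "user-1", "scp": "Calendar.Read profile"}
DAEMON_TOKEN = {"aud": API_APP_ID, "roles": ["Calendar.Read.All"]}
ROLE_USER_TOKEN = {"aud": API_APP_ID, "oid": "user-2", "scp": "profile",
                   "roles": ["Reader", "Approver"]}
OTHER_API_TOKEN = {"aud": "33333333-3333-3333-3333-333333333333",
                   "scp": "Calendar.Read"}

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("daemon", DAEMON_TOKEN),
                      ("role user", ROLE_USER_TOKEN), ("other api", OTHER_API_TOKEN)]:
        print(name, authorize_request(tok, API_APP_ID, DELEGATED_READ, APPLICATION_READ))
    print("app roles of user-2:", user_app_roles(ROLE_USER_TOKEN))
```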
Questions on AAD?
Azure Active Directory B2C
• A more general identity provider than standard AAD
• Built for consumer-facing applications
• Can be used for enterprise scenarios as well
• Hyper-customizable thanks to custom policy capability
• The login pages can be customized greatly, and localization can also be done
Pricing
• Based on # of stored users and # of authentications per month
• 50,000 users + 50,000 authentications free
• Authentication means token issuance
• So every time you get a new authentication token for a user
• Set access token lifetimes long to save costs
• Read more: https://azure.microsoft.com/en-us/pricing/details/active-directory-b2c/
Key Features
• Local accounts
• Social account federation
• User flows
• Custom policies for advanced scenarios
• Multi-factor authentication
• UI customization
Local accounts
• Can choose to allow users to create accounts with username/email + password
• These accounts are created in B2C locally
• Yet another password for user to manage
• Can use if you are migrating to B2C or if you do not want to federate to other identity providers
Social Account Federation
• Many providers available out of the box
• Facebook
• Twitter
• Google
• …
• User can click the provider button on login page and sign in with their existing account
• No need to create another password
• Up to you which ones you enable
• Custom OpenId Connect provider allows you to add any identity provider that supports the protocol
Built-in user flows
• Your app always sends the user to authenticate via a user flow
• Previously known as policies
• You can have many of these
• Different types, e.g.: sign-up / sign-in / edit profile / password reset
• Choose what identity providers are available
• MFA can be required
• What data are collected on sign-up
• What data are sent in the token back to apps
• Custom page layouts and custom languages available too
UI Customization
• B2C allows full customization of the login UI
• Unlike regular AAD which only allows limited branding
• Can bring the product / company brand out more
• You can also localize the UI for any languages you need
• Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-overview
Custom policies
• Custom user flows
• Created by using the Identity Experience Framework
• Learning curve is steep
• Process customized via XML files
• Use almost any identity provider
• Validate user data in your back-end
• On-boarding flows
Multi-factor authentication
• Actually two-step verification with SMS or phone call
• Charged 0,0253 € / authentication
• Enable on user flows where you want MFA to apply
• You can have one user flow without MFA and one with MFA, to apply MFA only in sensitive sections
• You can also have apps without MFA and apps that require MFA
• There is no “Remember this device” checkbox in the standard MFA
• So every time you redirect the user to authenticate, it will cost you
• Keep session lifetimes in your app high and use refresh token if you need new access tokens
Usage Scenarios
• Azure AD is mainly for enterprise scenarios
• You are building a line of business app for your org
• Or a SaaS app that any org with O365 should be able to use
• Or you need to be able to access e.g. Microsoft Graph API for the organization
• Azure AD B2C is mainly for consumer scenarios
• Any app where anyone should be able to create an account
• Custom policies in B2C make it viable for many more scenarios
• E.g. use any identity provider
• Learning curve is very steep though
• B2C login page can be customized greatly, whereas AAD offers very limited options
Demos
Summary
• Azure AD is the central identity management system for the Microsoft ecosystem
• Applications can use it as identity provider
• Rich features for identity and access management
• Azure AD B2C offers a solution more for consumer-facing applications
• More generic identity provider
• Local accounts, social accounts, custom identity providers
Introduction to Azure AD and Azure AD B2C

Rakesh Kumar R
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
pavan998932
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 

Recently uploaded (20)

Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 

Introduction to Azure AD and Azure AD B2C

Authentication
• Supported protocols: OpenId Connect, OAuth2, WS-Federation, SAML2
• OpenId Connect and OAuth2 make up the significant majority, >90%
• User authentication is usually based on redirecting the browser to the AAD login page, or showing it in a pop-up / WebView
• The app doesn't need to care how the user authenticates, whether they use MFA etc.
• The app also never handles passwords
• As a result, the app gets an Id token, which tells the app who the user is
• You can also acquire access tokens to call APIs as the user, or as the app itself
• Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
Authentication with OpenId Connect
• Web app sends the user to authenticate
• Azure AD shows the login page
• User types in username and password (+MFA)
• User is sent back to the web app with an authorization code
• Web app exchanges the authorization code for an Id token, access token and refresh token
Single Sign-On
• SSO = sign in once
• User only has to enter their password when they use a new device, a new browser session, or their session has expired
• Most of the time the login page won't even show
• Azure AD keeps track of the user session with a cookie in the browser
• If it considers this cookie still valid, the login page is skipped entirely and the user is logged in
• Can be annoying if you have multiple accounts
• Firefox + Multi-Account Containers is really good for this
• An app can disable SSO for a login request if desired
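As an added example (not code from the talk) of the redirect flow on the "Authentication with OpenId Connect" slide, together with the per-request SSO opt-out mentioned on the Single Sign-On slide, here is the web app's side of the authorization code flow in Python. The app generates `state` and `nonce` and keeps them in the user's session, refuses the callback unless `state` matches, and checks the ID token's algorithm, signature, issuer, audience, nonce and expiry before trusting its claims. The tenant ID, client ID and redirect URI are hypothetical; the token endpoint is replaced by a constructed stand-in that mints a token with a placeholder signature, and the RS256 signature check against the tenant's JWKS is injected as a callback so the example runs offline. A real app must supply that check.

```python
"""Web app side of the Azure AD v2.0 authorization code flow (added example)."""
import base64
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scope: str,
                        force_login: bool = False) -> Tuple[str, Dict[str, str]]:
    """Return the URL to redirect the browser to, plus the per-request values
    (state, nonce) the app must keep in the user's server-side session."""
    pending = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,  # e.g. "openid profile offline_access"
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    if force_login:
        # prompt=login makes Azure AD ignore its session cookie and show the
        # login page again: the per-request SSO opt-out from the SSO slide.
        params["prompt"] = "login"
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", pending


def code_from_callback(callback_url: str, pending: Dict[str, str]) -> str:
    """Extract the authorization code, refusing the callback unless its state
    matches the one this session stored (login CSRF defence)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"Azure AD returned error {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise PermissionError("state mismatch: callback not bound to this session")
    return qs["code"][0]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token(id_token: str, tenant_id: str, client_id: str, pending: Dict[str, str],
                      verify_signature: Callable[[dict, bytes, bytes], bool],
                      now: Optional[float] = None) -> dict:
    """Check the ID token from the token endpoint and return its claims.
    verify_signature(header, signing_input, signature) must check the RS256
    signature against the tenant's JWKS; it is a parameter so this runs offline."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # Azure AD signs with RS256; never accept 'none' or HMAC
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(header, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(parts[1]))
    expected_iss = f"{AUTHORITY}/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {expected_iss!r}")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different application")
    if not secrets.compare_digest(str(claims.get("nonce", "")).encode(), pending["nonce"].encode()):
        raise ValueError("nonce mismatch: token not bound to this login request")
    if now >= claims.get("exp", 0):
        raise ValueError("token has expired")
    return claims


# --- constructed stand-ins for Azure AD so the flow can be run end to end ---
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # hypothetical
REDIRECT_URI = "https://app.example/signin-oidc"     # hypothetical


def _encode_segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def fake_token_endpoint(nonce: str, exp: float) -> str:
    """Mint a constructed ID token; the third segment is a placeholder signature."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "demo-key"}
    claims = {"iss": f"{AUTHORITY}/{TENANT_ID}/v2.0", "aud": CLIENT_ID, "nonce": nonce,
              "exp": exp, "oid": "user-object-id", "preferred_username": "alice@contoso.example"}
    return ".".join([_encode_segment(header), _encode_segment(claims),
                     _encode_segment({"sig": "placeholder"})])


def run_login(tamper_nonce: bool = False) -> dict:
    """Drive the flow once and return the validated claims."""
    _url, pending = build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, "openid profile")
    # Browser returns from Azure AD with a code and the state we sent.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'AQABAAAA-demo-code', 'state': pending['state']})}"
    code_from_callback(callback, pending)  # would be exchanged at /oauth2/v2.0/token
    nonce = "attacker-chosen" if tamper_nonce else pending["nonce"]
    id_token = fake_token_endpoint(nonce, exp=time.time() + 3600)
    return validate_id_token(id_token, TENANT_ID, CLIENT_ID, pending,
                             verify_signature=lambda *_: True)  # stand-in for the JWKS check
```

Two details matter here. The `state` and `nonce` values live in the server-side session, so the comparisons actually bind the callback and the token to the browser that started the login; a token that arrives with a different nonce is rejected even though every other claim is valid. And the audience check is what stops an ID token issued to some other application in the same tenant from being accepted by this one.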
Multi-Factor Authentication
• MFA is included with Premium licenses / O365
• O365 MFA only applies to O365
• MFA is free for Global Administrators
• Can require additional verification from users when they sign in
• Set per user
• Prevents unauthorized access when a password is compromised
• Enter a code sent via phone call / SMS, or from the Microsoft Authenticator mobile app
• Or click Approve on a notification sent to Microsoft Authenticator
• TOTP tokens (classic hardware tokens) were in preview as well at the time of this talk
Users
• User accounts can be created in many ways
• Azure Portal
• Office 365 Admin Portal
• PowerShell cmdlets
• MS Graph API
• Username uses one of the verified domain names
• @tenant.onmicrosoft.com by default
• Can require a password change on first login
B2B Collaboration features
• You can invite users from other AAD tenants as Guests into your AAD tenant
• + Personal MS accounts and Gmail accounts
• Their organization remains in control of their identity
• Or they themselves, if it is a personal account
• If they disable the user account, they lose access to your org too
• You control their access to your organization's resources
• Guests can be invited via e.g.:
• Azure Portal
• Teams
• Microsoft Graph API
• There are settings that allow you to restrict what guests can do
• E.g. whether they can see the whole user list (disabled by default)
On-prem AD Sync
• Azure AD Connect is installed on a domain-joined server
• Synchronizes e.g. users and groups to Azure AD
• Allows organization users to sign in to cloud services with the same account
• Various methods of setting up authentication:
• Federation via ADFS
• Password Hash Sync
• Pass-through Authentication
Groups
• Groups can contain
• Users
• Other groups
• Service principals (app identities)
• Assignment can be direct or dynamic
• Dynamic groups allow automated membership based on a rule
• Can assign groups to roles on apps
• The role is not inherited by nested groups though
Identity Protection
• Automated anomaly detection for user accounts
• Can configure automated responses if a sign-in is considered odd
• Require MFA
• Lock the account
• Reset password
• Notifies administrators of risk events
• Requires Premium P2 licenses
• More: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
Privileged Identity Management
• Users do not need high-level administrator privileges most of the time
• But sometimes they do need them for a while
• Users request a privileged role, an admin can approve or reject
• Can include why the role is needed and for how long
• Can also request roles on Azure resources
• The role is removed after the time period
• You can also allow certain roles to certain users without requiring admin approval
• Requires Premium P2 licenses for users using PIM
• More: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Application Registration
• Applications developed in your org can be registered
• Third-party apps can be added from the Gallery (e.g. Dropbox)
• They can then use AAD as their identity provider
• Single-tenant and multi-tenant apps
• Single-tenant = line of business apps
• Multi-tenant = SaaS apps
• Web apps / mobile apps / APIs / daemon services
• Require access to APIs
• E.g. read the user's calendar
• Some require administrator approval
• The new app registration experience was in public preview at the time of this talk
Application Access Control
• Apps can define roles
• Can be assigned to users (and groups if you have Basic licenses or higher)
• With group-based assignment, users can have multiple roles
• Apps that have an API can also define permissions they expose
• Delegated or application permissions
• Other applications can require these
• Control what other apps can do in the API
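Two of the slides above carry caveats worth working through in code: the Groups slide notes that an app role assigned to a group is not inherited by nested groups, and the Application Access Control slide distinguishes delegated from application permissions. The following added example (not code from the talk) covers both. The first part computes the `roles` an app role assignment actually yields for a user, using direct membership only, and audits which nested users will be missed; the second part is the check an API performs once the access token's signature, issuer and expiry have been validated, where delegated permissions granted to the client arrive in the `scp` claim (space-separated) and the `roles` claim holds either the signed-in user's app roles or, for an app-only token, the client's application permissions. The directory, the API identifiers and the claim sets are constructed and hypothetical.

```python
"""App role assignment through groups, and scp/roles enforcement in an API (added example)."""
from typing import Dict, List, Optional, Set

Directory = Dict[str, List[str]]   # group -> direct members (user or group names)
Assignments = Dict[str, str]       # principal (user or group) -> app role


def roles_claim(user: str, members: Directory, assignments: Assignments) -> List[str]:
    """Roles Azure AD emits for `user` on this app: direct assignments plus roles
    of groups the user is a *direct* member of. Nested membership is ignored."""
    return sorted({role for principal, role in assignments.items()
                   if principal == user or user in members.get(principal, [])})


def transitive_users(group: str, members: Directory, seen: Optional[Set[str]] = None) -> Set[str]:
    """Every user reachable through nesting: what people usually expect to get the role."""
    seen = set() if seen is None else seen
    users: Set[str] = set()
    for m in members.get(group, []):
        if m in members:                       # m is itself a group
            if m not in seen:
                seen.add(m)
                users |= transitive_users(m, members, seen)
        else:
            users.add(m)
    return users


def nesting_gaps(members: Directory, assignments: Assignments) -> Dict[str, Set[str]]:
    """Audit: per role, users nested under an assigned group who will NOT receive it.
    The fix is to assign the role to the nested group as well."""
    gaps: Dict[str, Set[str]] = {}
    for principal, role in assignments.items():
        if principal in members:               # group assignment; user assignments have no nesting
            missing = transitive_users(principal, members) - set(members[principal])
            if missing:
                gaps.setdefault(role, set()).update(missing)
    return gaps


# Constructed directory: alice is a direct member of grp-finance, bob only via a nested group.
MEMBERS: Directory = {"grp-finance": ["alice", "grp-finance-contractors"],
                      "grp-finance-contractors": ["bob"]}
ASSIGNMENTS: Assignments = {"grp-finance": "Approver", "dave": "Reader"}

# ---- API side: which permission model applies to an incoming access token ----
API_APP_ID_URI = "api://orders.contoso.example"            # hypothetical Application ID URI
API_CLIENT_ID = "99999999-8888-7777-6666-555555555555"     # hypothetical client id of the API
ACCEPTED_AUDIENCES = {API_APP_ID_URI, API_CLIENT_ID}       # `aud` is one of these depending on the request


class Forbidden(Exception):
    pass


def is_app_only(claims: Dict) -> bool:
    """A client-credentials token carries no `scp`: no user delegated anything."""
    return "scp" not in claims


def authorize(claims: Dict, delegated_scope: str, app_permission: str,
              user_role: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Allow the operation or raise Forbidden. Delegated calls need the client to hold
    `delegated_scope` and, for restricted operations, the user to hold `user_role`;
    app-only calls need the application permission. `aud` is checked first so a valid
    token minted for another API (Microsoft Graph, say) cannot be replayed here."""
    if claims.get("aud") not in ACCEPTED_AUDIENCES:
        raise Forbidden("token was not issued for this API")
    client = claims.get("azp") or claims.get("appid")      # v2.0 vs v1.0 claim name
    roles = set(claims.get("roles", []))
    if is_app_only(claims):
        if app_permission not in roles:
            raise Forbidden(f"application {client} lacks {app_permission}")
        return {"user": None, "client": client}
    if delegated_scope not in set(claims.get("scp", "").split()):
        raise Forbidden(f"client {client} was not granted scope {delegated_scope}")
    if user_role and user_role not in roles:
        raise Forbidden(f"user {claims.get('oid')} lacks app role {user_role}")
    return {"user": claims.get("oid"), "client": client}


def can(claims: Dict, delegated_scope: str, app_permission: str, user_role: Optional[str] = None) -> bool:
    try:
        authorize(claims, delegated_scope, app_permission, user_role)
        return True
    except Forbidden:
        return False


# Constructed, already signature-validated claim sets.
USER_READER = {"aud": API_APP_ID_URI, "oid": "user-1", "azp": "spa-client", "scp": "Orders.Read"}
USER_APPROVER = {"aud": API_APP_ID_URI, "oid": "user-2", "azp": "spa-client",
                 "scp": "Orders.Read Orders.Write", "roles": ["Orders.Approver"]}
DAEMON = {"aud": API_CLIENT_ID, "azp": "nightly-job", "roles": ["Orders.ReadWrite.All"]}
GRAPH_TOKEN = {"aud": "https://graph.microsoft.com", "oid": "user-1", "scp": "User.Read"}
```

With the constructed directory, `roles_claim("alice", ...)` yields `["Approver"]` while bob, who is only in the nested contractors group, gets nothing; `nesting_gaps` reports exactly that so the assignment can be repeated on the nested group. On the API side the common mistakes are checking only `roles`, which would let an approver act through any client, including one the admin only consented to read with, and skipping the `aud` check, which lets a token obtained for a different API be replayed.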
Azure Active Directory B2C
• A more general identity provider than standard AAD
• Built for consumer-facing applications
• Can be used for enterprise scenarios as well
• Hyper-customizable thanks to the custom policy capability
• The login pages can be customized greatly, and localization can also be done
Pricing
• Based on # of stored users and # of authentications per month
• 50,000 users + 50,000 authentications free
• Authentication means token issuance
• So every time you get a new authentication token for a user
• Set access token lifetimes long to save costs (weighing the saving against the longer time a leaked token stays usable)
• Read more: https://azure.microsoft.com/en-us/pricing/details/active-directory-b2c/
Key Features
• Local accounts
• Social account federation
• User flows
• Custom policies for advanced scenarios
• Multi-factor authentication
• UI customization
Local accounts
• Can choose to allow users to create accounts with username/email + password
• These accounts are created locally in B2C
• Yet another password for the user to manage
• Can be used if you are migrating to B2C or if you do not want to federate to other identity providers
Social Account Federation
• Many providers available out of the box
• Facebook
• Twitter
• Google
• …
• The user can click the provider button on the login page and sign in with their existing account
• No need to create another password
• Up to you which ones you enable
• A custom OpenId Connect provider allows you to add any identity provider that supports the protocol
Built-in user flows
• Your app always sends the user to authenticate via a user flow
• Previously known as policies
• You can have many of these
• Different types, e.g. sign-up / sign-in / edit profile / password reset
• Choose which identity providers are available
• MFA can be required
• What data is collected on sign-up
• What data is sent in the token back to apps
• Custom page layouts and custom languages are available too
UI Customization
• B2C allows full customization of the login UI
• Unlike regular AAD, which only allows limited branding
• Can bring the product / company brand out more
• You can also localize the UI for any languages you need
• Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-overview
Custom policies
• Custom user flows
• Created using the Identity Experience Framework
• Learning curve is steep
• Process customized via XML files
• Use almost any identity provider
• Validate user data in your back-end
• On-boarding flows
Multi-factor authentication
• Actually two-step verification with SMS or phone call
• Charged 0.0253 € / authentication
• Enable on the user flows where you want MFA to apply
• You can have one user flow without MFA and one with MFA, to apply MFA only in sensitive sections
• You can also have apps without MFA and apps that require MFA
• There is no "Remember this device" checkbox in the standard MFA
• So every time you redirect the user to authenticate, it will cost you
• Keep session lifetimes in your app high and use the refresh token if you need new access tokens
Usage Scenarios
• Azure AD is mainly for enterprise scenarios
• You are building a line of business app for your org
• Or a SaaS app that any org with O365 should be able to use
• Or you need to be able to access e.g. the Microsoft Graph API for the organization
• Azure AD B2C is mainly for consumer scenarios
• Any app where anyone should be able to create an account
• Custom policies in B2C make it viable for many more scenarios
• E.g. use any identity provider
• Learning curve is very steep though
• B2C login page can be customized greatly, whereas AAD offers very limited options
Demos
Summary
• Azure AD is the central identity management system for the Microsoft ecosystem
• Applications can use it as their identity provider
• Rich features for identity and access management
• Azure AD B2C offers a solution more for consumer-facing applications
• More generic identity provider
• Local accounts, social accounts, custom identity providers