Exploring Azure Active Directory B2C

Exploring Azure Active Directory B2C


In this module, we’re going to talk about
the Azure Active Directory that’s specifically B to C. So we have different modules that
are kind of evolving in our Azure Active Directory scope to allow us to basically extend Azure
Active Directory to other identity providers. Think about a federated-type model; that’s
really what we’re after here. But it kind of goes beyond that, it kind of helps users
to basically connect other types of identity providers in such a way that we’re also
still able to semi-kind of manage or allow those users to be managed inside of an application
inside Azure Active Directory. So if we took a look at what we traditionally have, typically
what we have with Azure Active Directory is that it’s a directory of names, right, so
we would have our users defined in here for an application let’s say, and over here
is our app, right. This app is going to use this, it’s going to prompt the user for
credentials when they log into the application and everything works fine. Now what happens
is people are saying well, we don’t necessarily just need to use all these, let’s say these
are like our corp users; maybe we also want to use people from like Facebook. In this
case, now how do we connect to Facebook users, right? We could augment our application over
here to support Facebook, right, but that’s kind of messy right because now every time
we want to do a provider, if we want to do Google, now we have to add those guys on there,
right. Each time we’re having to extend our application in order to support this,
and the idea was, can we come up with a way that makes it easier for people to do that?
So it looks like maybe they are hitting Azure active directory and basically we can prompt
them for the credentials for whatever we need here, what other identity providers, and maybe
there’s more coming out in the future that we want to go ahead and extend this out to.
And so that’s kind of the model between these kind of things, what’s actually happening
behind the scenes is when we provisioned a user that’s in let’s say Facebook into
our application – we’ll get through our configuration and I’ll show you that in
a second – but once we do the configuration, these guys actually were basically storing
a little like, you can think of it as like the little placeholder over here, right, to
that user. It’s not their credentials or any of that kind of stuff, it’s just like
when someone hits this and says hey I want to authenticate, it says oh, that’s a Facebook
one so go ahead and authenticate him via Facebook. It will do that Facebook authentication and
let them log into the application. And this little thing here, we can also tie RBAC to,
which is really nice, so like if we had in our application things that says you know,
user A can do this and user B can do this but maybe they’re using two different identity
providers. Well that would be kind of messy if we had to put all that in our code, so
the idea here is to kind of decouple that a little bit and allow people to use different
identity providers, but use the same kind of model behind the scenes when you’re building
your application so that you can kind of wire those things together.
And I want to show you in the portal what this actually looks like, because it’s a
little bit of a back and forth here, so when we come in to the portal – and actually
you’ll see that I’m in the old portal here, let’s just pop up to the root here
– so I’m at you see manage.windowsazure.com is the old portal – and so in this case
when we come in here this is the only way we can manage the Active Directory currently,
our Azure Active Directory. Once this thing loads, we’ll actually see that when we go
into our Active Directory we can provision it out. While it’s loading I’m going to
show you some of the screen to provision this, because it’s a little bit – you have to
enable this feature when you’re provisioning. So if you come in here under App Services
and under Active Directory, then under directory which hasn’t loaded because I’m still
waiting for the module to load, it is loaded now, okay so there it is. So if we pop back
over here you can see directory – actually let me scroll down here – you see active
directory, and then we go under directory, and then we go under directory, and what we
want to do is a custom create; you see we can go ahead and specify a name, whatever
we want our provision to be. It seems there’s a little check box down here at the bottom,
so B2C directory, this gets enabled at provisioning time, so you want to think about that whenever
you’re provisioning your Azure active directory, whether you want this directory for your application
to use external identity providers. So in this case if we check that box and I already
have one pre-provisioned so we don’t have to wait for that process – we can actually
go in here, you’ll see it looks slightly different. So here’s a typical just Azure
Active Directory one, you’ll notice we have all the features in here for when we want
to hook it up to an on premises domain. We have our AD features here, but when you have
one that has B2C, you’ll notice that we also have this B2C settings option here that’s
provisioned. So when you click on that, you actually get directed to the new portal, so
the management is being ported over to the new portal for Azure Active Directory, and
you can see here’s where the settings and you’ll notice also – I just want to call
this out, because it’s important that this guy is still in preview form, so this is something
probably not for production workloads, but something you should be looking at. So here’s
our domain that we actually provision, here’s our identity providers that we want to hook
up to this thing; we can pick what kind of identifiers that we want to use and when we
hit add here, this is where we can actually select from the ones that we have supported
right now in the preview which is Google, Facebook, LinkedIn, Amazon… so you can select
each one of these – let’s just say it’s Facebook for arguments sake – and then when
we come in here again, we would basically have our client ID secret that we’re going
to put in there along with the identifier for the application that this is going to
target, so it’s something you would build in Azure active directory, abstract from the
identity provider. Once we have that guy wired up, you can see – let me just cancel out
of some of this, but you can see back here we actually do have some sort of management
policies here, right, so we can do password reset for these guys like force them to do
things. We can’t do specifically to set like their password complexity right now,
that’s a feature I’ve heard a lot from people to say like, you know, could we control
password complexity rules for someone who’s using Facebook for instance? That’s not
there right now but what we can do is what’s listed here in the portal, and so you want
to take a look at those because especially if you’re in a line of business type application
and maybe you want to expose this, you want to be aware of the different policies that
can be applied to those kind of things around how they sign up as well as when they kind
of reset, those are some of the things that we can trigger right now and again this is
in preview form, so it’s not totally complete yet, but this is where we’re going with
the actual B2C and being able to connect these external providers to Azure Active Directory.
And so that concludes the module on Azure Active Directory B2C.

Daniel Ostrander

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *