presentation title goes here - microsoft azuremsservicesday.azurewebsites.net/content...the process...
Post on 09-Aug-2020
TRANSCRIPT
LOA II, III, IV
Core Capabilities + Advanced Capabilities
• Policies
• Social and local accounts
• Seamless user experience
• Multifactor authentication
• OAuth2/OpenID Connect support
http://aka.ms/aadsamples
• Azure AD Graph API support
• Customizable user journeys
• Bring-your-own identity provider
• Enhanced privacy options
• Bring-your-own multifactor authentication
• Protocol conversion
• Attribute providers and verifiers
Azure AD B2C is provisioned by creating a new Azure Active Directory and enabling it for B2C
The process of configuring Azure AD B2C consists of the following four tasks:
1. Configure identity providers the application will leverage
2. Configure attributes the application will use
3. Configure policies for sign up, sign in, profile edit, etc.
4. Integrate the application with B2C using OIDC
We will discuss these tasks in more detail in the following slides.
NOTE: It is possible to test most of the Azure AD B2C configuration before the applications are integrated by using the Run Now button on each policy.
Azure AD B2C supports local and social accounts:
• Local accounts
• Social accounts
Users can choose which type of account they want to use during sign up and sign in.
Azure AD B2C makes available a number of default attributes (see table at right)
Additional custom attributes can be created
Users will be prompted to provide attributes during sign up
Defines
Domain-specific language designed for B2C
Policies describe how users will interact with the various Azure AD B2C capabilities
There are five types of policies that can be defined
You can define multiple policies of each type, and apps can share policies
Policies are specified in the query string of the Azure AD B2C URL
Types of policies
Policies can be invoked by multiple relying parties
Base policies set standards that may or may not be overridden
Unlimited policy depth, but generally three levels is enough
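The layering described above (a base policy whose settings a derived policy may or may not override, to an arbitrary depth) can be shown with a small resolver. This is an added example, not code from the slides or from Azure AD B2C; the policy names, the settings and the "locked" marker are a constructed illustration of the idea.

```python
# Added example (not from the slide deck): resolving the effective settings of a
# chain of base policies. POLICIES is a constructed sample; "locked" marks the
# settings a base policy does not allow a derived policy to override.
POLICIES = {
    "base":       {"base": None,         "settings": {"mfa": "off", "idps": ["local"]}, "locked": {"idps"}},
    "extensions": {"base": "base",       "settings": {"mfa": "on"},                     "locked": set()},
    "signup":     {"base": "extensions", "settings": {"page": "signup.html"},           "locked": set()},
}

def resolve(name, policies=POLICIES, max_depth=10):
    """Walk the base chain root-first and apply each layer's overrides.
    A setting locked by an ancestor is rejected; cyclic or runaway chains are refused
    even though the model itself allows unlimited depth."""
    chain, seen = [], set()
    while name is not None:
        if name in seen or len(chain) >= max_depth:
            raise ValueError("policy chain too deep or cyclic at %r" % name)
        seen.add(name)
        chain.append(policies[name])
        name = chain[-1]["base"]
    effective, locked = {}, set()
    for layer in reversed(chain):          # root base first, most derived last
        for key, value in layer["settings"].items():
            if key in locked:
                raise ValueError("setting %r is locked by a base policy" % key)
            effective[key] = value
        locked |= layer["locked"]
    return effective

if __name__ == "__main__":
    print(resolve("signup"))   # three levels: base -> extensions -> signup
```

The three-level chain in the sample mirrors the "generally three levels is enough" remark; the depth guard exists only so that a misconfigured chain fails loudly instead of looping.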
Community of interest
Figure: two relying parties (Contoso App #1 and Contoso App #2) share three policies, P1 (SU, sign up), P2 (SI, sign in) and P3 (PE, profile edit). App #1 performs sign up, sign in, profile edit and sign out; App #2 performs sign up and sign in. Each request selects its policy with the p query parameter:
Req1: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/auth?<std qp>&p=p1
Req2: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/auth?<std qp>&p=p3
Req3: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/logout?<std qp>&p=p2
Req4: https://login.microsoftonline.com/v2/contosob2c.onmicrosoft.com/oauth2/auth?<std qp>&p=p2
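The Req1 to Req4 URLs above select a policy purely through the p query parameter, so a relying party has two things to get right: build the request with the policy it intends, and afterwards check that the token it receives was issued by that same policy. The following is an added example, not code from the slides or from Microsoft; the tenant name, the per-app policy allow-list and the claim names are assumptions (B2C's documented tfp claim carries the policy name; older tokens used acr), and `<std qp>` is expanded into ordinary OpenID Connect parameters.

```python
# Added example (not from the slide deck): building and checking Azure AD B2C
# request URLs that select a policy with the "p" query parameter.
from urllib.parse import urlencode, urlsplit, parse_qs

B2C_BASE = "https://login.microsoftonline.com/v2/{tenant}/oauth2/{endpoint}"

# Constructed sample: the policies each relying party is allowed to invoke.
# Several apps may share the same policies, as in the diagram above.
APP_POLICIES = {
    "contoso-app-1": {"p1", "p2", "p3"},   # sign up, sign in, profile edit
    "contoso-app-2": {"p1", "p2"},         # sign up, sign in only
}

def build_b2c_url(tenant, policy, client_id, redirect_uri, state, nonce, endpoint="auth"):
    """Return the auth (or logout) URL with the policy name in the query string."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,        # anti-CSRF value the app generated for this request
        "nonce": nonce,        # bound into the id_token to stop replay
        "p": policy,
    }
    return B2C_BASE.format(tenant=tenant, endpoint=endpoint) + "?" + urlencode(params)

def policy_from_url(url):
    """Extract the policy a request URL selects; exactly one p value is expected."""
    values = parse_qs(urlsplit(url).query).get("p", [])
    if len(values) != 1:
        raise ValueError("expected exactly one p parameter")
    return values[0]

def is_policy_allowed(app, policy):
    """True when the app is permitted to invoke this policy."""
    return policy in APP_POLICIES.get(app, set())

def token_matches_policy(requested_policy, id_token_claims):
    """Accept an id_token only if the policy it names is the one the app requested.
    Assumption: the policy name is in the tfp claim, or acr in older tokens;
    B2C policy names compare case-insensitively."""
    claimed = id_token_claims.get("tfp") or id_token_claims.get("acr")
    return claimed is not None and claimed.lower() == requested_policy.lower()
```

The last check is the one most often skipped: an app that requested its sign-in policy should not accept a token minted by a different policy just because the issuer is the same tenant.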
Policy settings:
• Identity provider settings
• Sign-up attribute settings
• Profile attribute settings
• Application claim settings
• Token, session, and SSO settings
• Multifactor authentication settings
• Page UI customization
Which settings apply to which of the five policy types (sign up, sign in, sign up or sign in, profile editing, password reset):
Identity provider settings | all five policy types
Sign-up attribute settings | two policy types
Profile attribute settings | one policy type (profile editing)
Application claim settings | all five policy types
Token, session, and SSO settings | four policy types
Multifactor authentication settings | four policy types
Page UI customization setting | all five policy types
Several customizations to the user interface can be made using the web-based administrative interface:
For more advanced customization, a custom page can be specified for each page applicable to a policy
The following pages can be customized for each policy type:
NOTE: Each policy can have its own custom page version
Page | Policy types for which it can be customized (sign-up, sign-in, sign-up/sign-in, profile editing, password reset)
Identity provider selection page | three of the five policy types
Unified sign-up or sign-in page | sign-up/sign-in policy
Local account sign-up page | two policy types
Social account sign-up page | two policy types
Multifactor authentication page | four policy types
Profile editing page | profile editing policy
Forgot password page | password reset policy
Error page | all five policy types
The custom page files have specific requirements
When a user accesses a customized page for a given policy, the following occurs:
NOTE: CORS must be enabled on the server hosting the custom page or, for security reasons, the browser will refuse to load the page
CORS is a browser security feature designed to control JavaScript access to web servers in domains different from the one serving the main page
Azure AD B2C uses CORS’s simplest mode:
Bottom line: the server hosting Azure AD B2C custom pages must support CORS and must allow GET requests to the custom pages from https://login.microsoftonline.com.
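The "bottom line" above can be met with a very narrow CORS policy: only the B2C login origin, only GET. The following is an added example, not code from the slides or a Microsoft sample; it assumes the custom page files sit in the working directory and are served on a constructed local port, and it reflects the origin only when it is on the allow-list instead of answering `*`.

```python
# Added example (not from the slide deck): serving B2C custom page files with CORS
# limited to the login origin and to GET, the only access B2C needs.
from http.server import SimpleHTTPRequestHandler, HTTPServer

# The only origin that has to fetch the custom pages is the B2C login page.
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}

def cors_headers(origin, method):
    """Return the CORS response headers for a request from `origin`, or an empty
    dict when the request should get no CORS grant at all."""
    if origin not in ALLOWED_ORIGINS or method.upper() != "GET":
        return {}
    return {
        "Access-Control-Allow-Origin": origin,   # echo the allowed origin, never "*"
        "Vary": "Origin",                         # caches must not reuse across origins
    }

class CustomPageHandler(SimpleHTTPRequestHandler):
    """Static file handler that adds the CORS headers computed above."""
    def end_headers(self):
        for name, value in cors_headers(self.headers.get("Origin", ""), self.command).items():
            self.send_header(name, value)
        super().end_headers()

if __name__ == "__main__":
    # Constructed local address for trying the handler out.
    HTTPServer(("127.0.0.1", 8080), CustomPageHandler).serve_forever()
```

Because B2C only issues a simple GET, no preflight handling is needed; a request from any other origin still receives the file but without an Access-Control-Allow-Origin header, so the browser will not expose it to that page's script.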
The local account sign-in page (not the sign-up and sign-in page) is shared with non-B2C Azure AD and therefore cannot be modified as described above.
Rather, this page can be branded using the Azure AD branding tools.
New customization capabilities may be coming in the future
Multifactor authentication (MFA) is phone-based, sending a code to the phone through text or voice call.
The code must be entered as a second step during the login process.
To help make sure MFA is enabled, set up MFA on the sign-up policy.
MFA can be enabled or disabled on a policy-by-policy basis
Azure AD B2C MFA uses the same infrastructure as Azure MFA, but with fewer configuration options
Social accounts can have MFA as easily as local accounts, thus adding additional security for social accounts when it is needed
It is possible to preregister MFA, but with some caveats and limitations:
Self-service password reset always uses the verified email address
If MFA is configured, an MFA check is also performed after email verification and before the password reset.
The password reset page can be customized like other pages.
Azure AD password complexity requirements apply to all passwords.
Azure AD B2C is designed for consumer- and citizen-facing mobile and web apps
Business to Employee | Business to Consumer | Business to Business
Service-to-service
Consider this product... | Azure AD multitenant software as a service (SaaS) app | Azure AD B2B collaboration | Azure AD B2C
If I need to provide... | a service to businesses | partner access to my apps | a service to consumers
And I am similar to... | Pharma distributor | Imaging company | Sports franchise
Deploying an app for... | Practice management | Supplier extranet | Soccer fans
Targeting... | Doctors’ offices | Approved business partners | Anyone with
Accessible when... | Customer admin consents | My admin invites | The consumer signs up
| A service to businesses | Partner access to my applications | Service to consumers
Example | Company A provides services such as a payroll or analytics application but needs their customers to manage their own Azure AD identities. Customers manage access to apps. | Company A has created an application in Azure AD and would like to grant Company B (partners) SSO to access the application. Company A manages access to apps. | Company A has created an application they want consumers to access. Consumers can self-provision access to apps.
Customers log in with | Work or school accounts | Work or school accounts | Social IDP or local account
Access granted when | Customer admin accepts consent model | Company A admin sends an invite | Consumer signs up
I should use | Azure AD multi-tenant app | Azure AD B2B collaboration | Azure AD B2C
RESTful interface to Microsoft Azure AD
Requests use standard HTTP methods
OAuth 2.0 for access authorization, role-based assignment for app and user authorization
It’s the same graph whether it’s being used to manage employees or consumers.
Reading
• Implement people or group picker—
list/search users/groups
• Make authorization decisions
• Returning audit reports
Writing
• Updating user attributes
• Setting user password
• Provisioning/deprovisioning users
Add user as emailAddress
POST - https://graph.windows.net/<insert>.onmicrosoft.com/users?api-version=beta
{
"alternativeSignInNamesInfo": [
{ "type": "emailAddress",
"value": "" }
],
"displayName": "David Tester 1",
"passwordProfile": { "password": "Test1234", "forceChangePasswordNextLogin": false },
"passwordPolicies": "DisablePasswordExpiration",
"accountEnabled": true,
"creationType": "NameCoexistence"
}
Add user as userName
POST - https://graph.windows.net/<insert>.onmicrosoft.com/users?api-version=beta
{
"alternativeSignInNamesInfo": [
{ "type": "userName",
"value": "DavidTest" }
],
"displayName": "David Tester",
"passwordProfile": { "password": "Test1234", "forceChangePasswordNextLogin": false },
"passwordPolicies": "DisablePasswordExpiration",
"accountEnabled": true,
"creationType": "NameCoexistence"
}
Get user by Logon ID
GET - https://graph.windows.net/<insert>.onmicrosoft.com/users?$filter=alternativeSignInNamesInfo/any(x:x/value eq 'David')&api-version=beta
Get Audit Events
GET - Audit data
https://graph.windows.net/<insert>.onmicrosoft.com/reports/auditEvents?api-version=beta
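The create-user bodies and the $filter lookup shown above are easy to assemble by hand and just as easy to get subtly wrong: a sign-in type that is not one of the two supported values, an empty sign-in value, or a user-supplied value pasted into the OData filter without quoting. This added example (not code from the slides or from Microsoft) builds those three requests from the fields the slides use; the tenant name, display names and password are constructed sample values, and acquiring the OAuth 2.0 bearer token that authorizes the calls is out of scope.

```python
# Added example (not from the slide deck): assembling the Azure AD Graph requests
# used above for B2C local accounts, with input validation and OData quoting.
from urllib.parse import quote

GRAPH = "https://graph.windows.net"
SIGN_IN_TYPES = {"emailAddress", "userName"}     # the two types the slides use

def graph_url(tenant, path, query=None, api_version="beta"):
    """Assemble https://graph.windows.net/<tenant>/<path>?...&api-version=<v>."""
    parts = [] if query is None else [query]
    parts.append("api-version=" + api_version)
    return "{}/{}/{}?{}".format(GRAPH, tenant, path.strip("/"), "&".join(parts))

def local_account_body(sign_in_type, sign_in_value, display_name, password,
                       force_change=False):
    """Body for POST /users creating a local account, matching the two slides above."""
    if sign_in_type not in SIGN_IN_TYPES:
        raise ValueError("sign-in type must be one of %s" % sorted(SIGN_IN_TYPES))
    if not sign_in_value:
        raise ValueError("sign-in value must not be empty")
    return {
        "alternativeSignInNamesInfo": [{"type": sign_in_type, "value": sign_in_value}],
        "displayName": display_name,
        "passwordProfile": {"password": password,
                            "forceChangePasswordNextLogin": force_change},
        "passwordPolicies": "DisablePasswordExpiration",
        "accountEnabled": True,
        "creationType": "NameCoexistence",
    }

def odata_literal(value):
    """Quote a string for an OData $filter. A single quote inside the value is
    escaped by doubling it, so a caller-supplied value cannot end the literal early."""
    return "'" + value.replace("'", "''") + "'"

def user_lookup_url(tenant, sign_in_value):
    """GET /users?$filter=alternativeSignInNamesInfo/any(x:x/value eq '<value>')."""
    flt = "alternativeSignInNamesInfo/any(x:x/value eq {})".format(odata_literal(sign_in_value))
    return graph_url(tenant, "users", "$filter=" + quote(flt, safe="/:()'"))

def audit_events_url(tenant):
    """GET /reports/auditEvents, the audit query shown above."""
    return graph_url(tenant, "reports/auditEvents")

if __name__ == "__main__":
    tenant = "contosob2c.onmicrosoft.com"        # constructed sample tenant
    print(graph_url(tenant, "users"))
    print(local_account_body("userName", "DavidTest", "David Tester", "Test1234"))
    print(user_lookup_url(tenant, "David"))
    print(audit_events_url(tenant))
```

The same `odata_literal` quoting applies to any filter value that originates from a form or an API caller; the lookup by sign-in name is the request most likely to receive such a value.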
Initial state | Approach | Implication
Custom store: user ID/password in LDAP store or membership database | 1. Transition using dual-write and force password change on the existing system controlling the SSPR page. 2. Transition using Graph batch update (requires either the password or a password reset with user notification). | A dual-write approach would be used as a coexistence strategy and would require custom password and sign-up management. This scenario doesn’t support social identities. SSPR available after full transition.
Social providers (Facebook, Google, Amazon or LinkedIn as an IDP) | Transition by requiring new sign up | Existing “application” would require modification. Features such as acquiring access tokens for other purposes may not be available.
COTS or OSS | Product-specific and may require custom sign up and user input | A WordPress plugin, for example, may require some back-end database association with the new identity and the standard setup procedures, or move to Azure and utilize Easy Auth.
Apps
Analytics
CRM and Marketing Automation
Business
Social IDs
Business & Government IDs
contoso
Customers
Azure AD B2C
Securely authenticate customers with their preferred identity provider
Provide branded registration and login experiences
Capture login, preference, and conversion data for customers
Built-in Policy
Ready-to-go templates for Sign-up, Sign-in, Edit Profile, Reset Password.
Reach any user. Existing social account or create a local account.
Pixel-perfect control. Your brand, your HTML and CSS.
Social accounts
Custom attributes
Customize with HTML and CSS
Multifactor authentication
Build apps quickly using built-in templates
User journeys
Open standards
Optimize conversion
Conditional branching
User migration
Connect with REST
Build complex apps with custom policy
Custom Policy
Tailor every step of the user journey
Integrate with existing infrastructure
Connect to or migrate from your existing user stores