Azure AD B2C explained: What we’ve learned so far

Azure Active Directory B2C has been advertised as a potential game changer for business to consumer organisations. Built on Microsoft’s leading cloud identity platform, Azure AD, businesses can improve consumer connections whilst offering enterprise-grade security for their identities. With improving the customer experience and data protection competing for primacy in most organisations, it’s clearly an attractive proposition.


I was lucky enough to attend the B2C Airlift in Amsterdam with a small contingent of OCG colleagues. With Microsoft gurus José Rojas and Brandon Murdoch, we were trained on how to customise and configure the service, and briefed on some of Microsoft’s plans for the future…

Examples of how Azure AD B2C could benefit your business

Picture a large retail company which has grown through acquisition. Let’s call it Alta Crystal Insurance. The business currently provides services to its customers via a number of different web portals that sit on different domains. As a result, it’s going to be interested in:

  • A single sign-on for each customer, so they don’t have to log into multiple websites to transact business with the company
  • Single sign-off for enhanced security
  • A unified and branded sign-in experience
  • A unified ‘forgotten my password’ experience
  • An industry-standard level of security for the login process
  • MFA (multi-factor authentication) for higher-level authentication
  • Social login (BYOID – bring your own identity)
  • A massively scalable and available user database

Authentication requirements

A number of apps can be configured to talk to B2C for authentication with little effort; for those that can’t, there are libraries for mainstream languages such as C# and JavaScript. Once integrated, the app redirects the user to B2C whenever they want to log in. When B2C has finished authenticating the user, it returns a set of ‘claims’ in a format the application can understand. During the login process, B2C can do any of the following:

  • Authenticate via a standard user name/password combination, via social identity providers (Facebook, Google, etc.), or via a custom identity provider
  • Verify the user’s identity via ‘attribute validators’
  • Add additional information about the user via ‘attribute providers’
  • Force the user to use multi-factor authentication (MFA).
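The redirect-and-claims flow above is only as safe as the checks the application makes on the claims it gets back. The following Python is an added example (not code from the original post, from OCG or from Microsoft) of the claims checks an application should perform on a B2C ID token after its signature has been verified against the tenant’s published signing keys: issuer, audience, the policy that issued the token (B2C carries this in the `tfp` or `acr` claim), the nonce tied to the login request, and the validity window. The issuer URL, client ID and policy name are placeholders, and the demo token is a constructed, unsigned JWT used purely so the checks can be exercised offline.

```python
import base64
import json
import time

# Placeholders standing in for one B2C tenant and app registration. The real
# values come from the tenant's OpenID Connect metadata and the app registration.
EXPECTED_ISSUER = "https://login.example-b2c-tenant.invalid/TENANT-ID-PLACEHOLDER/v2.0/"
EXPECTED_AUDIENCE = "APP-CLIENT-ID-PLACEHOLDER"
EXPECTED_POLICY = "B2C_1_signup_signin"   # the policy named in the authorize request


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode with the padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_demo_token(payload: dict) -> str:
    """Build an UNSIGNED compact JWT (alg=none) for demonstration only. A real
    B2C token is RS256-signed; this constructed input just exercises the checks."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


def read_claims(id_token: str) -> dict:
    """Extract the payload of a compact JWT. This does NOT verify the signature:
    verification against the tenant's JWKS must happen (with a JWT library)
    before any claim returned here is trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_b2c_claims(claims: dict, expected_nonce: str, now: float = None) -> list:
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")

    # aud is usually a string but may be a list; the app's own client ID must be present.
    aud = claims.get("aud")
    aud_ok = EXPECTED_AUDIENCE in aud if isinstance(aud, list) else aud == EXPECTED_AUDIENCE
    if not aud_ok:
        problems.append("audience mismatch")

    # A token from a different policy (e.g. password reset) must not be accepted as a login.
    policy = claims.get("tfp") or claims.get("acr")
    if not isinstance(policy, str) or policy.casefold() != EXPECTED_POLICY.casefold():
        problems.append("token issued by unexpected policy")

    # The nonce binds this token to the authorize request the app actually sent.
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        problems.append("token not yet valid")

    return problems


if __name__ == "__main__":
    now = 1_700_000_000
    demo = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "tfp": EXPECTED_POLICY,
            "nonce": "n1", "exp": now + 600, "nbf": now - 60, "sub": "constructed-user-id"}
    print(validate_b2c_claims(read_claims(make_demo_token(demo)), "n1", now=now))
```

The policy check is the one most often forgotten: every B2C policy in a tenant issues tokens from the same issuer, so an app that only checks `iss` and `aud` would accept a token minted by a policy it never intended to trust.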

The portal

The Azure portal gives IT administrators a place to manage all of the B2C settings, including setting up applications to be able to interact with B2C, determining the policies in use and the customisations for each policy.

The user experience

Web pages, which B2C presents to the user, can be customised according to your own organisation’s branding. Customisation can include JavaScript – although, at the time of writing, it will need to be whitelisted by Microsoft.

The custom HTML is served by a web server of your choice, so you can essentially produce the equivalent of any normal page on your site with dynamic content. During the Amsterdam training I produced a fairly simple ‘sign up or sign in’ page for the fictional business Alta Crystal Insurance – with additional social IDP login buttons as you can see below (in this case, everything below the banner is inserted into the page by B2C):
Emails and text produced by the B2C user journey (for example, during multi-factor authentication) can also be branded for your organisation.

Extending the service

You can extend B2C by plugging in various components, for example:

  • Attribute validators

You can develop these services to check whether attributes provided by the user are valid – and you can configure the policies to make a call to your service to check. So, for example, a user can provide their insurance policy number as part of sign-up and you can prevent the user from continuing if this number does not match what you know.

  • IDPs (Identity Providers)

Besides being able to plug in ‘social’ IDPs such as Facebook and Google, you can also write your own IDP to authenticate the user in the way that you want.

  • Attribute providers

These work in a similar way to attribute validators, but they provide information about the user based on other information – for example, you could provide the user’s loyalty card points having been provided with their email address.
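The attribute validator and attribute provider described in this section are both just HTTP endpoints that B2C calls with the user’s attributes and that answer with either a go/no-go or extra claims. The Python below is an added example (not code from the original post or from Microsoft) of the request-handling logic for both, using the post’s own scenario: a validator that rejects sign-up when the policy number does not match the record held for that email address, and a provider that returns loyalty points for an email address. The endpoint paths, the request field names (`email`, `policyNumber`), the response contract (HTTP 200 to continue, HTTP 409 with a `userMessage` to block) and the customer records are all assumptions constructed for the example.

```python
import hmac
import json
import re

# Constructed records standing in for Alta Crystal Insurance's back-end systems.
POLICIES_BY_EMAIL = {
    "alice@example.com": "ACI-100200",
    "bob@example.com": "ACI-300400",
}
LOYALTY_POINTS = {"alice@example.com": 1250, "bob@example.com": 0}

# Assumed policy-number format; reject obviously malformed input before any lookup.
POLICY_NUMBER_RE = re.compile(r"^ACI-\d{6}$")


def _error(message: str, status: int = 409) -> dict:
    """Assumed error contract: the userMessage is shown to the user on the B2C page."""
    return {"version": "1.0.0", "status": status, "userMessage": message}


def validate_policy_number(body: dict) -> tuple:
    """Attribute-validator logic. Returns (http_status, response_body):
    200 lets sign-up continue, 409 stops it with a message."""
    email = (body.get("email") or "").strip().lower()
    policy = (body.get("policyNumber") or "").strip().upper()
    if not POLICY_NUMBER_RE.match(policy):
        return 409, _error("Please enter a policy number in the form ACI-123456.")
    expected = POLICIES_BY_EMAIL.get(email, "")
    # Constant-time comparison, and one message for both 'unknown email' and
    # 'wrong number' so the endpoint does not confirm which emails hold policies.
    if not expected or not hmac.compare_digest(expected, policy):
        return 409, _error("We could not match that policy number to your details.")
    return 200, {"version": "1.0.0", "status": 200}


def provide_loyalty_points(body: dict) -> tuple:
    """Attribute-provider logic: add a loyaltyPoints claim when the email is known.
    An unknown email is not an error; the journey continues without the claim."""
    email = (body.get("email") or "").strip().lower()
    points = LOYALTY_POINTS.get(email)
    response = {"version": "1.0.0", "status": 200}
    if points is not None:
        response["loyaltyPoints"] = points
    return 200, response


def handle_request(path: str, raw_body: str) -> tuple:
    """Dispatch one request from B2C. Malformed JSON is rejected rather than
    being treated as an empty set of attributes."""
    try:
        body = json.loads(raw_body)
        if not isinstance(body, dict):
            raise ValueError("body must be a JSON object")
    except ValueError:
        return 400, _error("Malformed request body.", 400)
    if path == "/validate/policy-number":
        return validate_policy_number(body)
    if path == "/provide/loyalty-points":
        return provide_loyalty_points(body)
    return 404, _error("Unknown endpoint.", 404)


if __name__ == "__main__":
    print(handle_request("/validate/policy-number",
                         '{"email": "alice@example.com", "policyNumber": "aci-100200"}'))
    print(handle_request("/provide/loyalty-points", '{"email": "alice@example.com"}'))
```

Because these endpoints receive customer attributes and can unblock sign-up, they must not be reachable anonymously: the hosting layer should require B2C to authenticate to them (for REST technical profiles in custom policies, B2C supports basic authentication and client certificates) and should serve them over HTTPS only. That authentication is deliberately left to the web server in this example.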

What I’m most excited about

While all of the technology is very useful (and it was interesting getting to grips with it), the following points were the most impressive for me:

  • Microsoft is putting a huge investment in cloud security. Proactive security measures, such as locking out known blacklisted identities, are crucial. This makes B2C safer than trying to manage authentication on-premises.
  • The maintenance of everything I’ve mentioned above comes with your subscription – it’s IDaaS (Identity as a Service).
  • As a result of the trust framework, the user’s journey through the authentication process is highly configurable: each step can draw on external sources of information and validation.

And there’s more to come!

Microsoft is working on further customisation options, including multi-language support for the public-facing policy pages (‘sign up’, ‘sign in’, etc.). While this is an obvious sign of an early-release product, the thinking behind the trust framework has been phenomenal. This is based on solid identity principles gleaned from Microsoft’s and others’ hard work over decades in the business of identity.
