Azure Active Directory B2C has been advertised as a potential game changer for business to consumer organisations. Built on Microsoft’s leading cloud identity platform, Azure AD, businesses can improve consumer connections whilst offering enterprise-grade security for their identities. With improving the customer experience and data protection competing for primacy in most organisations, it’s clearly an attractive proposition.
I was lucky enough to attend the B2C Airlift in Amsterdam with a small contingent of OCG colleagues. With Microsoft gurus José Rojas and Brandon Murdoch, we were trained on how to customise and configure the service, and briefed on some of Microsoft’s plans for the future…
Examples of how Azure AD B2C could benefit your business
Picture a large retail company which has grown through acquisition. Let’s call it Alta Crystal Insurance. The business currently provides services to its customers via a number of different web portals that sit on different domains. As a result, it’s going to be interested in:
- A single sign-on for each customer, so they don’t have to log into multiple websites to transact business with the company
- Single sign-off for enhanced security
- A unified and branded sign-in experience
- A unified ‘forgotten my password’ experience
- An industry-standard level of security for the login process
- MFA (multi-factor authentication) for higher-level authentication
- Social login (BYOID – bring your own identity)
- A massively scalable and available user database
- Authenticate via a standard user name/password combination, via social identity providers (Facebook, Google, etc.), or via a custom identity provider
- Verify the user’s identity via ‘attribute validators’
- Add additional information about the user via ‘attribute providers’
- Force the user to use multi-factor authentication (MFA).
The Azure portal gives IT administrators a place to manage all of the B2C settings, including setting up applications to be able to interact with B2C, determining the policies in use and the customisations for each policy.
The user experience
The custom HTML is served by a web server of your choice, so you can essentially produce the equivalent of any normal page on your site with dynamic content. During the Amsterdam training I produced a fairly simple ‘sign up or sign in’ page for the fictional business Alta Crystal Insurance – with additional social IDP login buttons as you can see below (in this case, everything below the banner is inserted into the page by B2C):
Emails and text produced by the B2C user journey (for example, during multi-factor authentication) can also be branded for your organisation.
Extending the service
You can extend B2C by plugging in various components, for example:
- Attribute validators
You can develop these services to check whether attributes provided by the user are valid – and you can configure the policies to make a call to your service to check. So, for example, a user can provide their insurance policy number as part of sign-up and you can prevent the user from continuing if this number does not match what you know.
- IDPs (Identity Providers)
Besides being able to plug in ‘social’ IDPs such as Facebook and Google, you can also write your own IDP to authenticate the user in the way that you want.
- Attribute providers
These work in a similar way to attribute validators, but instead of checking an attribute they return additional information about the user derived from what is already known – for example, given the user’s email address, your service could return their loyalty card points.
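To make the attribute validator and attribute provider ideas concrete, here is an added example (not Microsoft’s or OCG’s code, and not from the original post) of a small REST back end that a B2C policy could call at both of the steps described above: one route checks a policy number entered at sign-up against what the business knows and blocks the journey when it does not match, the other returns loyalty points for an email address. The policy numbers, loyalty balances, URL paths and the shared secret are all constructed for illustration. The response shape (HTTP 200 with the claims to return, HTTP 409 with a `userMessage` to stop the journey) follows the pattern Microsoft documents for REST API claims exchanges, but treat the exact contract as an assumption and check it against the current B2C documentation.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

API_VERSION = "1.0.0"

# Constructed stand-ins for Alta Crystal Insurance's back-office records.
POLICIES = {                       # policy number -> e-mail address on file
    "ACI-1001": "alice@example.com",
    "ACI-1002": "bob@example.com",
}
LOYALTY_POINTS = {"alice@example.com": 1250, "bob@example.com": 40}

# Constructed credential that the B2C policy presents to this endpoint.
# The endpoint must authenticate B2C: an open validator could be driven by
# anyone to probe policy numbers or read loyalty balances.
B2C_BASIC_USER = "b2c"
B2C_BASIC_PASSWORD = "constructed-shared-secret"   # placeholder value


def reject(user_message):
    """A 409 tells B2C to stop the journey and show user_message to the user."""
    return 409, {"version": API_VERSION, "status": 409, "userMessage": user_message}


def validate_policy_number(claims):
    """Attribute validator: sign-up continues only if the policy number is one
    we know and it belongs to the e-mail address the user is signing up with."""
    number = str(claims.get("policyNumber", "")).strip().upper()
    email = str(claims.get("email", "")).strip().lower()
    if not number:
        return reject("Please enter your policy number.")
    on_file = POLICIES.get(number)
    # One generic message for 'unknown number' and 'wrong e-mail', so the
    # reply does not reveal which policy numbers exist.
    if on_file is None or not hmac.compare_digest(on_file.encode(), email.encode()):
        return reject("We could not match that policy number to your details.")
    return 200, {"policyNumber": number}


def provide_loyalty_points(claims):
    """Attribute provider: add a loyaltyPoints claim looked up by e-mail.
    Unknown customers get 0 rather than an error, so the journey still completes."""
    email = str(claims.get("email", "")).strip().lower()
    return 200, {"loyaltyPoints": LOYALTY_POINTS.get(email, 0)}


ROUTES = {  # constructed paths; the policy's technical profiles would point here
    "/validate-policy": validate_policy_number,
    "/loyalty-points": provide_loyalty_points,
}


def basic_auth_header(user, password):
    """Build the Authorization header value B2C would be configured to send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorized(header):
    """Constant-time check of the Basic credential configured for B2C."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), B2C_BASIC_USER.encode())
            and hmac.compare_digest(password.encode(), B2C_BASIC_PASSWORD.encode()))


def dispatch(path, auth_header, body):
    """Route one request; returns (http_status, json_body) for the handler below."""
    if not authorized(auth_header):
        return 401, {"error": "unauthorized"}
    handler = ROUTES.get(path)
    if handler is None:
        return 404, {"error": "unknown route"}
    try:
        claims = json.loads(body or b"{}")
    except ValueError:
        claims = None
    if not isinstance(claims, dict):
        return 400, {"error": "body must be a JSON object of claims"}
    return handler(claims)


class ClaimsExchangeHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, payload = dispatch(self.path, self.headers.get("Authorization"), body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local test server only; put TLS in front of it before a B2C policy calls it.
    HTTPServer(("127.0.0.1", 8080), ClaimsExchangeHandler).serve_forever()
```

Two choices are worth noting. The validator binds the policy number to the email on file and uses a single generic rejection message, so the sign-up form cannot be used to discover which policy numbers exist; and the provider never fails the journey for an unknown customer, because enrichment should not block a legitimate sign-up.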
What I’m most excited about
While all of the technology is very useful (and it was interesting getting to grips with it), the following points were the most impressive for me:
- Microsoft is putting a huge investment in cloud security. Proactive security measures, such as locking out known blacklisted identities, are crucial. This makes B2C safer than trying to manage authentication on-premises.
- The maintenance of everything I’ve mentioned above comes with your subscription – it’s IDaaS (Identity as a Service).
- Thanks to the trust framework, the user’s journey through the authentication process is highly configurable, and each step of it can draw on external sources of information and validation.
And there’s more to come!
Microsoft is working on further customisation options, including multi-language support for the public-facing policy pages (‘sign up’, ‘sign in’, etc.). While this is an obvious sign of an early-release product, the thinking behind the trust framework has been phenomenal. This is based on solid identity principles gleaned from Microsoft’s and others’ hard work over decades in the business of identity.