Azure Active Directory B2C deployment plans
Azure Active Directory B2C (Azure AD B2C) is an identity and access management solution that can ease integration with your infrastructure. Use the following guidance to help understand requirements and compliance throughout an Azure AD B2C deployment.
Plan an Azure AD B2C deployment
Requirements
- Assess the primary reason to turn off systems
- For a new application, plan the design of the Customer Identity Access Management (CIAM) system
- See, Planning and design
- Identify customer locations and create a tenant in the corresponding datacenter
- Confirm your application types and supported technologies:
- Overview of the Microsoft Authentication Library (MSAL)
- Develop with open-source languages, frameworks, databases, and tools in Azure.
- For back-end services, use the client credentials flow
- To migrate from an identity provider (IdP):
- Select protocols
- If you use Kerberos, Microsoft Windows NT LAN Manager (NTLM), and Web Services Federation (WS-Fed), see the video, Application and identity migration to Azure AD B2C
After migration, your applications can support modern identity protocols such as Open Authorization (OAuth) 2.0 and OpenID Connect (OIDC).
Stakeholders
Technology project success depends on managing expectations, outcomes, and responsibilities.
- Identify the application architect, technical program manager, and owner
- Create a distribution list (DL) to communicate with the Microsoft account or engineering teams
- Ask questions, get answers, and receive notifications
- Identify a partner or resource outside your organization to support you
Learn more: Include the right stakeholders
Communications
Communicate proactively and regularly with your users about pending and current changes. Inform them about how the experience changes, when it changes, and provide a contact for support.
Timelines
Help set realistic expectations and make contingency plans to meet key milestones:
- Pilot date
- Launch date
- Dates that affect delivery
- Dependencies
Implement an Azure AD B2C deployment
- Deploy applications and user identities - Deploy client application and migrate user identities
- Client application onboarding and deliverables - Onboard the client application and test the solution
- Security - Enhance the identity solution security
- Compliance - Address regulatory requirements
- User experience - Enable a user-friendly service
Deploy authentication and authorization
- Before your applications interact with Azure AD B2C, register them in a tenant you manage
- For authorization, use the Identity Experience Framework (IEF) sample user journeys
- Use policy-based control for cloud-native environments
- Go to
openpolicyagent.org
to learn about Open Policy Agent (OPA)
- Go to
Learn more with the Microsoft Identity PDF, Gaining expertise with Azure AD B2C, a course for developers.
Checklist for personas, permissions, delegation, and calls
- Identify the personas that access to your application
- Define how you manage system permissions and entitlements today, and in the future
- Confirm you have a permission store and if there are permissions to add to the directory
- Define how you manage delegated administration
- For example, your customers' customers management
- Verify your application calls an API Manager (APIM)
- There might be a need to call from the IdP before the application is issued a token
Deploy applications and user identities
Azure AD B2C projects start with one or more client applications.
- The new App registrations experience for Azure Active Directory B2C
- Refer to Azure Active Directory B2C code samples for implementation
- Set up your user journey based on custom user flows
Application deployment checklist
- Applications included in the CIAM deployment
- Applications in use
- For example, web applications, APIs, single-page web apps (SPAs), or native mobile applications
- Authentication in use:
- For example, forms federated with Security Assertion Markup Language (SAML), or federated with OIDC
- If OIDC, confirm the response type: code or id_token
- Determine where front-end and back-end applications are hosted: on-premises, cloud, or hybrid-cloud
- Confirm the platforms or languages in use:
- For example ASP.NET, Java, and Node.js
- Verify where user attributes are stored
- For example, Lightweight Directory Access Protocol (LDAP) or databases
User identity deployment checklist
- Confirm the number of users accessing applications
- Determine the IdP types needed:
- For example, Active Directory Federation Services (AD FS)
- See, Active Directory Federation Services
- Outline the claim schema required from your application, Azure AD B2C, and IdPs if applicable
- See, ClaimsSchema
- Determine the information to collect during sign-in and sign-up
Client application onboarding and deliverables
Use the following checklist for onboarding an application
Area | Description |
---|---|
Application target user group | Select among end customers, business customers, or a digital service. Determine a need for employee sign-in. |
Application business value | Understand the business need or goal to determine the best Azure AD B2C solution and integration with other client applications. |
Your identity groups | Cluster identities into groups with requirements, such as business-to-consumer (B2C), business-to-business (B2B) business-to-employee (B2E), and business-to-machine (B2M) for IoT device sign-in and service accounts. |
Identity provider (IdP) | See, Select an identity provider. For example, for a customer-to-customer (C2C) mobile app use an easy sign-in process. B2C with digital services has compliance requirements. Consider email sign-in. |
Regulatory constraints | Determine a need for remote profiles or privacy policies. |
Sign-in and sign-up flow | Confirm email verification or email verification during sign-up. For check-out processes, see How it works: Microsoft Entra multifactor authentication. |
Application and authentication protocol | Implement client applications such as Web application, single-page application (SPA), or native. Authentication protocols for client application and Azure AD B2C: OAuth, OIDC, and SAML. |
User migration | Confirm if you'll migrate users to Azure AD B2C: Just-in-time (JIT) migration and bulk import/export. |
Use the following checklist for delivery.
Area | Description |
---|---|
Protocol information | Gather the base path, policies, and metadata URL of both variants. Specify attributes such as sample sign-in, client application ID, secrets, and redirects. |
Application samples | See, Azure Active Directory B2C code samples. |
Penetration testing | Inform your operations team about pen tests, then test user flows including the OAuth implementation. See, Penetration testing and Penetration testing rules of engagement. |
Unit testing | Unit test and generate tokens. See, Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials. Reuse tokens to reduce investigation on your infrastructure. Set up a resource owner password credentials flow in Azure Active Directory B2C. You shouldn't use ROPC flow to authenticate users in your apps. |
Load testing | Learn about Azure AD B2C service limits and restrictions. Calculate the expected authentications and user sign-ins per month. Assess high load traffic durations and business reasons: holiday, migration, and event. Determine expected peak rates for sign-up, traffic, and geographic distribution, for example per second. |
Security
Use the following checklist to enhance application security.
- Authentication method, such as multifactor authentication:
- Multifactor authentication is recommended for users that trigger high-value transactions or other risk events. For example, banking, finance, and check-out processes.
- Confirm use of anti-bot mechanisms
- Confirm needed conditional postures as part of sign-in or sign-up
Compliance
To help comply with regulatory requirements and enhance back-end system security you can use virtual networks (VNets), IP restrictions, Web Application Firewall, and so on. Consider the following requirements:
- Your regulatory compliance requirements
- For example, Payment Card Industry Data Security Standard (PCI DSS)
- Go to pcisecuritystandards.org to learn more about the PCI Security Standards Council
- Data storage into a separate database store
- Determine whether this information can't be written into the directory
User experience
Use the following checklist to help define user experience requirements.
- Use screenshots and user stories to show the application end-user experience
- For example, screenshots of sign-in, sign-up, sign-up/sign-in (SUSI), profile edit, and password reset
- Look for hints passed through by using query string parameters in your CIAM solution
- For high user experience customization, consider a using front-end developer
- In Azure AD B2C, you can customize HTML and CSS
- See, Guidelines for using JavaScript
- For a single-page application, use a second sign-in HTML page that loads into the
<iframe>
element
Monitoring auditing, and logging
Use the following checklist for monitoring, auditing, and logging.
- Monitoring
- Auditing and logging
Resources
- Register a Microsoft Graph application
- Manage Azure AD B2C with Microsoft Graph
- Manage Azure AD B2C custom policies with Azure PowerShell
Next steps
Recommendations and best practices for Azure Active Directory B2C