Recommendations and best practices for Azure Active Directory B2C

The following best practices and recommendations cover the main aspects of integrating Azure Active Directory (Azure AD) B2C into existing or new application environments.

Fundamentals

Best practice | Description
Choose user flows for most scenarios | The Identity Experience Framework of Azure AD B2C is the core strength of the service. Policies fully describe identity experiences such as sign-up, sign-in, or profile editing. To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called user flows. With user flows, you can create a good user experience in minutes, with just a few clicks. Learn when to use user flows vs. custom policies.
App registrations | Every application (web, native) and API that you secure must be registered in Azure AD B2C. If an app has a web version and native iOS and Android versions, you can register them as one application in Azure AD B2C with the same client ID. Learn how to register OIDC, SAML, web, and native apps. Learn more about the application types that can be used in Azure AD B2C.
Move to monthly active users billing | Azure AD B2C has moved from monthly active authentications to monthly active users (MAU) billing. Most customers will find this model more cost-effective. Learn more about monthly active users billing.

Planning and design

Define your application and service architecture, inventory current systems, and plan your migration to Azure AD B2C.

Best practice | Description
Architect an end-to-end solution | Include all of your applications' dependencies when planning an Azure AD B2C integration. Consider all services and products that are currently in your environment or that might need to be added to the solution, for example Azure Functions, customer relationship management (CRM) systems, the Azure API Management gateway, and storage services. Take the security and scalability of every service into account.
Document your users' experiences | Detail all the user journeys your customers can experience in your application. Include every screen and any branching flows they might encounter when interacting with the identity and profile aspects of your application. Include usability, accessibility, and localization in your planning.
Choose the right authentication protocol | For a breakdown of the different application scenarios and their recommended authentication flows, see Scenarios and supported authentication flows.
Pilot a proof-of-concept (POC) end-to-end user experience | Start with the Microsoft code samples and community samples.
Create a migration plan | Planning ahead makes the migration go more smoothly. Learn more about user migration.
Usability vs. security | Your solution must strike the right balance between application usability and your organization's acceptable level of risk.
Move on-premises dependencies to the cloud | To help ensure a resilient solution, consider moving existing application dependencies to the cloud.
Migrate existing apps to b2clogin.cn | The deprecation of login.partner.microsoftonline.cn takes effect for all Azure AD B2C tenants on 04 December 2020. Learn more.
Use Identity Protection and Conditional Access | Use these capabilities for significantly greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required.

Implementation

During the implementation phase, consider the following recommendations.

Best practice | Description
Edit custom policies with the Azure AD B2C extension for Visual Studio Code | Download Visual Studio Code and this community-built extension from the Visual Studio Code Marketplace. While not an official Microsoft product, the Azure AD B2C extension for Visual Studio Code includes several features that make working with custom policies easier.
Learn how to troubleshoot Azure AD B2C | Learn how to troubleshoot custom policies during development. Learn what a normal authentication flow looks like, and use tools to discover anomalies and errors.
Leverage the library of proven custom policy patterns | Find samples for several enhanced Azure AD B2C customer identity and access management (CIAM) user journeys.

Testing

Test and automate your Azure AD B2C implementation.

Best practice | Description
Account for global traffic | Use traffic sources from different global addresses to test performance and localization requirements. Make sure all HTML, CSS, and dependencies meet your performance needs.
Functional and UI testing | Test the user flows end-to-end. Run synthetic tests every few minutes using Selenium, VS Web Test, or similar tools.
Pen-testing | Before going live with your solution, perform penetration testing to verify that all components are secure, including any third-party dependencies. Verify that your APIs are secured with access tokens and that you use the right authentication protocol for your application scenario. Learn more about penetration testing and the Microsoft Cloud Unified Penetration Testing Rules of Engagement.
A/B testing | Flight new features with a small, random set of users before rolling out to your entire population. With JavaScript enabled in Azure AD B2C, you can integrate with A/B testing tools such as Optimizely, Clarity, and others.
Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. Load-test your APIs and CDN.
Throttling | Azure AD B2C throttles traffic if too many requests are sent from the same source in a short period of time. Use several traffic sources when load testing, and handle the AADB2C90229 error code gracefully in your applications.
Automation | Use continuous integration and delivery (CI/CD) pipelines to automate testing and deployments.
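The pen-testing row above says to verify that your APIs are secured with access tokens. Signature verification is the part every JWT library does; the checks that are routinely left to the caller, and that a pen-test will probe, are issuer pinning, audience, policy name and time claims. The following is an added example, not code from the Azure AD B2C docs, of those claim checks in Python. It assumes the RS256 signature has already been verified against the keys in the policy's OpenID Connect metadata; the tenant GUID, client ID and policy names are constructed placeholders, and the sample token it builds carries a placeholder signature so the checks can be exercised offline.

```python
"""Claim checks for an API protected by Azure AD B2C access tokens.

Added example, not from the Azure AD B2C docs. Assumes the signature has
already been verified by the API's JWT library; these are the checks most
libraries leave to the caller: issuer bound to your own tenant, audience
equal to the API's client ID, policy name (tfp, or acr on older policies)
restricted to an allow-list, and exp/nbf with a small clock-skew tolerance.
"""
import base64
import json
import time

# Constructed placeholders; replace with your tenant's real values.
TENANT_ISSUER = "https://contoso.b2clogin.cn/11111111-2222-3333-4444-555555555555/v2.0/"
API_CLIENT_ID = "66666666-7777-8888-9999-000000000000"
ALLOWED_POLICIES = {"B2C_1_signupsignin", "B2C_1A_signup_signin"}


class TokenRejected(Exception):
    """Raised for any claim that fails validation; the API should answer 401."""


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token):
    """Return the JWT payload. Does NOT verify the signature; call it only
    after (or from inside) the library's signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token is not a compact JWS")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("payload is not valid JSON") from exc


def validate_claims(claims, *, issuer=TENANT_ISSUER, audience=API_CLIENT_ID,
                    allowed_policies=ALLOWED_POLICIES, now=None, skew=60):
    """Apply issuer, audience, policy and time checks; return the claims on success."""
    now = time.time() if now is None else now

    # Exact match on the full issuer URL pins the token to this tenant. A
    # prefix or substring match would accept tokens from other tenants
    # hosted on the same b2clogin domain.
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")

    # aud may be a string or a list; the API's own client ID must be present.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")

    # B2C puts the policy name in tfp (acr on older policies). Pinning it
    # stops a token minted by a weaker policy in the same tenant (for
    # example a password-reset flow) from being accepted by this API.
    policy = claims.get("tfp") or claims.get("acr")
    if not policy or policy.lower() not in {p.lower() for p in allowed_policies}:
        raise TokenRejected("policy not allowed")

    try:
        exp = float(claims["exp"])
        nbf = float(claims.get("nbf", 0))
    except (KeyError, TypeError, ValueError) as exc:
        raise TokenRejected("missing or malformed time claim") from exc
    if now > exp + skew:
        raise TokenRejected("token expired")
    if now + skew < nbf:
        raise TokenRejected("token not yet valid")
    return claims


def accepts(token, **kwargs):
    """True if the token passes decode and claim checks (signature assumed verified)."""
    try:
        validate_claims(decode_payload(token), **kwargs)
        return True
    except TokenRejected:
        return False


def make_unsigned_sample(claims):
    """Build a sample token with a placeholder signature, for exercising the
    claim checks offline. Never accept such a token in a real API."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"


if __name__ == "__main__":
    sample = {"iss": TENANT_ISSUER, "aud": API_CLIENT_ID, "tfp": "B2C_1_signupsignin",
              "nbf": 1_700_000_000, "exp": 1_700_003_600, "sub": "user-guid"}
    print(accepts(make_unsigned_sample(sample), now=1_700_000_100))
```

The policy check is the one most often missing: every policy in a tenant shares the signing keys and issuer, so without it any user flow that can issue a token for your client ID grants access to the API.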
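The throttling row above asks applications to handle AADB2C90229 gracefully. Azure AD B2C reports errors by redirecting the user back to the relying party's redirect URI with an error response whose description starts with the AADB2C error code, so the relying party has to recognise the code there and stop re-issuing authorize requests from the throttled source. The following is an added example, not code from the Azure AD B2C docs, of that handling in Python; the redirect URLs in it are constructed to match that shape, and the application host, retry cap and attempt limit are assumptions.

```python
"""Recognising AADB2C90229 in an OIDC relying party and backing off.

Added example, not from the Azure AD B2C docs. The callback URL shape
(error, error_description, state, code as query parameters) is the
authorization-response format; the sample URLs are constructed.
"""
import random
import re
from urllib.parse import parse_qs, urlsplit

THROTTLED_CODE = "AADB2C90229"
_CODE_RE = re.compile(r"\bAADB2C\d{5}\b")


def parse_callback(redirect_url):
    """Pick the fields a relying party needs out of the redirect URL."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    def first(key):
        return query.get(key, [None])[0]

    match = _CODE_RE.search(first("error_description") or "")
    return {
        "code": first("code"),        # authorization code on success
        "state": first("state"),
        "error": first("error"),
        "error_code": match.group(0) if match else None,
    }


def is_throttled(callback):
    return callback["error"] is not None and callback["error_code"] == THROTTLED_CODE


def retry_delay(attempt, base=2.0, cap=60.0, rng=random):
    """Full-jitter exponential backoff: attempt 0 -> [0, 2), 1 -> [0, 4), ..., capped.
    Jitter matters here: a fleet of clients retrying on the same fixed
    schedule keeps the shared source address throttled."""
    return rng.uniform(0, min(cap, base * 2 ** attempt))


def handle_callback(redirect_url, attempt, max_attempts=5, rng=random):
    """Decide what the app does with a B2C authorization response."""
    cb = parse_callback(redirect_url)
    if cb["code"]:
        return {"action": "exchange_code", "code": cb["code"], "state": cb["state"]}
    if is_throttled(cb) and attempt < max_attempts:
        # Wait before sending the user to the authorize endpoint again;
        # redirecting immediately just prolongs the throttling.
        return {"action": "retry_after", "seconds": retry_delay(attempt, rng=rng)}
    # Any other error, or too many retries: surface it and stop.
    return {"action": "fail", "error": cb["error"], "error_code": cb["error_code"]}


if __name__ == "__main__":
    throttled = ("https://app.contoso.example/signin-oidc?error=server_error"
                 "&error_description=AADB2C90229%3A+Azure+AD+B2C+throttled+traffic"
                 "+due+to+excessive+requests.&state=xyz")
    print(handle_callback(throttled, attempt=0))
```

Check `state` against the value stored at the start of the request before acting on either branch; the example returns it but, being a pure decision function, leaves that comparison to the session layer.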

Operations

Manage your Azure AD B2C environment.

Best practice | Description
Create multiple environments | For easier operations and deployment roll-out, create separate environments for development, testing, pre-production, and production, with a separate Azure AD B2C tenant for each.
Use version control for your custom policies | Consider using GitHub, Azure Repos, or another cloud-based version control system for your Azure AD B2C custom policies.
Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs let you manage the Identity Experience Framework (custom policies), keys, and user flows.
Integrate with Azure DevOps | A CI/CD pipeline makes moving code between environments easy and ensures production readiness at all times.
Integrate with Azure Monitor | Audit log events are retained for only seven days. Integrate with Azure Monitor to retain the logs for long-term use, or integrate with a third-party security information and event management (SIEM) tool to gain insight into your environment.
Set up active alerting and monitoring | Track user behavior in Azure AD B2C using Application Insights.
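The Graph API and Azure DevOps rows above describe the pieces of a pipeline without showing how custom policies get from version control into a tenant. The following is an added example, not code from the page or from Microsoft, of that deployment step in Python. It assumes a Graph access token with the Policy.ReadWrite.TrustFramework permission obtained earlier in the pipeline, and uses the Graph beta call PUT /trustFramework/policies/{id}/$value with an application/xml body. Policies are uploaded in dependency order, read from each file's BasePolicy element, because a policy cannot be uploaded before the base it extends. The three policy documents are constructed stubs, the tenant domain is a placeholder, and the Graph host is a parameter (the China cloud uses microsoftgraph.chinacloudapi.cn).

```python
"""Deploy custom policies to an Azure AD B2C tenant through Microsoft Graph.

Added example for a CI/CD step; not from the page or from Microsoft.
Assumes a Graph token with Policy.ReadWrite.TrustFramework and the beta
endpoint PUT /trustFramework/policies/{id}/$value (application/xml body).
"""
import re
import urllib.request
import xml.etree.ElementTree as ET

TFP_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
_POLICY_ID_RE = re.compile(r"B2C_1A_[A-Za-z0-9_]+")


def policy_info(policy_xml):
    """Return (PolicyId, base PolicyId or None) from a TrustFrameworkPolicy document."""
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{TFP_NS}}}TrustFrameworkPolicy":
        raise ValueError("not a TrustFrameworkPolicy document")
    policy_id = root.get("PolicyId") or ""
    # Validating the id also keeps it safe to interpolate into the Graph URL.
    if not _POLICY_ID_RE.fullmatch(policy_id):
        raise ValueError(f"unexpected PolicyId {policy_id!r}")
    base = root.find(f"{{{TFP_NS}}}BasePolicy/{{{TFP_NS}}}PolicyId")
    return policy_id, (base.text.strip() if base is not None and base.text else None)


def deploy_order(policy_docs):
    """Order policy documents so every base precedes the policies built on it.
    Returns a list of (PolicyId, xml bytes)."""
    info = {}
    for xml in policy_docs:
        pid, base = policy_info(xml)
        if pid in info:
            raise ValueError(f"duplicate policy {pid}")
        info[pid] = (base, xml)
    ordered, visiting = [], set()

    def visit(pid):
        if pid in ordered:
            return
        if pid in visiting:
            raise ValueError(f"BasePolicy cycle at {pid}")
        visiting.add(pid)
        base = info[pid][0]
        if base is not None:
            if base not in info:
                raise ValueError(f"{pid} extends {base}, which is not in this deployment")
            visit(base)
        visiting.discard(pid)
        ordered.append(pid)

    for pid in sorted(info):
        visit(pid)
    return [(pid, info[pid][1]) for pid in ordered]


def build_upload_request(policy_xml, token, graph_host="graph.microsoft.com"):
    policy_id, _ = policy_info(policy_xml)
    url = f"https://{graph_host}/beta/trustFramework/policies/{policy_id}/$value"
    return urllib.request.Request(
        url, data=policy_xml, method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/xml"})


def deploy(policy_docs, token, graph_host="graph.microsoft.com", opener=urllib.request.urlopen):
    """Upload every policy in dependency order; returns the ids in upload order.
    `opener` is injectable so the pipeline logic can be tested without network."""
    uploaded = []
    for pid, xml in deploy_order(policy_docs):
        with opener(build_upload_request(xml, token, graph_host)) as resp:
            if resp.status not in (200, 201):
                raise RuntimeError(f"upload of {pid} failed: HTTP {resp.status}")
        uploaded.append(pid)
    return uploaded


def sample_policy(policy_id, base_id=None, tenant="contoso.example"):
    """Constructed minimal policy document; real files carry the full schema."""
    base = (f"<BasePolicy><TenantId>{tenant}</TenantId><PolicyId>{base_id}</PolicyId></BasePolicy>"
            if base_id else "")
    return (f'<TrustFrameworkPolicy xmlns="{TFP_NS}" PolicySchemaVersion="0.3.0.0" '
            f'TenantId="{tenant}" PolicyId="{policy_id}">{base}</TrustFrameworkPolicy>').encode()
```

Keep the token out of the pipeline definition itself (a pipeline secret or a managed identity that requests it at run time), and point `graph_host` at the Graph endpoint of the cloud your tenant lives in.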

Support and status updates

Stay up to date with the state of the service and find support options.

Best practice | Description
Service updates | Stay up to date with Azure AD B2C product updates and announcements.
Microsoft Support | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost.
Azure status | View the current health status of all Azure services.