Building consumer apps with Azure AD B2C Chris Padgett CLD333
Agenda
- What and why of Azure AD B2C
- Demo: Create an Azure AD B2C directory
- Accounts, apps, auth and policies
- Demo: Develop an Azure AD B2C app
- Account attributes, Graph API, pricing and what is next
What and why of Azure AD B2C
What is Azure AD B2C
- A consumer identity and access management service
- Integrates across your modern platforms
- Highly available and scales to hundreds of millions of consumers
- Supports a customisable experience for consumers
Why B2C is the same as B2E… but different

Consumer IDAM                                               | Enterprise IDAM
A larger number of accounts with shorter sessions           | A smaller number of accounts with longer sessions
More control of the identity data and lifecycle             | Less control of the identity data and lifecycle
Expectation is a customer experience                        | Actuality is an office experience
The identity interactions are matched to a specific journey | The identity interactions are matched to "work"
Demo: Create an Azure AD B2C directory
Accounts, apps, auth and policies
Consumer accounts
- Consumers can create new "local" accounts, with an email address or a user ID
- Consumers can link existing external accounts from Amazon, Facebook, Google and LinkedIn
- All accounts can be protected using multi-factor authentication
- Local passwords can be reset using self-service password reset
App integration
- An app definition must be added to an Azure AD B2C directory
- Apps must be developed using the Azure AD v2.0 app model and ADAL v4 (experimental)
- Azure AD B2C supports OpenID Connect for web apps and OAuth 2.0 for native client apps
- The consumer experiences are described by policies
Authentication requests

GET https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
    ?response_type=code+id_token
    &client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
    &redirect_uri=https%3A%2F%2Fwww.contoso.com%2F
    &scope=openid+offline_access
    &state=af0ifjsldkj
    &response_mode=form_post
    &nonce=n-0S6_WzA2Mj
    &p=b2c_1_sign_in

The state and nonce values are fresh random values generated for each request; the app stores them and checks that the posted response carries the same state (ties the callback to the browser session) and that the id_token carries the same nonce (ties the token to this request, so a captured token cannot be replayed).
Multi-factor authentication

Policies
- Describe the sign up, sign in and profile editing experiences
- Include settings for UI customisations, identity providers, account attributes, token claims and multi-factor authentication
- Applications can be integrated with multiple policies of different types
- Policies are invoked using the "p" parameter of an authentication request

[Diagram: a policy is made up of UI customisations, identity providers, account attributes, token claims and multi-factor authentication]
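The request on the Authentication requests slide and the "p" policy selector, worked through as an added example that is not code from the session or from Azure AD B2C: the app generates state and nonce, builds the authorize URL, and on the form_post callback checks state, signature, issuer, audience, validity window and nonce before trusting any claim. Assumptions not stated on the slides: a server-side session dict holds the pending request, the expected issuer string is taken from the policy's OpenID Connect metadata document, and signature verification is passed in as a function that checks the RS256 signature against that policy's signing keys (the demo passes an accept-everything verifier and a placeholder signature so it runs offline; a real deployment must not).

```python
import base64
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_request(session, tenant, client_id, redirect_uri, policy):
    """Create fresh state and nonce, remember them in the session and return
    the authorize URL. state binds the response to this browser session
    (CSRF); nonce binds the id_token to this request (replay)."""
    state = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(24)
    session["oidc"] = {"state": state, "nonce": nonce, "policy": policy}
    params = {
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,
        "response_mode": "form_post",
        "nonce": nonce,
        "p": policy,  # selects the B2C policy (sign in, sign up, profile edit ...)
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def handle_form_post(session, form, client_id, expected_issuer, verify_signature, now=None):
    """Validate the POSTed response. Raises ValueError on any failure. The
    pending state is consumed first, so every stored value is single-use."""
    pending = session.pop("oidc", None)
    if pending is None:
        raise ValueError("no pending authorization request")
    if "error" in form:
        raise ValueError("provider returned error: %s" % form["error"])
    if not hmac.compare_digest(form.get("state", "").encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    parts = form.get("id_token", "").split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # B2C signs id_tokens with RS256; never accept "none"
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    if not verify_signature(header, signing_input, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not currently valid")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), pending["nonce"].encode()):
        raise ValueError("nonce mismatch")
    return claims, form.get("code")


def demo_round_trip():
    """Offline walk-through with a constructed id_token. The signature is a
    placeholder and accept_all is a stand-in for a real RS256 verifier."""
    tenant, client_id = "contoso.onmicrosoft.com", "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6"
    issuer = "https://login.microsoftonline.com/%s/v2.0/" % tenant  # assumed shape
    session = {}
    url = build_authorize_request(session, tenant, client_id, "https://www.contoso.com/", "b2c_1_sign_in")
    pending = dict(session["oidc"])
    now = 1_700_000_000
    claims_in = {"iss": issuer, "aud": client_id, "sub": "0a1b2c", "nbf": now - 60,
                 "exp": now + 3600, "nonce": pending["nonce"]}
    token = ".".join([_b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode()),
                      _b64url_encode(json.dumps(claims_in).encode()),
                      _b64url_encode(b"placeholder-signature")])
    form = {"state": pending["state"], "id_token": token, "code": "AUTH_CODE"}
    accept_all = lambda header, signing_input, sig: True  # demo only
    claims, code = handle_form_post(session, form, client_id, issuer, accept_all, now=now)
    try:  # delivering the same form again must fail: state was consumed
        handle_form_post(session, form, client_id, issuer, accept_all, now=now)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    session["oidc"] = pending
    try:  # a forged state must fail before the token is even inspected
        handle_form_post(session, dict(form, state="attacker"), client_id, issuer, accept_all, now=now)
        csrf_rejected = False
    except ValueError:
        csrf_rejected = True
    return {"url": url, "sub": claims["sub"], "code": code,
            "replay_rejected": replay_rejected, "csrf_rejected": csrf_rejected}
```

Because state is popped from the session before any other check, a second delivery of the same response is rejected even if every claim is still valid, and a callback that arrives without a pending request is rejected outright.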
Demo: Developing an Azure AD B2C app
Account attributes, Graph API, pricing and what is next
Account attributes
- Azure AD B2C contains a built-in set of attributes for accounts, e.g. Given Name, Surname, City
- You can declare custom attributes for accounts, e.g. FavouriteColour
- Custom attributes can be included in policies, e.g. collected during sign-up and issued as claims during sign-in
- They can be managed using the Azure AD Graph API
Graph API
- Enables management of consumer accounts and custom attributes
- Apps must be developed using the Azure AD v1.0 app model and ADAL v2
- Invoked as an administrator account for interactive, run-once tasks or as a service account for background, continuous tasks
- Scenarios include hosting your own sign-up and migrating accounts from an existing directory to Azure AD B2C
Creating a new local account

POST https://graph.windows.net/<tenant>/users?api-version=beta
Authorization: Bearer eyJhbGci...
Content-Type: application/json

{
  "accountEnabled": false,
  "alternativeSignInNamesInfo": [
    {
      "type": "emailAddress",
      "value": "chris.padgett@gmail.com"
    }
  ],
  "creationType": "NameCoexistence",
  "displayName": "Chris Padgett",
  "mailNickname": "chris.padgett",
  "passwordProfile": {
    "password": "P@ssword!",
    "forceChangePasswordNextLogin": false
  },
  "passwordPolicies": "DisablePasswordExpiration"
}
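The migration scenario from the Graph API slide, as an added example that is not code from the session or from Azure AD B2C: a batch of (email, display name) rows from an old directory is validated, de-duplicated and turned into the POST /users body shown above, each with an unguessable temporary password instead of a fixed one. Assumptions not on the slides: the service account is an app in the B2C directory using the v1.0 app model and the OAuth 2.0 client credentials grant against https://login.microsoftonline.com/<tenant>/oauth2/token with the Graph API as the resource (the token ADAL v2 would obtain), password hashes cannot be copied from the old system so migrated users are expected to go through self-service password reset, and SAMPLE_ROWS is a constructed export. The two functions that talk to the network are not called by the offline parts.

```python
import json
import re
import secrets
import string
import urllib.request
from urllib.parse import urlencode

GRAPH = "https://graph.windows.net"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def temporary_password(length=16):
    """CSPRNG password with at least one upper, lower, digit and symbol.
    Never reuse the source system's password or a fixed value like P@ssword!"""
    pools = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*-_")
    chars = [secrets.choice(p) for p in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def local_account_payload(email, display_name, enabled=True):
    """Body for POST /users?api-version=beta creating a local account that
    signs in with an email address (same shape as the slide)."""
    if not EMAIL_RE.match(email):
        raise ValueError("not an email address: %r" % email)
    nickname = re.sub(r"[^A-Za-z0-9._-]", "", email.split("@")[0]) or "user"
    return {
        "accountEnabled": enabled,
        "alternativeSignInNamesInfo": [{"type": "emailAddress", "value": email}],
        "creationType": "NameCoexistence",
        "displayName": display_name,
        "mailNickname": nickname,
        "passwordProfile": {"password": temporary_password(),
                            "forceChangePasswordNextLogin": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }


def get_service_token(tenant, client_id, client_secret):
    """Client credentials grant on the v1.0 endpoint (assumed; the app must
    have been granted directory write permission). Network call."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": GRAPH}).encode()
    req = urllib.request.Request(
        "https://login.microsoftonline.com/%s/oauth2/token" % tenant, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def create_user(tenant, token, payload):
    """POST the payload as the service account. Network call; returns the
    created user object from the directory."""
    req = urllib.request.Request(
        "%s/%s/users?api-version=beta" % (GRAPH, tenant),
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def plan_migration(rows):
    """Validate a batch of (email, display_name) rows, reject duplicates
    (case-insensitive, since sign-in names are) and bad addresses, and
    return the payloads to send plus the rejects with a reason. Payloads
    contain temporary passwords: do not log them."""
    seen, payloads, rejected = set(), [], []
    for email, name in rows:
        key = email.strip().lower()
        if key in seen:
            rejected.append((email, "duplicate"))
            continue
        try:
            payloads.append(local_account_payload(key, name.strip()))
            seen.add(key)
        except ValueError as exc:
            rejected.append((email, str(exc)))
    return payloads, rejected


# Constructed sample export; no real people or addresses.
SAMPLE_ROWS = [
    ("chris.padgett@example.com", "Chris Padgett"),
    ("Chris.Padgett@example.com", "Chris Padgett"),  # same account, different case
    ("not-an-address", "Broken Row"),
]
```

The ordering matters for a migration job: build and review the whole plan offline first, then obtain one service token and loop over the payloads with create_user, recording the returned objectId next to the source record so the job can be resumed without creating duplicates.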
Pricing
- Free during the public preview
- Usage will be billed based on the total number of both:
  - Accounts: users stored per month in the Azure AD B2C directory
  - Authentications: tokens issued per month for both authentication requests and refresh requests
- Multi-factor authentications: billed per user or application
- A free tier will be available for developers: the first 50,000 users stored per month and the first 50,000 tokens issued per month will be free
- Usage will be billed using a volume-based tiered model
Current preview limitations
- Production apps aren't supported
- Client Credentials and On-Behalf-Of grants aren't supported
- Access tokens aren't supported
- The sign-in, password reset and account verification experiences can only be customised using the company branding feature
- User administration is only supported in the current portal
- Only the .NET, Android, iOS and NodeJS SDKs are supported
What is next
- Custom domains
- Full UX customisations
- Localisation
- More support for external identity providers
- New support for custom identity providers
- Sign-up hooks
Summary
- Your consumer apps create connections with consumers
- Azure AD B2C is a highly available and massively scaled service for managing your consumers' identities
- Azure AD B2C provides the identity interactions that match a consumer journey
- Policies are "the secret sauce" that specify the identity interactions
Continue your Ignite learning path
- Visit Channel 9: https://azure.microsoft.com/en-us/documentation/videos/azureadb2c/
- Read the Azure AD B2C tutorials: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/
- Discover Azure AD B2C samples: https://github.com/AzureADQuickStarts
- Contribute on User Voice to the public preview: https://feedback.azure.com/forums/169401-azure-active-directory