Chris Padgett: Building consumer apps with Azure AD B2C (CLD333)


Upload: phyllis-hardy

Post on 19-Jan-2016


Page 1: Chris Padgett Building consumer apps with Azure AD B2C CLD33 3

Spark the future.

Page 2:

Chris Padgett

Building consumer apps with Azure AD B2C CLD333

Page 3:

Agenda

1. What and why of Azure AD B2C
2. Demo: Create an Azure AD B2C directory
3. Accounts, apps, auth and policies
4. Demo: Develop an Azure AD B2C app
5. Account attributes, Graph API, pricing and what is next

Page 4:

What and why of Azure AD B2C

Page 5:

What is Azure AD B2C

A consumer identity and access management service
Integrates across your modern platforms
Highly available and scales to hundreds of millions of consumers
Supports a customisable experience for consumers

Page 6:

Why B2C is the same as B2E… but different

Consumer IDAM | Enterprise IDAM
A larger number of accounts with shorter sessions | A smaller number of accounts with longer sessions
More control of the identity data and lifecycle | Less control of the identity data and lifecycle
Expectation is a customer experience | Actuality is an office experience
The identity interactions are matched to a specific journey | The identity interactions are matched to “work”

Page 7:

Demo: Create an Azure AD B2C directory

Page 8:

Accounts, apps, auth and policies

Page 9:

Consumer accounts

Consumers can create new “local” accounts
  With an email address or a user ID
Consumers can link existing external accounts
  From Amazon, Facebook, Google and LinkedIn
All accounts can be protected using multi-factor authentication
Local passwords can be reset using self-service password reset

Page 10:

App integration

An app definition must be added to an Azure AD B2C directory
Apps must be developed using the Azure AD v2.0 app model and ADAL v4 (experimental)
Azure AD B2C supports OpenID Connect for web apps and OAuth 2.0 for native client apps
The consumer experiences are described by policies

Page 11:

Authentication requests

    GET https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
        ?response_type=code+id_token
        &client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
        &redirect_uri=https%3A%2F%2Fwww.contoso.com%2F
        &scope=openid+offline_access
        &state=af0ifjsldkj
        &response_mode=form_post
        &nonce=n-0S6_WzA2Mj
        &p=b2c_1_sign_in

Page 12:

Policies

[Diagram: a policy, made up of UI customisations, identity providers, account attributes, token claims and multi-factor authentication]

Describe the sign up, sign in and profile editing experiences
Include settings for UI customisations, identity providers, account attributes, token claims and multi-factor authentication
Applications can be integrated with multiple policies of different types
Policies are invoked using the "p" parameter for an authentication request
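The authentication request on Page 11 and the "p" policy parameter described above, as an added Python example that is not from the original slides: it builds the request with a fresh state and nonce per sign-in and checks the form_post response against them. The function names and the session dictionary are hypothetical, and the ID token claims are assumed to have already had their signature, issuer and audience verified by a JWT library.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Endpoint shape as shown on the slide; the caller supplies the tenant.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

def _same(a, b):
    # Constant-time comparison that also tolerates non-ASCII or non-string input.
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def build_auth_request(tenant, client_id, redirect_uri, policy):
    """Return (url, pending); pending is stored in the user's server-side session."""
    pending = {
        "state": secrets.token_urlsafe(16),  # binds the response to this session
        "nonce": secrets.token_urlsafe(16),  # binds the ID token to this request
        "policy": policy,
    }
    params = {
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": pending["state"],
        "response_mode": "form_post",
        "nonce": pending["nonce"],
        "p": policy,  # selects the sign-up, sign-in or profile-editing policy
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params), pending

def check_callback(pending, form, id_token_claims):
    """Validate the POSTed response fields against the stored pending request."""
    if pending is None:
        return False, "no pending request"  # unsolicited response
    if "error" in form:
        return False, "provider returned error"
    if not _same(form.get("state", ""), pending["state"]):
        return False, "state mismatch"  # possible cross-site request forgery
    if not _same(id_token_claims.get("nonce", ""), pending["nonce"]):
        return False, "nonce mismatch"  # possible token replay
    if not form.get("code"):
        return False, "missing code"
    return True, "ok"
```

The pending entry should be deleted from the session once check_callback has run, whatever the result, so a response cannot be replayed against it.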

Page 13:

Demo: Developing an Azure AD B2C app

Page 14:

Account attributes, Graph API, pricing and what is next

Page 15:

Account attributes

Azure AD B2C contains a built-in set of attributes for accounts
  i.e. Given Name, Surname, City, etc.
You can declare custom attributes for accounts
  e.g. FavouriteColour
Custom attributes can be included in policies
  e.g. Collected during sign-up and issued during sign-in
They can be managed using Azure AD Graph API

Page 16:

Graph API

Enables management of consumer accounts and custom attributes
Apps must be developed using the Azure AD v1.0 app model and ADAL v2
Invoked as an administrator account for interactive, run-once tasks or as a service account for background, continuous tasks
Scenarios include hosting your own sign-up and migrating accounts from an existing directory to Azure AD B2C

Page 17:

Creating a new local account

    POST https://graph.windows.net/<tenant>/users?api-version=beta
    Authorization: Bearer eyJhbGci...
    Content-Type: application/json

    {
      "accountEnabled": false,
      "alternativeSignInNamesInfo": [
        {
          "type": "emailAddress",
          "value": "[email protected]"
        }
      ],
      "creationType": "NameCoexistence",
      "displayName": "Chris Padgett",
      "mailNickname": "chris.padgett",
      "passwordProfile": {
        "password": "P@ssword!",
        "forceChangePasswordNextLogin": false
      },
      "passwordPolicies": "DisablePasswordExpiration"
    }
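For the migration scenario named on Page 16, an added Python example (not from the original slides) that builds the request above for one account at a time and gives each account its own random password instead of a shared fixed one. The function names are hypothetical, deriving mailNickname from the local part of the email address is an assumption, and the request is built but not sent.

```python
import json
import secrets
import string
import urllib.request

# URL shape as shown on the slide; the caller supplies the tenant.
GRAPH_USERS = "https://graph.windows.net/{tenant}/users?api-version=beta"

def random_password(length=20):
    """Random password containing at least one character from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)  # hide which position holds which class
    return "".join(chars)

def build_create_user(tenant, bearer_token, email, display_name):
    """Build (without sending) the POST that creates one local account."""
    local, _, domain = email.partition("@")
    if not local or "." not in domain or any(c.isspace() for c in email):
        raise ValueError("not a usable email address: %r" % email)
    body = {
        "accountEnabled": False,  # value as shown on the slide
        "alternativeSignInNamesInfo": [
            {"type": "emailAddress", "value": email},
        ],
        "creationType": "NameCoexistence",
        "displayName": display_name,
        "mailNickname": local,  # assumption: local part of the address
        "passwordProfile": {
            "password": random_password(),  # unique per account, never logged
            "forceChangePasswordNextLogin": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }
    return urllib.request.Request(
        GRAPH_USERS.format(tenant=tenant),
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": "Bearer " + bearer_token,
                 "Content-Type": "application/json"},
        method="POST",
    )
```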

Page 18:

Pricing

Free during the public preview
Usage will be billed based on the total number of both:
  Accounts: Users stored per month in the Azure AD B2C directory
  Authentications: Tokens issued per month for both authentication requests and refresh requests
Multi-factor authentications: Billed per user or application
A free tier will be available for developers
  The first 50,000 users stored per month and the first 50,000 tokens issued per month will be free
Usage will be billed using a volume-based tiered model

Page 19:

Current preview limitations

Production apps aren’t supported
Client Credentials and On-Behalf-Of grants aren’t supported
Access tokens aren’t supported
The sign-in, password reset and account verification experiences can only be customised using the company branding feature
User administration is only supported in the current portal
.NET, Android, iOS and NodeJS SDKs are only supported

Page 20:

What is next

Custom domains
Full UX customisations
Localisation
More support for external identity providers
New support for custom identity providers
Sign-up hooks

Page 21:

Summary

Your consumer apps create connections with consumers
Azure AD B2C is a highly available and massively scaled service for managing your consumers’ identities
Azure AD B2C provides the identity interactions that match a consumer journey
Policies are “the secret sauce” that specify the identity interactions


Page 23:

Continue your Ignite learning path

Visit Channel 9: https://azure.microsoft.com/en-us/documentation/videos/azureadb2c/
Read Azure AD B2C tutorials: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/
Discover Azure AD B2C samples: https://github.com/AzureADQuickStarts
Contribute on User Voice to the public preview: https://feedback.azure.com/forums/169401-azure-active-directory

Page 24:

© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.