
Azure AD and Azure AD B2C Providing Users With Secure Access To The Resources They Need

One of the biggest challenges in building applications is security. The key problems are authenticating users and giving each of them access only to the functionality and parts of the application they actually need.

Let’s talk about how we can achieve this goal using Azure AD and Azure AD B2C.

KEY TAKEAWAYS:

  1. How to provide access to applications for an organization’s employees, partners and customers?
  2. Which Azure cloud services to use to build a unified access platform?
  3. How to use Azure AD identity services to provide the same user experience for everyone during the login process?

Our scenario

As a company, we own many different applications. We then have our employees, partners and customers, all of whom need access to some systems. We need to manage authentication for all of these types of users.

For some apps, we would like to grant access for employees and partner businesses. For others, we want to allow customers to create their own accounts. In all these cases, we can leverage services available in the Azure cloud, to build a platform offering unified access.

Which Azure cloud services can be helpful when it comes to user identity management?

I mentioned that as a company we can own different kinds of apps – desktop, mobile or web. We have to be able to secure and control access to all of them. Of course, we could create our own identity service, but the cost of building and maintaining it would be considerable.

A better idea is to use Azure cloud services. This way you can easily manage external access. Let’s see which components we’ll need for this.

What is Azure Active Directory?

Azure Active Directory (in short – Azure AD) is a cloud identity provider service, or Identity as a Service (IDaaS), provided by Microsoft. Its primary purpose is to provide authentication and authorization for applications in the cloud.

Developers can build apps and secure them with Azure AD. In this case, an application can be developed for a single organization (single-tenant) or as a general service (multi-tenant) accessible by any company using Azure AD.

In short – Azure AD is meant for businesses to allow their users to work with cloud applications. We have our corporate users there, logging in with our domain name, and it is dedicated to our organization.

If you’re new to Azure AD, Azure AD B2B and Azure AD B2C services, check out our guide for more information.

What is Azure Active Directory B2B?

Azure Active Directory B2B (Business-to-Business) is not a separate service. It is one of the features available in Azure AD. It allows a company to invite members of other organizations to share access to its applications.

When we invite a user to our application, they get access using their Azure AD account. There’s no need to create another account for them. No need for a new password. They simply sign on to our application with their credentials.

Let’s imagine that we have a web application and we would like to invite partners to collaborate. We can simply send them an invitation and they will be able to sign in using their own accounts.

What is Azure Active Directory B2C?

Azure Active Directory B2C (Business-to-Consumer) is a separate service from Azure AD. Built on the same technology, it is designed for a different scenario.

The main difference is that it is not for business users. Its function is to allow anyone to sign up as a service user with their email address or with a social media provider such as Facebook, Google or LinkedIn.

The purpose of Azure AD B2C is to allow companies to build a cloud identity directory for their customers.


Azure Functions

Azure Functions are very useful when it comes to creating automatic triggers for specific tasks like calling another Azure service when a file in an Azure Storage Account is deleted.

They can also be a good choice for integrating with Azure AD B2C, to provide additional user attributes from an external store during the login process.

Now it’s time to see how we can use them all in practice!

A Multi-Access Identity Platform in action

Together with my team at Predica, we faced a lot of questions from our clients about how to efficiently build a unified identity platform. They wanted to provide a similar login experience for employees, partners, and customers, and not have to manage multiple services.

Sample login and registration page using Azure AD B2C

We have recently built precisely that kind of solution for one of our clients. Here is how we used each service.

Federating Azure AD and Azure B2C

Many companies already have an Azure AD tenant configured. All internal user (employee) accounts are stored there. With the Azure AD B2B feature enabled, organizations are able to provide access for external partners.

We wanted to keep this configuration without modifications, so we decided to federate Azure AD with Azure AD B2C. A federation is a set of domains (here, tenants) that have established trust with one another.

In our scenario, the Azure AD B2C tenant trusts the Azure AD tenant, so users can sign in using their existing Azure Active Directory accounts.

Single authentication gateway using Azure Active Directory B2C

We used Azure AD B2C to provide a single authentication gateway for all different user types – employees, partners and customers.

With Azure AD B2C, we were able to set up login and registration pages (as presented in the image above) for multiple web apps.

We also federated the Azure AD B2C tenant with an external identity provider – in this case, Facebook. This way, users can use their social media accounts to access the service.

Setting up user profile with Azure Functions

Azure Functions were really helpful when it came to retrieving additional information about some users for the purpose of account creation. One of the most useful features of Azure AD B2C is the ability to call external services (REST APIs) to get the necessary data. Once gathered, it is then passed on to the application inside the access token.


Solution architecture

The following diagram presents a sample solution where we federated Azure AD with Azure AD B2C to provide access for a company’s employees and partners.

Architecture diagram for our unified access platform

Business users can click the “Internal/Partner” button (presented on the login screen) to be redirected to their organization’s Azure AD login page. Individual customers can either create a new account using the registration button or sign in using a Facebook account.

Custom B2C authorization

For some users, we were also able to create an additional store with information about their permissions, using Azure Functions and an Azure SQL database. This can be very helpful when we want to (or already do) keep additional data about users outside of Azure AD B2C.

Please note that Azure AD B2C is a service that only provides authentication. It does not support user authorization. However, with the following approach, we can easily add it.

When a user signs in, Azure AD B2C calls an Azure Function with their ID. The Azure Function then sends a query to the Azure SQL database to retrieve information regarding their permissions.

Here is how the model works:

Custom authorization store with Azure AD B2C

Afterwards, this data is returned in an access token so the web app can check permissions and decide whether the user should have access to a specific functionality or not.
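The two halves of that model, the Azure Function that answers B2C's call with the user's permissions and the web app that checks the resulting claim, are shown below as an added example; it is not code from the original post or from Predica's solution. The Azure SQL database is replaced with an in-memory SQLite table holding constructed rows, the Azure Functions HTTP-trigger wrapper is omitted so the handler runs offline, the caller check assumes the REST API is protected with HTTP basic authentication (one of the options B2C offers for REST API calls), and the response fields `version`, `action` and the claim name `extension_Permissions` are assumptions about the claim-exchange format rather than taken from the post. The defensive points the post leaves implicit are made explicit: the Function verifies that the request really comes from the identity service, an unknown user gets an empty permission list rather than an error (deny by default), and the web app only trusts claims from a token that its authentication middleware has already validated.

```python
import base64
import hmac
import json
import sqlite3

# Constructed credentials that the identity service is expected to present when
# it calls this REST API. In a real deployment they come from a secret store.
API_USERNAME = "b2c-connector"
API_PASSWORD = "replace-with-a-long-random-secret"


def open_permission_store() -> sqlite3.Connection:
    """Stand-in for the Azure SQL database: an in-memory SQLite table keyed by
    the B2C user object id, filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_permissions (object_id TEXT NOT NULL, permission TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO user_permissions VALUES (?, ?)",
        [
            ("11111111-aaaa-4bbb-8ccc-000000000001", "orders.read"),
            ("11111111-aaaa-4bbb-8ccc-000000000001", "orders.approve"),
            ("11111111-aaaa-4bbb-8ccc-000000000002", "orders.read"),
        ],
    )
    return conn


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP basic-auth header value (used here to construct test requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def caller_is_identity_service(headers: dict) -> bool:
    """Verify the basic-auth credentials B2C sends, using constant-time comparison."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return hmac.compare_digest(user, API_USERNAME) and hmac.compare_digest(password, API_PASSWORD)


def lookup_permissions(conn: sqlite3.Connection, object_id: str) -> list:
    """Parameterised query against the permission store (no string concatenation)."""
    rows = conn.execute(
        "SELECT permission FROM user_permissions WHERE object_id = ? ORDER BY permission",
        (object_id,),
    ).fetchall()
    return [row[0] for row in rows]


def handle_enrichment_request(headers: dict, body: dict, conn: sqlite3.Connection) -> tuple:
    """Handler body for the Azure Function: returns (HTTP status, JSON-serialisable body).
    The 'version'/'action' envelope and the extension claim name are assumed."""
    if not caller_is_identity_service(headers):
        return 401, {"error": "unauthorized"}
    object_id = body.get("objectId")
    if not isinstance(object_id, str) or not object_id:
        return 400, {"error": "objectId missing"}
    permissions = lookup_permissions(conn, object_id)
    # Unknown user -> empty permission list. The user still authenticates; they
    # simply receive no extra rights (deny by default instead of an error).
    return 200, {
        "version": "1.0.0",
        "action": "Continue",
        "extension_Permissions": " ".join(permissions),
    }


def has_permission(token_claims: dict, required: str) -> bool:
    """Web-app side: check the permission claim from an already validated token.
    Signature, issuer, audience and expiry checks are the authentication
    middleware's job and happen before the claims reach this function."""
    granted = token_claims.get("extension_Permissions", "")
    return required in granted.split()


if __name__ == "__main__":
    store = open_permission_store()
    request_headers = {"Authorization": basic_auth_header(API_USERNAME, API_PASSWORD)}
    status, response = handle_enrichment_request(
        request_headers, {"objectId": "11111111-aaaa-4bbb-8ccc-000000000001"}, store
    )
    print(status, json.dumps(response))
    # The claim B2C copies into the token is what the web app later inspects.
    print("can approve orders:", has_permission(response, "orders.approve"))
```

Running the block prints the 200 response with `orders.approve orders.read` in the permission claim and `True` for the approval check. The design choice worth noting is that the permission list is space-separated inside a single string claim, which keeps the token small and makes the web-app check a simple membership test; a second user with only `orders.read`, or an object id not in the store, fails the `orders.approve` check without any error path being involved.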

User authorization verification in the web app (access denied screen)

Summary

As you can see, building an identity platform is relatively simple using Azure services. We can provide secure access for anyone we need, while making sure they only see the resources they are permitted to. If you need a solution like this, read more about our Multi-Access Identity Platform.

Key takeaways

  1. With Azure AD B2C we can provide a unified access platform for various types of users – employees, partners, and customers.
  2. The Azure cloud offers identity services like Azure AD or Azure AD B2C which help to manage secure access.
  3. With Azure AD B2C, we can integrate our identity solution with external identity providers like Facebook or Google.
  4. Azure Functions can be used together with Azure AD B2C to look up user permissions in an external authorization store.
  5. Azure AD B2C only supports user authentication by default. Authorization mechanisms can be implemented using other Azure services.
