Azure AD and Azure AD B2C

Providing Users With Secure Access To The Resources They Need

One of the biggest challenges related to building applications is security. The key problems involve authenticating users and giving them access only to the required functionalities/parts of the application.

Let’s talk about how we can achieve this goal using Azure AD and Azure AD B2C.

Key points:

  • How to provide access to applications for an organization’s employees, partners and customers?
  • Which Azure cloud services to use to build a unified access platform?
  • How to use Azure AD identity services to provide the same user experience for everyone during the login process?

Our scenario

As a company, we own many different applications. We then have our employees, partners and customers, all of whom need access to some systems. We need to manage authentication for all of these types of users.

For some apps, we would like to grant access for employees and partner businesses. For others, we want to allow customers to create their own accounts. In all these cases, we can leverage services available in the Azure cloud, to build a platform offering unified access.

Which Azure cloud services can be helpful when it comes to user identity management?

I mentioned that as a company we can own different kinds of apps – desktop, mobile or web. We have to be able to secure and control access to all of them. Of course, we could create our own identity service, but the cost of building and maintaining it would be considerable.

A better idea is to use Azure cloud services. This way you can easily manage external access. Let’s see which components we’ll need for this.

What is Azure Active Directory?

Azure Active Directory (in short – Azure AD) is a cloud identity provider service, or Identity as a Service (IdaaS), provided by Microsoft. Its primary purpose is to provide authentication and authorization for applications in the cloud.

Developers can build apps and secure them with Azure AD. In this case, an application can be developed for a single organization (single-tenant) or as a general service (multi-tenant) accessible by any company using Azure AD.

In short – Azure AD is meant for businesses to allow their users to work with cloud applications. We have our corporate users there, logging in with our domain name, and it is dedicated to our organization.

If you’re new to Azure AD, Azure AD B2B and Azure AD B2C services, check out our guide for more information. Read it here

What is Azure Active Directory B2B?

Azure Active Directory B2B (Business-to-Business) is not a separate service. It is one of the features available in the Azure AD. It allows a company to invite members from other organizations to share application access.

When we invite a user to our application, they get access using their Azure AD account. There’s no need to create another account for them. No need for a new password. They simply sign on to our application with their credentials.

Let’s imagine that we have the web application and we would like to invite partners to collaborate. We can just send them an invitation and they will be able to sign in using their accounts.

What is Azure Active Directory B2C?

Azure Active Directory B2C (Business-to-Consumer) is a separate service from Azure AD. Built on the same technology, it is designed for a different scenario.

The main difference is that it is not for business users. Its function is to allow anyone to sign up as a service user with their email address or social media provider like Facebook, Google or LinkedIn.

The purpose of Azure AD B2C is to allow companies to build a cloud identity directory for their customers.

Watch the following video to learn more about the service.

Azure Functions

Azure Functions are very useful when it comes to creating automatic triggers for specific tasks like calling another Azure service when a file in an Azure Storage Account is deleted.

They can also be a good choice for integrating with Azure AD B2C, to provide additional user attributes from the external store during the login process.

Now it’s time to see how we can use them all in practice!

A Unified Access Platform in action

Together with my team at Predica, we faced a lot of questions from our clients about how to efficiently build a unified identity platform. They wanted to provide a similar login experience for employees, partners, and customers, and not have to manage multiple services.

Unified Access Platform: Example login screen using Azure AD B2C

Sample login and registration page using Azure AD B2C

We have recently built precisely that kind of solution for one of our clients. Here is how we used each service.

Federating Azure AD and Azure B2C

Many companies already have an Azure AD tenant configured. All internal user (employee) accounts are stored there. With Azure AD B2B feature enabled, organizations are able to provide access for external partners.

We wanted to keep this configuration without modifications, so we decided to federate Azure AD with Azure AD B2C. Federation is a collection of domains that have established trust.

In our scenario, Azure AD B2C tenant trusts the Azure AD tenant, so users can sign in using their existing accounts from the Azure Active Directory.

Single authentication gateway using Azure Active Directory B2C

We used Azure AD B2C to provide a single authentication gateway for all different user types – employees, partners and customers.

With Azure AD B2C, we were able to set up login and registration pages (as presented in the image above) for multiple web apps.

We also federated the Azure AD B2C tenant with external identity provider – in this case, Facebook. This way, users can use their social media accounts to access the service.

Setting up user profile with Azure Functions

Azure Functions were really helpful when it came to retrieving additional information about some users for the purpose of account creation. One of the most useful features of Azure AD B2C is the ability to call external services (REST APIs) to get the necessary data. Once gathered, it is then passed on to the application inside the access token.

Want more expert content? Leave your email address to get our industry insights every two weeks! Sign me up

Solution architecture

The following diagram presents a sample solution where we federated Azure AD with Azure AD B2C to provide access for a company’s employees and partners.

Unified access platform architecture

Architecture diagram for our unified access platform (click to view full-size)

Business users can click the “Internal/Partner” button (presented on the login screen) to be redirected to their organization’s Azure AD login page. Individual customers can either create a new account using the registration button or sign in using a Facebook account.

Custom B2C authorization

For some users, we were also able to create an additional store with information about their permissions using Azure Functions and Azure SQL database. This can be very helpful when we want to (or already do) keep additional data about users outside of the Azure AD B2C.

Please note that Azure AD B2C is a service that only provides authentication. It does not support user authorization. However, with the following approach, we can easily add it.

When a user signs in, Azure AD B2C calls an Azure Function with their ID. The Azure Function then sends a query to the Azure SQL database to retrieve information regarding their permissions.

Here is how the model works:

Unified access platform authentication model for Azure AD B2C

Custom authorization store with Azure AD B2C (click to view full-size)

Afterwards, this data is returned in an access token so the web app can check permissions and decide whether the user should have access to a specific functionality or not.

Access denied screen

User authorization verification in the web app

Summary

As you can see, building a Unified Identity Platform is relatively simple using Azure services. We can provide secure access for anyone we need, while making sure they only see the resources they are permitted to. If you need a solution like this and would like to discuss it, get in touch!

Key takeaways:

  1. With Azure AD B2C we can provide a unified access platform for various types of users – employees, partners, and customers.
  2. The Azure cloud offers identity services like Azure AD or Azure AD B2C which help to manage secure access.
  3. With Azure AD B2C, we can integrate our identity solution with external identity providers like Facebook or Google.
  4. Azure Functions can be used together with Azure AD B2C to verify user permissions in the external store related to authorization.
  5. Azure AD B2C only supports user authentication by default. Authorization mechanisms can be implemented using other Azure services.