Configuring Azure AD B2C for Customer Identity Protection

Configuring Azure AD B2C for Customer Identity Protection

05/01/2025

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and using Azure AD B2C (Business-to-Consumer) to protect and manage customer identities. In a digital world where customer experience is paramount, offering a secure, intuitive and customizable registration and login process is crucial. Azure AD B2C is a Customer Identity and Access Management (CIAM) solution that allows your customers to sign up and sign in to your applications and APIs using their social identities (such as Google, Facebook) or local accounts [1].

Introduction

Customer identity is the foundation of the modern digital experience. Web and mobile applications need a robust system to manage the registration, login and profiles of millions of customers, ensuring security, scalability and compliance with privacy regulations. Developing and maintaining an internal CIAM system is complex, expensive and prone to security errors. Solutions like Azure AD B2C eliminate this complexity by providing a platform-as-a-service (PaaS) that handles all aspects of customer identity management [2].

Azure AD B2C extends the capabilities of Azure Active Directory to meet the specific needs of consumer-facing applications. It allows organizations to completely customize the customer identity experience, from login and registration pages to the attributes that are collected. Additionally, it integrates with advanced security features such as multi-factor authentication (MFA), Conditional Access, and Identity Protection to protect customer accounts against common threats such as brute force attacks and compromised credentials [3].

This practical guide will cover prerequisites, B2C concepts, how to create and configure a B2C tenant, register applications, configure customizable user flows (registration, login, profile editing, password reset), how to integrate with applications and how to test and validate authentication. Step-by-step instructions, practical examples, and concise explanations will be provided so that the reader can implement, test, and validate these features. In addition, security tips, compliance checks and best practices will be discussed to ensure that your customers' identities are protected and managed efficiently, autonomously, professionally and reliably.

Why is Azure AD B2C crucial for protecting customer identities?

  • Enhanced Customer Experience: Provides social login options and full user interface customization, resulting in a fluid and consistent user experience.
  • Robust Security: Integrates enterprise-grade security features such as MFA, Conditional Access, and Identity Protection to protect customer accounts from attacks.
  • Scalability and Reliability: Designed to handle millions of users and billions of authentications, ensuring high availability and performance.
  • Compliance: Helps meet data privacy regulations such as GDPR and LGPD through control over the storage and processing of customer data.
  • Cost Reduction: Eliminates the need to build and maintain a complex internal identity infrastructure.
  • Flexibility: Supports a wide range of authentication protocols (OpenID Connect, OAuth 2.0, SAML) and can be integrated with virtually any application.

Prerequisites

To configure Azure AD B2C, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the role of Global Administrator or User Administrator in the Azure subscription.
  3. Azure AD B2C Tenant: A new Azure AD B2C tenant, which is a separate directory from your corporate Azure AD tenant.

Step by Step: Configuring Azure AD B2C

Let's create a B2C tenant, register an application and configure a user flow.

1. Creating an Azure AD B2C Tenant

A B2C tenant is a separate directory that stores your customers' identities.

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the permissionss necessary.
  3. In the top search field, type Azure Active Directory B2C and select it from the results.

  4. Click + Create a new Azure AD B2C tenant.

  5. Create a B2C tenant:

    • Tenant Type: Azure AD B2C Tenant.
    • Organization name: Give a name for your organization (ex: MyCompanyB2C).
    • Initial domain name: Choose a unique domain name (ex: mycompanyab2c.onmicrosoft.com).
    • Country/Region: Select your country/region.
    • Subscription: Select your Azure subscription.
    • Resource group: Create a new resource group (ex: rg-b2c) or select an existing one.

  6. Click Review + create and then Create.

    • Explanation: B2C tenant creation may take a few minutes. Once created, you will need to switch to this new B2C directory to manage it.

2. Registering an Application in Azure AD B2C

Each application that will use Azure AD B2C for authentication needs to be registered.

  1. In the Azure portal, make sure you are on the Azure AD B2C tenant (use the directory selector in the top right corner).
  2. In the left navigation pane, select Application Registrations under Manage.

  3. Click + New registration.

  4. Register an application:

    • Name: Give a name for your application (ex: WebApp-MinhaEmpresa).
    • Supported account types: Select Accounts in any organizational directory or identity provider directory (to authenticate users with user flows).
    • Redirect URI (optional): Select Web and enter the URL where the authentication token will be sent after login (e.g. https://localhost:5001/signin-oidc for local development or the production URL of your application).
    • Permissions: Check Grant admin consent for openid and offline_access permissions.

  5. Click Register.

  6. After registration, note the Application ID (client) and Directory ID (tenant). You will need them to configure your application.

3. Creating User Flows

User flows are predefined, customizable identity experiences for registration, login, profile editing, and password reset.

  1. In the left navigation pane of your Azure AD B2C tenant, select User Flows under Policies.

  2. Click +New User Flow.

  3. Create a user flow:

    • User flow type: Select Register and sign in.
    • Version: Recommended.
    • Name: Give a name (ex: B2C_1_signup_signin).
    • Identity Providers: Select Local Account Email (and others like Google, Facebook if you want to integrate social providers).
    • User Attributes and Token Claims: Select the attributes you want to collect during registration (e.g. Email Address, Given Name, Last Name) and the claims that will be included in the token.
    • Multi-Factor Authentication (MFA): Disabled (for this example, but can be enabled for extra security).
    • Conditional Access: Disabled (for this example).

  4. Click Create.

  5. Repeat the process to create other user flows, such as Password Reset (e.g. B2C_1_password_reset) and Profile Edit (e.g. B2C_1_profile_edit).

    • Explanation: User flows are the backbone of the customer identity experience. They define the sequence of screens and interactions that a user will have during the authentication process. You can customize the appearance and behavior of these flows.

4. Customizing the User Interface (UI) of User Flows

You can customize the appearance of the login and registration pages to match your application's branding.

  1. In the left navigation pane of your Azure AD B2C tenant, select User Flows.
  2. Click on the user flow you created (ex: B2C_1_signup_signin).
  3. In the left navigation pane, select Page Layouts.

  4. You can customize the layout of each page (ex: Unified Login Page, Local Account Signup Page) using custom CSS or HTML to match your brand.

    • Explanation: For advanced customization, you can host your own HTML/CSS/JavaScript files on an Azure blob storage and reference themthem here.

5. Integrating Azure AD B2C with an Application

Integration involves configuring your application to use Azure AD B2C for authentication. The process varies depending on the platform and framework of your application. We will use a conceptual example for a web application.

  1. Configure the Application to Use OpenID Connect: Your application will need to use an OpenID Connect client to communicate with Azure AD B2C.

  2. Configuration Parameters: You will need the following parameters from your B2C tenant and registered application:

    • Client ID (Application ID): The ID of your registered application (ex: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
    • B2C Tenant ID (Tenant ID): The name of your B2C tenant (ex: mycompanyab2c.onmicrosoft.com).
    • User Flow Name (Policy Name): The name of the user flow you want to use for login (ex: B2C_1_signup_signin).
    • Redirect URI: The URL you configured in the application registration (ex: https://localhost:5001/signin-oidc).

    • OpenID Connect Metadata Endpoint: This endpoint provides the B2C configuration information. The format is typically https://<tenant_name_b2c>.b2clogin.com/<tenant_name_b2c>.onmicrosoft.com/<userflow_name>/v2.0/.well-known/openid-configuration.

    • Configuration example (pseudocode for an ASP.NET Core web application): csharp // Startup.cs or Program.cs services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(options => { Configuration.Bind("AzureAdB2C", options); options.Instance = "https://minhaempresab2c.b2clogin.com"; options.Domain = "mycompanyab2c.onmicrosoft.com"; options.ClientId = "<CLIENT_ID_DA_APLICACAO>"; options.SignUpSignInPolicyId = "B2C_1_signup_signin"; options.CallbackPath = "/signin-oidc"; options.SignedOutCallbackPath = "/signout-oidc"; options.ClientSecret = "<CUSTOMER_SEGREDO_SE_USADO>"; // Only for web apps that are not SPAs });

    • Explanation: The Microsoft.Identity.Web library simplifies integration of Azure AD B2C with .NET applications. For other platforms, there are equivalent SDKs and libraries.

Validation and Testing

It is crucial to test the authentication process and user experience.

1. Testing the Registration and Login User Flow

  1. Scenario: Access your web application configured to use Azure AD B2C. Try registering a new user and then log in with the newly created account.
  2. Expected Action: You should be redirected to the Azure AD B2C registration/login page, be able to create an account, log in, and be redirected back to your application successfully.
  3. Verification:
    • In the Azure portal, in your B2C tenant, navigate to Users under Manage. The new user should appear in the list.
    • Check Azure AD B2C audit logs to confirm registration and login events.

2. Testing Password Reset

  1. Scenario: Try to reset a user's password using the password reset user flow.
  2. Expected Action: The user should be able to reset their password and log in with the new password.
  3. Verification:
    • Check the Azure AD B2C audit logs to confirm the password reset event.

3. Checking audit logs in Azure AD B2C

  1. In the Azure portal, in your B2C tenant, navigate to Azure Active Directory > Monitoring > Audit logs.
  2. Filter the logs by Category = Core Directory and Activity = Sign-in or Sign-up.
  3. Check the event details to confirm the success of authentication operations.

Security Tips and Best Practices

  • Enable MFA: Always enable multi-factor authentication (MFA) for login user flows, especially for accounts with privileges or access to sensitive data. MFA is one of the most effective defenses against credential compromise attacks.
  • Use Conditional Access: Integrate Azure AD B2C with Conditional Access to enforce risk-based security policies, such as requiring MFA for logins from unknown locations or non-compliant devices [3].
  • Identity Protection:Use Azure AD B2C Identity Protection features to detect and remediate identity risks, such as leaked credentials or anomalous logins.
  • Secure UI Customization: When customizing login/registration pages, ensure that custom HTML/CSS/JavaScript does not introduce security vulnerabilities (e.g. XSS). Use secure blob storage with correctly configured CORS.
  • Restrict User Attributes: Collect only those user attributes that are strictly necessary for your application and business. This minimizes the risk of data exposure and helps with compliance.
  • Log Monitoring: Continuously monitor Azure AD B2C audit logs and sign-in logs to detect suspicious activity or attempted attacks.
  • Client Secret Rotation: If your application uses a client secret, be sure to rotate it regularly and store it securely (e.g. Azure Key Vault).
  • Integration with Social Providers: When integrating social identity providers such as Google or Facebook, configure them correctly and follow each provider's security guidelines.

Common Troubleshooting

  • Error when creating B2C tenant:
    • Check that you have the necessary permissions in your Azure subscription.
    • Make sure the initial domain name is unique and not in use.
  • Redirection error after login/registration:
    • Verify that the Redirect URI configured in the application registration in Azure AD B2C exactly matches the return URL of your application.
    • Make sure the protocol (HTTP/HTTPS) and port are correct.
  • User flow does not work or displays error:
    • Verify that the user flow was created correctly and that identity providers and user attributes are selected.
    • Test the user flow directly from the Azure portal (on the user flow page, click Run user flow) to isolate the issue.
    • Check audit logs for error messages.
  • UI customization is not applied:
    • Check that the URLs of custom CSS/HTML files are correct and publicly accessible (if hosted on blob storage).
    • Make sure CORS is configured correctly on your blob storage to allow access from the b2clogin.com domain.
    • Clear your browser cache to ensure the latest changes are loaded.
  • Application integration issues:
    • Check that the Customer ID, B2C Tenant ID and User Flow Name are configured correctly in your application.
    • Make sure the authentication libraries in your application are up to date.
    • Check your application logs for authentication error messages.

Conclusion

Azure AD B2C is a powerful and flexible solution for managing and protecting your customers' identities, offering an improved user experience and robust security. By delegating the complexity of identity management to Microsoft, organizations can focus on their core business, ensuring their customer data is secure and compliant. Careful implementation of user flows, integration with security best practices, and continuous monitoring are critical to maximizing the benefits of Azure AD B2C. With this practical guide, security professionals and IT administrators will be well-equipped to configure, validate, and manage Azure AD B2C, protecting their customers' identities and strengthening the overall security posture of their applications.

References:

[1] Microsoft Learn. Azure Active Directory B2C documentation. Disponível em: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/ [2] Microsoft Learn. Best practices for Azure AD B2C. Available at: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/best-practices [3] Microsoft Learn. Identity Protection and Conditional Access in Azure AD B2C. Available at: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/conditional-access-identity-protection-overview [4] Microsoft Learn. Register a web application in Azure Active Directory B2C. Available at: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/tutorial-register-applications [5] Microsoft Learn. Create user flows and custom policies - Azure Active Directory B2C. Available at: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/tutorial-create-user-flows [6] Microsoft Learn. Configure authentication in a sample web application using Azure AD B2C. Available at: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/configure-authentication-sample-web-app [7] Microsoft Learn. Investigate risks with Identity Protection in Azure AD B2C. Available at: https://learn.microsoft.com/pt-br/azure/active-directory-b2c/identity-protection-investigate-risk