[MUSIC] Adam Stoffel: Hi. My name is Adam Stoffel. Karen Schoen: And my name is Karen Schoen. Adam and I are part of the Customer Experience team within Microsoft Identity Engineering. We focus on external identities and help our customers build and deploy identity solutions for customers and partners. Today, we’ll take a look at Azure Active Directory B2C, our consumer identity and access management solution. Adam: Azure Active Directory B2C is a white label authentication solution which enables businesses, governments, and other organizations to provide their customers, consumers, or citizens with access to public facing web and mobile applications using the identities that they already have. Customers can use their preferred social identity, enterprise identity, or local accounts with a username and password to get single sign on access to any application. The entire experience can be completely branded and customized so that it blends seamlessly with each application. B2C can also centralize the collection of user profile and preference information and capture detailed analytics information about behavior and sign up conversion. By serving as a central authentication authority for all your applications, B2C provides you with a way to build a single sign on solution for any API, web, or mobile application. Microsoft will act as the secure front door to any of these applications and we’ll worry about the safety and scalability of the authentication platform. We will handle things like denial of service, password spray, and brute force attacks, so that you can focus on your core business and stay out of the identity business.B2C uses standard spaced authentication protocols like OpenID Connect, OAuth 2, and XAML so that it can integrate with almost any modern application or commercial off the shelf software. We offer out of the box support for integrating many different third party identity providers including social identities, developer accounts from GitHub, and you can bring any other external identity provider which supports a standard protocol. In addition to providing an enterprise grade security platform, B2C is also an extremely customizable solution which fits in perfectly with any consumer facing application. With B2C, you can enrich social and third party identity provider information with custom registration fields and user attributes and add multi-factor authentication to any user flow. You can also customize every page using HTML, CSS, and JavaScript so that the B2C experience looks and feels exactly like it’s apart of the web or mobile application. The power of Azure AD B2C lies in the identity experience framework. This framework is an extremely powerful orchestration engine which can be used to build almost any authentication, user registration, profile editing, or account recovery experience that you can imagine. The IEF gives you the ability to construct user journeys out of any combination of steps, such as federation with other identity providers, first party or third party multi-factor authentication challenges, collecting additional user input, and integration with external systems using rest API communication. Each of these user journeys is defined by a policy and you can build as many or as few polices as you need in order to enable the best user experience for your business. Now, let's take a look at how Azure AD B2C actually integrates into a web application. Here we have WoodGrove Groceries. They're a modern, 21st century grocery store, so they sell their goods online to their customers. They're using Azure AD B2C to authenticate their customers and have designed their sign-in and sign up policies to offer a seamless and secure user experience. If we click on sign-in, we’re presented with a few different options for sign-in and here we’ll follow the individual customers flow, that’s what’s using Azure AD B2C. When I click sign-in here, their website redirects me over to Azure AD B2C and presents me with a policy with a few different options for sign-in. I can use a social account or I can sign-in with a local account using an email address and a password. Let's sign up for a local account here. When I click sign up, I can see that there's a few different pieces of information that WoodGrove Groceries wants to collect about me. As usual, I need to provide my email address. And we’ll go ahead and do an inline verification on this email address. B2C will send a verification code to that email and I’ll need to provide that verification code right here. This enables us to verify that the user actually owns that email so that they can use it later on for things like password reset and account recovery. Of course, I also need to provide a password. We can see here that we’re doing an automate check for complexity of the password. And we’re also collecting a few other pieces of information: a display name and in this situation an account ID, which is a great example of how we can collect custom user attributes and a B2C registration flow. Those custom attributes can also have verification logic, so we have an inline verification logic right here and we need to agree to a terms of service in order to get signed in. So, let go ahead and I’ll check that I agree to that terms of service. And now I need to provide my verification code that I got sent via email. And great, we’re verified. I’ll go ahead and I’ll click create. And well see that this policy is actually stopping me. There's one other verification that’s done here in this policy and that is by calling a rest API. We actually send that account number that was provided to a rest API to verify whether that’s the correct data. In this situation, the rest API has returned an error message and says that that account number is not quite right. For the purposes of our demo, we need to make sure that our account number ends with a five. So, let me update that. Great. Now I can proceed. My account’s been created. And the next thing that I'm asked to do is enroll in multi-factor authentication. So, let's go ahead and do that. With B2C, I can do multi-factor authentication challenges via either text message or SMS or phone call. I’ll send a code here to verify via SMS. Great. Now I verified my MFA enrollment and I'm redirected back to the application. Here, when I'm back in this demo, there's a few other interesting things that we can show. For example, I can show how we link a social account to this identity. When I click on link a social account, I'm taken back to B2C and asked which social provider I’d like to associate with my existing identity. In this case, I’ll add a Facebook account. Now that I've linked my Facebook account to this identity, Azure Active Directory B2C knows that I'm the same user and I can use either credential to get logged in, my Facebook account or the username and password that I set up. B2C has also updated my profile information with data from that third party identity provider. And you can see, for example, that my profile photo from Facebook has now been populated into Azure AD B2C. I'm going to go ahead and get logged out and then log back in so that I can show you one other interesting feature of Azure AD B2C. I’ll once and I’ll sign in with that same account that I just used. I’ll use Facebook this time to get logged in. Here we can see that on this second authentication attempt, Azure AD B2C has invoked progressive profiling. Progressive profiling allows you to collect additional attributes from the user on subsequent logins and you can configure this many ways. You might do this based on a certain amount of time having passed since a previous authentication or it could be a certain number of authentications that have happened. There's flexibility there in that custom policy framework for you to choose how to invoke that progressive profiling behavior. Here I’ll say that I have allergies to a couple different types of food, for example, to dairy and nuts. And we can see how that data will be collected and stored in my B2C profile so that it can exposed to the applications. In this situation, that information’s been added to my authentication token and here I can see how the application has actually changed its behavior in response to that updated information. In this situation, the application is displaying some warning icons here showing me that I may be allergic to certain kinds of products. The other thing that I’ll call out is you may have noticed that during this sign-in attempt, I wasn’t prompted to perform an MFA challenge. That’s because in this demo, we’ve set up our policy to use step up multi-factor authentication. With step up multi-factor authentication, we can actually make the user experience a little bit more seamless and also save money on the cost of those MFA transactions. In this situation, the only time I’ll be asked to perform a multi-factor challenge is when I perform a more sensitive operation. So, for example, in this demo, we’ll see that when I go to complete the purchase, that’s when I’ll be asked for multi-factor authentication. When I click complete purchase, the application can see that my current authentication context does not have a strong authentication claim in it and I'm sent back to B2C so that I can perform that step up authentication challenge. Once I complete that multi-factor challenge, I'm taken back to the application with an updated authentication context which includes the fact that I've strongly authenticated myself. Karen: Thank you Adam. I hope this video has helped you learn more about Azure AD B2C. Adam: Watch the next video to find out more about how to set up Azure AD B2C, the simplicity of built in user journeys, and the power of custom polices. [MUSIC]
