Azure Active Directory B2C deployment plans

Azure Active Directory B2C (Azure AD B2C) is an identity and access management solution that can ease integration with your infrastructure. Use the following guidance to help understand requirements and compliance throughout an Azure AD B2C deployment.

Plan an Azure AD B2C deployment

Requirements

After migration, your applications can support modern identity protocols such as Open Authorization (OAuth) 2.0 and OpenID Connect (OIDC).

Stakeholders

Technology project success depends on managing expectations, outcomes, and responsibilities.

  • Identify the application architect, technical program manager, and owner
  • Create a distribution list (DL) to communicate with the Microsoft account or engineering teams
    • Ask questions, get answers, and receive notifications
  • Identify a partner or resource outside your organization to support you

Learn more: Include the right stakeholders

Communications

Communicate proactively and regularly with your users about pending and current changes. Inform them about how the experience changes, when it changes, and provide a contact for support.

Timelines

Help set realistic expectations and make contingency plans to meet key milestones:

  • Pilot date
  • Launch date
  • Dates that affect delivery
  • Dependencies

Implement an Azure AD B2C deployment

  • Deploy applications and user identities - Deploy client application and migrate user identities
  • Client application onboarding and deliverables - Onboard the client application and test the solution
  • Security - Enhance the identity solution security
  • Compliance - Address regulatory requirements
  • User experience - Enable a user-friendly service

Deploy authentication and authorization

Learn more with the Microsoft Identity PDF, Gaining expertise with Azure AD B2C, a course for developers.

Checklist for personas, permissions, delegation, and calls

  • Identify the personas that access to your application
  • Define how you manage system permissions and entitlements today, and in the future
  • Confirm you have a permission store and if there are permissions to add to the directory
  • Define how you manage delegated administration
    • For example, your customers' customers management
  • Verify your application calls an API Manager (APIM)
    • There might be a need to call from the IdP before the application is issued a token

Deploy applications and user identities

Azure AD B2C projects start with one or more client applications.

Application deployment checklist

  • Applications included in the CIAM deployment
  • Applications in use
    • For example, web applications, APIs, single-page web apps (SPAs), or native mobile applications
  • Authentication in use:
    • For example, forms federated with Security Assertion Markup Language (SAML), or federated with OIDC
    • If OIDC, confirm the response type: code or id_token
  • Determine where front-end and back-end applications are hosted: on-premises, cloud, or hybrid-cloud
  • Confirm the platforms or languages in use:
  • Verify where user attributes are stored
    • For example, Lightweight Directory Access Protocol (LDAP) or databases

User identity deployment checklist

Client application onboarding and deliverables

Use the following checklist for onboarding an application

Area Description
Application target user group Select among end customers, business customers, or a digital service.
Determine a need for employee sign-in.
Application business value Understand the business need or goal to determine the best Azure AD B2C solution and integration with other client applications.
Your identity groups Cluster identities into groups with requirements, such as business-to-consumer (B2C), business-to-business (B2B) business-to-employee (B2E), and business-to-machine (B2M) for IoT device sign-in and service accounts.
Identity provider (IdP) See, Select an identity provider. For example, for a customer-to-customer (C2C) mobile app use an easy sign-in process.
B2C with digital services has compliance requirements.
Consider email sign-in.
Regulatory constraints Determine a need for remote profiles or privacy policies.
Sign-in and sign-up flow Confirm email verification or email verification during sign-up.
For check-out processes, see How it works: Microsoft Entra multifactor authentication.
See the video Azure AD B2C user migration using Microsoft Graph API.
Application and authentication protocol Implement client applications such as Web application, single-page application (SPA), or native.
Authentication protocols for client application and Azure AD B2C: OAuth, OIDC, and SAML.
See the video Protecting Web APIs with Microsoft Entra ID.
User migration Confirm if you'll migrate users to Azure AD B2C: Just-in-time (JIT) migration and bulk import/export.
See the video Azure AD B2C user migration strategies.

Use the following checklist for delivery.

Area Description
Protocol information Gather the base path, policies, and metadata URL of both variants.
Specify attributes such as sample sign-in, client application ID, secrets, and redirects.
Application samples See, Azure Active Directory B2C code samples.
Penetration testing Inform your operations team about pen tests, then test user flows including the OAuth implementation.
See, Penetration testing and Penetration testing rules of engagement.
Unit testing Unit test and generate tokens.
See, Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials.
If you reach the Azure AD B2C token limit, see Azure AD B2C: File Support Requests.
Reuse tokens to reduce investigation on your infrastructure.
Set up a resource owner password credentials flow in Azure Active Directory B2C. You shouldn't use ROPC flow to authenticate users in your apps.
Load testing Learn about Azure AD B2C service limits and restrictions.
Calculate the expected authentications and user sign-ins per month.
Assess high load traffic durations and business reasons: holiday, migration, and event.
Determine expected peak rates for sign-up, traffic, and geographic distribution, for example per second.

Security

Use the following checklist to enhance application security.

Conditional Access and Microsoft Entra ID Protection

Compliance

To help comply with regulatory requirements and enhance back-end system security you can use virtual networks (VNets), IP restrictions, Web Application Firewall, and so on. Consider the following requirements:

  • Your regulatory compliance requirements
    • For example, Payment Card Industry Data Security Standard (PCI DSS)
    • Go to pcisecuritystandards.org to learn more about the PCI Security Standards Council
  • Data storage into a separate database store
    • Determine whether this information can't be written into the directory

User experience

Use the following checklist to help define user experience requirements.

  • Identify integrations to extend CIAM capabilities and build seamless end-user experiences
  • Use screenshots and user stories to show the application end-user experience
    • For example, screenshots of sign-in, sign-up, sign-up/sign-in (SUSI), profile edit, and password reset
  • Look for hints passed through by using query string parameters in your CIAM solution
  • For high user experience customization, consider a using front-end developer
  • In Azure AD B2C, you can customize HTML and CSS
  • Implement an embedded experience by using iframe support:

Monitoring auditing, and logging

Use the following checklist for monitoring, auditing, and logging.

Resources

Next steps

Recommendations and best practices for Azure Active Directory B2C