Customer Identity Management with Azure AD – On.NET

>>Today on the ON.NET show we’re going to be learning about Azure AD B2C, which allows you to add identities to your app easily. Come watch. Save the date for .NET Conf 2018, on September 12-14. .NET Conf is a free, three-day virtual developer event co-organized by the .NET community and Microsoft. You’ll enjoy a wide selection of live sessions that feature speakers from the community and the .NET product teams. Head over to www.dotnetconf.net to learn more and save the date.
>>Welcome to another episode of ON.NET. Today, we’re going to be talking about Azure AD B2C with Parakh. Okay. How about you introduce yourself and then we can dig into the topic. So, what the heck is Azure AD B2C?
>>Absolutely. Thank you for having me here.
>>No problem.
>>I am a Product Manager or Program Manager working on the Azure Active Directory B2C team. What this service is, for Azure, is a way for you to add an identity system into your applications, so that customers can sign in, right. So, let me start off with an example. Real Madrid is using-
>>That’s a soccer team, right?
>>That is a soccer team. That’s the football team.
>>Okay. Yeah.
>>From Madrid, and what they’ve done on their application, Realmadrid.com, is they’re using our sign-in service, the Azure AD B2C sign-in service, to allow fans to sign in. Then once they do, the application, Realmadrid.com, would effectively get their information coming from Azure, but going to the application.
>>Right. Because when I log in to my Office 365 email account that Microsoft provides me as an employee, or into SharePoint, which Microsoft also provides me as an employee, there I’m using Azure AD. That’s what I’m authenticating against, right?
>>That’s right. Yeah.
>>Because that’s the employee scenario.
>>Exactly.
>>This is not that, right?
>>No.
>>So, this is for?
>>The consumers, the customers, the citizens, if you’re a government.
>>Right.
>>It’s for the person out there, who wants to just sign up for an application.
>>Right. So, like for the Microsoft Store, for example, you can log in and have an account and buy laptops and copies of Office, presumably.
>>Yeah, exactly.
>>They could use Azure AD B2C.
>>Yeah. So, in fact, I’ll jump into another example. We have another Danish company who’s using B2C. You can see they have a customized experience that’s completely different from Real Madrid. So, it’s completely white label. They designed the experience that they want and, if you want, you can have it in 36 different languages as well, as of today.
>>Okay. Is that how many languages your strings are localized in?
>>Yeah. Actually they can customize the strings completely. So, if they wanted to create their own language and they specify it, go for it.
>>Okay.
>>Yeah.
>>Right. So, there’s no real limitations.
>>Exactly.
>>Do you provide an out-of-the-box auth UI or no?
>>We do. We do. I can show you that.
>>But I assume that’s not it.
>>That’s not it. So, what they did was they took the HTML and CSS. They provided their own HTML and CSS and that’s what we render.
>>Okay. You guys are totally cool with that?
>>Yeah, absolutely.
>>Okay. Awesome. Just keep on going.
>>Cool. So, just to kind of quickly summarize what B2C is: it’s allowing customers of organizations to bring their own identities, to allow them to sign in to, say, your applications. If you’re Real Madrid, customers could bring their Twitter, their Facebook identities and actually just sign into Realmadrid.com. If you were a government, then as a citizen you could use your government ID as a way to sign in. It’s allowing governments and all of these organizations to scale very quickly as the organization scales. You’re not hindered by the fact that it’s growing quickly, it’s going viral, and oh, crap, your database can’t handle these users.
>>Right. So here, let me ask a super fundamental question, which is: we already have this Active Directory system. There’s obviously existing Active Directory, but Azure Active Directory has existed for what, 5-6 years now, or maybe longer. We already have that. Why didn’t we just use that for Real Madrid, for example, to sign up their customers? Why do we need something different? Or how are they different?
>>Yeah. So, there are two main reasons why. First is scale. Typically, if you look at your organization, look at the number of employees they have. It’s rare for it to be in the millions, whereas organizations get hit with hundreds of millions if not billions.
>>I assume US Post Office.
>>Absolutely, right. Absolutely. Then the other thing is the ability to customize. The flexibility of being able to customize the user experience, the whole branding of it, the look and feel: not that we’re presenting that this is Microsoft, but presenting that this is your own brand. That’s the biggest appeal for using B2C.
>>I see. So, it’s kind of more oriented to the ISV market sort of thing.
>>Exactly.
>>Makes sense. Okay. So, that’s kind of a value prop. Maybe we should talk more about, a little more about the flow of how the system works.
>>Okay, yeah. So, imagine this scenario. Let’s just call it Contoso, where there are three applications that Contoso’s building: a gaming application, a billing application, a music application. Say there’s a user named John. John comes through the gaming application and wants to sign in. He clicks sign in and what will happen is that John will be redirected to the service, the Azure AD B2C service, where he will be presented with options on how John wants to sign in. Once he does, he’s signed in successfully, and a token will be issued back to the application. Now the cool part is this unlocks SSO. So, if he were to go back to the gaming application, the billing application, the music application, he doesn’t need to sign in again.
>>Right. SSO, we mean single sign-on.
>>Absolutely.
>>Yeah. Right.
>>All of this is configured in B2C using a concept we call Policy. It’s really the crux of it all. It’s, hey, there’s a user flow that I want to build. It has a different UI experience. It has certain token lifetimes. How do I configure all of that? We configure it through Policies.
>>Okay.
>>Yeah.
>>Makes sense. So it looks like on the slide here that you have a federation system as well. So it’s not just this case of, like, oh, you have to create a Microsoft account, like we’ve kind of had in the past. Basically, there is at least Facebook and Google I see listed there that you can just sign in with, and then you’re already part of the system. Are there more than just those two?
>>Yeah. There’s quite a few actually. I can show it to you by taking you to our portal, all of the options that we have available. So, what you’re looking at here is the management experience for Azure AD B2C. If people worked on identity providers, I have four configured already. One is for Google, one is for Microsoft, Microsoft accounts, and one is for Facebook. Then I have another one that’s a very custom OpenID Connect identity provider that I’ve configured, which is connecting to an Azure AD tenant, an Azure AD service.
>>Okay. Is that the case if, going back to the Real Madrid example, I was a Real Madrid employee? I’m president of Real Madrid and I logged onto the website. Can I then log in with my [email protected] email address that actually authenticates against Azure AD?
>>Exactly.
>>Okay. That’s actually pretty cool.
>>Yeah. So, the whole idea is, why should you have multiple identities? Use one identity, go around the world, do everything you need to do with that identity. There are absolutely more identity providers you can add. So, today, just out-of-the-box in addition to those four, you can add LinkedIn, Amazon, and some other ones that we have in preview.
>>Okay. It looks like there are some that are more Asia oriented.
>>Exactly. Some Chinese identity providers?
>>Yeah. Awesome.
>>For the Chinese markets.
>>Yeah. We like that.
>>Yeah. In fact, I can quickly walk you through the portal and kind of give you the layout of the whole experience.
>>Great.
>>The first thing you’d want to do is create an application. In fact, let me walk you through a demo here. The demo we’re going to build is an application, a .NET Core 2.0 application. By clicking on File, New Project, and creating this application, you’ll have B2C already configured.
>>Okay. Wow.
>>Good. Yeah. So, the first thing I’d say is go to File, New, and click on Project. Let’s select the .NET ASP Core application. I’m going to give it a name, DemoApp. Okay.
>>Very unique name.
>>Right. It’s the most common name available. All right. So, what I’m doing here is, I’m changing the way authentication works. I’m configuring how the project, on what middlewares should be added to this system. I’m going to select individual accounts because you as an individual are looking to sign in to this application, as an individual looking to sign into the Real Madrid app in a sense. So, instead of saying store the users in the app, meaning in a directory or in a store object, in a file object that has to, in a sense, even scale now as the application scales.
>>I get it.
>>I’m going to store it in the Cloud, with B2C, and what I’m going to provide here is my tenant name, the directory where all the users will be stored. I’m going to provide the application ID. This is how you identify this application to Azure Active Directory B2C.
>>Okay.
>>So, I’m going to go over here, create this application.
>>Right. This application ID, would you consider that to be a secret?
>>It is not a secret.
>>It’s not a secret.
>>It’s just an identifier.
>>Okay.
>>You can generate secrets but that’s a different one.
>>Okay.
>>Inside the reply URL, which is where the token will be sent back to after the user signs in, I’m going to specify what the application would like me to specify. So, I’ll take “Copy”, hit “Paste” in here. Because this is a web app that I’m creating, I’m going to simply click “Yes” over here and that’s it. I’m going to hit “Save It” and hit “Create”. So I’ve created, I registered this application with B2C. I’ve, as I showed you earlier, also configured a few identity providers. The way I would do this is I would just go to their proper websites, their developer consoles, and register an application there, just the way I did.
>>Understood. I’ve done that before.
>>Cool. Yeah. Now, the last thing that is critical, which is what I was talking about, this policy, is how you’re creating these experiences. There are multiple kinds of policies, but in this particular demo I’m going to create two kinds. One is a sign-up or sign-in experience and the other I’m going to create is a password reset experience. Got it?
>>Both of those sound important.
>>Yeah. So, very quickly, I’m going to do it out-of-the-box. I’m going to give it a name, SUSIdemo, and then for the identity providers I’ll just say, “Hey, I want users to be able to sign in with their MSA, Google and Facebook accounts.” For the attributes, the sign-up attributes, I’ll say, “Hey, when you do sign up, please give me your display name, what would you like me to call you?” I hit “Okay”.
>>I see. So, this is effectively the information that the application gets.
>>Exactly. Well, sign-up attributes are the information that we collect during sign up. The, “Hey, user, give us the information about you that you want us to know.” Right? So, it could be, “Hey, give me your gamer tag, give me your street address, give me your shoe size.”
>>I see. So, is this the information from the federated system that B2C collects?
>>That’s right too.
>>Okay.
>>So, we will also look at, “Hey, the federated system is giving us all this information, we will store it.” But in addition to that, perhaps Facebook doesn’t have your shoe size, then we’ll say, “Okay, well, we don’t have your shoe size then, can you give us that information too?”
>>Okay.
>>Cool. But here, where you were going back to earlier, application claims. This is where I actually specify what is the information that should be sent back to the application.
>>Okay. So, these are two different things.
>>Two different things.
>>Now, I assume. Do these not necessarily have to overlap?
>>They do not.
>>Okay.
>>Yeah.
>>I mean sometimes you just want to collect a lot of information during sign up, but certain applications, different applications use different amounts of data.
>>Okay.
>>Cool. Here is where I would trigger, just by the switch of a button, I can turn on MFA. I won’t do it right now, but.
>>Right.
>>By clicking on, every time the user signs in, they’ll have to use their phone to sign in.
>>Right now, if that’s on, that’s going to affect the sign-up experience as well. Right?
>>That I can control. In this case, this is a sign-up or sign-in policy, so it will trigger in both cases, at sign up and during sign in. But if I wanted to have a different experience during the sign up versus sign in, I would create two different policies here. I would create a sign-up experience and then, independently to that, I would create a sign-in experience. For one or the other I can enable or disable MFA.
>>I see. Okay. I think I get that.
>>Yeah. Then that’s it. I’m not going to customize my UI, I’m just going to take the default template.
>>Right. The way, just what we were talking about before, whether there was one.
>>Exactly. What I would have done in this case now, I would have done the same exact thing by going through our password reset. But I’m just going to take an existing one that I already have.
>>Great.
>>So, I will take this information. So, for the reset password policy I put it here. For the sign up, sign in, I don’t remember, it was SUSIdemo, and I hit “Okay”.
>>Yeah, you’ve done this before.
>>Oops. We specify for that too.
>>Oh yeah, we didn’t talk about them.
>>Yeah, I didn’t copy the application ID. So, let me go back to the applications, “Demo App”. Here’s the ID, but I’ll use this nifty feature to copy over the application ID. I guess I did not copy. Please copy and then hit.
>>Okay, there we go.
>>Okay. Now, it’s going to generate a web application for me and when it’s done, now it’s going to generate it, and when it’s done, I’ll have a working .NET Core application that has the ability for users to sign in. Just takes a few seconds.
>>Now, did this add any NuGet packages in the process?
>>It does. It adds all the packages it needs in order to build a middleware and get the right middleware.
>>Okay. Could you show us the dependencies node?
>>Yeah.
>>Which seems like it’s still doing something, yeah, NuGet.
>>So, I think .NET Core, I think it’s all that it needs really. Let me just hit “Run”, and if it needs to get any packages.
>>Okay.
>>It should automatically get them for me. Seems like it doesn’t need any more. Well, it has .NET Core on.
>>Okay. It looks like it resolved all those dependencies.
>>Yeah, exactly.
>>I was a little worried about that. If there’s still those little yellow warning signals.
>>Yeah.
>>But those are gone.
>>Yeah. So, as you can tell, I mean adding, building in sign in is very trivial, we’ll be able to see. You don’t need to do much and it takes away the headache of having to manage all these user identities, especially in this day and age where privacy is such a big deal. There are new regulations coming out, like, let the Cloud, let B2C handle all those worries. Why should you?
>>Right. Because at the very base of this, this is Identity as a Service.
>>Exactly. Exactly. In particular, it’s a customer identity as a service.
>>Yeah, right. Okay, there it is.
>>Right. So, I have a running application. I would go ahead and click sign in.
>>Okay. This is kind of the magic moment.
>>Exactly. What it does is it goes to the URL that you can, it goes through the URL that specified this is B2C. I did not actually give the ability, as one of the identity providers, to sign in using email address and password.
>>Okay.
>>But I did, if you remember, select Facebook, Google, and MSA.
>>Okay.
>>So I’m going to just go ahead and select, say, Facebook. I think I’m already signed into Facebook, so what’s going to happen is it’s going to Facebook. Facebook will say.
>>Yeah, I get that.
>>You’ll sign in, I’ll go federate back to the application.
>>It’s already worked.
>>It works, yeah. B2C, and then B2C will send the token back to the application.
>>Right. So, we have seen the whole experience tonight. So, you must talk to customers about this.
>>Absolutely.
>>What has the reaction been?
>>The reaction is, I mean, there is definitely a lot of excitement. In fact, we’ve grown tremendously month over month over the last year. It’s an exciting place. It’s especially with GDPR and all these new regulations. There’s a lot of investment being made in this area.
>>Yeah, I can imagine.
>>That’s why it’s a very exciting product and I love being on it.
>>So, you missed one of the last things, which is, how much does this cost?
>>Absolutely. Glad you asked. So, the pricing, believe it or not, is it’s essentially free if you’re playing with it. By essentially, I mean for the first 50,000 users that are stored per month and for the first 50,000 authentications per month, there’s no fee to it.
>>Wow!
>>After that, it’s a few pennies and after that.
>>It’s pretty reasonable.
>>It’s very reasonable, I can tell you that. There is one slight thing that you do need to worry about: if you are doing MFA, it will charge you three cents for every authentication.
>>Right.
>>But that is only on a successful authentication.
>>Okay. So, that’s basically when that text message gets sent out.
>>Exactly.
>>Actually, here’s a good question. We were talking about text messages, but obviously Microsoft also provides the Authenticator app, which you and I presumably both use.
>>Right.
>>Does B2C work with the Authenticator app?
>>So, today, it does not.
>>Okay.
>>We are working on enabling that capability fairly soon.
>>Okay, because I think people would like that.
>>In fact, it won’t just be MFA, not just the Azure Authenticator app, it could be any Authenticator app.
>>Sure.
>>Yeah.
>>But that scenario.
>>That scenario will definitely be enabled. So, today, it’s mostly you get a text message and you look at it and you’re like, okay, cool, let me sign in.
>>Yeah.
>>But that’s about it.
>>Okay. Awesome. So, basically, we covered what the service does and what it’s for. We covered what the developer experience is, at least the base experience; it’s a mixture of using the portal and basically the wizard in VS. I presume we have some docs.
>>Yeah.
>>That exist somewhere.
>>Absolutely. So, one thing actually to add to that, as you’re mentioning. Even though it’s two components, the best part is now you will never have to deploy your app again if you want to just change your sign-in experience, right? So, you’re calling onto this different service, and say you choose to change the UI for that particular experience. You don’t need to deploy the new app.
>>That’s a separate thing.
>>Exactly, because it’s calling out to a REST API, it’s doing a web call and you’re going somewhere else.
>>Right. Say you only had Google as one of your federated partners and/or sign-in providers and you wanted to add Facebook.
>>Exactly.
>>Then that’s also just a back-end change.
>>Exactly. It’s all just a change in the policy and the application will never know what changed.
>>Awesome.
>>Yeah.
>>Okay. Well, I think we’ve pretty much covered it.
>>Absolutely. So, if you are interested, I mean there’s documentation at aka.ms/aadb2c. We love getting your questions. We love answering questions on Stack Overflow; it helps the rest of the community as well.
>>For sure.
>>Then for feedback, there’s always UserVoice.
>>Okay.
>>Thank you for having me again.
>>Awesome, okay.
>>Do you like having me here?
>>Yeah. Well, this has been another episode of the ON.NET show. We learned about Azure AD B2C from Parakh and you can add all this to your application today. Thanks for watching.

6 thoughts on “Customer Identity Management with Azure AD – On.NET”

  1. Very nice video. I was wondering if the ability to use the page UI customization is also available and free for Azure B2C users. I was checking this link but it is a little bit confusing: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding Could you please clarify, thanks.

  2. "Real Madrid … That's a soccer team, right?" Asking that kind of question, you can only be from the USA. BTW, nice presentation.
