The Azure Active Directory (Azure AD) service is part of Microsoft's cloud services, namely Azure Cognitive Service. Azure AD B2C, which I will discuss in detail later, lets companies outsource customer identity management for their web and mobile applications.
Building custom mechanisms for distributed authorization seems a waste of time and money today. Azure AD B2C addresses this need.
Azure AD B2C provides single sign-on and multi-factor authentication. Let's look at this solution from the perspective of UX design and user flow.
Azure AD as a part of Microsoft cloud service
I should emphasize at the outset that Azure AD B2C is based on mature and proven technology — Microsoft Active Directory — which has been known to network administrators since 1999. Like every mature technology, it has its strong and weak sides.
In my opinion, the weak side includes a certain lack of flexibility (as in most technologies from the Redmond company). Unlike the classic AD service (even in its cloud version), B2C is chiefly characterized by its adaptation to the reality of SaaS applications, in the form of full support for OpenID.
Azure AD B2C supports over 2800 pre-integrated software-as-a-service (SaaS) applications. I decided to check how Microsoft's identity management tool really works.
Azure AD Service: first-time login
If we adopt the technology in an existing application, especially a monolithic one without OAuth2 support, we need to prepare for a change in the app's authentication and authorization flow.
For new products, I suggest adapting to the assumptions of the Azure AD B2C flow from the beginning. This way you avoid unnecessary work and delays caused by trying to change the behavior of the cloud solution.
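As an added illustration of the flow change described above (example code written for this article's topic, not code from the original post or from Microsoft), here is the check a relying application has to do on the token that comes back from the B2C login site: verify the signature with a pinned algorithm and key, then the issuer, audience, user flow (policy) and validity window. The tenant name, policy name, client id and the tenant-id placeholder in the issuer are constructed values; real B2C tokens are RS256-signed with keys published at the user flow's JWKS endpoint, whereas this example uses an HMAC key so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers for this example (not from the article): a stand-in tenant,
# user flow (policy) and application client id. The GUID in a real B2C issuer URL is
# the tenant id; here it is a placeholder.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://{TENANT}.b2clogin.com/TENANT-ID-PLACEHOLDER/v2.0/"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token so the example runs offline. alg="none" produces an unsigned token,
    which the validator must reject. Real B2C tokens are RS256-signed."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_b2c_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims only after every check an app must do before trusting a token.
    Raises ValueError on any failure (fail closed)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token never gets to choose (rejects 'none' and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    # B2C names the user flow that issued the token in 'tfp' (older tokens use 'acr').
    if (claims.get("tfp") or claims.get("acr")) != POLICY:
        raise ValueError("policy mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return claims


def token_ok(token: str, key: bytes, now=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_b2c_token(token, key, now)
        return True
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    claims = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tfp": POLICY,
              "nbf": 1700000000, "exp": 1700003600, "sub": "user-1"}
    tok = make_test_token(claims, key)
    print(token_ok(tok, key, now=1700000100))  # True
    print(token_ok(tok, key, now=1700009000))  # False: expired
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, and the policy claim is compared so that a token minted by a different user flow in the same tenant (for example a password-reset flow) is not accepted as a sign-in.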
The first problem I encountered during the analysis was the limited ability to personalize individual elements of the service.
Azure AD and a domain
The user logs into a system by navigating to a dedicated Azure AD login site.
A big surprise for me was that there is currently no way to change the domain users see during the authorization process. In other words, instead of going to "thedomainofmyproduct.com," they are sent to a different URL.
In my opinion, an informed user could receive this negatively. A quick glance at the Azure AD user community revealed that I'm not alone in this opinion.
Azure AD Service: e-mail addresses and content of automatic messages
At various stages of the authorization process, there may be a need to send an e-mail or a text message to the user. Unfortunately, Azure AD doesn't provide the option to personalize the sender e-mail address or the message templates.
In this day and age, that's a strange approach. It makes consistent branding and external communication of the target solution harder.
I also encountered some minor inconsistencies with the assumed flow, which I describe below.
Custom Multi-Factor Authentication logic
The second authentication factor is registered during the first login to the system, not during registration. This is dictated by security requirements and follows from common attack vectors.
A developer has no influence over the complexity of the authorization codes. I also don't have complete information on whether SMS authentication is available outside the US and Canada.
Azure AD and custom logic for blocking accounts (smart lockout)
Let's move on to login and security. As a cloud service, Azure AD has advanced logic for blocking accounts based on detecting undesired behavior. The administrator can configure only the basic parameters of this mechanism.
These are the number of unsuccessful login attempts and the time for which the account stays blocked after that number is exceeded. I will add that the admin can't unblock a blocked account — only the user can do this, during the password restoration process.
This follows from security requirements; the administrator has no direct influence on the algorithms behind this mechanism.
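Because the admin cannot unblock an account, it helps to see lockouts coming. The following is an added example (not code from the original post and not Azure's lockout algorithm) that runs the two configurable parameters described above, a failure threshold and a time window, over constructed sign-in records so an operator can spot which users are about to be locked out and reach out to them. The log format, the user names and the default threshold and window are assumptions for the example; records are assumed to be in chronological order, and a successful sign-in is not treated as resetting the count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in records for the example (not Azure AD B2C's real log schema):
# UTC timestamp, user, outcome.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z alice@example.com failure
2024-03-01T10:00:20Z alice@example.com failure
2024-03-01T10:00:41Z bob@example.com success
2024-03-01T10:01:05Z alice@example.com failure
2024-03-01T10:01:30Z alice@example.com failure
2024-03-01T10:01:55Z alice@example.com failure
2024-03-01T10:02:10Z alice@example.com failure
2024-03-01T10:30:00Z carol@example.com failure
2024-03-01T11:30:00Z carol@example.com failure
2024-03-01T11:31:00Z alice@example.com success
"""


def parse_line(line: str):
    """Split one constructed record into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome


def find_lockout_candidates(log_text: str, threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {user: time the threshold was first reached} for users whose failed
    sign-ins inside a sliding `window` reach `threshold`. Failures older than the
    window drop out, so two failures an hour apart never count together."""
    recent = defaultdict(deque)   # per-user timestamps of failures still inside the window
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = parse_line(line)
        if outcome != "failure":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # q always holds ts itself, so it never empties
            q.popleft()
        if len(q) >= threshold and user not in hits:
            hits[user] = ts
    return hits


def lockout_report(log_text: str, threshold: int = 5,
                   window: timedelta = timedelta(minutes=5)) -> list:
    """Human-readable lines, one per user that hit the threshold, sorted by user."""
    hits = find_lockout_candidates(log_text, threshold, window)
    return [f"{ts.isoformat()}Z {user} reached {threshold} failures within {window}"
            for user, ts in sorted(hits.items())]


if __name__ == "__main__":
    for line in lockout_report(SAMPLE_LOG):
        print(line)
```

Tune `threshold` and `window` to the values configured in the tenant; with the sample data above only alice crosses the default threshold, while carol's two failures an hour apart stay below it.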
Azure AD Service: RBAC
Among the service's undoubted advantages I also count the whole machinery for authorizing users' actions. Similar solutions usually focus only on authorizing the user and determining access levels, leaving RBAC to the application and its programmers.
Azure AD B2C provides vast capabilities in this regard — I couldn't come up with a test scenario or use case that I couldn't realize with its role system. Role management is intuitive, fully customizable and scalable, and available at the solution's API level.
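To show what the application side of such role-based authorization looks like, here is an added example (not code from the original post, and not Azure AD B2C's own role API): roles arrive in the user's token, the application resolves them through a small role hierarchy into effective permissions, and every action is denied unless a permission explicitly grants it. The claim name `extension_Roles`, the role and permission names, and the invoice functions are assumptions made for the example.

```python
from functools import wraps

# Assumed claim carrying the user's roles (B2C can expose application-defined
# attributes as custom claims; the exact name is a choice made for this example).
ROLE_CLAIM = "extension_Roles"

# Constructed role model: each role lists what it grants directly and which roles it
# inherits from, so admin gets everything editor has, and editor everything viewer has.
ROLES = {
    "viewer": {"grants": {"invoice:read"}, "inherits": set()},
    "editor": {"grants": {"invoice:write"}, "inherits": {"viewer"}},
    "admin":  {"grants": {"invoice:delete", "user:manage"}, "inherits": {"editor"}},
}


def effective_permissions(roles) -> set:
    """Resolve direct and inherited permissions. Unknown roles grant nothing, and
    each role is visited once, so a mis-configured inheritance cycle cannot loop."""
    perms, seen, stack = set(), set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen or role not in ROLES:
            continue
        seen.add(role)
        perms |= ROLES[role]["grants"]
        stack.extend(ROLES[role]["inherits"])
    return perms


def roles_from_claims(claims: dict) -> set:
    """Accept the role claim either as a comma-separated string or as a list;
    a missing claim yields no roles and therefore no permissions."""
    raw = claims.get(ROLE_CLAIM, "")
    if isinstance(raw, str):
        raw = raw.split(",")
    return {r.strip() for r in raw if r and r.strip()}


def is_allowed(claims: dict, permission: str) -> bool:
    """Deny by default: True only if some resolved permission matches exactly."""
    return permission in effective_permissions(roles_from_claims(claims))


class Forbidden(PermissionError):
    pass


def require(permission: str):
    """Decorator enforcing a permission on a handler whose first argument is the
    verified token claims."""
    def deco(fn):
        @wraps(fn)
        def wrapper(claims, *args, **kwargs):
            if not is_allowed(claims, permission):
                raise Forbidden(f"{permission} required")
            return fn(claims, *args, **kwargs)
        return wrapper
    return deco


@require("invoice:delete")
def delete_invoice(claims: dict, invoice_id: str) -> str:
    return f"deleted {invoice_id}"


if __name__ == "__main__":
    print(is_allowed({ROLE_CLAIM: "editor"}, "invoice:read"))    # True (inherited)
    print(is_allowed({ROLE_CLAIM: "editor"}, "invoice:delete"))  # False
    print(delete_invoice({ROLE_CLAIM: "admin"}, "inv-1"))         # deleted inv-1
```

The claims passed in must already have been verified (signature, issuer, audience, expiry); the authorization layer trusts them only on that basis, which is why the check sits in a decorator applied after token validation rather than inside each handler.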
Logging in Azure: security straight from the cloud
The main advantage of Azure AD B2C (and other cloud-based solutions) is a very high level of security, incomparably higher than in any authorization system provided by default within software frameworks.
ISO/IEC 27001: an international standard published on October 14, 2005, that standardizes information security management systems.
If we care about the security of our users' data and want to meet the best industry security standards (ISO 27001), we should definitely choose such a solution.
Azure AD is available in several pricing plans | Photo: commons.wikimedia.org
Azure AD and microservices
In my view, in the age of microservice-based applications and all kinds of PaaS, writing custom mechanisms for distributed authorization without a strong business justification is simply a waste.
Let's remember that in the era of GDPR, highly skilled and dangerous cybercriminals, industrial espionage, and users' growing awareness of personal data protection, our products should be secure by design from the start.
Services like Microsoft Azure AD B2C are very powerful tools that let us realize these assumptions at the lowest possible cost, even in small programming projects.
How secure is logging in with Azure AD?
Its vast range of monitoring and security audit tools lets Azure AD B2C give us complete control over a crucial part of our application: the system of users and permissions. Let's remember that creating the first iteration of an application is only the beginning of the long life of every programming project.
Further down the life cycle, it's crucial to ensure continuity of service for our users, ensure the integrity of their data, and report all security breaches.
Meanwhile, most business owners aren't aware of the complications arising from the information obligations imposed by GDPR.
Whenever a critical situation arises and we lack good, extensive reporting tools and a security audit mechanism, we're exposed to substantial financial and brand losses, which can lead to the closing of the business (particularly in its early stages).
Azure platforms in any business
Microsoft Active Directory B2C is a mature and proven solution that will positively influence the security level of many web and mobile applications.
It's relatively simple to implement for any development team, regardless of size.
Unfortunately, as is the case with most solutions from Redmond, it turns out to be a little "square" and sometimes clunky. If we don't care much about extensive branding customization of the registration and login process, and we like the Microsoft approach or already use other Azure solutions, we can confidently adopt this technology.
I suggest considering and analyzing AWS Cognito as an alternative, with a more extensive range of UX customization options (and because of my personal preferences).
The Azure AD B2C service is free for the first month (with 50 000 active users). Later it costs a maximum of €0.00211 per month. Keep in mind, though, that multi-factor authentication and SMS/phone events are billed separately, i.e., €0.026 per SMS/phone event. The exact price list is published on Microsoft's website.
Hero shot: Pxfuel.com