AD B2C: Security Questionnaire For Audit

Question

Hi,
We have Websites, AD B2C and SSO, APIs, Database all hosted in Azure. Our Services are controlled by our IT team. For the Audit purpose We need to answer various question from our vendor. Few questions for which I can't find an answer are as below:

1. Are the AD B2C accounts geo replicated. if yes how can I know what is geo replicated region/country?
2. How the user name and password are sent to server when we user AD B2C authentication for our websites?
3. How the passwords are stored on AD B2C?
4. What are the security measure are taken from Microsoft to safe user's data in AD B2C? Do we have some certifications like ISO27001?
5. What are the protocols used in SSO implemented using AD B2C?

Answers to above question will help a lot. Thanks in Advance.

• Ankit

Answer 1

Hi @Ankit Kumar , thanks for your question.

1. Yes, by default all Azure resources are. In the event of a failure, your data will transferred to the closest region.
2. If you're asking about authentication protocols, we use OpenID Connect and OAuth 2.0.
3. We use password hash synchronization.
4. We have an immense amount of compliance requirements, globally and regionally. ISO27001 is included in that. Here's a small blog post detailing how we keep your data safe.
5. For SSO we can use the SAML protocol.

Please let me know if you have any questions and I can help you further!

If this answer helped you please mark it as "Verified" so other users can reference it.

Thank you,
James