Fine grained access policy for Azure Media Services resources ?

Question

I have a web platform that distributes videos which are stored on Azure using Azure Media Services. Some of these videos might be premium and they need to be bought by users. I want to make sure that only the users that bought that video are able to access it, after they log in the app even If they share the direct link of the video with other people. Other people which access the direct link of the video should not ne able to access the video. I tried using SAS tokens that expire after a while, but while they are not expired the videos can still be shared and watched with other people by distributing the link to the video. I have made some research but is still not clear for me how the flow of the authorization should be and what to use.

I need fine grained access policy, basically when one user access a link, to be able to determine if he should be able to access that specific resource, I think using a role policy cannot be a solution.

What strategy could I use ?

Thanks.

Answer 1

It's not recommended to add your customers directly to your Azure AD tenant. Instead, you can use Azure AD B2C (Business to Customer) to authenticate your customers.

Azure AD B2C is a cloud identity service that allows you to customize and control how your customers sign up, sign in, and manage their profiles when using your web platform. With Azure AD B2C, you can create a separate identity store for your customers, and they can use their existing social media or email accounts to sign into your web platform.

Here's how you can use Azure AD B2C with Azure Media Services:

1. Create an Azure AD B2C tenant and register your web platform as an application in Azure AD B2C.
2. Configure Azure Media Services to use Azure AD B2C for authentication and authorization.
3. Create a security group in Azure AD B2C for users who have purchased premium videos.
4. Grant the security group access to the premium videos in Azure Media Services.
5. In your web platform, use Azure AD B2C to authenticate users and obtain an access token.
6. When a user requests a premium video, your web platform should use the access token to request a SAS token from Azure Media Services.
7. Azure Media Services will use the access token to verify that the user is a member of the security group that has access to the premium video.
8. Azure Media Services will generate a SAS token that is valid only for that user and for a limited time.
9. Your web platform can use the SAS token to grant the user access to the premium video.

By using Azure AD B2C, you can ensure that your customers are authenticated securely and that their personal information is kept separate from your Azure AD tenant.