Azure AD B2C - ROPC and IP Blacklisting

Bhushan Gawale 331 Reputation points
2022-09-09T08:08:02.043+00:00

Hi Team,

This is in the context of ROPC flows of Azure AD B2C.

As specified in the documentation here - it mentions that

In a server-side API call, only the server’s IP address is used. If a dynamic threshold of failed authentications is exceeded, the identity protection system may identify a repeated IP address as an attacker.

We have a few queries below:

  • Can traffic originating from within the Azure region be also considered as a potential attack on B2C infrastructure and will result in getting the IP blacklisted? E.g. if it is an Azure-hosted function app making ROPC calls to AAD B2C, would its outbound IP address be blacklisted too?
  • Where can we find more information about the thresholds before any IP gets blacklisted by B2C infra?
  • While ROPC is a suggested strategy for B2C to B2C user migration, how does it work in that scenario, given that it is also a server-to-server ROPC call? Is it because it is controlled within Azure, with both the source and destination being AAD B2C services, that the limitation of blacklisting IP does not apply to it?

Note: We are already probing options to obtain this information from relevant Microsoft teams, but it is going in circles and there is no clear answer provided by official Azure support channels, making it difficult for customers to make any architectural decisions, and it has come to the point where customers are considering replacing Azure AD B2C and looking for something else as their primary IDAM solution.

Can someone from the right team take a look at this and respond, please?


1 answer

  1. Shweta Mathur 30,301 Reputation points Microsoft Employee
    2022-09-14T11:25:37.267+00:00

    Hi @Bhushan Gawale

    Thanks for your time and patience throughout this issue. Please find my response inline.

    Can traffic originating from within the Azure region be also considered as a potential attack on B2C infrastructure and will result in getting the IP blacklisted? E.g. if it is an Azure-hosted function app making ROPC calls to AAD B2C, would its outbound IP address be blacklisted too?

    Yes, all cloud providers do have internal protections and are configured with appropriate security. If we look at it, one of the founding principles of Zero Trust is to assume breach and verify each request as though it originated from an uncontrolled network. Public cloud infrastructure is constantly being used or abused to start attacks. So any traffic originating from any network is considered malicious traffic and will get the IP blacklisted.

    Where can we find more information about the thresholds before any IP gets blacklisted by B2C infra?

    There is no fixed IP range that can be held to for IP restrictions. ROPC supports only mobile apps running in a native operating system. Any ROPC calls from the browser will end up getting blocked.

    While ROPC is a suggested strategy for B2C to B2C user migration, how does it work in that scenario, given that it is also a server-to-server ROPC call? Is it because it is controlled within Azure, with both the source and destination being AAD B2C services, that the limitation of blacklisting IP does not apply to it?

    ROPC is never recommended. This is just the sample provided for the ROPC call. You can't use B2C ROPC for server-to-server because the calls will get throttled. You must use the B2C client credentials flow, recently introduced in B2C, for these server-to-server calls.

    Hope this will help.

    Thanks,
    Shweta

    -----------------------------------

    Please remember to "Accept Answer" if answer helped you.
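As an added illustration (not code from the thread or from Microsoft), the following shows what the two grants discussed above look like when a backend calls the Azure AD B2C token endpoint, and a small review check that flags the ROPC variant for server-to-server use. Tenant, policy, client and scope values are constructed placeholders.

```python
# Added example: ROPC vs client-credentials token requests to Azure AD B2C.
# All tenant, policy, client and scope values below are placeholders.


def token_endpoint(tenant: str, policy: str) -> str:
    """B2C token endpoint; each user flow or custom policy has its own."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/token")


def ropc_request(client_id: str, username: str, password: str, scope: str) -> dict:
    """ROPC (grant_type=password): the server relays a user's password.
    Every user's attempt leaves from the same server IP, so repeated failures
    all count against that one address in B2C's threshold logic."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
        "response_type": "token id_token",
    }


def client_credentials_request(client_id: str, client_secret: str, scope: str) -> dict:
    """Client credentials: the application authenticates as itself, with no
    user password in the request; the flow the answer recommends for
    server-to-server calls."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def review_server_to_server(request: dict) -> str:
    """Policy check a code review or CI lint could apply to token request
    builders used by backend services: reject ROPC, accept client credentials."""
    grant = request.get("grant_type")
    if grant == "password":
        return "reject: ROPC from a server funnels every user's attempt through one IP"
    if grant == "client_credentials":
        return "ok: client credentials"
    return f"review: unexpected grant_type {grant!r}"
```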

