Azure AD B2C: general configuration, migration method, licensing

竜吾 鈴木 60 Reputation points
2023-03-02T04:33:11.9333333+00:00

Please advise on the following points regarding Azure AD B2C.

・General configuration before, during, and after introducing Azure AD B2C

・What products it is generally used with

・Examples of license combinations with other products when implementing Azure AD B2C

・Method and procedure for migrating from a legacy platform to Azure AD B2C, and whether migration can be done out of the box (OOTB) from the management dashboard

・Difference between using Conditional Access policies (P1) and risk-based Conditional Access policies (P2)

・What Azure threat intelligence detects

・Azure AD B2C license types and the features of each license

・Whether it can be deployed to a private cloud

・User sign-in using enterprise IdPs (Okta Workforce, Google Workforce, etc.)

・Continuing to use the existing authentication infrastructure (a SQL database) and using only the authentication function of Azure AD B2C

・Feature list, comparison, and differences between Azure AD B2C P1 and Azure AD B2C P2

・Social IdPs that can be federated other than custom IdPs

・Whether IP throttling detection, brute-force detection, bot detection, and breached password detection are possible, and if so, which feature of which license supports them

・Whether it can be introduced without custom policies

Thank you in advance.


Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-03-03T23:10:05.9266667+00:00

    Hi 竜吾 鈴木,

    General configuration before, during, and after the introduction of Azure AD B2C.

    Before creating an Azure AD B2C tenant, you need to have an Azure subscription and an Azure account that has been assigned the Contributor role within the subscription or a resource group. You also need to add Microsoft.AzureActiveDirectory as a resource provider for the Azure subscription you're using. (See Prerequisites and considerations.) Once you have created a B2C tenant, you can add applications, create custom policies and user flows, assign admin roles, and create users.

    As detailed in the documentation, to create an Azure AD B2C tenant, you need to sign in to the Azure portal, create a new Azure Active Directory B2C resource, and enter the following information:

    • Organization name
    • Initial domain name
    • Country or region
    • Subscription
    • Resource group

    There are some good video tutorials for this configuration as well.

    What kind of products are commonly used?

    Azure AD B2C integrates with many of the products that work with regular Azure AD, though some features are available for one and not the other. For notes about features that are not available in B2C, refer to Features and Limitations. (I also go over some of these differences here.) Azure AD B2C can be used with Azure Functions, customer relationship management (CRM) systems, Azure API Management gateway, and storage services, for instance. Azure AD B2C can federate with identity providers that support OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols. Customers use their preferred social, enterprise, or local account identities to sign into applications.

    Examples of license types, functions of each license, comparison, and combinations with other products when implementing Azure AD B2C

    The Premium P2 license includes all P1 license features and also comes with Identity Protection and Identity Governance controls, such as risk-based Conditional Access policies and Identity Protection reporting for Azure AD B2C. Premium P2 is required to create risky sign-in policies. Premium P1 tenants can create a policy that is based on location, application, user-based, or group-based policies. For questions about licensing and pricing, I would recommend reaching out to the Sales team for free support. https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

    Method/procedure to migrate from the old platform to Azure AD B2C, whether it is possible to migrate with OOTB from the management dashboard

    For user migration, you will need to write an application or script that uses the Microsoft Graph API to create user accounts in Azure AD B2C. Here are some samples that achieve this. The one you choose will depend on your scenario:

    1. Just in time migration v1 - Azure AD B2C calls a REST API that validates the credential, and migrates the account with a Graph API call.
    2. Just in time migration v2 - Azure AD B2C calls a REST API to validate the credentials, return the user profile to B2C from an Azure Table, and B2C creates the account in the directory.
    3. Seamless-account-migration - Used when accounts have been pre-migrated into Azure AD B2C and you want to update the password on the account on the initial sign-in.
    4. B2C to B2C Migration - Migrate users from one B2C instance to another using just-in-time migration.

    See:

    B2C deployment plans

    Azure AD B2C | Seamless Migration

    Difference between use of conditional access policy (P1) and use of risk-based conditional access policy (P2)

    Premium P1 tenants can create a policy that is based on location, application, user-based, or group-based policies. Premium P2 tenants can do everything the P1 tenants can do, but can also create policies based on sign-in risk or user risk. Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner, while user risk represents the probability that a given identity or account is compromised. You can choose to require MFA or block users based on whether the risk is low, medium, or high. Sign-ins are flagged as risky if they match certain risk criteria such as atypical travel, suspicious IPs, suspicious browsers, and others, while users are flagged as risky if they meet other criteria such as anonymous IP addresses or potentially compromised accounts. The risk criteria are documented here.

    Content detected by Azure threat intelligence

    Threat Intelligence is based on ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes.

    Whether it can be deployed on a private cloud

    No. It is a public cloud based service.

    User sign-in using enterprise IdP (Okta Workforce, Google Workforce, etc.)

    Yes. See list of supported identity providers. See also: Add Google identity provider to a user flow and AAD B2C integration with OKTA when OKTA is external ID

    Continue to use the existing authentication infrastructure (DB configured with SQL) and use only the authentication function of Azure AD B2C

    Azure AD B2C is a cloud identity management solution, so it does not support SQL authentication. You can integrate Azure AD with SQL but not B2C.

    Function list/comparison/difference between Azure AD B2C P1 and Azure AD B2C P2

    See comparison written above. You can also refer to the pricing page or reach out to the licensing team. P2 includes Identity Protection and risk-based Conditional Access. B2C Premium P1 includes a subset of Azure AD Conditional Access features without the risk policies.

    Is IP throttling detection, brute force detection, bot detection, and breached password detection possible? Which features are supported under which licenses, if any?

    Smart lockout and password protection are activated by default and include brute-force detection. Bot detection and fraud prevention are enabled through the listed partner integrations. You can catch leaked credentials, password sprays, and suspicious password changes using the risk-detection policies which require the P2 license.

    Is it possible to introduce without a custom policy?

    Smart lockout is a tenant-wide setting and there is no custom policy for it. It is supported by both user flows and custom policies, but you don't need to configure it since it is enabled by default. You only need the custom policies or user flows to allow users to sign up and sign in to your applications. You need user flows or custom policies to integrate Conditional Access policies. Conditional Access technical profile

    Let me know if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar questions.

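The just-in-time migration (v1) flow from the accepted answer, as an added example that is not part of the answer or Microsoft's own samples: the legacy credential is verified first, and only then is a Microsoft Graph `POST /users` body built for a B2C local account. The legacy SQL store is replaced by a constructed in-memory PBKDF2 table, the tenant name is a placeholder, and the Graph call is an injected `graph_post` callable so the flow runs offline (a real call needs a bearer token with `User.ReadWrite.All`).

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"


def _legacy_record(password: str) -> tuple:
    """Constructed stand-in for one row of the legacy SQL credential table: (salt, PBKDF2-SHA256 hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed legacy store keyed by lower-cased email (password is a sample value).
LEGACY_USERS = {"alice@example.com": _legacy_record("CorrectHorse1!")}


def verify_legacy_credential(email: str, password: str) -> bool:
    """Step 1 of JIT migration: the REST API validates the credential against the legacy store."""
    record = LEGACY_USERS.get(email.lower())
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def build_b2c_user_payload(email: str, display_name: str, password: str, tenant: str) -> dict:
    """Step 2: Graph request body for a B2C local account that signs in with an email address."""
    return {
        "displayName": display_name,
        "identities": [
            {"signInType": "emailAddress", "issuer": tenant, "issuerAssignedId": email}
        ],
        "passwordProfile": {"password": password, "forceChangePasswordNextSignIn": False},
        # Keep the migrated password as-is; legacy passwords may not meet B2C complexity rules.
        "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword",
    }


def migrate_user(email: str, password: str, display_name: str, tenant: str, graph_post):
    """JIT v1: refuse to create an account unless the user proved the legacy credential."""
    if not verify_legacy_credential(email, password):
        return None  # B2C should then report a sign-in failure, not create anything
    payload = build_b2c_user_payload(email, display_name, password, tenant)
    return graph_post(GRAPH_USERS_URL, payload)  # hypothetical injected HTTP client


if __name__ == "__main__":
    def _print_post(url, body):
        print("POST", url, body["identities"][0]["issuerAssignedId"])
        return {"id": "constructed-object-id"}

    print(migrate_user("alice@example.com", "CorrectHorse1!", "Alice", "contosob2c.onmicrosoft.com", _print_post))
```

In the real JIT sample, B2C calls this logic through a REST API technical profile, so the Graph call never happens for a wrong password and the legacy store is only read, never written.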
