Build a global identity solution with region-based approach
In this article, we describe the scenarios for region-based design approach. Before starting to design, it's recommended that you review the capabilities, and performance of both funnel and region-based design approach.
The designs account for:
- Local Account sign up and sign in
- Federated account sign up and sign in
- Authenticating local accounts for users signing in from outside their registered region, supported by cross tenant API based authentication.
- Authenticating federated accounts for users signing in from outside their registered region, supported by cross tenant API based look up
- Prevents sign up from multiple different regions
- Applications in each region have a set of endpoints to connect with
Local account authentications
The following use cases are typical in a global Azure AD B2C environment. The local account use cases also cover accounts where the user travels. Each provides a diagram and workflow steps for each use case.
Local user sign-up
This use case demonstrates how a user from their home country/region performs a sign-up with an Azure AD B2C Local Account.
User from Europe, Middle East, and Africa (EMEA) attempts to sign up at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.
The user isn't found in the global lookup table. The user's account is written into Azure AD B2C, and a record is created into the global lookup table to track the region in which the user signed-up.
The regional tenant issues a token back to the app.
Existing local user attempts sign up
This use case demonstrates how a user re-registering the same email from their own country/region, or a different region, is blocked.
User from EMEA attempts to sign up at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.
The user's email is found in the global lookup table, indicating the user has registered this email in the solution at some prior point in time.
The user is presented with an error, indicating their account exists.
Local user sign-in
This use case demonstrates how a user from their home country/region performs a sign-in with an Azure AD B2C local account.
User from EMEA attempts to sign in at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User enters their credentials at the regional tenant.
The regional tenant issues a token back to app.
The user is signed in to the app.
Traveling user sign-in
This use case demonstrates how a user can travel across regions and maintain their user profile and credentials stored in their regional tenant respective to their sign-up.
User from North America (NOAM) attempts to sign in at myapp.fr, since they are on holiday in France. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User enters their credentials at the regional tenant.
The regional tenant performs a lookup into the global lookup table, since the user's email wasn't found in the EMEA Azure AD B2C directory.
The user's email is located to have been signed up in NOAM Azure AD B2C tenant.
The EMEA Azure AD B2C tenant performs a Microsoft Entra ROPC flow against the NOAM Azure AD B2C tenant to verify credentials.
Note
This call will also fetch a token for the user to perform a Graph API call. The EMEA Azure AD B2C tenant performs a Graph API call to the NOAM Azure AD B2C tenant to fetch the user's profile. This call is authenticated by the access token for Graph API acquired in the last step.
The regional tenant issues a token back app.
Local user forgot password
This use case demonstrates how a user can reset their password when they are within their home country/region.
User from EMEA attempts to sign in at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
The user arrives at the EMEA Azure AD B2C tenant and selects forgot password. The user enters and verifies their email.
Email lookup is performed to determine which regional tenant the user exists in.
The user provides a new password.
The new password is written into the EMEA Azure AD B2C tenant.
The regional tenant issues a token back to the app.
Traveling user forgot password
This use case demonstrates how a user can reset their password when they're traveling away from the region in which they registered their account.
User from NOAM attempts to sign in at myapp.fr, since they are on holiday in France. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
The user arrives at the EMEA Azure AD B2C tenant and selects forgot password. The user enters and verifies their email.
Email lookup is performed to determine which regional tenant the user exists in.
The email is found to exist in the NOAM Azure AD B2C tenant. The user provides a new password.
The new password is written into the NOAM Azure AD B2C tenant through a Graph API call.
The regional tenant issues a token back to the app.
Local user password change
This use case demonstrates how a user can change their password after they've logged into the region in which they registered their account.
User from EMEA attempts selects change password after logging into myapp.fr.
The user arrives at the EMEA Azure AD B2C tenant, and the Single-Sign On (SSO) cookie set allows the user to change their password immediately.
New password is written to the users account in the EMEA Azure AD B2C tenant.
The regional tenant issues a token back to the app.
Traveling user password change
This use case demonstrates how a user can change their password after they've logged in, away from the region in which they registered their account.
Users from NOAM attempts select change password after logging into myapp.fr.
The user arrives at the EMEA Azure AD B2C tenant, and the SSO cookie set allows the user to change their password immediately.
The users email is found to be in the NOAM tenant after checking the global lookup table.
The new password is written to the users account in the NOAM Azure AD B2C tenant by MS Graph API call.
The regional tenant issues a token back to the app.
Federated Identity Provider authentications
The following use cases show examples of using federated identities to sign up or sign in as an Azure AD B2C client.
Local federated ID sign-up
This use case demonstrates how a user from their local region signs up to the service using a federated ID.
User from EMEA attempts to sign up at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User selects to sign in with a federated identity provider.
Perform a lookup into the global lookup table.
If account linking is in scope: Proceed if the federated IdP identifier nor the email that came back from the federated IdP doesn't exist in the lookup table.
If account linking is not in scope: Proceed if the federated IdP identifier that came back from the federated IdP doesn't exist in the lookup table.
Write the users account to the EMEA Azure AD B2C tenant.
The regional tenant issues a token back to the app.
Local federated user sign-in
This use case demonstrates how a user from their local region signs into the service using a federated ID.
User from EMEA attempts to sign in at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User selects to sign in with a federated identity provider.
Perform a lookup into the global lookup table and confirm the user's federated ID is registered in EMEA.
The regional tenant issues a token back to the app.
Traveling federated user sign-in
This scenario demonstrates how a user located away from the region in which they signed up from, performs a sign-in to the service using a federated IdP.
User from NOAM attempts to sign in at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User selects to sign in with a federated identity provider.
Note
Use the same App Id from the App Registration at the Social IdP across all Azure AD B2C regional tenants. This ensures that the ID coming back from the Social IdP is always the same.
Perform a lookup into the global lookup table and determine the user's federated ID is registered in NOAM.
Read the account data from the NOAM Azure AD B2C tenant using MS Graph API.
The regional tenant issues a token back to the app.
Account linking with matching criteria
This scenario demonstrates how users will be able to perform account linking when a matching criterion is satisfied (usually email address).
User from EMEA attempts to sign in at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User selects to sign in with a federated identity provider/social IdP.
A lookup is performed into the global lookup table for the ID returned from the federated IdP.
Where the ID doesn't exist, but the email from the federated IdP does exist in EMEA Azure AD B2C, it's an account linking scenario.
Read the user from the directory, and determine which authentication methods are enabled on the account. Present a screen for the user to sign in with an existing authentication method on this account.
Once the user proves they own the account in Azure AD B2C, add the new social ID to the existing account, and add the social ID to the account in the global lookup table.
The regional tenant issues a token back to the app.
Traveling user account linking with matching criteria
This scenario demonstrates how users will be able to perform account linking when they're away from the region.
User from NOAM attempts to sign in at myapp.fr. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
User lands at the EMEA tenant.
User selects to sign in with a federated identity provider/social IdP.
A lookup is performed into the global lookup table for the ID returned from the federated IdP.
Where the ID doesn't exist, and the email from the federated IdP exists in another region, it's a traveling user account linking scenario.
Create an id_token_hint link asserting the users currently collected claims. Bootstrap a journey into the NOAM Azure AD B2C tenant using federation. The user will prove that they own the account via the NOAM Azure AD B2C tenant.
Note
This method is used to re-use existing account linking logic in the home tenant and reduce external API calls to manipulate the identities collection. A custom policy sample which utilizes id_token_hint can be found here.
Once the user proves they own the account in Azure AD B2C, add the new social ID to the existing account by making a Graph API call to the NOAM Azure AD B2C tenant. Add the social ID to the account in the global lookup table.
The regional tenant issues a token back to the app.