Recommendations and best practices for Azure Active Directory B2C
The following best practices and recommendations cover some of the primary aspects of integrating Azure Active Directory (Azure AD) B2C into existing or new application environments.
|Choose user flows for most scenarios||The Identity Experience Framework of Azure AD B2C is the core strength of the service. Policies fully describe identity experiences such as sign-up, sign-in, or profile editing. To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called user flows. With user flows, you can create great user experiences in minutes, with just a few clicks. Learn when to use user flows vs. custom policies.|
|App registrations||Every application (web, native) and API that is being secured must be registered in Azure AD B2C. If an app has both a web and native version of iOS and Android, you can register them as one application in Azure AD B2C with the same client ID. Learn how to register OIDC, SAML, web, and native apps. Learn more about application types that can be used in Azure AD B2C.|
|Move to monthly active users billing||Azure AD B2C has moved from monthly active authentications to monthly active users (MAU) billing. Most customers will find this model cost-effective. Learn more about monthly active users billing.|
Planning and design
Define your application and service architecture, inventory current systems, and plan your migration to Azure AD B2C.
|Architect an end-to-end solution||Include all of your applications' dependencies when planning an Azure AD B2C integration. Consider all services and products that are currently in your environment or that might need to be added to the solution (for example, Azure Functions, customer relationship management (CRM) systems, Azure API Management gateway, and storage services). Take into account the security and scalability for all services.|
|Document your users' experiences||Detail all the user journeys your customers can experience in your application. Include every screen and any branching flows they might encounter when interacting with the identity and profile aspects of your application. Include usability, accessibility, and localization in your planning.|
|Choose the right authentication protocol||For a breakdown of the different application scenarios and their recommended authentication flows, see Scenarios and supported authentication flows.|
|Pilot a proof-of-concept (POC) end-to-end user experience||Start with our Microsoft code samples and community samples.|
|Create a migration plan||Planning ahead can make migration go more smoothly. Learn more about user migration.|
|Usability vs. security||Your solution must strike the right balance between application usability and your organization's acceptable level of risk.|
|Move on-premises dependencies to the cloud||To help ensure a resilient solution, consider moving existing application dependencies to the cloud.|
|Migrate existing apps to b2clogin.com||The deprecation of login.microsoftonline.com will go into effect for all Azure AD B2C tenants on 04 December 2020. Learn more.|
|Use Identity Protection and Conditional Access||Use these capabilities for significantly greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. Learn more.|
|Tenant size||You need to plan with Azure AD B2C tenant size in mind. By default, Azure AD B2C tenant can accommodate 1.25 million objects (user accounts and applications). You can increase this limit to 5.25 million objects by adding a custom domain to your tenant, and verifying it. If you need a bigger tenant size, you need to contact Support.|
|Use Identity Protection and Conditional Access||Use these capabilities for greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. Learn more.|
During the implementation phase, consider the following recommendations.
|Edit custom policies with the Azure AD B2C extension for Visual Studio Code||Download Visual Studio Code and this community-built extension from the Visual Studio Code Marketplace. While not an official Microsoft product, the Azure AD B2C extension for Visual Studio Code includes several features that help make working with custom policies easier.|
|Learn how to troubleshoot Azure AD B2C||Learn how to troubleshoot custom policies during development. Learn what a normal authentication flow looks like and use tools for discovering anomalies and errors. For example, use Application Insights to review output logs of user journeys.|
|Leverage our library of proven custom policy patterns||Find samples for enhanced Azure AD B2C customer identity and access management (CIAM) user journeys.|
Test and automate your Azure AD B2C implementation.
|Account for global traffic||Use traffic sources from different global address to test the performance and localization requirements. Make sure all the HTMLs, CSS, and dependencies can meet your performance needs.|
|Functional and UI testing||Test the user flows end-to-end. Add synthetic tests every few minutes using Selenium, VS Web Test, etc.|
|Pen-testing||Before going live with your solution, perform penetration testing exercises to verify all components are secure, including any third-party dependencies. Verify you've secured your APIs with access tokens and used the right authentication protocol for your application scenario. Learn more about Penetration testing and the Microsoft Cloud Unified Penetration Testing Rules of Engagement.|
|Load testing||Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. Load-test your APIs and CDN. Learn more about Resilience through developer best practices.|
|Throttling||Azure AD B2C throttles traffic if too many requests are sent from the same source in a short period of time. Use several traffic sources while load testing, and handle the
|Automation||Use continuous integration and delivery (CI/CD) pipelines to automate testing and deployments, for example, Azure DevOps.|
Manage your Azure AD B2C environment.
|Create multiple environments||For easier operations and deployment roll-out, create separate environments for development, testing, pre-production, and production. Create Azure AD B2C tenants for each.|
|Use version control for your custom policies||Consider using GitHub, Azure Repos, or another cloud-based version control system for your Azure AD B2C custom policies.|
|Use the Microsoft Graph API to automate the management of your B2C tenants||Microsoft Graph APIs:
Manage Identity Experience Framework (custom policies)
|Integrate with Azure DevOps||A CI/CD pipeline makes moving code between different environments easy and ensures production readiness always.|
|Custom policy deployment||Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to 30 minutes for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies:
- If you're deploying to a development environment, set the
- Deploy your updated policy files to a production environment when traffic in your app is low.
- When you deploy to a production environment to update existing policy files, upload the updated files with new name(s), and then update your app reference to the new name(s). You can then remove the old policy files afterwards.
- You can set the
|Integrate with Azure Monitor||Audit log events are only retained for seven days. Integrate with Azure Monitor to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment.|
|Setup active alerting and monitoring||Track user behavior in Azure AD B2C using Application Insights.|
Support and Status Updates
Stay up to date with the state of the service and find support options.
|Service updates||Stay up to date with Azure AD B2C product updates and announcements.|
|Microsoft Support||File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost.|
|Azure status||View the current health status of all Azure services.|