Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C

Organizations can use Microsoft Dynamics 365 Fraud Protection (DFP) to assess risk during attempts to create fraudulent accounts and sign-ins. Customers use Microsoft DFP assessment to block or challenge suspicious attempts to create new, fake accounts, or to compromise accounts.

In this tutorial, learn how to integrate Microsoft DFP with Azure Active Directory B2C (Azure AD B2C). There's guidance on how to incorporate the Microsoft DFP device fingerprinting and account creation, and sign-in assessment API endpoints, into an Azure AD B2C custom policy.

Learn more: Overview of Microsoft Dynamics 365 Fraud Protection

Prerequisites

To get started, you'll need:

Scenario description

Microsoft DFP integration includes the following components:

  • Azure AD B2C tenant: Authenticates the user and acts as a client of Microsoft DFP. Hosts a fingerprinting script collecting identification and diagnostic data of users who execute a target policy. It blocks or challenges sign-in or sign-up attempts based on the rule evaluation result returned by Microsoft DFP.
  • Custom UI templates: Customizes HTML content of the pages rendered by Azure AD B2C. These pages include the JavaScript snippet required for Microsoft DFP fingerprinting.
  • Microsoft DFP fingerprinting service: Dynamically embedded script that logs device telemetry and self-asserted user details to create a uniquely identifiable fingerprint for the user.
  • Microsoft DFP API endpoints: Provides the decision result and accepts a final status reflecting the operation undertaken by the client application. Azure AD B2C communicates with the Microsoft DFP endpoints using REST API connectors. API authentication occurs with a client_credentials grant to the Azure AD tenant in which Microsoft DFP is licensed and installed to obtain a bearer token.

The following architecture diagram shows the implementation.

Diagram of Microsoft Dynamics365 fraud protection architecture.

  1. The user arrives at a sign-in page, selects option to create a new account, and enters information. Azure AD B2C collects user attributes.
  2. Azure AD B2C calls the Microsoft DFP API and passes the user attributes.
  3. After Microsoft DFP API consumes the information and processes it, it returns the result to Azure AD B2C.
  4. Azure AD B2C receives information from the Microsoft DFP API. If failure occurs, an error message appears. With success, the user is authenticated and written into the directory.

Set up the solution

  1. Create a Facebook application configured to allow federation to Azure AD B2C.
  2. Add the Facebook secret you created as an Identity Experience Framework policy key.

Configure your application under Microsoft DFP

Set up your Azure AD tenant to use Microsoft DFP.

Set up your custom domain

In a production environment, use a custom domain for Azure AD B2C and for the Microsoft DFP fingerprinting service. The domain for both services is in the same root DNS zone to prevent browser privacy settings from blocking cross-domain cookies. This configuration isn't necessary in a non-production environment.

See the following table for examples of environment, service, and domain.

Environment Service Domain
Development Azure AD B2C contoso-dev.b2clogin.com
Development Microsoft DFP Fingerprinting fpt.dfp.microsoft-int.com
UAT Azure AD B2C contoso-uat.b2clogin.com
UAT Microsoft DFP Fingerprinting fpt.dfp.microsoft.com
Production Azure AD B2C login.contoso.com
Production Microsoft DFP Fingerprinting fpt.login.contoso.com

Deploy the UI templates

  1. Deploy the provided Azure AD B2C UI templates to a public facing internet hosting service such as Azure Blob Storage.
  2. Replace the value https://<YOUR-UI-BASE-URL>/ with the root URL for your deployment location.

Note

Later, you'll need the base URL to configure Azure AD B2C policies.

  1. In the ui-templates/js/dfp.js file, replace <YOUR-DFP-INSTANCE-ID> with your Microsoft DFP instance ID.
  2. Ensure CORS is enabled for your Azure AD B2C domain name https://{your_tenant_name}.b2clogin.com or your custom domain.

Learn more: UI customization documentation

Azure AD B2C configuration

Add policy keys for your Microsoft DFP client app ID and secret

  1. In the Azure AD tenant where Microsoft DFP is set up, create an Azure AD application and grant admin consent.
  2. Create a secret value for this application registration. Note the application client ID and client secret value.
  3. Save the client ID and client secret values as policy keys in your Azure AD B2C tenant.

Note

Later, you'll need the policy keys to configure Azure AD B2C policies.

Replace the configuration values

In the provided custom policies, find the following placeholders and replace them with the corresponding values from your instance.

Placeholder Replace with Notes
{Settings:Production} Whether to deploy the policies in production mode true or false
{Settings:Tenant} Your tenant short name your-tenant - from your-tenant.onmicrosoft.com
{Settings:DeploymentMode} Application Insights deployment mode to use Production or Development
{Settings:DeveloperMode} Whether to deploy the policies in Application Insights developer mode true or false
{Settings:AppInsightsInstrumentationKey} Instrumentation key of your Application Insights instance* 01234567-89ab-cdef-0123-456789abcdef
{Settings:IdentityExperienceFrameworkAppId}App ID of the IdentityExperienceFramework app configured in your Azure AD B2C tenant 01234567-89ab-cdef-0123-456789abcdef
{Settings:ProxyIdentityExperienceFrameworkAppId} App ID of the ProxyIdentityExperienceFramework app configured in your Azure AD B2C tenant 01234567-89ab-cdef-0123-456789abcdef
{Settings:FacebookClientId} App ID of the Facebook app you configured for federation with B2C 000000000000000
{Settings:FacebookClientSecretKeyContainer} Name of the policy key, in which you saved Facebook's app secret B2C_1A_FacebookAppSecret
{Settings:ContentDefinitionBaseUri} Endpoint in where you deployed the UI files https://<my-storage-account>.blob.core.windows.net/<my-storage-container>
{Settings:DfpApiBaseUrl} The base path for your DFP API instance, found in the DFP portal https://tenantname-01234567-89ab-cdef-0123-456789abcdef.api.dfp.dynamics.com/v1.0/
{Settings:DfpApiAuthScope} The client_credentials scope for the DFP API service https://api.dfp.dynamics-int.com/.default or https://api.dfp.dynamics.com/.default
{Settings:DfpTenantId} The ID of the Azure AD tenant (not B2C) where DFP is licensed and installed 01234567-89ab-cdef-0123-456789abcdef or consoto.onmicrosoft.com
{Settings:DfpAppClientIdKeyContainer} Name of the policy key-in which you save the DFP client ID B2C_1A_DFPClientId
{Settings:DfpAppClientSecretKeyContainer} Name of the policy key-in which you save the DFP client secret B2C_1A_DFPClientSecret

*You can set up application insights in an Azure AD tenant or subscription. This value is optional but recommended to assist with debugging.

Note

Add consent notification to the attribute collection page. Include notification that user telemetry and identity information is recorded for account protection.

Configure the Azure AD B2C policy

  1. Go to the Azure AD B2C policy in the Policies folder.
  2. Follow the instructions in custom policy starter pack to download the LocalAccounts starter pack.
  3. Configure the policy for the Azure AD B2C tenant.

Note

Update the provided policies to relate to your tenant.

Test the user flow

  1. Open the Azure AD B2C tenant and under Policies select Identity Experience Framework.
  2. Select your previously created SignUpSignIn.
  3. Select Run user flow.
  4. Application: The registered app (example is JWT).
  5. Reply URL: redirect URL.
  6. Select Run user flow.
  7. Complete the sign-up flow and create an account.

Tip

Microsoft DFP is called during the flow. If the flow is incomplete, confirm the user isn't saved in the directory.

Note

If using Microsoft DFP rule engine, update rules in the Microsoft DFP portal.

Next steps