Recommendations and best practices for Azure Active Directory B2C
The following best practices and recommendations cover some of the primary aspects of integrating Azure Active Directory (Azure AD) B2C into existing or new application environments.
Fundamentals
Best practice | Description |
---|---|
Create emergency access account | This emergency access account helps you gain access to your Azure AD B2C tenant in circumstances such as the only administrator is unreachable when the credential is needed. Learn how to create an emergency access account |
Choose user flows for most scenarios | The Identity Experience Framework of Azure AD B2C is the core strength of the service. Policies fully describe identity experiences such as sign-up, sign-in, or profile editing. To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called user flows. With user flows, you can create great user experiences in minutes, with just a few clicks. Learn when to use user flows vs. custom policies. |
App registrations | Every application (web, native) and API that is being secured must be registered in Azure AD B2C. If an app has both a web and native version of iOS and Android, you can register them as one application in Azure AD B2C with the same client ID. Learn how to register OIDC, SAML, web, and native apps. Learn more about application types that can be used in Azure AD B2C. |
Move to monthly active users billing | Azure AD B2C has moved from monthly active authentications to monthly active users (MAU) billing. Most customers will find this model cost-effective. Learn more about monthly active users billing. |
Follow Security best practices | There are continuous and evolving threats and attacks, and like all owned resources, your Azure AD B2C deployment should follow best practices for security, including guidance on implementing WAFs (defense against threats such as DDOS and Bots) and other defense in depth best guidance B2C Security Architecture. |
Planning and design
Define your application and service architecture, inventory current systems, and plan your migration to Azure AD B2C.
Best practice | Description |
---|---|
Architect an end-to-end solution | Include all of your applications' dependencies when planning an Azure AD B2C integration. Consider all services and products that are currently in your environment or that might need to be added to the solution (for example, Azure Functions, customer relationship management (CRM) systems, Azure API Management gateway, and storage services). Take into account the security and scalability for all services. |
Document your users' experiences | Detail all the user journeys your customers can experience in your application. Include every screen and any branching flows they might encounter when interacting with the identity and profile aspects of your application. Include usability, accessibility, and localization in your planning. |
Choose the right authentication protocol | For a breakdown of the different application scenarios and their recommended authentication flows, see Scenarios and supported authentication flows. |
Pilot a proof-of-concept (POC) end-to-end user experience | Start with our Microsoft code samples and community samples. |
Create a migration plan | Planning ahead can make migration go more smoothly. Learn more about user migration. |
Usability vs. security | Your solution must strike the right balance between application usability and your organization's acceptable level of risk. |
Move on-premises dependencies to the cloud | To help ensure a resilient solution, consider moving existing application dependencies to the cloud. |
Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com will go into effect for all Azure AD B2C tenants on 04 December 2020. Learn more. |
Use Identity Protection and Conditional Access | Use these capabilities for significantly greater control over risky authentications and access policies. Azure AD B2C Premium P2 is required. Learn more. |
Tenant size | You need to plan with Azure AD B2C tenant size in mind. By default, Azure AD B2C tenant can accommodate 1.25 million objects (user accounts and applications). You can increase this limit to 5.25 million objects by adding a custom domain to your tenant, and verifying it. If you need a bigger tenant size, you need to contact Support. |
Implementation
During the implementation phase, consider the following recommendations.
Best practice | Description |
---|---|
Edit custom policies with the Azure AD B2C extension for Visual Studio Code | Download Visual Studio Code and this community-built extension from the Visual Studio Code Marketplace. While not an official Microsoft product, the Azure AD B2C extension for Visual Studio Code includes several features that help make working with custom policies easier. |
Learn how to troubleshoot Azure AD B2C | Learn how to troubleshoot custom policies during development. Learn what a normal authentication flow looks like and use tools for discovering anomalies and errors. For example, use Application Insights to review output logs of user journeys. |
Leverage our library of proven custom policy patterns | Find samples for enhanced Azure AD B2C customer identity and access management (CIAM) user journeys. |
Testing
Test and automate your Azure AD B2C implementation.
Best practice | Description |
---|---|
Account for global traffic | Use traffic sources from different global address to test the performance and localization requirements. Make sure all the HTMLs, CSS, and dependencies can meet your performance needs. |
Functional and UI testing | Test the user flows end-to-end. Add synthetic tests every few minutes using Selenium, VS Web Test, etc. |
Pen-testing | Before going live with your solution, perform penetration testing exercises to verify all components are secure, including any third-party dependencies. Verify you've secured your APIs with access tokens and used the right authentication protocol for your application scenario. Learn more about Penetration testing and the Microsoft Cloud Unified Penetration Testing Rules of Engagement. |
A/B Testing | Flight your new features with a small, random set of users before rolling out to your entire population. With JavaScript enabled in Azure AD B2C, you can integrate with A/B testing tools like Optimizely, Clarity, and others. |
Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. We recommend that you load-test your policy in production mode, that's set the DeploymentMode attribute in your custom policy file's <TrustFrameworkPolicy> element to Production . This setting ensures your performance during the test matches the production level performance. Load-test your APIs and CDN. Learn more about Resilience through developer best practices. |
Throttling | Azure AD B2C throttles traffic if too many requests are sent from the same source in a short period of time. Use several traffic sources while load testing, and handle the AADB2C90229 error code gracefully in your applications. |
Automation | Use continuous integration and delivery (CI/CD) pipelines to automate testing and deployments, for example, Azure DevOps. |
Operations
Manage your Azure AD B2C environment.
Best practice | Description |
---|---|
Create multiple environments | For easier operations and deployment roll-out, create separate environments for development, testing, pre-production, and production. Create Azure AD B2C tenants for each. |
Use version control for your custom policies | Consider using GitHub, Azure Repos, or another cloud-based version control system for your Azure AD B2C custom policies. |
Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs: Manage Identity Experience Framework (custom policies) Keys User Flows |
Integrate with Azure DevOps | A CI/CD pipeline makes moving code between different environments easy and ensures production readiness always. |
Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to 30 minutes for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: - If you're deploying to a development environment, set the DeploymentMode attribute in your custom policy file's <TrustFrameworkPolicy> element to Production . - Deploy your updated policy files to a production environment when traffic in your app is low. - When you deploy to a production environment to update existing policy files, upload the updated files with new name(s), and then update your app reference to the new name(s). You can then remove the old policy files afterwards. - You can set the DeploymentMode to Development in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you Collect Azure AD B2C logs with Application Insights, all claims sent to and from identity providers are collected, which is a security and performance risk. |
Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to 2 hours (3600s) for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low. |
Integrate with Azure Monitor | Audit log events are only retained for seven days. Integrate with Azure Monitor to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment. |
Setup active alerting and monitoring | Track user behavior in Azure AD B2C using Application Insights. |
Support and Status Updates
Stay up to date with the state of the service and find support options.
Best practice | Description |
---|---|
Service updates | Stay up to date with Azure AD B2C product updates and announcements. |
Microsoft Support | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost. |
Azure status | View the current health status of all Azure services. |