>> Today on the ON.NET show
we're going to be learning
about
Azure AD B2C,
which allows you
to add identities
to your app easily. Come watch.
Save the date for .NET Conf 2018,
on September 12-14. .NET
Conf is a free,
three-day virtual developer event
co-organized by the .NET
community and Microsoft.
You'll enjoy a wide selection
of live sessions that feature
speakers from the community
and the .NET product teams.
Head over to www.dotnetconf.net
to learn more and save the date.
>> Welcome to
another episode of ON.NET.
Today, we're going
to be talking about
Azure AD B2C with Parakh.
Okay. How about you introduce
yourself and then we
can dig into the topic.
So, what the heck
is Azure AD B2C?
>> Absolutely. Thank
you for having me here.
>> No problem.
>> I am a Product
Manager or Program
Manager working on the
Azure Active Directory B2C Team.
What this service is,
for Azure, is a way
for you to add an identity
system into your applications.
So, that customers
can sign in, right.
So, let me start
off with an example.
Real Madrid is using-
>> That's a soccer team, right?
>> That is a soccer team.
That's the football team.
>> Okay. Yeah.
>> From Madrid, and
what they've done
on their application,
the Realmadrid.com,
they're using
our sign in service,
the Azure AD B2C sign in service,
to allow fans to sign in.
Then once they do,
the application Realmadrid.com,
would effectively get
their information
coming from Azure,
but going to the application.
>> Right. Because
when I login into
my Office 365 email account
that Microsoft provides me as
an employee or into SharePoint,
also, Microsoft provides
me as an employee.
There I'm using Azure AD,
that's what I'm authenticating
against, right?
>> That's right. Yeah.
>> Because that's
the employee scenario.
>> Exactly.
>> This is not that, right?
>> No.
>> So, this is for?
>> The consumers, the customers,
the citizens, if
you're a government.
>> Right.
>> It's for the person out there,
who wants to just sign
up for an application.
>> Right. So, like for
the Microsoft store for example,
you can log in and have
an account and buy
laptops and copies of
Office presumably.
>> Yeah, exactly.
>> They could use Azure AD B2C.
>> Yeah. So, in fact,
I'll jump into
another example.
We have another Danish company
who's using B2C.
You can see they have
a customized experience that's
completely different
from Real Madrid.
So, it's a completely
white label.
They designed the experience
that they want and if
you want, you can have it
in 36 different languages
as well, as of today.
>> Okay. Is that
how many languages
your strings are localized in?
>> Yeah. Actually
they can customize
the string completely.
So, if they wanted to create
their own language and they
specify it, go for it.
>> Okay.
>> Yeah.
>> Right. So, there's
no real limitations.
>> Exactly.
>> Do you provide an
out-of-the-box auth UI or no?
>> We do. We do. I
can show you that.
>> But I assume that's not it.
>> That's not it.
So, what they did
was they took the HTML and CSS.
They provided their own HTML and CSS
and that's what we render.
>> Okay. You guys are
totally cool with that?
>> Yeah, absolutely.
>> Okay. Awesome.
Just keep on going.
>> Cool. So, just
to kind of quickly
summarize what B2C
is: it's allowing
customers of organizations to
bring their own identities,
to allow them to sign in to,
say, your applications.
If you're Real Madrid, customers
could bring their Twitter,
their Facebook identities and
actually just sign
into Realmadrid.com.
If you were a government, then
as a citizen
you could use your government
ID as a way to sign in.
It's allowing governments and
all of these organizations to
scale very quickly as
the organization scales.
You're not hindered by the fact
that it's growing quickly,
it's going viral, and oh,
crap, your database can't
handle these users.
>> Right. So here, let me ask
a super fundamental question,
which is: we already have
this Active Directory system,
there's obviously existing
Active Directory,
but Azure Active Directory
has existed for,
what, 5-6 years now
or maybe longer.
We already have
that, so why didn't we
just use that for Real Madrid,
for example, to sign
up their customers?
Why do we need
something different?
Or how are they different?
>> Yeah. So, there are
two main reasons why.
First is scale.
Typically, if you look
at an organization,
look at the number of
employees they have.
It's rare for it to be
in the millions, whereas
organizations get hit with
hundreds of millions
if not billions.
>> I assume, US Post Office.
>> Absolutely, right.
Absolutely. Then the other thing
is the ability to customize.
The flexibility of being able to
customize the user experience,
the whole branding
of it, the look
and feel, not
presenting that
this is Microsoft,
but presenting that
this is your own brand.
That's the biggest appeal
for using B2C.
>> I see. So, it's
kind of more oriented
to the ISV market sort of thing.
>> Exactly.
>> Makes sense. Okay. So,
that's kind of a value prop.
Maybe we should talk more about,
a little more about the flow
of how the system works.
>> Okay, yeah. So,
imagine this scenario.
Let's just call it Contoso,
where there are
three applications
that Contoso's building:
a gaming application,
a billing application,
a music application.
Say there's a user named John.
John comes through the gaming
application and wants to sign in.
He clicks sign in and
what will happen is
that John will be
redirected to the service,
the Azure AD B2C service,
where he will be presented
with options on
how John wants to sign in.
Once he does, and he's signed
in successfully,
a token will be issued
back to the application.
Now the cool part is
this unlocks SSO.
So, if he were to go back
to the gaming application,
the billing application,
the music application
he doesn't need to sign in again.
>> Right. SSO, we
mean Single sign-on.
>> Absolutely.
>> Yeah. Right.
>> All of this is configured in
B2C using a concept
we call Policy.
It's really the crux of it all.
It's hey, there's a user
flow that I want to build.
It has a different UI experience.
It has certain token lifetimes.
How do I configure all of that?
We configure it through Policies.
>> Okay.
>> Yeah.
>> Makes sense. So it looks
like on the slide here
that you have a federation
system as well.
So it's not just
this case of like, oh,
you have to create
a Microsoft account,
like we've kind of
had in the past.
Basically, there is at
least Facebook and
Google I see listed
there that you can just sign
in with those and then you're
already part of the system.
Are there more than
just those two?
>> Yeah. There are quite a few,
actually. I can show them to
you by taking you to our portal,
all of the options that
we have available.
So, what you're looking at here
is the management experience
for Azure AD B2C.
If people worked on
identity providers.
I have four configured already.
One is for Google, one
is for Microsoft,
Microsoft accounts, and
one is for Facebook.
Then I have another one that's
a very custom OpenID Connect
identity provider
that I've configured,
which is connecting to
an Azure AD tenant,
an Azure AD service.
>> Okay. Is that the case if,
going back to
the Real Madrid example,
I was a Real Madrid employee?
I'm president of Real Madrid
and I logged onto the website.
Can I then log in with
my rich@realmadrid.com
email address that actually
authenticates against Azure AD?
>> Exactly.
>> Okay. That's
actually pretty cool.
>> Yeah. So, the whole idea
is why should you have
multiple identities?
Use one identity, go
around the world,
do everything you need to
do with that identity.
There are absolutely more
identity providers you can add.
So, today, just out-of-the-box,
in addition to those
four you can add LinkedIn,
Amazon, and some other ones
that we have in preview.
>> Okay. It looks like
there are some that
are more Asia oriented.
>> Exactly. Some Chinese
identity providers.
>> Yeah. Awesome.
>> For the Chinese markets.
>> Yeah. We like that.
>> Yeah. In fact,
I can quickly walk you
through the portal
and kind of give you the
layout of the whole experience.
>> Great.
>> The first thing you'd want to
do is create an application.
In fact, let me walk you
through a demo here.
The demo we're going
to build is a
.NET Core
2.0 application.
By clicking on File, New Project,
and creating this application,
you'll have B2C
already configured.
>> Okay. Wow.
>> Good. Yeah. So, the first
thing I'd say is go to File,
New, and click on Project.
Let's select the
ASP.NET Core Application.
I'm going to name it DemoApp.
Okay.
>> Very unique name.
>> Right. It's the most common
name available. All right.
So, what I'm doing here is,
I'm changing the way
authentication works.
I'm configuring
the project on
what middlewares should
be added to this system.
I'm going to select individual
accounts because you as
an individual are looking to
sign in to this application,
as an individual looking to
sign into the Real
Madrid app in a sense.
So, instead of saying store
the users in the app, meaning
in a directory or
in a store object,
in a file object that
has to, in a sense,
scale as
the application scales.
>> I get it.
>> I'm going to store
it in the Cloud,
with B2C and what
I'm going to provide
here is my tenant name,
the directory where all the
users will be stored.
I'm going to provide
the application ID.
This is how you identify
this application to
Azure Active Directory B2C.
>> Okay.
>> So, I'm going to go over here,
create this application.
>> Right. This application ID,
would you consider
that to be a secret?
>> It is not a secret.
>> It's not a secret.
>> It's just an identifier.
>> Okay.
>> You can generate secrets
but that's a different one.
>> Okay.
>> Inside the reply URL, which
is where the token will be
sent back to after
the user signs in,
I'm going to specify what
the application would
like me to specify.
So, I'll take "Copy",
hit "Paste" in here.
Because this is a web app
that I'm creating,
I'm going to simply click
"Yes" over here and that's it.
I'm going to hit "Save
It" and hit "Create".
So I've created, I've registered
this application with B2C.
As I showed you earlier, I've
also configured
a few identity providers.
The way I would do
this is I would
just go to their
proper websites, their
developer consoles, and register
an application there,
just the way I did here.
>> Understood. I've
done that before.
>> Cool. Yeah. Now,
the last thing that is critical,
which is what I was talking about,
is this policy. This is how you're
creating these experiences.
There are multiple kinds
of policies, but in
this particular demo
I'm going to create two kinds.
One is a sign up or sign
in experience and the
other I'm going to create is
a password reset experience.
Got it?
>> Both of those sound important.
>> Yeah. So, very
quickly I'm going to
do it out-of-the-box.
I'm going to give it
a name, SUSIdemo,
and then for the identity
providers I'll just say, "Hey,
I want users to be able
to sign in with their MSA,
Google and Facebook accounts."
For the attributes, the sign
up attributes, I'll say,
"Hey, when you do sign up,
please give me your display name,
what would you like me to
call you?" I hit "Okay".
>> I see. So, this is effectively
the information that
the application gets.
>> Exactly. Well, sign up
attributes are the information
that we collect during sign up.
The, "Hey, user,
give us the information about you
that you want us to know."
Right? So, it could be, "Hey,
give me your gamer tag,
give me your street address,
give me your shoe size."
>> I see. So, is
this the information
from the federated system
that B2C collects?
>> That's right too.
>> Okay.
>> So, we will also
look at, "Hey,
the federated system is giving us
all this information,
we will store it."
But in addition to that, perhaps
Facebook doesn't
have your shoe size,
then we'll say, "Okay,
well we don't have
your shoe size then,
can you give us that
information too?"
>> Okay.
>> Cool. But here,
what you were getting at
earlier, application claims.
This is where I actually
specify what is
the information that should be
sent back to the application.
>> Okay. So, these are
two different things.
>> Two different things.
>> Now, I assume.
Do these not necessarily
have to overlap?
>> They do not.
>> Okay.
>> Yeah.
>> I mean sometimes
you just want to
collect a lot of
information during
sign up but certain applications,
different applications use
different amounts of data.
>> Okay.
>> Cool. Here is where,
just by the
switch of a button,
I can turn on MFA.
I won't do it right now, but.
>> Right.
>> By clicking it on, every
time the user signs in,
they'll have to use
their phone to sign in.
>> Right now, if that's on,
that's going to affect
the sign up experience as well.
Right?
>> That I can control.
In this case, this is a sign
up or sign in policy,
so it will trigger in both cases,
at sign up and during sign in.
But if I wanted to have
a different experience during
the sign up versus sign in,
I would create
two different policies here.
I would create a sign
up experience and then
independently to that I
would create a sign
in experience.
For one or the other I can
enable or disable MFA.
>> I see. Okay. I
think I get that.
>> Yeah. Then that's it.
I'm not going to customize my UI,
I'm just going to take
the default template.
>> Right. Just what
we were talking about before,
whether there was one.
>> Exactly. What I would
have done in this case now,
I would have done
the same exact thing
by going through
our password reset.
But I'm just going to take an
existing one that I already have.
>> Great.
>> So, I will take
this information.
So, for the reset password
policy, I put it here.
For the sign up, sign
in, I don't remember, it
was SUSIdemo, and I hit "Okay".
>> Yeah, you've done this before.
>> Oops. We specify for that too.
>> Oh yeah, we didn't
talk about them.
>> Yeah, I didn't copy
the application ID.
So, let me go back
to the applications,
"Demo App". Here's
the ID, but I'll use
this nifty feature to copy
over the application ID.
I guess it did not copy.
Please copy, and then hit.
>> Okay there we go.
>> Okay. Now, it's
going to generate
a web application for
me, and when it's done,
I'll have a
working .NET Core
application that has
the ability for users to sign in.
It just takes a few seconds.
>> Now, did this add any NuGet
packages in the process?
>> It does. It adds
all the packages
it needs in order to build
a middleware and get
the right middleware.
>> Okay. Could you show us
the dependencies node?
>> Yeah.
>> Which seems like it's still
doing something, yeah NuGet.
>> So, I think .NET Core,
I think it's all that
it needs really.
Let me just hit "Run",
and if it needs to
get any packages.
>> Okay.
>> It should automatically
get them for me.
Seems like it doesn't
need any more.
Well, it has .NET Core on.
>> Okay. It looks like
it resolved all
those dependencies.
>> Yeah, exactly.
>> I was a little
worried about that.
If there's still those little
yellow warning signals.
>> Yeah.
>> But those are gone.
>> Yeah. So, as you can tell,
I mean adding, building, and
sign in is very trivial,
as we'll be able to see.
You don't need to do
much and it takes away
the headache of having
to manage all these
user identities,
especially in this day and age
where privacy is such a big deal.
There are new regulations
coming out. Like, let the Cloud,
let B2C, handle all those
worries. Why should you?
>> Right. Because at
the very base of this,
this is Identity as a Service.
>> Exactly. Exactly.
In particular,
it's a customer
identity as a service.
>> Yeah, right.
Okay, there it is.
>> Right. So, I have
a running application.
I would go ahead
and click sign in.
>> Okay. This is kind
of the magic moment.
>> Exactly. What it does is it
goes to the URL that
I specified; this is B2C.
I did not actually
give the ability, as
one of the identity
providers, to sign in
using email address and password.
>> Okay.
>> But I did, if you remember
select Facebook, Google, and MSA.
>> Okay.
>> So I'm going to just go ahead
and select say, Facebook.
I think I'm already signed into
Facebook, so what's
going to happen,
is it's going to Facebook.
Facebook will say.
>> Yeah, I get that.
>> You'll sign in,
it'll federate
back to the application.
>> It's already worked.
>> It works, yeah. B2C and then
B2C will send the token
back to the application.
>> Right. So, we have seen
the whole experience tonight.
So, you must talk to
customers about this.
>> Absolutely.
>> What has the reaction been?
>> The reaction is,
I mean there is
definitely a lot of excitement.
In fact, we've grown
tremendously month over
month over the last year.
It's an exciting place.
It's especially with GDPR and
all these new regulations.
There's a lot of investment
being made in this area.
>> Yeah, I can imagine.
>> That's why it's
a very exciting
product and I love being on it.
>> So, we missed one
last thing, which is,
how much does this cost?
>> Absolutely. Glad you asked.
So, the pricing,
believe it or not, is
essentially free if
you're playing with it.
By essentially, I mean for the
first 50,000 users
that are stored
per month and for the first
50,000 authentications
per month, there's no fee to it.
>> Wow!
>> After that, it's
a few pennies and after that.
>> It's pretty reasonable.
>> It's very reasonable,
I can tell you that.
There is one slight thing
that you do need to worry about,
if you are doing MFA,
it will charge you three cents
for every authentication.
>> Right.
>> But that is only on
a successful authentication.
>> Okay. So, that's
basically when
that text message gets sent out.
>> Exactly.
>> Actually, here's
a good question.
We were talking
about text messages
but obviously Microsoft also
provides the Authenticator app
which you and I
presumably both use.
>> Right.
>> Does B2C work with
the Authenticator app?
>> So, today, it does not.
>> Okay.
>> We are working on enabling
that capability fairly soon.
>> Okay, because I think
people would like that.
>> In fact, it won't
just be MFA,
not just the Azure
Authenticator app, it could
be any Authenticator app.
>> Sure.
>> Yeah.
>> But that scenario.
>> That scenario will
definitely be enabled.
So, today, it's mostly
you get a text message
and you look at it
and you're like
okay cool, let me sign in.
>> Yeah.
>> But that's about it.
>> Okay. Awesome. So, basically,
we covered what the service
does and what it's for.
We covered what
the developer experience is,
at least the base experience;
it's a mixture of using the
portal and basically
the wizard in VS.
I presume we have some docs.
>> Yeah.
>> That exist somewhere.
>> Absolutely. So,
one thing actually to
add to that, as you're mentioning.
Even though it's two components,
the best part is now you
will never have to deploy
your app again if
you just want to
change your sign
in experience, right?
So, you're calling onto
this different service
and say you choose
to change the UI for
that particular experience.
You don't need to
deploy the new app.
>> That's a separate thing.
>> Exactly, because it's
calling out to a REST API,
it's doing a web call and
you're going somewhere else.
>> Right. Say you only
had Google as one of
your federated partners and/or
sign in providers and you
wanted to add Facebook.
>> Exactly.
>> Then that's also
just a back-end change.
>> Exactly. It's all
just a change in
the policy and the application
will never know what changed.
>> Awesome.
>> Yeah.
>> Okay. Well, I think we've
pretty much covered it.
>> Absolutely. So, if
you are interested,
I mean there's documentation at
aka.ms/aadb2c.
We love getting your questions.
We love answering questions
on Stack Overflow,
it helps the rest of
the community as well.
>> For sure.
>> Then for feedback,
there's always UserVoice.
>> Okay.
>> Thank you for having me again.
>> Awesome, okay.
>> Do you like having me here?
>> Yeah. Well, this has
been another episode
of the ON.NET show.
We learned about
Azure AD B2C from
Parakh and you can add all
this to your application
today. Thanks for watching.
