Our experience with Azure Active Directory B2C. Challenges, pros, cons and future plans
At HelloFreshGO we use Azure AD B2C for identity management, and I want to share some insights and experiences from working with several parts of it.
First of all, I must say that it is rather simple to get started with AD B2C. The customer journey of creating instances, adding identity providers, adding the default user journeys (sign up, sign in) and adding return URLs in the AD B2C dashboard is very straightforward. The trouble appeared with more customized needs.
Highlights and Troubles
The documentation provided by Microsoft is robust; I was able to find most of the answers in the instructions alone. From tutorials on how to begin to creating custom user flows, most things are there. They also provide code samples on their GitHub.
User flows and emails
We started our integration with two user flows: sign in (a default one) and password reset (a custom one). Here I need to say that the default user flows provide the full experience for the user inside Microsoft. For example, signing up consists of going to the AD B2C page and getting a verification email from them. For custom user flows you can define what you need.
For sign in we followed the instructions: that meant going to policies, creating a new user flow, selecting the type (Sign in), picking identity providers (email in our case) and setting the return URLs to our page. In case we would like to add more identity providers in the future, the list is more than enough (Facebook, Google, Apple, LinkedIn and even your own OpenID Connect providers). The sign-in page is hosted on Microsoft's servers and they provide default templates, but it is also possible to customize them by passing your own HTML (see screenshots below). This requires you to host the template yourself. In our case we have public HTML files on our domain, with CORS allowed for AD B2C.
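Two things are easy to get wrong when self-hosting the page template: the CORS policy on the host and the template itself. The following is an added example, not code from HelloFreshGO or from Microsoft, of the checks a hosting service could apply. It assumes the tenant is called `contoso` (so the only origin that needs to fetch the template is `https://contoso.b2clogin.com`) and a constructed sample template; the one fact about AD B2C it relies on is that the service injects its own form into an element with `id="api"`, so the template must contain exactly one such element.

```python
# Added example (not HelloFreshGO's or Microsoft's code): a minimal check for a
# self-hosted AD B2C page template and the CORS header the hosting must send.
# The tenant name "contoso" and the sample template are assumptions.
import re

# AD B2C fetches the template cross-origin from the tenant's b2clogin.com
# origin, so that is the only origin that needs to be allowed.
B2C_TENANT = "contoso"  # assumed tenant name
ALLOWED_ORIGINS = {f"https://{B2C_TENANT}.b2clogin.com"}


def cors_allow_origin(request_origin):
    """Return the Access-Control-Allow-Origin value for a template request,
    or None to send no CORS header at all. Only an exact allow-listed origin
    is echoed back; '*' and reflecting arbitrary origins are deliberately
    avoided, so only the tenant's login page can embed the template."""
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None


API_DIV = re.compile(r'<div\s+id="api"\s*>\s*</div>', re.IGNORECASE)


def check_template(html):
    """Validate a page template before publishing it. AD B2C renders its form
    inside the element with id="api"; a template without it shows an empty
    page. Inline script is reported because a template served into the login
    page should carry nothing that was not intentionally put there, and plain
    http:// resources are reported because the login page is served over TLS."""
    problems = []
    if len(API_DIV.findall(html)) != 1:
        problems.append('template must contain exactly one <div id="api"></div>')
    if re.search(r"<script\b", html, re.IGNORECASE):
        problems.append("template contains <script>; keep the login template static")
    if re.search(r"\bhttp://", html, re.IGNORECASE):
        problems.append("template references an http:// resource; use https:// only")
    return problems


# Constructed sample template (not HelloFreshGO's real template).
SAMPLE_TEMPLATE = """<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Sign in</title>
<link rel="stylesheet" href="https://example.com/b2c/style.css"></head>
<body><header><img src="https://example.com/b2c/logo.png" alt="logo"></header>
<div id="api"></div>
</body></html>"""

if __name__ == "__main__":
    print(cors_allow_origin("https://contoso.b2clogin.com"))
    print(check_template(SAMPLE_TEMPLATE))
```

The origin check is an exact string match on purpose: a prefix or substring match would also accept `https://contoso.b2clogin.com.evil.example`.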
The password reset proved to be more complicated. We considered using the default user flow designed for password reset, which consists of three steps: entering your email, receiving an email from AD B2C and resetting your password. The problem we found was that, in contrast to the pages, the email can barely be modified (logo, colors). The default templates are rather simple and stand out in terms of branding. The documentation suggests using 3rd-party software (such as SendGrid) in case of a need for more custom emails.
These issues pushed us to go with a mixed solution. We use a custom AD B2C user flow only for the last step (changing the password). We take care of asking for the email and sending it ourselves with a 3rd-party solution.
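With this split, the part of the reset flow that AD B2C used to own, proving that the person who clicks the link is the owner of the mailbox, is now the application's responsibility. The block below is an added example, not HelloFreshGO's code, of what that part needs: a token with enough randomness, stored only as a hash, that expires quickly and can be redeemed once, plus an email step that does not reveal which addresses have an account. The in-memory store standing in for a database, the `https://example.com/reset` link and the hand-off to the custom change-password flow (represented here by returning the user id) are assumptions.

```python
# Added example (not HelloFreshGO's code): issuing and redeeming a self-generated
# password reset link. The dict standing in for a database, the reset URL and
# the hand-off into the AD B2C custom flow (returning the user id) are assumptions.
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # short lifetime: the link travels through email


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._pending = {}        # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        """Create a single-use token for user_id and return the raw token to put
        in the email link. Only its hash is stored, so a leaked database does
        not hand out usable reset links."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user_id if token is valid, else None. The entry is removed
        on first use (or on expiry), so a replayed link cannot open the
        change-password step a second time."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def request_reset(store, email, users, send_email):
    """Handle the 'enter your email' step. The response is identical whether or
    not the address is known, so the form cannot be used to enumerate accounts;
    only known addresses actually get a token and an email."""
    user_id = users.get(email.strip().lower())
    if user_id is not None:
        token = store.issue(user_id)
        send_email(email, f"https://example.com/reset?token={token}")  # assumed URL
    return "If an account exists for that address, a reset link has been sent."


if __name__ == "__main__":
    store = ResetTokenStore()
    users = {"alice@example.com": "user-1"}  # constructed sample data
    print(request_reset(store, "alice@example.com", users, lambda e, link: print("email to", e, link)))
```

Redeeming the token should happen on the server before the user is handed over to the AD B2C change-password step, and the token must never be accepted a second time, even if the user abandons the flow half-way.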
Adding a custom user flow is a bit complex: it requires a definition of the flow in XML, described in the tutorial, and this XML then needs to be uploaded to the Identity Experience Framework of the AD B2C instance. The experience can be very customized, to the point of defining the input fields with their text and setting a custom template and localization.
User attributes and claims
AD B2C provides multiple default user attributes that can be accessed both in the Azure portal and later in the JWT as claims.
This allows for an easy overview of the default user attributes, but less so for custom ones, because they are not visible or editable via user profiles in the portal.
Inside the definitions of user flows it is possible to specify which attributes should be accessed and added to the JWT; this is where the custom attributes can be added. I haven't seen a way, however, to modify custom attributes other than by programmatically updating the user from our server application, which is a setback.
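The claims end up in the application, so the server has to decide which tokens it trusts and how it reads the custom attributes out of them. The block below is an added example, not code from this post or from Microsoft, of that server-side handling. It constructs its own token and signs it with HS256 so it runs offline; real AD B2C tokens are RS256-signed and have to be verified against the signing keys the policy publishes (the `jwks_uri` of the policy's OpenID Connect metadata), which is what the `verify_signature` callback stands in for. The tenant name, tenant id, client id and policy names are assumptions. It also shows the check that becomes relevant once a separate custom flow exists only for changing the password: AD B2C records the issuing policy in the `tfp` claim (or `acr`, depending on the policy), and a token from the change-password flow must not be accepted as a sign-in. Custom attributes surface in the token as `extension_<Name>` claims, while the same attribute is addressed through Microsoft Graph as `extension_<client id of the b2c-extensions-app without dashes>_<Name>`; the last helper builds that name for the programmatic update mentioned above.

```python
# Added example (not HelloFreshGO's or Microsoft's code): server-side handling
# of AD B2C token claims. The token is constructed here and signed with HS256
# so the block runs offline; real tokens are RS256 and are verified against the
# policy's published keys, which the verify_signature callback represents.
# Tenant name, tenant id, client id and policy names are assumptions.
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


EXPECTED = {
    "issuer": "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
    "audience": "00000000-0000-0000-0000-000000000001",  # this app's client id
    # Only tokens minted by these policies may be accepted as a login. A token
    # from the change-password flow is a valid B2C token but must not sign a
    # user in, so (assumed name) B2C_1A_changepassword is deliberately absent.
    "policies": {"B2C_1_signin"},
}


def validate_claims(claims, expected, now=None):
    """Return None if the claims are acceptable, else the name of the failing check."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected["issuer"]:
        return "iss"
    if claims.get("aud") != expected["audience"]:
        return "aud"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return "exp"
    if isinstance(claims.get("nbf"), (int, float)) and now < claims["nbf"]:
        return "nbf"
    # B2C names the user flow that issued the token in tfp (acr for policies
    # configured to use it instead); allow-list the sign-in flows only.
    if claims.get("tfp", claims.get("acr")) not in expected["policies"]:
        return "tfp"
    return None


def decode_token(token, verify_signature):
    """Split a compact JWT, verify its signature through the callback and return
    the claims. The callback gets (signing_input, signature_bytes, header)."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if not verify_signature(f"{h}.{p}".encode(), _b64url_decode(s), header):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def custom_attributes(claims):
    """Custom attributes appear in the token as extension_<Name> claims."""
    prefix = "extension_"
    return {k[len(prefix):]: v for k, v in claims.items() if k.startswith(prefix)}


def graph_extension_name(extensions_app_client_id, attribute):
    """Name of the same attribute when read or written through Microsoft Graph:
    extension_<client id of the b2c-extensions-app, without dashes>_<Name>."""
    return f"extension_{extensions_app_client_id.replace('-', '')}_{attribute}"


# ---- constructed token for the offline run (HS256 stands in for RS256) ----
DEMO_KEY = b"constructed-demo-key"


def hs256_verify(signing_input, signature, header):
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(claims):
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    now = int(time.time())
    tok = make_demo_token({"iss": EXPECTED["issuer"], "aud": EXPECTED["audience"],
                           "exp": now + 600, "nbf": now - 60, "tfp": "B2C_1_signin",
                           "oid": "user-1", "extension_LoyaltyTier": "gold"})
    claims = decode_token(tok, hs256_verify)
    print(validate_claims(claims, EXPECTED), custom_attributes(claims))
```

The order matters: the signature is checked before any claim is read, and the policy allow-list is a claim check, so a token that is cryptographically valid but was issued by the wrong flow is still rejected.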
AD B2C offers a solid identity management solution with many options for customization and for restricting access to user data. I think in the future we can expand our product to cover manual registration for multiple types of clients, with different user flows and appropriate claims defined.
A field we have not touched as much is monitoring and statistics. AD B2C offers integration with Azure Application Insights, so it will surely be interesting to add it to our monitoring.