How to enable secure user authentication with advanced flows in Azure AD B2C

Many of our clients are enjoying the benefits of Azure AD B2C authentication (‘B2C’) for their public-facing websites. It offers a secure, robust ecosystem for customised single sign-on flows (also called policies or user journeys) across websites based on any technology, and brings many out-of-the box features to the table, such as social login and MFA.

But if you’re using B2C, are you missing a trick by using out-of-the-box user flows?

Picture a typical sign-up journey for a new user who has an existing relationship with your organisation. For example:

• You are a membership organisation – your user is an existing member, signing up to use the website for the first time.
• You sell financial services – your customer has purchased an insurance policy from you by phone – and now wants to login to your website to see their policy documents.
• You are a retailer – your customer already has a relationship via a loyalty scheme or promotion – and wants to order online for the first time.

All of these cases require your website to associate the new user credentials with the existing user record in your back office – and to do this, you will need some sort of user verification.

You could deploy the standard sign-up journey from Microsoft, and then do the user verification on your website(s).

But why not incorporate verification into the Azure AD B2C journey, so that it sits inside Azure AD B2C’s secure authentication framework – and outside of your (possibly multiple) websites?

Thinking outside of the B2C box

The B2C out-of-the-box user flows give you a lot to work with – look and feel customisation, social logins, MFA and custom fields – but they won’t give you the opportunity to make API calls to your back-office systems.

This means that you can capture something like membership number – but you would be unable to check it against your membership database, or, indeed, validate it against other information about the user.

This is where ‘advanced’ or ‘custom’ flows come in (find out more about B2C flows here).

Let’s take the case of the membership organisation.

In this real-life case, paid-up members are able to access various website features including tools to assist with continuing professional development (CPD).

Members who want to use the website for the first time obviously need to prove that they are members before taking advantage of CPD and other tools.

So, how do you do this within a B2C user flow?

1. Create your API

First of all, you need to create a Web API (application programming interface) which can answer the question “Given this information about me, am I a member?”.

So, it will need to take some inputs (for example membership number and date of birth) and provide a Yes/No answer by looking in your CRM system or equivalent. Of course, this Web API needs to be reliable and appropriately secured.

2. Link the user flow

Within the user flow, your B2C partner will create a number of ‘orchestration steps’, which are essentially tiny computer programs – they can receive inputs, process data, and output to the next step.

Your user flow will need an orchestration step, which calls the Web API you have created, and, depending on the result, flows nicely onto the next step (or raises an error).

3. Success!

Your user flow will, of course, need to ask the user for (in this case) their date of birth and membership number, and, if all is well, receive a success message from the API. Ultimately, it will return a token to your website containing the (verified) membership number.

On the strength of this piece of information, your websites can then offer the user all of the appropriate membership tools.

Conclusion

If you’re looking at deploying third-party single sign-on (SSO) for the security or reliability, or just to save time building a decent authentication system, B2C will do all of that for you – but look beyond the feature list and you will find other benefits which may well save you time and help to further secure your user journeys.