31 January 2019

How to enable secure user authentication with advanced flows in Azure AD B2C

Written by Marcus Idle

Enhance your verification process and take advantage of secure authentication for your customers.

Many of our clients are enjoying the benefits of Azure AD B2C authentication (‘B2C’) for their public-facing websites. It offers a secure, robust ecosystem for customised single sign-on flows (also called policies or user journeys) across websites based on any technology, and brings many out-of-the-box features to the table, such as social login and MFA.

But if you’re using B2C, are you missing a trick by using out-of-the-box user flows?

Picture a typical sign-up journey for a new user who has an existing relationship with your organisation. For example:

  • You are a membership organisation – your user is an existing member, signing up to use the website for the first time.
  • You sell financial services – your customer has purchased an insurance policy from you by phone – and now wants to log in to your website to see their policy documents.
  • You are a retailer – your customer already has a relationship via a loyalty scheme or promotion – and wants to order online for the first time.

All of these cases require your website to associate the new user credentials with the existing user record in your back office – and to do this, you will need some sort of user verification.

You could deploy the standard sign-up journey from Microsoft, and then do the user verification on your website(s).

But why not incorporate verification into the Azure AD B2C journey, so that it sits inside Azure AD B2C’s secure authentication framework – and outside of your (possibly multiple) websites?

Thinking outside of the B2C box

The B2C out-of-the-box user flows give you a lot to work with – look and feel customisation, social logins, MFA and custom fields – but they won’t give you the opportunity to make API calls to your back-office systems.

This means that you can capture something like membership number – but you would be unable to check it against your membership database, or, indeed, validate it against other information about the user.

This is where ‘advanced’ or ‘custom’ flows come in.

Let’s take the case of the membership organisation.

In this real-life case, paid-up members are able to access various website features including tools to assist with continuing professional development (CPD).

Members who want to use the website for the first time obviously need to prove that they are members before taking advantage of CPD and other tools.

So, how do you do this within a B2C user flow?

1. Create your API

First of all, you need to create a Web API (application programming interface) which can answer the question “Given this information about me, am I a member?”.

So, it will need to take some inputs (for example membership number and date of birth) and provide a Yes/No answer by looking in your CRM system or equivalent. Of course, this Web API needs to be reliable and appropriately secured.

2. Link the user flow

Within the user flow, your B2C partner will create a number of ‘orchestration steps’, which are essentially tiny computer programs – they can receive inputs, process data, and output to the next step.

Your user flow will need an orchestration step, which calls the Web API you have created, and, depending on the result, flows nicely onto the next step (or raises an error).

3. Success!

Your user flow will, of course, need to ask the user for (in this case) their date of birth and membership number, and, if all is well, receive a success message from the API. Ultimately, it will return a token to your website containing the (verified) membership number.

On the strength of this piece of information, your websites can then offer the user all of the appropriate membership tools.
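
The three steps above hinge on the verification API from step 1, so here is a sketch of its decision logic as an added example (not code from the original article or from ThirdSpace). The claim names membershipNumber and dateOfBirth, the "M" plus six digits number format, the shared secret, the lockout threshold and the in-memory member list are all assumptions; the rejection body uses the version/status/userMessage shape that a B2C REST call surfaces to the user on an HTTP 409.

```python
import hmac
import re
from datetime import date

# Constructed sample data standing in for the CRM lookup (assumption).
MEMBERS = {"M100234": date(1980, 4, 12), "M100777": date(1975, 11, 3)}
API_SECRET = "constructed-shared-secret"  # placeholder; load from a secret store
MAX_FAILS = 5                              # hypothetical lockout threshold
_fails = {}                                # failed attempts per membership number

# One body for every rejection, so a caller cannot tell which field was wrong.
REJECT = {"version": "1.0.0", "status": 409,
          "userMessage": "We could not verify your membership details."}


def verify_member(payload, presented_secret):
    """Return (http_status, json_body) for one verification request."""
    # Only the identity service, which holds the shared secret, may ask.
    if not hmac.compare_digest(presented_secret.encode(), API_SECRET.encode()):
        return 401, {"error": "unauthorized"}
    number = str(payload.get("membershipNumber", "")).strip().upper()
    # Validate both inputs strictly before touching back-office data.
    if not re.fullmatch(r"M\d{6}", number):
        return 409, REJECT
    try:
        dob = date.fromisoformat(str(payload.get("dateOfBirth", "")))
    except ValueError:
        return 409, REJECT
    # A date of birth is low entropy: cap guesses per membership number.
    if _fails.get(number, 0) >= MAX_FAILS:
        return 409, REJECT
    record = MEMBERS.get(number)
    # Unknown numbers are compared against a dummy date, so known and
    # unknown numbers take the same path and get the same answer.
    expected = (record or date.min).isoformat()
    matched = hmac.compare_digest(expected.encode(), dob.isoformat().encode())
    if record is None or not matched:
        _fails[number] = _fails.get(number, 0) + 1
        return 409, REJECT
    _fails.pop(number, None)
    return 200, {"membershipNumber": number, "membershipVerified": True}
```

Only the 200 response carries the membership number, so the token returned to the website contains that claim only after the back-office check has passed.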


If you’re looking at deploying third-party single sign-on (SSO) for the security or reliability, or just to save time building a decent authentication system, B2C will do all of that for you – but look beyond the feature list and you will find other benefits which may well save you time and help to further secure your user journeys.

About Marcus Idle

Head of CIAM and IP Development

Marcus Idle is our Head of External Identity. Expert in Microsoft’s Azure AD B2B and B2C technologies, Marcus is passionate about bringing cloud and external identity to life to solve business...

