12 April 2019

Secure application sign-in with Azure AD B2C

Written by Marcus Idle

In addition to smooth validation journeys and enabling single sign-on, Azure AD B2C also comes with a whole host of security benefits.

Here at ThirdSpace, one of the things we help clients with is to create authentication journeys (sign up, sign in, password reset) for public-facing websites and mobile apps, using Microsoft Azure AD B2C.

At the most basic level, this gives the public-facing website a hassle-free way of logging users in – removing some of the burden from your website and reducing password reset issues.

At the login stage, your website diverts the user to B2C, and then when the authentication journey is completed, B2C returns an “ID token” to the website, containing information about the user (assuming the appropriate handshakes have occurred between B2C and the website).

But why would you spend money on a third-party service just to log the user in and give you back a token?

Demand more from your B2C experience!

One of the big attractions of single sign-on (SSO) as a service – or ‘Identity as a Service’ (IDaaS) as it is more commonly known – is the extra protection it provides both for your end users and for your organisation’s resources.

Building secure authentication journeys involves so much more than hashing the password and comparing it with your credentials database.

A basic prerequisite is knowing that your login process is secure. Using an OpenID Connect solution – a tried and tested authentication protocol – rather than a home-grown solution is a good way of ensuring that you don’t just have a working login, but a secure one.

But after you’ve ticked that box, you need to consider how you protect against known threats.

Consider the average WordPress-based website. Many website owners do not apply patches, which means their websites become more and more vulnerable to new forms of attack. To make things worse, in December 2018, PHP versions 5.6 and 7.0 (the underlying technology for a staggering 57% of all WordPress websites) stopped receiving security updates.

Of course, many websites do not use established CMS platforms or web application frameworks as a basis for their login functionality – and these websites are far more exposed to threats because their vulnerabilities are not well known, publicised and patched.


Websites should defend against problems such as:

  • Unvalidated input
  • SQL injection attacks
  • Race conditions
  • Cross-site scripting attacks
  • Cross-site request forgery
  • Token/session replay
  • Elevation of privilege

However, without a team of security experts who can keep up to date with the latest threats, it can be a losing battle.

And that’s just the baseline of threat protection.

What about measures such as:

  • Invalid password lock-out
  • Bot detection
  • Throttling of resources when faced with multiple requests from a single IP
  • Ability to verify a user’s identity via known facts or one-time codes
  • Identity verification using multiple factors such as phone or text (multi-factor authentication)

B2C understands the threat posed by the user

Azure AD B2C can do all of this, and thanks to their tireless identity and security research, Microsoft have developed machine learning tools which also understand and respond to the threat posed by the user logging in or signing up.

This means that if a user seems highly suspicious to the AI, due to their current or previous behaviour (or other data about their identity), then the AI can prevent them from logging in altogether – protecting your organisation and potentially protecting the real user behind the identity, if that identity has been stolen.

Does your CMS or your IDaaS do this?

It’s all on tap

Implementing Azure AD B2C is relatively easy. Using the Azure Portal, you register your web application and point it at the built-in user flows (such as “sign up or sign in”). These take over the user experience at the point of login and return access and ID tokens once the user has completed their authentication journey.
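Receiving the ID token is only half of the “handshake” mentioned earlier: the website still has to check that the token really came from its own B2C tenant and user flow, was issued for this application, and belongs to this login attempt (the nonce is what defeats token replay). The following is an added example, not code from the article or from Microsoft; the tenant name, tenant ID, client ID and user-flow name are constructed placeholders, and signature verification against the tenant’s published signing keys is assumed to have been done by a JWT library beforehand.

```python
import base64, json

# All identifiers below are constructed placeholders, not values from the article.
TENANT = "contosob2c"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
POLICY = "B2C_1_signupsignin"
# B2C tokens are issued from the tenant's b2clogin.com endpoint; the issuer carries the tenant ID.
EXPECTED_ISS = f"https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/"

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_test_token(claims):
    """Constructed fixture: a JWT-shaped string with a dummy signature segment."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(segments + ["placeholder-signature"])

def sample_claims(now, nonce):
    """Constructed claims shaped like a B2C ID token from the sign-up/sign-in user flow."""
    return {"iss": EXPECTED_ISS, "aud": CLIENT_ID, "tfp": POLICY, "nonce": nonce,
            "sub": "placeholder-object-id", "iat": now - 60, "nbf": now - 60,
            "exp": now + 3600, "name": "Constructed User"}

def validate_id_token_claims(token, expected_nonce, now):
    """Return (ok, detail). Assumes the signature was already verified against the
    tenant's published signing keys; that step needs a JWT library and is not shown."""
    try:
        _, payload, _ = token.split(".")
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return False, "audience mismatch"
    if claims.get("tfp") != POLICY:
        return False, "issued by a different user flow"
    # The nonce is generated per login attempt and kept in the session; it is what
    # stops a captured token being replayed into a different login.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if now >= int(claims.get("exp", 0)):
        return False, "token expired"
    return True, claims.get("sub", "")
```

The `sub` claim returned on success is the stable B2C object ID for the user and is the value to key your own user records on, rather than the display name or e-mail.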

You’ll pay a fraction of a penny per authentication, but you won’t need to worry about any of the hardware – or about the security for the authentication process. In other words, B2C can take quite a lot off your hands.

Just by offloading the sign in journey to B2C, and before you’ve spent any money on scale or on complex user journeys, you’re getting the industrial-strength security protection offered by Microsoft’s machine learning tools and other B2C features.

As we’ve pointed out in other blog articles, B2C can do quite a bit more for you – from engaging users with social logins, to creating smooth validation journeys – but security is certainly the biggest selling point among the clients we’ve spoken to.

Microsoft is sometimes referred to as ‘the biggest IT security company on the planet’ and with B2C it is certainly making its presence felt in this area.

Azure AD B2C will give you state-of-the-art security – on tap.

Next, see Azure AD B2C in action in this webinar or explore our dedicated web page for more info.


About Marcus Idle

Head of CIAM and IP Development

Marcus Idle is our Head of Customer Identity and Access Management and IP Development at ThirdSpace. He is responsible for projects involving external identities. Expert in Microsoft’s Azure AD B2B...