Rory Braybrook
Sep 11, 2017

Azure AD B2C — the successor to ACS

Much like Mark Twain, reports of the death of Microsoft’s Access Control Service (ACS) have been greatly exaggerated.

Azure AD B2C has been touted as the successor but it’s never been obvious how this should be done.

The advent of custom policies gives us a clear path as to how to achieve this.

Custom policies allow B2C to connect to any other identity provider via OpenID Connect (OIDC) or SAML 2.0 (WS-Federation is on the road-map).

This is all done via XML files that define the protocol details, e.g. the signing certificate, the client ID, the endpoints, etc.

There are some guides:

Configuring this assumes a decent knowledge of identity. As per the documentation:

“Custom policy editing is not for everyone. The learning curve is demanding, the startup time is longer, and future changes to custom policies will require similar expertise to maintain.”

The key for using B2C as an ACS replacement is to use it as a bridge to the Identity providers you want rather than using the basic B2C functionality itself.

As per the diagram, we are not using B2C for registration or password self-service. It’s just a cloud bridge to other Identity providers in the same way that ACS provides this functionality.

The application still has to hook up to B2C using a policy, but in this case that policy is tied into the custom policies.

The user will essentially see a “Home Realm Discovery” screen when they log in, and from this they can select the custom provider they want.

If it’s social you are after, you could:

  • Manually add the providers
  • Use the inbuilt providers. Currently: Facebook, Google+, LinkedIn, Microsoft, Amazon, Twitter (preview), WeChat (preview), Weibo (preview) and QQ (preview).
  • Link into one of the IDaaS providers that have a raft of these already configured.

Auth0, for example, has many, and from a NZ perspective, where we get a lot of Asian visitors, it allows the Asian socials.

If you did want to use the richness of B2C and also use the bridge facility, one use case springs to mind.

As per the FAQ, you cannot mix Azure AD and Azure AD B2C tenants. To amplify:

“Azure AD and Azure AD B2C are separate product offerings and cannot coexist in the same tenant. An Azure AD tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. With custom policies, Azure AD B2C can federate to Azure AD allowing authentication of employees in an organization.”

Hopefully, this provides a path for you to prepare for the inevitable day when ACS is turned off.


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5