Apr 14, 2023, Infrastructure

All you need to know about authentication with Azure AD B2C

Patryk Starostka .NET Developer
Contemporary, highly digitized times coerce a higher level of security for any system and application connected to the internet. Every organization needs to make sure that their customers feel safe while using the offered software, knowing that their data won’t leak into wrong places. However, passwords are not the only way to authenticate users, and - more than that - they aren’t always enough. The variety of authentication methods is pretty vast, so it’s surely a great idea to get to know them better, and furthermore - implement a chosen process into your application. Today we’ll take a closer look at authentication with Azure AD B2C.

What is authentication and why is it important?

Authentication is a fundamental security mechanism used to protect sensitive information and prevent unauthorized access to systems and data. It prevents financial losses, data breaches and keeps your company’s reputation intact.

The process focuses on verifying the identity of a user, system, or device which typically involves presenting some form of credentials, such as a password or a fingerprint. Why is it so important? Because by implementing strong authentication processes, you can make sure that your company’s data is secure and your customers’ information is properly protected. This is especially valid in today’s digital age where cyber threats are becoming more sophisticated and frequent. 

Authentication vs Logging in

As authentication may be sometimes treated as a more professional word for logging in, you need to know that these are two separate processes. And here’s why:


  • Verifies the identity of a user or system

  • Occurs before logging in

  • Can occur without logging in (e.g. checking if an API key is valid)

  • Ensures that the person or system trying to access the resource is authorized to do so

Logging in:

  • Provides the necessary credentials (e.g. username and password) to gain access to a system or application

  • Occurs after authentication

  • Can’t occur without authentication

  • Allows a user to prove their identity and gain access to the resource.

Authentication vs Authorization

Both abbreviated to “auth”, authentication and authorization ARE NOT the same thing and CAN’T be used interchangeably. 


  • Verifies the identity of a user or system

  • Determines whether a user is who they claim to be

  • Provides access to a system or application


  • Determines what actions an authenticated user can perform

  • Determines whether a user has necessary permissions to access a particular resource or perform a particular action

  • Controls access to specific resources within a system or application

What is Azure Active Directory B2C?

Azure Active Directory B2C is a cloud solution that enables the creation and management of authentication and authorization for end-customer applications and services.

Its most popular features include:

  • Single Sign-On (SSO): Allows users to log in to multiple applications with a single set of credentials, reducing resistance and improving security.

  • Identity Management: Manages and maintains user identity information, including password reset and account recovery.

  • Social Identity Providers: Supports popular social identity providers such as Facebook, Google and Microsoft to provide a seamless registration and login experience for users.

  • Customization: Enables customization of registration and login pages, including personalization and localization, to provide a consistent and personalized experience for users.

  • Compliance and security: Supports standard security protocols for authentication and authorization, and meets various regulatory compliance requirements, such as GDPR

Digging deeper into the Single Sign-On

As mentioned above, Single Sign-On (SSO) is a feature in Azure Active Directory B2C that allows users to log in to multiple applications using a single set of credentials. Instead of remembering different usernames and passwords for each system, they are able to log in once with their preferred credentials and access all connected apps without having to log in again. This improves the user experience by reducing friction and making it easier to access the platform they need.

SSO also helps improve security by reducing the number of passwords that have to be remembered and reducing the risk of password-related security breaches. In addition, SSO helps organizations enforce password policies and make sure that used passwords are strong and secure.

However! If you lose this single set of credentials, you’ll lose access to everything. Keep that in mind. 

Here’s an example of what can happen when losing one set of credentials:

In recent weeks, there have been frequent attacks against Google Accounts. Multiple YouTubers lost their profiles, because the attackers stole their data – but not passwords or usernames, which is even stranger. Hackers sent emails to the companies behind those Google Accounts with a phishing link. Typically a fake invoice that employers have to download or a document that has to be immediately checked and confirmed. After opening the file, the attack begins.

Hackers run multiple scripts that scavenge your whole computer and look for your browser data. They then clone your browser, and with that, clone your active access token to Google account. They don’t even have to log in anymore. They can use this token to access every single resource related to that account and change passwords, delete data and even block the whole account or company. Multiple YouTube accounts were shut down because of that.

What’s the moral of this story? Don’t click on suspicious links and use Multi-Factor Authentication whenever possible. Azure B2C pushes new applications to use this by default.


Azure AD B2C Policy Types

Okay, so we have already discussed authentication, authorization, signing in and all the surrounding stuff that makes auth possible. But how can you actually start with Azure AD B2C? What paths can you follow?

First thing you need to know is that it offers two methods of defining how users interact with applications: pre-defined User Flows or fully configurable Custom Policies. And here’s what they really are.

User Flows

A User Flow in Azure AD B2C is a pre-built, configurable template that guides users through the authentication process and enables them to sign in to your application. 

Custom policies

Custom Policies in Azure AD B2C are highly configurable and customizable rules that define the authentication and authorization process for your application, providing greater control and flexibility than pre-built User Flows.

They are defined using XML, and consist of a set of building blocks that establish the sequence of steps in the authentication process. These building blocks include technical profiles, claims transformations, validation technical profiles, and orchestration steps.

User Flows vs Custom Policies

User Flows

  • Simple implementation

  • No need for custom development (but you still need someone to set everything up)

  • Support for a range of identity providers

  • Customizable branding and user interface

  • Ability to slightly configure behavior of each page

  • Can be set up in a few clicks in Azure Portal, but there are drawbacks, but there is only so much you can do with the out-of-the-box scenarios.

Custom Policies

  • Provide a flexible and customizable authentication and authorization process for your app

  • Tailored to your organization’s specific requirements

  • Support for a range of identity providers and customization options

  • Greater control over the user interface and authentication flow

  • Ability to infinitely configure behavior of each page and User Journey with Custom Policy Files

Custom Policy files

Custom Policy files can be divided into:

  • Basic files
    – Base
    – Localization
    – Extensions

  • Files with own scenarios and own extensions

Example of use:

One of our clients wanted us to implement more security measures to be compliant with local laws. One of them was to hash users’ data. Using Custom Policies it was quite straightforward as we could implement reusable Technical Profiles that call a Hashing API when signing up, signing in and when doing anything with that user’s account. 

It involved multiple external APIs to hash the data and store users’ data based on market region, because different regions mean different laws we had to follow.

And guess what? End users don’t even know that it’s happening. They get a seamless experience and all the magic happens behind the scenes.

Azure AD B2C - most common authentication scenarios

Sign-up and sign-in


Password reset and account recovery


Social or external identity provider


Self-service profile management


These scenarios can be customized and combined with other authentication methods to create a tailored authentication and authorization process for your application.

Azure AD B2C Pros

  • Azure AD B2C is a cloud-based service which means it can be easily scaled to meet changing demands

  • It provides a range of authentication options and protocols, making it flexible and adaptable to different use cases and scenarios

  • It offers a user-friendly interface and can be easily integrated with existing applications and systems

  • It provides a high level of security and compliance with industry standards such as GDPR and HIPAA

  • It supports multi-factor authentication, device registration, and risk-based authentication which helps increase security and reduce the risk of fraud and data breaches

  • It provides detailed reporting and analytics, enabling organizations to monitor usage and identify potential issues or threats

  • It’s really cost effective – first 50,000 MAU are free

  • It provides multiple MFA options such as SMS, Phone, Email and Authenticator Apps

Azure AD B2C Cons

  • Customizing the user interface and workflows requires advanced coding skills

  • Additional costs associated with sending SMS and phone based MFA codes – $0.03 per code

  • A relatively high learning curve and can be complex to configure and manage.

  • Additional development effort and resources to integrate with legacy systems or third-party applications.

Azure AD B2C Summary

How important is it really to have a proper authentication mechanism?

Having a proper authentication mechanism is extremely important for any organization that wants to protect its sensitive data, applications, and resources from unauthorized access. Need more reasons? Here they are:

  • It helps ensure that only authorized users can access sensitive data, such as customer information, financial records and so on. Without proper authentication measures in place, this data could be easily compromised or stolen.

  • Hackers often use stolen or compromised credentials to gain access to an organization’s network or systems. Proper authentication measures, such as multi-factor authentication or strong password policies, can help prevent these attacks and reduce the risk of data breaches.

  • Many regulations and standards, such as GDPR, require organizations to implement strong authentication measures to protect sensitive data and maintain compliance. Their lack can result in legal or financial penalties.

  • Customers want to know that their personal information is being protected when they do business with an organization. Implementing strong authentication measures can help build trust and confidence in the organization’s ability to protect sensitive data.

Is it worth it to jump straight into Custom Policies?

Putting it simply – yes. Custom Policies offer a high degree of customization and flexibility that may be necessary for your organization’s unique or complex authentication requirements. While there is a high learning curve associated with implementing them, the benefits may outweigh the costs in the long run. 

  • You have complete control over the authentication flow and can customize every aspect to meet your organization’s specific needs. This can be especially beneficial if you have unique or complex authentication requirements that cannot be met with pre-built User Flows.

  • You’re able to create a seamless and intuitive authentication experience that aligns with your organization’s branding and user expectations. This can lead to higher user adoption and satisfaction, as well as fewer support requests and user errors.

  • You can implement more advanced security measures, such as conditional access policies, multi-factor authentication, and risk-based authentication. This can help reduce the risk of data breaches and cyber attacks.

  • You’re able to create reusable authentication components that can be shared across multiple applications or services, saving time and resources in the future.

Can I set up a system like this on my own?

Setting up an authentication system on your own may seem like a cost-effective idea, but it can actually lead to several issues down the line. You might want to consider hiring professionals, and here’s why:

  • Authentication systems are complex and require a high level of expertise to set up properly. Professionals have the skills and knowledge necessary to design, implement, and maintain a secure authentication system that meets your organization’s needs.

  • Authentication systems handle sensitive data and play a critical role in protecting your organization from cyber attacks. Professionals can help make sure that your system is properly secured and meets industry best practices and compliance requirements.

  • Every organization has unique authentication requirements. Professionals can help you design and implement a system that is tailored to your specific needs, which can lead to a better user experience and increased security.

  • While hiring professionals may seem expensive upfront, it can actually save you money in the long run. Professionals can help you avoid costly mistakes and ensure that your authentication system is set up properly from the beginning, which can help reduce the risk of downtime, data breaches, and other issues.

If you’re thinking about setting up an authentication system with Azure AD B2C, we’ll gladly help. We have a vast expertise on the matter, and we’re happy to support our clients in keeping their processes safe and sound. We can consult, implement, and maintain the most suitable solution that will meet your business goals and enhance your customer experience.