TL;DR With Azure AD B2C we can authenticate users via a browser-based feature - we run the OpenID Connect flow in the browser, authenticate the user via the Authorization Code flow, and get the token. But what if we want to stay with the mobile application? On the Desktop application? With Entra External ID we can use the native authentication flow. PS> Native Authentication is in preview mode - it is not for production use! ...
Entra External ID for Customers is a new Azure Tenant type that allows you to create digital identities for your customers. Use cases B2B partners. You can create a dedicated customer tenant for your partners and give them access to your applications, manage users and groups in the tenant without partners’ access to your organisation (workforce tenant). Your data is fully secured and isolated. Online services and web shops for your retail. Full self-service is available to sign up/sign in and manage their accounts. You can also use social logins like Google or Facebook. Product pages, helpdesk and support. Keep customer engagement and provide them with the best experience. Cross-device authentication. User-friendly experience to log in on the TV screen, medical devices, or any other IoT where you can display a QR code or PIN to log in. What is Entra External ID for Customers? In simple words, it is a new tenant type. From now you can decide Workforce or Customer type. It is a new tenant type to create - so for customers, it is separate - and not connected with your organisation’s tenant. Please remember that the service is still in preview mode - but only till the 15th of May, so only limited features may be available. Service will be GA soon!! ...
B2B scenario Protect your applications and services with identity provider service based on the OpenID Connect with Identity Federations. Your solution is a ‘family’ of services and applications in the B2B model. Your partners have their identity provider—modern services like Entra ID, Octa, Auth0, and AWS Cognito. Use cases There will be no more duplicate accounts. You can use the partner identity to authenticate with our services. The email is a unique identifier, along with the password or another authentication method you provide as a partner. We hope that you can secure your accounts. When we see a risk, we can enable MFA for the B2B partner users. ...
Updated: 30-06-2024 Playground Entra Verified ID Workshop Do you want to try it? Use my GitHub repository to set up your credentials. Entra Verified ID Workshop You can start with my workshop and create a simple flow with Entra Verified ID. All divided into steps with the code and the explanation. Big Picture Verifiable Credentials solve problems for identities in the digital world. What does it mean? Please check the story: You own the national ID card. It is in your wallet. To get the document, you must visit the government office, provide information/documents, check your identity with your old ID, passport, or proof of birth, and wait for the document. ...
TL;DR Authentication or authorization? What is the term I need to use with my current scope of work? Do I need to authenticate the user or authorize it? Ok! I need to authenticate the user and then authorize (or the opposite). Dictionary: Authentication - is the process of verifying the identity of a user. How can we do it? As a basic scenario, when only one person knows the combination of login and password, we need to check if the combination is correct to authenticate the user. Authorization - verifies the user has the right to access the resources. Can I read the file? Can I write to the file? I would like to share how to build an authorization service. Big Picture I believe authentication and authorization can be separated - or treated on many different levels. When we consider the authorization for GitHub: ...
TL;DR Please stop using passwords. My stack is based on Yubikey and 1Password. Can I be a passwordless team member? Check my journey and answer the question. I improved my security with the following steps: Entra ID accounts without password, extended security on GitHub with GPG key, moved the SSH keys to 1Password, started using 1Password CLI to access secrets for ServicePrincipals. Big Picture Yubikey I started my journey with Blue Yubikey. After a couple of weeks, I notice two issues: ...
TL;DR You decided to build a web application in Azure - great! The solution contains App Service, CosmosDB, Blob Storage or other resouces. You started with really simple solution, but as IT Pro you decided to build three environments: Development, Test, and Production. You also decided to use Azure API Management to manage your APIs. You are aware of the security risks and you want to protect your resources. Please fallow my suggestion to use Azure FrontDoor and API Management to protect your resources. ...
Microsoft Entra ID External Identities vs Azure AD B2C. TL;DR A summary of differences between Entra ID and Azure AD B2C. Entra ID in this article is used to build a product. Differences between Entra ID and Azure AD B2C To share resources from your organization (Entra ID) like PowerBi, OneDrive, and SharePoint - use B2B collaboration. Please remember: in many cases, you must assign the expected licenses - PowerBI*, for example, and you will be able to use PowerBI Portal. ...
Here are some tips that can help you with user management: Use CIAM User Interface to create a new user: with Azure AD B2C Policy - User Journey, you can create a single point for all applications to create a new user, making the process efficient, streamlined, easy to improve and change. Don’t share personal information with applications: Adopt a zero-trust approach to avoid sharing personal information with applications. Instead, you can use centralised communication with end-users for marketing and other purposes (It is only possible with some business cases). Avoid using email addresses as user identifiers: Not sharing them reduces the possibility of them being used as identifiers by new and migrating to CIAM applications. Also, for all primary cases, email is a basic user identifier (with password); hiding email from applications gives you independence and flexibility in the future - for example, using FIDO or Passkey or without keeping an email address. Use REST|SCIM API with temporary access for applications: This can be useful for migration purposes, as it provides temporary access for applications - granting limited time-frame access so you can easily monitor API usage. The main channel for sign-up users is the User Interface (Policy) - (KISS rule - it will be easier to maintain one component). Use CIAM solutions like Azure AD B2C for password security: These solutions take care of passwords and other security measures for you, so you don’t have to worry about them. Remember that you don’t have access to the user passwords via API or management portal. ...