Enduser Management Solutions - Azure Active Directory

Enduser Management Introduction

Context & Problem

This document describes patterns to manage the endusers of applications including authentication and authorization. Applications are assumed to be web applications. From a data modeling perspective the major entities are the application and its endusers.

Application scenarios can range from relatively simple (Just the users with a few additional data) to very complex:

Simple: User and an application with a few extra attributes.
Middle: Users with different scopes. Global users are independent from the app whereas app specific users are targeted to a certain application only (See here for details).
Very complex
Online marketing (also known as internet marketing or web marketing) includes all marketing activities that are carried out online to achieve marketing goals, from brand awareness to closing an online business. Factors that make it complex:
- State change: Various events can trigger state changes in such a scenario. Targeting users with marketing content usually requires consent by the user. Expiry or explicit withdrawal must be reflected in those systems.
- Business partners as endusers: Business partners have to go through a much more complicated process before being verified. This might also include backoffice activities that trigger further state changes. Leaving the business or closing of business triggers state changes in the associated users.
- Guest user: To maximize online-business users should also allowed to do business although they may not yet fully registered in the system.
- API: Systems should have a clear defined API to shield calling applications from implementation details and allowing changing of underlying platform. An API also simplifies versioning.
- Integration: Certain aspects such as authentication might split across multiple systems. Systems have to communicate in such a scenario and might have to be able to receive signals to move forward in the processing flow.
- Data modeling: Complex scenarios have a much more complex data model which might include arbitrary attributes and own custom entities.

Technically enduser management can be integrated into the application itself or factored out into a separate service. The pictures below indicate the basic options:

Inside Application: In this model the persistence layer also hosts the additional enduser data. All required functionality such as authentication/ authorization is provided by the application.
Factored out (Same platform as app): In that case the enduser management is factored out in a separate service within the same platform as the application.
Factored out (Different platform as app): In that case the enduser management is factored out in a separate service using a platform, that differs from the application platform.
Hybrid: Mixture of options 1 to 3.

As shown enduser management can be split across systems. For the components used the standard considerations from the software lifecycle apply. This includes operational aspects such as monitoring and provisioning. Especially testing is challenging since the functionality requires user interaction which is not available in automated tests.

The picture below shows a logical architecture of a complex scenario:

Standard Problems

The following standard problems will be addressed in subsequent paragraphs. The problems result from all described application scenarios:

Entire process enduser management
The folowing challenges exist regarding the entire process:
- Implementation (Testing): Testing is a challenge since the tested functionality requires user interaction.
- Implementation (Provisioning): Automatic deployment pipelines should be preferred. The challenge might rise from the fact that the developers reside in a different organizational boundary than the endusers of the application.
- Operations (Monitoring): The user interactions must be monitored end-to-end across enduser management and the pplication. This might be challenging if enduser management is factored out in a separate service.
Application

The application must be able to access enduser information regarding authentication/ authorization. The application must manage sign in, out and up. Changes in the enduser management must be reflected by the application also if the user has not initiated a certain action.
Enduser managment
A service must able to handle the following challenges:
- API: A clear definition of the interfaces would preferable. This also allows to address versioning and abstraction of the underlying enduser management implementation.
- Flows: Flows refer to a sequence of actions mainly related to authorization and authentication. The flows are highly asyncronous due to possible blocking enduser interaction. E.g. if the user has to confirm his identity with an EMail verification link.
- External: Bidrectional communication is required if functionality is split across systems. E.g. if the backoffice approval is factored out in a different systems that requires adjusting the state of the enduser.
- Custom logic: It must be possible to incorporate custom logic e.g. to get additional data such as loyalty id.
- Data store: Endusers state must be persisted along with all asscociated information.
- Scheduling: Consent by the enduser might be limited to a certain expiry date. Expiry usually requires state changes of the enduser in the enduser management service.
- On behalf of: Especially if business partners as endusers are involved it is common that others do things on behalf of others. E.g. if the owner (=enduser) of a business partner organization invites employees.
- Access Reviews: Endusers you have been granted access might not be there anymore. E.g. because they have left their home organization. In that case system support is helpful that allows to determine which users are still active.

Enduser Management Platforms

Azure

This chapter lists major features/ concrete services for enduser management of the Azure platform. This architecture pattern builds on the general problem description for enduser management. A detailed discussion of services is part of the solution design in the subsequent chapters. Major features for the previously described areas are as follows:

Enduser managment
The central control instance for all users within Azure is Azure Active Directory (=AAD). Users in AAD must exist in a so called tenant which constitutes the highest possible domain boundary within Azure.

AAD comes with features that support enduser management out of the box such as AAD B2C. These features cover quite well the simple to middle scenario. In the complex scenario limitations of these features might be a problem. In that case only Azure native services remain as fallback. Problematic service limitations might be:
- Own entities: The features only support custom attributes but no own entities.
- Separate tenant: AAD B2C comes with an own tenant that differs from the corporate one where the provisioning services might live. Azure DevOps pipelines don’t work if you use custom policies.
- Bidirectional communication: Receiving messages in a publish/ subscribe pattern might not be directly supported.
- APIs: AAD comes with its defined endpoints. It is not possible to introduce custom APIs.
- Multiple organizations: Especially when endusers can be business partners users might be associated with multiple organizations. A tenant can serve as organization. However, a tenant is a heavyweight construct and moving endusers between tenants is not as easy as a data store update.
AAD B2C provides cookie based session management with different options to control the session. Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session, and issues an access token without prompting the user to sign in again. If the cookie-based session expires or becomes invalid, the user is prompted to sign-in again. Sessions can be managed by the following parties:
- Azure AD B2C - Session managed by Azure AD B2C
- Federated identity provider - Session managed by the identity provider, for example Facebook, Salesforce, or Microsoft account
- Application - Session managed by the web, mobile, or single page application
Application

Microsoft provides AAD libraries that wrap the required functionalities including sign in/ ou/ up.
Entire process enduser management
The Azure platform supports enduser management as follows:
- Implementation (Testing): User flows can be tested separatly without being incorporated into an application. No additional support beyond that feature exists.
- Implementation (Provisioning): Automatic deployment pipelines should be preferred. The challenge might rise from the fact that the developers reside in a different organizational boundary than the endusers of the application.
- Operations (Monitoring): Azure provides Azure Monitor for monitoring the enduser management service from the application perspective. Monitoring the AAD service from infrastructure perspective is more difficult.

The picture below summarizes major aspects mentioned before:

Enduser Management Solutions - Azure Active Directory

Overview Azure Active Directory

The central control instance for all users within Azure is Azure Active Directory (AAD). It comes with the following features/ services that can be used for enduser management:

AAD Business to Customer (B2C)

This feature started with the idea to cover endusers of an application. The feature comes with a special B2C tenant in which the users are located.
AAD Business to Business (B2B)

This feature started with the idea to give external users access to Azure resources in an existing tenant. The external are modeled as guest users in AAD. This feature can be also used for modeling endusers especially if the same tenant is not problematic. A big advantage is that problems related to the separate B2C tenant are not relevant such as provisioning.

Currently there is a lot of movement in this area. Microsoft was already porting features from B2C to B2B. The new external identities marks the shift towards even more integration between the two. Currently it refers to two things: (1) the new umbrella term unifying the so far separate B2B/ B2C features and (2) additional features that were added to AAD B2B. According to this source this might mean a unified service offering that combines the B2B and B2C features. According to feedback from the microsoft product group it probably does not mean a a new separate service that unifies the existing B2B and B2C. The majority is voting for creatin an option within AAD B2B to group the users in a logical container within a tenant. The current hassle could be then avoided that comes with the different B2C one.

Enduser Management Application Level

Overview

The solution is to use one of the introduced AAD features and the following platform features. The focus of this chapter is to introduce the relevant features. Recommendations for a concrete setup are given in the next chapter.

The relevant AAD features are as follows:

AAD Application registration

Applications need to be registered for usage within Azure B2C and B2B. Registration is mandatory for Azure B2C. B2B session settings define whether a user has access to certain applications only or a wider scope such as single-sign-on for all app registrations in the B2C tenant. For B2B it is only mandatory if users are invited per application (Scopes user group and tenant don’t require an app registration). App registration contain settings per Applications such as redirect URLs. See here for an example of an SPA web application.
AAD User Management feature
AAD B2B and B2C can be possible to manage end users. Crucial questions are:
- Is it a problem to store the application users with others in the same tenant? (Since you might have a mixture of corporate and non corporate users)
- Does the separate tenant cause problems? (E.g. because you want to use custom policies which results causes problems regarding provisioning)
- Feature differences such as Single Sign On
Monitoring

Application monitoring can be done via Azure Monitor. However the required steps for setting it up differ from standard. It requires even additional services such as Azure Lighthouse due to the separate tenant.
Compliance
Azure User features can be combined with various other Azure services/ AAD features to strengthen security. This includes:
- Azure sentinel for security analytics based on routing/ audit logs forwarded
- AD B2C Identity Protection provides two reports. The Risky users report is where administrators can find which users are at risk and details about detections. The risk detections report provides information about each risk detection, including type, other risks triggered at the same time, sign-in attempt location and more.

The picture below summarizes the points:

Detailed AAD User Management Features

The AAD features support the following out of the box:

Application

Microsoft provides AAD libraries that wrap the required functionalities including sign in/ ou/ up.
Enduser managment
The AAD supports the following:
- Flows: Supported out of the box. HTML/ CSS customization of required pages is possible. Flows are defined declarativ via XML.
- Custom logic: Can be implemented via functions.
- Data store: Supported entities besides users and organizations (=tenants) can be found here. Custom attributes can be added but no own entities.
- On behalf of: Is provided out of the box by invitation workflows.
- Access Reviews: Is provided out of the box.

Variations

Authentication can be done by an external identity provider.

Enduser Management Infrastructure Level

The core service is Azure AD. A direct monitoring with Azure Services is hard since the infrastructure monitoring tools also require Azure AD authentication. Possible native tools are:

Microsoft 365 service health status page
Microsoft 365 admin center

The Microsoft 365 Service Health Dashboard (SHD) doesn’t send notifications about Azure AD service outages and only shows this information in a dashboard, which administrators have to pull up and analyze (link to Source).

Credits

_{Last updated 2023-11-20 10:40:20 UTC}