Azure B2C - security questions - azure-ad-b2c

I have a client using B2C on a small scale looking to scale up to support 100,000 users.
Questions are as follows:
1. The documentation suggests lockout after 10 failed login attempts. Is it on the roadmap to allow users to configure lockout policies? (The client sees this as a security weakness.)
2. To change the UPN for a user, do we still need to use Graph API?
3. B2C user feedback messages to end users do not meet internal stakeholder expectations (they don't like the error messages, as they give information about whether a username is valid or not). The customer seeks to customise this and to understand how to customize the look and feel in line with internal guidelines. (The client sees this as a security weakness.)
Thanks!

In the future, I recommend making three separate posts for the three questions. Helps to make each question more searchable - and also follows the Stack Overflow guidelines. In the meantime:
Smart lockout is on the roadmap, but you should vote for the feature here to help the team prioritize - https://aka.ms/aadb2cfeedback
You cannot change the UPN, but why would you want to?
You can customize all strings in Azure AD B2C - see here for built-in policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-language-customization

Related

Per Company Sign-in Providers / Options with Azure B2C

I’m currently working on a POC to use Azure AD B2C in a multi-tenant architecture where we have a single database of users tied to companies. Presently we have around 1000 different companies. The question I couldn’t determine from documentation and Azure support is whether I can do the following:
Allow company admins to choose the sign in providers they want for their users.
Provide per company branding to the user flows.
Of course, my main consideration is doing this in a configurable and scalable way. Right now we only have a single B2C tenant set up, and it is unclear whether we need one per company vs. managing it all together.
Finally, is this even the right product for these outcomes?

Azure AD B2C: Users that can be part of multiple organizations?

I currently have an application that is used by multiple organisations (my customers), whose employees can log in to the application.
These organisations can have their own customers. Currently these customers cannot log in or do anything. I want to make it possible for these customers to log in and view specific data about themselves. I thought Azure AD B2C would be a good solution for this, but I'm starting to have some doubts about that.
Because these organisations (my customers) all operate in the same field, it is possible for their customers to also be a customer of another organisation. Users can only exist once in the B2C directory, so how do I differentiate between these organisations? Is it possible to use Azure AD B2C for this situation (and would it be a good solution), and if so, how can I implement this?
It would not be very difficult to search the other directories and check if the user exists but what would it really achieve?
The user could just sign up with a different email address in the second B2C environment unless you restrict the email addresses that can be used to self signup.
As for how to implement this there is plenty of documentation how to do this or if you have specific problems with your implementation code please feel free to ask new questions for them.
Is it possible to federate B2C with these organisations?
If so, each federation will be different since the login address will be different, e.g. joe@company1.com vs joe@company2.com.
These users won't be local; they effectively use shadow accounts and so a user can be in B2C multiple times.

Is there any way to limit count of Sign In user flow in AD B2C?

Edit
It is not a duplicate: The other question is about Sign Up, this is about Sign In. What's more: That question is about email verification, this question about quotas/throttling. Those are different elements of a middleware policy. Although the consequences could be similar, the issue itself and also the solution is different. Please remove the duplicate flag
If a malicious user scripts her/his Sign In/Sign Out against your application/web site, which uses AD B2C, it can cause millions of Sign Ins within a reasonably short time.
Because you will be billed based on the count of Sign Ins (free for < 50 000, then pay), this will not be a happy hour.
Question
Is there any way to prevent the scenario above? (limiting payment is not an option, this case after the attack your site will be unable to serve Sign In user flow)
Azure AD B2C has mitigation techniques against malicious attacks like the ones you described, and B2C will automatically lock out the user for a certain period of time.
More info: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-threat-management#password-attacks
At the moment, with smart lockouts (as mentioned in the link above), admins cannot control the number of attempts. But if you want to be able to configure that and maybe even take an action (like MFA), you can do that with custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
Azure AD B2C community on GitHub has a sample to lock out the user after 6 unsuccessful sign-ins.
https://github.com/azure-ad-b2c/samples/tree/master/policies/lockout
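The two security points raised on this page, a configurable failed-attempt threshold (this question and the lockout sample) and error messages that do not reveal whether a username exists (the first question above), can be modelled in a few dozen lines. The following is an added example written for this page; it is not Azure AD B2C's implementation nor the GitHub sample, and the user directory, threshold, lockout window and message text are constructed values. It returns the same generic message for an unknown user, a wrong password and a locked account, while recording the real reason in a server-side audit list for detection.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hmac import compare_digest
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: username -> password. Plain text only so the
# example is self-contained; a real directory stores salted password hashes.
USERS = {"alice@example.com": "correct horse battery staple"}

# Dummy secret compared against when the username is unknown, so the unknown-user
# path does roughly the same work as the wrong-password path.
DUMMY_SECRET = "0" * 32

# One message for every failure path: the caller cannot tell an unknown
# account from a wrong password or a locked account.
GENERIC_FAILURE = "Your username or password is incorrect."


@dataclass
class LockoutPolicy:
    max_attempts: int = 10                       # the knob the question asks to configure
    lockout_window: timedelta = timedelta(minutes=15)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class SignInService:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    state: Dict[str, AccountState] = field(default_factory=dict)
    # Server-side audit trail: (time, username, reason). This is where the
    # detailed reason lives; it never reaches the end user.
    audit: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def is_locked(self, username: str, now: datetime) -> bool:
        acct = self.state.get(username)
        return bool(acct and acct.locked_until and now < acct.locked_until)

    def sign_in(self, username: str, password: str, now: datetime) -> Tuple[bool, str]:
        acct = self.state.setdefault(username, AccountState())

        # Locked accounts are refused with the generic message, not a "locked" hint.
        if acct.locked_until is not None:
            if now < acct.locked_until:
                self.audit.append((now, username, "locked"))
                return False, GENERIC_FAILURE
            acct.failures = 0                    # window expired: start counting again
            acct.locked_until = None

        stored = USERS.get(username)
        secret = stored if stored is not None else DUMMY_SECRET
        matches = compare_digest(secret.encode(), password.encode())
        if stored is not None and matches:
            acct.failures = 0
            self.audit.append((now, username, "success"))
            return True, "Signed in."

        reason = "unknown_user" if stored is None else "bad_password"
        acct.failures += 1
        if acct.failures >= self.policy.max_attempts:
            acct.locked_until = now + self.policy.lockout_window
            reason += "+lockout"
        self.audit.append((now, username, reason))
        return False, GENERIC_FAILURE


def lockout_events(service: SignInService) -> List[Tuple[datetime, str, str]]:
    """Audit entries a detection rule would alert on: lockouts and refused attempts."""
    return [e for e in service.audit if "lockout" in e[2] or e[2] == "locked"]


if __name__ == "__main__":
    svc = SignInService(policy=LockoutPolicy(max_attempts=6))
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    for i in range(7):
        print(svc.sign_in("alice@example.com", "wrong", t0 + timedelta(seconds=i)))
    print(lockout_events(svc))
```

The six-attempt threshold in the usage call mirrors the GitHub sample mentioned above; the point of the generic message is that the outward response stays identical across all three failure paths, while the audit list still gives an operator enough to count failures per account and spot a scripted sign-in flood.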

Instagram API - inconsistent use cases and associated scopes? [closed]

I recently entertained the idea of developing an app that aggregates Instagram data of a small community and displays it in different UI clusters, derived by certain analytics. While the API provides all the required endpoints for my requirements, I started re-inventing the app over and over again, to satisfy the Instagram platform policy, terms and conditions as well as the login permissions for the different scopes.
According to Instagram API documentation there are 3 categories for the scopes of all apps:
To help individuals share their own content with 3rd party apps: basic
This use case is meant for apps that allow the general public to login with Instagram to get their own content; for example, an app that allows people to print their own pictures. Apps that fall into this use case will only have access to the basic permission.
To help brands and advertisers understand and manage their audience and digital media rights: basic, public_content, comments, relationships, likes, follower_list
This use case is meant for products that don't have a public facing login integration, but are gated to brands and advertisers. The product must support either multiple brands and advertisers (e.g. a social media management platform) or multiple users within a single brand or advertiser organisation.
To help broadcasters and publishers discover content, get digital rights to media, and share media with proper attribution: basic, public_content, comments
This use case is meant for products that don't have a public facing login integration, but are gated to broadcasters and publishers. The product must support either multiple broadcasters and publishers, or multiple users within a single broadcasters or publisher organization.
Ideally, my app would benefit from as many analytical endpoints as possible, particularly if I can process the list of followers and public content. This means my app should fall under group (2). However, the target community of this app does not consist of brands and advertisers. Group (3) is also not an option, since my community consists of individuals. Then I was thinking that group (1) would fit my needs. But that was also not the case, since according to platform policy, I won't be allowed to put the media in different UI clusters:
You cannot replicate the core user experience of the Instagram apps or web site. For example, do not build a media viewer.
Then I started comparing the use cases with existing live apps. I noticed that if they would carefully follow the terms and conditions, as well as platform policies, they would also be unfit for all rules imposed by Instagram. Let me provide examples:
minter.io (broadcasters == individuals?)
minter.io focuses on Instagram analytics. Thus, it falls in group (2). However, anyone can register on this system, meaning any individual that owns an Instagram account. How is this a valid case when brands and advertisers are not gated? Furthermore, even if those are somehow filtered in some future phase (which they claim they do manually), why is it allowed to generate a report of a "competitor" account, when the ID of that account could be any individual, and not an advertiser?
pikore.com (discover / search function?)
Apart from having similar issues to minter.io, where everyone can log in, I fail to understand how it is possible for pikore.com to provide a "discover" functionality, which is exactly what Instagram offers on its mobile apps. Is that not a breach of platform policy? Or the fact that it is also able to display all media items of a given account mixed with advertisements? For example: pikore.com/arianagrande. This also breaches other terms stated in the General Terms of the Platform Policy:
24. Add something unique to the community. Don't use the Instagram APIs to replicate or attempt to replace the functionality or essential user experiences of Instagram.com or any of Instagram's apps.
25. Respect the way Instagram looks and functions. Don't offer experiences that change it.
26. Don't attempt to build an ad network on Instagram.
ElseWatcher (another media viewer?)
I absolutely adore this app. But given that the Instagram data is organized by location and date, it seems to me that it's another media viewer with extra functionalities.
socialbakers.com (free social tracker?)
socialbakers.com, while providing an amazing interface, requests the public_content scope for any individual user of instagram.com. On top of that, without providing any mechanism to gate the broadcasters, it offers its services as a "Free Instagram Analytics Tool".
Maybe I am wrong, but the way I see it, the Instagram API rules are not applied consistently to all 3rd party apps. Can anyone explain whether those are indeed inconsistencies, or whether I have got things the wrong way?
While at it, I would also like to know how it is possible to have the term clause "1. Instagram users own their media" (stated here) in conjunction with "17. Don't apply computer vision technology to User Content, without our prior permission" (stated here). Does that mean that if I am an Instagram API user who agrees to these terms, and I perform computer vision on any image that also happens to be on Instagram, I am breaching the terms?
Have you seen these cases?
simplymeasured.com/freebies/instagram-analytics
pro.iconosquare.com/pricing
websta.me
unionmetrics.com/free-tools/instagram-account-checkup/
After June 1st, all Instagram 3rd party apps should pass a review. The review should contain a video screencast:
Provide a link to a video screencast showing the experience in your app. Please show how your integration uses all permissions you are requesting, any interface to moderate content or getting rights to media, and any Instagram login experience. Since your app may be in sandbox mode, you can use data from sandbox users to showcase the integration.
I think Instagram wouldn't have approved any app which violates their rules.

Multiple Authentication

I am creating a web-page/website that integrates all my accounts into one spectrum, as in, from this page I want to log into my mail box online or any other site that requires authentication. All I want is a central login panel: enter my username & password and get redirected to my mail. Is that an impossible question to ask?
It sounds to me like you want to consider using OpenId, which is a standard, fairly widely adopted form of single sign-on. Used by this very site, in fact, and supported by at least two of the three companies you mentioned: yahoo and google. Hotmail does not currently support it.
It completely depends on the individual service. You'll have to investigate each service to see if they even allow you to authenticate against their servers remotely. In the event that they do allow it, it's still up to the service whether or not you'll be able to retrieve any kind of information from them after logging in.
Banks in particular are very unlikely to give you any way to interface with them and the ones that do will likely require a monthly access fee.
You want to look into SAML, an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee.
With SAML, you can communicate between the major single sign-on (SSO) technologies like CAS, OpenID, Shibboleth, AD/LDAP...
