I looked at the below regarding how Azure AD B2C is charged, based on:
Number of stored users
Number of authentications
Number of multifactor authentications
Is there any specific charge for using the Graph API?
Is there any limit on the concurrent Graph API calls made?
You aren't charged for use of the Azure AD Graph API.
Azure AD Graph is designed to handle a high number of requests. However, in the event of an overwhelming number of requests, a throttling threshold might be exceeded. Azure AD Graph limits any further requests from the same client while the server throttle is in effect.
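A throttling-aware client for the situation the answer describes, added here as an illustration (it is not code from the answer or from Microsoft): when the service answers HTTP 429 it honours the Retry-After header, otherwise it backs off exponentially with jitter, and it gives up after a bounded number of retries. The transport, token and user payload are constructed placeholders so the block runs offline.

```javascript
// Retry policy for Azure AD Graph / Microsoft Graph calls that hit the throttle.
// `send` is an injected fetch-like function: (url, init) -> Promise<{ status, ok, headers, json() }>.
const MAX_RETRIES = 5;
const BASE_DELAY_MS = 1000;
const MAX_DELAY_MS = 60000;

// Delay before the next attempt. Honour the server's Retry-After (seconds) when present;
// otherwise use exponential backoff with full jitter so many clients do not retry in lockstep.
function retryDelayMs(retryAfter, attempt, random = Math.random) {
  const secs = Number(retryAfter);
  if (retryAfter != null && Number.isFinite(secs) && secs >= 0) return Math.min(secs * 1000, MAX_DELAY_MS);
  const cap = Math.min(BASE_DELAY_MS * 2 ** attempt, MAX_DELAY_MS);
  return Math.floor(random() * cap);
}

// 429 is the throttling response; 503/504 are treated as transient and retried the same way.
function isThrottled(status) { return status === 429 || status === 503 || status === 504; }

async function graphGet(url, accessToken, send, sleep = (ms) => new Promise((r) => setTimeout(r, ms))) {
  for (let attempt = 0; ; attempt++) {
    const res = await send(url, { headers: { Authorization: `Bearer ${accessToken}` } });
    if (!isThrottled(res.status)) {
      if (!res.ok) throw new Error(`Graph request failed with HTTP ${res.status}`);
      return res.json();
    }
    if (attempt >= MAX_RETRIES) throw new Error(`Graph still throttling after ${MAX_RETRIES} retries`);
    await sleep(retryDelayMs(res.headers.get('Retry-After'), attempt));
  }
}

// Constructed offline transport: throttles the first `throttleCount` calls with
// "Retry-After: 2", then returns one page of (made-up) users.
function fakeTransport(throttleCount) {
  let calls = 0;
  return async () => {
    calls++;
    if (calls <= throttleCount) {
      return { status: 429, ok: false, headers: new Map([['Retry-After', '2']]), json: async () => ({}) };
    }
    return { status: 200, ok: true, headers: new Map(), json: async () => ({ value: [{ id: 'constructed-user-1' }] }) };
  };
}
```

With a real transport, pass `fetch` as `send`; the fake one exists only so the retry path can be exercised without a tenant.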
Related
I was wondering if anyone has some real-life information on Azure B2C performance in production with thousands of customers registered. We got a task to create a new system based on an old one which contains 100 000+ customer profiles. As such we would like to use B2C to store and query profile data.
How is the B2C performance for up to 100 000 profiles when it comes to:
JWT-token generation and validation
Using the Graph API to filter on built-in and extended fields (especially string filtering like startsWith)
If the filtering performance is poor for so many profiles, is there a way to increase it? Like a way to group profiles via some tag info or similar?
Have a look at Azure Active Directory B2C service limits and restrictions.
The following end-user related service limits apply to all authentication and authorization protocols supported by Azure AD B2C, including SAML, Open ID Connect, OAuth2, and ROPC.
Category | Limit
Number of requests per IP address per Azure AD B2C tenant | 6,000/5min
Total number of requests per Azure AD B2C tenant | 12,000/min
The number of requests can vary depending on the number of directory reads and writes that occur during the Azure AD B2C user journey. For example, a simple sign-in journey that reads from the directory consists of 1 request. If the sign-in journey must also update the directory, this operation is counted as an additional request.
EDIT:
Also, see this:
Azure AD B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks.
This quote, taken from What is Azure Active Directory B2C?, shows us two things:
Performance shouldn't be an issue
AAD B2C is an identity solution, not a user profile solution
I don't have a benchmark, but for sure you should check the service limits here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/service-limits.
Those for sure would impact the "JWT Generation" since this happens inside a user journey and every interaction with the underlying tenant counts as a request. The "JWT Generation" performance could also vary depending on your user journey complexity: if you are using the Identity Experience Framework to create a custom User Journey, every Orchestration Step will take time to execute, so your users will wait for the journey to complete prior to getting a token. So more Orchestration Steps equals more waiting time, especially if you use RESTful Technical Profiles which involve third-party services.
I don't get the "JWT Validation" part: AAD B2C doesn't validate your JWTs, it just issues them. Your application or API should validate them.
About the Graph API queries, the performance is usually good. You're using the underlying AAD tenant, which is an enterprise-grade service, so such queries are pretty common. Double-check if the fields you want to filter on support the function you want to use, since not all fields support all the functions. Also keep in mind that even the Microsoft Graph API has limits: https://learn.microsoft.com/en-us/graph/throttling.
If you plan to use your AAD B2C tenant as a database and continuously query it for extracting info, probably you're using it wrong.
Regards, F.
Consider an Azure B2C - Business API integration, where a custom policy triggers an HTTP request (Req A) to business APIs (REST API on AWS) for provisioning access to external systems.
Req A response time is currently limited by AWS/API Gateway to 30s but this is changing with requirements and might increase.
Considering Req A is so expensive, what options do we have in the custom policy for handling this type of scenario?
There is nothing in B2C Custom Policies specifically to handle this case. So your options are probably limited to whatever else you'd usually do for any API.
A few examples:
Caching: Instead of calling AWS API Gateway for the inquiry, you'd call another service which caches these results (like Azure API Management). This may or may not be a good idea depending on what type of claim you're grabbing.
Delayed Retrieval: Instead of populating the claim in the user token via B2C custom policy, have your application grab that value independently of Azure AD B2C.
Currently, a user has to add my application within the Azure portal. I will then get a ClientID etc. and use that to get access to the user's Consumption data. I wondered if I could streamline this process by asking for consent using the Azure authentication.
Pre-thanks!
Let me elaborate a bit more. I'm creating an application that will help the user by giving insights on their cloud spend. I get the data using the Consumption API. At the moment I get access to that API by them giving my app credentials via the Azure portal. But I want to get the access via Azure authentication.
In Azure AD, there are several auth flows, not sure which one you want to use. Generally, these flows can be divided into two types, user-interactive or non-interactive.
Per my understanding, you want to call the Azure Consumption REST API via Azure AD auth. If you want the user-interactive way, you could use the auth code flow. If you want a non-interactive way, you could use the client credentials flow.
For more details, see https://learn.microsoft.com/en-us/rest/api/azure/
I have created an Azure application which I use to sync user data using the Graph API. I am able to sync the data. However, I have a security concern. I am using certificate-based authentication for the Graph API to access data. However, if anyone has access to the certificate, he can access the Graph API to sync the data.
Is there any way we can limit the application access using the Graph API?
Can we limit the access to certain IP ranges?
No
You can use Conditional Access to block access to users using IP address ranges, but not to service principals in case you're authenticating as an application.
Is there a way to configure account lockout in Azure AD B2C?
As of my research, I was able to find out that Azure locks the account after 10 unsuccessful login attempts and locks it for 60 seconds. But I want to configure the number of attempts to 5, the account to be locked forever and won't display a message to the user to call our customer care or follow certain steps to get the account unlocked. I want a Graph API call to unlock the locked account.
Any pointers in this regard will be helpful.
Thanks in advance
I don't believe you can configure this lockout information using either the Azure Portal or the Azure AD Graph API.
(I wish, in future, Azure AD B2C allows customization of the smart lockout values that are supported by Azure AD.)