Configuring AAD B2C in Dynamics 365 Commerce
Brian Shook, Senior Program Manager, Dynamics 365 Commerce
Agenda
• AAD B2C & Commerce Overview
• AAD B2C Set Up & Commerce Configuration
• Additional Information
AAD B2C & COMMERCE OVERVIEW
Azure Active Directory (AAD) B2C
• Azure Active Directory B2C is an Identity Provider that provides end-user authentication as a service
• It is an Azure service used to provide identity and access management
• AAD B2C is a scalable, global, and secure enterprise-ready business-to-customer Identity Provider
Azure Active Directory (AAD) B2C with Commerce
AAD B2C is supported as an out-of-box Identity Provider in Commerce
• AAD B2C is used for end-user (C2) authentication when signing in to a site
• A Customer Record in HQ is linked to the B2C record for authentication purposes
• The main customer information is tracked in Dynamics HQ
AAD B2C Auth Flows in Commerce
Social Identity Providers in AAD B2C
Commerce customers and Identity records
• The AAD B2C record is used for authentication
• The customer record is created in B2C first, then in Commerce during the sign-up flow
• A new customer record is created for the initial sign-up flow
• In the default behavior, email is used as the Username and remains unique within the B2C tenant for local accounts
• The Profile Edit flow allows First (Given Name) and Last (Surname) names to be edited across both systems
Custom AAD Pages in Commerce
Custom Pages in E-Commerce Site Builder:
• Pages can be authored in the E-Commerce Site Builder and served from AAD B2C
• Note that relative links will not be maintained from the Site Builder pages (use the AAD Header and AAD Footer fragments)
Choice of approaches
• General AAD Module: AAD Generic (the ‘div’ insert approach) {Available 10.0.15 and up}
• Specific AAD Modules: Sign in, Sign up, Password reset, Password reset verification, Account profile edit
• Separate HTML pages: AAD B2C supports HTML files hosted in Azure Blob Storage (this is an external solution from Commerce)
Custom Pages in Commerce: AAD Generic
AAD Generic module:
• A single page can be used for all User Policy page layout flows
• Content is rendered within the DIV provided by the module
• Stricter design options (CSS can be used on elements), more versatile usage
Custom Pages in Commerce: AAD Specific modules
• Use specific Commerce page layouts per User Policy page
• More design functionality, less versatile to AAD-specific changes/loadouts
• Each element in the module must be accounted for:
  • Customization of the modules is needed to handle Social Identity Provider buttons, changes in arrangement and specific wording, or additional attributes to collect
AAD B2C SET UP & COMMERCE CONFIGURATION
Setting Up AAD B2C in Commerce
Three items to connect across:
• Azure Portal: AAD B2C Tenant in the Azure AD Portal (role: Global Admin or Contributor)
• Dynamics Headquarters (role: System Admin)
• E-Commerce Site Builder (member of the System Admin SG)
Setting Up AAD B2C in Commerce
Resource List:
• Reply URL
• AAD B2C Tenant Name
• AAD B2C Application ID (Client ID)
• Issuer reference
• Sign Up and Sign In Policy ID
• Password Reset Policy ID
• Profile Edit Policy ID
Reply URL
• Reply URL (Site endpoint)
• Referenced in Lifecycle Services (LCS)
• Example: https://fabrikam.dynamics.commerce.com
• Include the “/_msdyn365/authresp” suffix during application setup, so the redirect URI registered on the B2C application is the site endpoint followed by that suffix (e.g. https://fabrikam.dynamics.commerce.com/_msdyn365/authresp)
To collect the site endpoint, go to your environment, select the Commerce tab, and find it in the list of referenced links in the e-Commerce section.
Setting Up AAD B2C in Commerce
Create an AAD B2C Resource in Azure Portal
Create an AAD B2C Resource:
• Start from the directory containing your subscription (use the Directory + Subscription icon)
• Create a resource
• Search for AAD B2C and select “Create a new Azure AD B2C Tenant”
• Fill in your:
  • Organization Name – the name for your B2C Tenant
  • Initial domain name – the domain your B2C Tenant will use (e.g. fabrikam.onmicrosoft.com)
  • Country or region – select country/region
  • Subscription
  • Resource group (or create new)
Create an AAD B2C Resource in Azure Portal
Link your Azure AD B2C Tenant to a Subscription:
• You must be a Tenant Admin in the B2C Tenant you created
• Switch to the directory in which you own the Subscription
• Select ‘Create a resource’, enter AAD B2C in the search bar, and select Azure Active Directory B2C
• Choose the option ‘Link an existing Azure AD B2C Tenant to my Azure subscription’
• Select the new AAD B2C Tenant created in the previous step
Setting Up the AAD B2C Application in Commerce
• In the Azure Portal, switch the Directory to your newly created AAD B2C Directory
• Select, or search for and select, the Azure AD B2C page
• In ‘App registrations’, click “New registration”
• Fill in the form to complete the Application set up
• Name: choose a name for the application
• Supported account types: any identity provider or organizational directory (for authenticating users with flows)
• Redirect URI: use the Reply URL with the Commerce suffix*
*include the ‘/_msdyn365/authresp’ suffix
*Copy the Application’s “Application (Client) ID” for your Resource List (GUID format; masked in the slide image)
User Attributes
User Flows
User flows in AAD B2C control the functionality of specific end-user actions:
Sign up and Sign In
• Combined user flow that allows an end user to sign up for the first time
• Based on a sign-in page for users; includes a link to the sign-up page
Profile Edit
• Used to update ‘Given Name’ and ‘Surname’ between
Password Reset
• Self-service password reset with an email verification flow
Sign up and sign in
Password Reset
Profile Edit
Retrieving the Issuer Reference
Perform the following to document your B2C Tenant’s Issuer reference for your Resource List:
• Navigate to your Sign Up and Sign In policy in your AAD B2C Tenant
• With it selected, click Run User Flow in the top menu
• In the right-hand action menu, select the link shown under the “Run user flow” label (ending in …/openid-configuration?p=<Sign up policy id>)
• In the new window opened by the link, copy the issuer value shown within the quotes (ex: https://<tenantname>.b2clogin.com/11111-111-11-13333-333-3333344444/v2.0/)
*Sample data above is for illustration; do not use as actual values
Configuring in Commerce
Checking in on our Resource List, we should have all the following details:
Resource List:
• Reply URL: https://fabrikam.dynamics.commerce.com
• AAD B2C Tenant Name: b2cSampleTenantName
• AAD B2C Application ID (Client ID): 111111-111-1111-111-11111
• Issuer reference: https://b2csampletenantname.b2clogin.com/12312312-1111-1111-1111-1111111111/v2.0/
• Sign Up and Sign In Policy ID: B2C_1_SignUpAndSignIn
• Password Reset Policy ID: B2C_1_PasswordReset
• Profile Edit Policy ID: B2C_1_ProfileEdit
*Sample data above is for illustration; do not use as actual values
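Most failed redirects trace back to one of these Resource List items being slightly off: a Reply URL missing the Commerce suffix, an issuer copied without its trailing slash, or a masked sample GUID pasted where a real one belongs. The following Python script is an added example (it is not part of the deck and not Microsoft code) that pulls the issuer out of a policy's openid-configuration document and sanity-checks each Resource List item before it is entered in HQ and Site Builder. The discovery document and the Resource List values are constructed samples; openid_config_url, commerce_redirect_uri and validate_resource_list are hypothetical helper names, and the check that policy IDs start with B2C_1 (B2C_1_ for user flows, B2C_1A_ for custom policies) is an assumption about the naming B2C applies.

```python
import json
import re
from urllib.parse import urlparse

# Suffix Commerce expects on the redirect URI registered for the B2C application.
COMMERCE_AUTH_SUFFIX = "/_msdyn365/authresp"
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample of the discovery document a B2C policy serves at
# .../v2.0/.well-known/openid-configuration (only the fields used here; values are illustrative).
SAMPLE_OPENID_CONFIG = json.dumps({
    "issuer": "https://b2csampletenantname.b2clogin.com/12312312-1111-1111-1111-111111111111/v2.0/",
    "authorization_endpoint": "https://b2csampletenantname.b2clogin.com/"
                              "b2csampletenantname.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/authorize",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def openid_config_url(tenant_name, policy_id):
    """Discovery URL for a policy (the link shown under 'Run user flow'); hypothetical helper."""
    return (f"https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/"
            f"{policy_id}/v2.0/.well-known/openid-configuration")


def issuer_from_openid_config(document_json):
    """Return the 'issuer' value verbatim, trailing slash included; HQ compares it as a string."""
    return json.loads(document_json)["issuer"]


def commerce_redirect_uri(reply_url):
    """Redirect URI to register on the B2C application for a given site endpoint."""
    return reply_url.rstrip("/") + COMMERCE_AUTH_SUFFIX


def validate_resource_list(res):
    """Check a Resource List (dict) for the shape errors behind most failed redirects.

    Returns a list of problem strings; an empty list means every item looks consistent.
    """
    problems = []
    reply = urlparse(res["reply_url"])
    if reply.scheme != "https" or not reply.netloc:
        problems.append("reply_url must be an https site endpoint")
    if reply.path.rstrip("/").endswith(COMMERCE_AUTH_SUFFIX):
        problems.append("reply_url already carries the Commerce suffix; store the bare site endpoint")

    if not GUID.match(res["client_id"]):
        problems.append("client_id is not a GUID (copy 'Application (client) ID' from the app registration)")

    iss = urlparse(res["issuer"])
    expected_host = f"{res['tenant_name'].lower()}.b2clogin.com"
    if iss.scheme != "https" or iss.netloc != expected_host:
        problems.append(f"issuer host should be {expected_host}")
    segments = iss.path.strip("/").split("/")
    if len(segments) != 2 or not GUID.match(segments[0]) or segments[1] != "v2.0":
        problems.append("issuer path should be /<tenant id GUID>/v2.0/")
    if not res["issuer"].endswith("/"):
        problems.append("issuer must keep its trailing slash; HQ matches the string exactly")

    # Assumption: user flows are named B2C_1_..., custom policies B2C_1A_...
    for key in ("signup_signin_policy", "password_reset_policy", "profile_edit_policy"):
        if not res[key].startswith("B2C_1"):
            problems.append(f"{key} should be a policy ID (B2C_1_... or B2C_1A_...)")
    return problems


# Constructed Resource List mirroring the slide's sample, with GUID-shaped IDs instead of masked ones.
SAMPLE_RESOURCE_LIST = {
    "reply_url": "https://fabrikam.dynamics.commerce.com",
    "tenant_name": "b2cSampleTenantName",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "issuer": issuer_from_openid_config(SAMPLE_OPENID_CONFIG),
    "signup_signin_policy": "B2C_1_SignUpAndSignIn",
    "password_reset_policy": "B2C_1_PasswordReset",
    "profile_edit_policy": "B2C_1_ProfileEdit",
}

if __name__ == "__main__":
    print(openid_config_url("b2cSampleTenantName", "B2C_1_SignUpAndSignIn"))
    print(commerce_redirect_uri(SAMPLE_RESOURCE_LIST["reply_url"]))
    print(validate_resource_list(SAMPLE_RESOURCE_LIST) or "resource list OK")
```

Against a real tenant, fetch the URL that openid_config_url builds over HTTPS and pass the response body to issuer_from_openid_config; the trailing-slash check matters because the HQ Identity Providers screen matches the Issuer String exactly against the iss claim of the id_token.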
Configuring B2C in Commerce HQ
• Go to the Commerce shared parameters > Identity Providers screen
• Select +Add under Identity Providers to add a new line
• Fill out the ‘Issuer String’, provide a name reference for this entry, and select ‘Azure AD B2C (id_token)’
• With the Issuer still selected, under ‘Relying Parties’ add the Client ID, select ‘Type’ as “Public”, and ‘UserType’ as “Customer”
• Save changes and run the 1110 Global configuration distribution schedule
*Sample data above is for illustration; do not use as actual values
Configuring B2C in E-Commerce Site Builder
• Navigate to the Home screen in Site Builder (the upper-left grid button, then select “Home”)
• Expand Tenant settings and select B2C settings
• Select the Manage button to show the right-hand action menu, and click the Add B2C Applications button
• Fill out the appropriate fields (using your Resource List, if you kept one)
• Most set ups will only need the required fields
• The Application Name provided is how the entry is displayed in the Tenant Settings and when choosing it in your Channel Setup
• Once filled out, click OK
• Close the right-hand action menu and select the page Save button before moving to other screens
*Sample data above is for illustration; do not use as actual values
• Navigate to your Site in E-Commerce Site Builder and go to Site settings > Channels
• Select the name of your Channel
• In the Channel Action menu on the right-hand side, open the Select B2C application picker and choose the B2C set up named in the previous step
• When completed, close the action menu and click the Save and publish button to commit the changes
Test Sign in with your Site
• After set up is complete, go to your site endpoint and test the functionality
• The sign-in link from the site should redirect to the B2C endpoint, and the custom pages should render (if using custom pages)
• Upon sign up or subsequent sign in, authenticated users should be redirected back to the web site with the logged-in name showing in the upper right-hand menu
• Test the ‘Forgot password’ flow
• Test the ‘Edit profile’ flow
*Showing sample header menu from the Fabrikam demo site
Troubleshooting
Some common troubleshooting items:
• Clicking “Sign-in” does not redirect to the B2C domain
  • Check that the reply URL in the B2C Application is set up correctly
  • Confirm the E-Commerce Site Builder Tenant Settings are not showing any error
• The redirect after logging in comes back to the site but retries (and the name is not showing)
  • Check the Dynamics HQ set up in Commerce Shared Parameters > Identity Providers (Issuer String and Relying Party Client ID)
• The custom page in B2C is not filling in details properly
  • Check that the policy’s Properties > ‘Enable JavaScript’ setting is “Yes”
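The second symptom above (B2C returns the user to the site, but the site loops and never shows the name) is usually the id_token being rejected because its iss or aud claim does not equal what was typed into the HQ Identity Providers screen. The Python below is an added diagnostic example, not part of the deck and not Microsoft code: it decodes the id_token payload captured from the browser's redirect and compares the iss, aud and policy claims with the HQ Issuer String, the Relying Party Client ID and the Sign Up and Sign In policy. It deliberately skips signature verification, so it is for troubleshooting only and must never be used for an authorization decision. The token and its claims are constructed; decode_jwt_payload, diagnose_id_token and make_sample_id_token are hypothetical helper names, and reading the policy name from the tfp (or acr) claim reflects how B2C labels tokens by default.

```python
import base64
import json


def _b64url_encode(data):
    """base64url without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _b64url_decode(segment):
    """Decode a JWT segment, restoring the padding the encoding omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Return the claims of a JWT WITHOUT checking its signature.

    Diagnostic use only: the signature is deliberately ignored here, so never
    use this function to decide whether a user is authenticated.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def diagnose_id_token(token, hq_issuer_string, relying_party_client_id, signup_policy_id):
    """Compare id_token claims with what was entered in HQ (Identity Providers screen).

    Returns a list of mismatches; an empty list means the token's iss, aud and
    policy claims line up with the HQ Issuer String and Relying Party Client ID.
    """
    claims = decode_jwt_payload(token)
    findings = []
    # HQ matches the issuer as a plain string, so a missing trailing slash is a mismatch.
    if claims.get("iss") != hq_issuer_string:
        findings.append(f"iss {claims.get('iss')!r} does not equal HQ Issuer String {hq_issuer_string!r}")
    if claims.get("aud") != relying_party_client_id:
        findings.append(f"aud {claims.get('aud')!r} does not equal Relying Party Client ID {relying_party_client_id!r}")
    # B2C names the policy that issued the token in 'tfp' (or 'acr', depending on the tenant setting).
    policy = claims.get("tfp") or claims.get("acr")
    if policy is None or policy.lower() != signup_policy_id.lower():
        findings.append(f"policy claim {policy!r} does not match Sign Up and Sign In policy {signup_policy_id!r}")
    return findings


def make_sample_id_token(claims):
    """Build a constructed token with a dummy signature, for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"not-a-real-signature")
    return f"{header}.{payload}.{signature}"


# Constructed claims in the shape B2C puts in an id_token; values are illustrative.
SAMPLE_CLAIMS = {
    "iss": "https://b2csampletenantname.b2clogin.com/12312312-1111-1111-1111-111111111111/v2.0/",
    "aud": "11111111-1111-1111-1111-111111111111",
    "tfp": "B2C_1_SignUpAndSignIn",
    "sub": "22222222-2222-2222-2222-222222222222",
    "given_name": "Sample",
    "family_name": "Customer",
    "emails": ["sample.customer@fabrikam.example"],
}

if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS)
    print(diagnose_id_token(token, SAMPLE_CLAIMS["iss"], SAMPLE_CLAIMS["aud"], "B2C_1_SignUpAndSignIn")
          or "claims match HQ configuration")
    # The same token checked against an Issuer String entered without its trailing slash:
    print(diagnose_id_token(token, SAMPLE_CLAIMS["iss"].rstrip("/"), SAMPLE_CLAIMS["aud"], "B2C_1_SignUpAndSignIn"))
```

To use it on a real environment, copy the id_token from the POST to /_msdyn365/authresp in the browser's network tab and pass it in place of the constructed token; if diagnose_id_token reports an iss mismatch, fix the Issuer String in HQ and re-run the 1110 Global configuration distribution schedule.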
ADDITIONAL INFORMATION
Post-launch updates
After a site launch with DNS switchover to the production URL, consider the following:
• Prior to launch, ensure the production URL is configured in the B2C Application as an additional Reply URL (including the ‘/_msdyn365/authresp’ suffix)
• Just after the launch, you may want to update the Page Layout URLs to reflect the production domain for your custom pages (keeping the ‘?preload=true’ argument)
• Test all flows to ensure both the B2C policies and the redirects are working as expected
Company Branding for the AAD B2C Tenant
Company branding can be set up in the AAD B2C Tenant to provide a logo, sign-in page picture, and color defined for the tenant.
• These items are used in the default pages B2C presents, and are reflected in the Security Pin email sent for the Sign Up verification and Forgot Password flows
• In the Azure Portal, switch to your AAD B2C directory
• Search for the ‘Azure Active Directory’ page (not the normal AAD B2C page)
• In the Azure Active Directory page, navigate to Company Branding in the menu
• Set up a default branding per the form instructions (following the specifications provided per item in the form)
Custom Policies
Custom policies allow more specific and complex user flows to be built for your B2C Tenant
• In your AAD B2C Tenant, on the Azure AD B2C page, select the Identity Experience Framework menu to download samples and learn more
User Migration
The AAD B2C documentation suggests a few different methods of user migration, which vary in complexity depending on the desired results
• Plan early in terms of architecture and migration execution
• Review any open questions you may have with the AAD B2C or Dynamics Commerce teams ahead of time
• Account for the highest security in your migration process for your execution environment
© Copyright Microsoft Corporation. All rights reserved.
Additional Resources
//aka.ms/WhatIsAADB2C
//aka.ms/CommerceAuthFlows
//aka.ms/SetUpB2CInCommerce
//aka.ms/SetUpCustomPagesForSignUps
//aka.ms/AADMFA
//aka.ms/B2CCustomPoliciesOverview
//aka.ms/B2CUserMigration
Contact Articles
//aka.ms/CommerceYammerGroup
//aka.ms/CommerceForums