Efi Profile Editor


Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in the PC firmware. When you add UEFI drivers, you'll also need to make sure these are signed and included in the Secure Boot database.

For information on how the secure boot process works, including Trusted Boot and Measured Boot, see Secure the Windows 10 boot process.

Secure boot requirements

In order to support Secure boot, you must provide the following.

Hardware requirements:

  • UEFI Version 2.3.1 Errata C variables: Variables must be set to SecureBoot=1 and SetupMode=0, with a signature database (EFI_IMAGE_SECURITY_DATABASE) necessary to boot the machine securely pre-provisioned, and including a PK that is set in a valid KEK database. For more information, search for the System.Fundamentals.Firmware.UEFISecureBoot system requirements in the PDF download of the Windows Hardware Compatibility Program Specifications and Policies.
  • UEFI v2.3.1 Section 27: The platform must expose an interface that adheres to the profile of UEFI v2.3.1 Section 27.
  • UEFI signature database: The platform must come provisioned with the correct keys in the UEFI Signature database (db) to allow Windows to boot. It must also support secure authenticated updates to the databases. Storage of secure variables must be isolated from the running operating system such that they cannot be modified without detection.
  • Firmware signing: All firmware components must be signed using at least RSA-2048 with SHA-256.
  • Boot manager: When power is turned on, the system must start executing code in the firmware and use public key cryptography as per algorithm policy to verify the signatures of all images in the boot sequence, up to and including the Windows Boot Manager.
  • Rollback protection: The system must protect against rollback of firmware to older versions.
  • EFI_HASH_PROTOCOL: The platform provides the EFI_HASH_PROTOCOL (per UEFI v2.3.1) for offloading cryptographic hash operations and the EFI_RNG_PROTOCOL (Microsoft defined) for accessing platform entropy.

Signature Databases and Keys

Before the PC is deployed, you as the OEM store the Secure Boot databases on the PC. This includes the signature database (db), revoked signatures database (dbx), and Key Enrollment Key database (KEK). These databases are stored on the firmware nonvolatile RAM (NV-RAM) at manufacturing time.

The signature database (db) and the revoked signatures database (dbx) list the signers or image hashes of UEFI applications, operating system loaders (such as the Microsoft Operating System Loader, or Boot Manager), and UEFI drivers that can be loaded on the device. The revoked list contains items that are no longer trusted and may not be loaded. If an image hash is in both databases, the revoked signatures database (dbx) takes precedence.

The Key Enrollment Key database (KEK) is a separate database of signing keys that can be used to update the signature database and revoked signatures database. Microsoft requires a specified key to be included in the KEK database so that in the future Microsoft can add new operating systems to the signature database or add known bad images to the revoked signatures database.

After these databases have been added, and after final firmware validation and testing, the OEM locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, and then generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.

You should contact your firmware manufacturer for tools and assistance in creating these databases.
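The db/dbx precedence rule above, worked through on the on-disk format of those variables. This is an added example, not code from the page or from Microsoft: it serializes constructed EFI_SIGNATURE_LIST blobs of EFI_CERT_SHA256 entries (the structure the UEFI specification defines for db and dbx), parses them back, and applies the rule that a hash present in dbx is revoked even if it is also in db. The owner GUID and the sample image bytes are constructed; a real firmware hashes the PE image's Authenticode digest, which the raw byte string stands in for here.

```python
# Added example (not from the page): parse UEFI EFI_SIGNATURE_LIST blobs as
# stored in the db/dbx variables and decide whether an image hash may load.
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: entries are raw SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed SignatureOwner GUID for the sample entries (stands in for a real owner).
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000feed")

HEADER_FMT = "<16sIII"          # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes


def build_sig_list(hashes, owner=SAMPLE_OWNER):
    """Serialize SHA-256 digests into one EFI_SIGNATURE_LIST (constructed test data)."""
    sig_size = 16 + 32                      # SignatureOwner GUID + SHA-256 digest
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = struct.pack(HEADER_FMT, EFI_CERT_SHA256_GUID.bytes_le,
                         HEADER_LEN + len(body), 0, sig_size)
    return header + body


def parse_sig_lists(blob):
    """Yield (signature type GUID, signature data) for every entry in a variable blob."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        sig_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off)
        # Reject lists that claim more bytes than exist or entries too small to hold an owner GUID.
        if list_size < HEADER_LEN or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=sig_type)
        pos = off + HEADER_LEN + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            yield sig_type, blob[pos + 16:pos + sig_size]   # skip the SignatureOwner GUID
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")


def hashes_in(blob):
    """All SHA-256 digests in a db or dbx blob (other signature types are ignored here)."""
    return {data for sig_type, data in parse_sig_lists(blob) if sig_type == EFI_CERT_SHA256_GUID}


def image_allowed(image_bytes, db_blob, dbx_blob):
    """Apply the page's rule: dbx takes precedence over db, and unknown hashes are not trusted."""
    digest = hashlib.sha256(image_bytes).digest()
    if digest in hashes_in(dbx_blob):
        return "revoked"
    if digest in hashes_in(db_blob):
        return "allowed"
    return "unknown"
```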

Boot sequence

  1. After the PC is turned on, the signature databases are each checked against the platform key.
  2. If the firmware is not trusted, the UEFI firmware must initiate OEM-specific recovery to restore trusted firmware.
  3. If there is a problem with Windows Boot Manager, the firmware will attempt to boot a backup copy of Windows Boot Manager. If this also fails, the firmware must initiate OEM-specific remediation.
  4. After Windows Boot Manager has started running, if there is a problem with the drivers or NTOS kernel, Windows Recovery Environment (Windows RE) is loaded so that these drivers or the kernel image can be recovered.
  5. Windows loads antimalware software.
  6. Windows loads other kernel drivers and initializes the user mode processes.

Related topics


A companion to About Azure Active Directory B2C, this article provides a more in-depth introduction to the service. It discusses the primary resources you work with in the service and its features, and explains how those features let you provide a fully custom identity experience for your customers in your applications.

Azure AD B2C tenant

In Azure Active Directory B2C (Azure AD B2C), a tenant represents your organization and is a directory of users. Each Azure AD B2C tenant is distinct and separate from other Azure AD B2C tenants. An Azure AD B2C tenant is different than an Azure Active Directory tenant, which you may already have.

The primary resources you work with in an Azure AD B2C tenant are:

  • Directory - The directory is where Azure AD B2C stores your users' credentials, profile data, and your application registrations.
  • Application registrations - Register your web, mobile, and native applications with Azure AD B2C to enable identity management. You can also register any APIs you want to protect with Azure AD B2C.
  • User flows and custom policies - Create identity experiences for your applications with built-in user flows and fully configurable custom policies:
    • User flows help you quickly enable common identity tasks like sign-up, sign-in, and profile editing.
    • Custom policies let you build complex identity workflows unique to your organization, customers, employees, partners, and citizens.
  • Sign-in options - Azure AD B2C offers various sign-up and sign-in options for users of your applications:
    • Username, email, and phone sign-in - Configure your Azure AD B2C local accounts to allow sign-up and sign-in with a username, email address, phone number, or a combination of methods.
    • Social identity providers - Federate with social providers like Facebook, LinkedIn, or Twitter.
    • External identity providers - Federate with standard identity protocols like OAuth 2.0, OpenID Connect, and more.
  • Keys - Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords.

An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how to:

  • Create an Azure Active Directory B2C tenant.

Accounts in Azure AD B2C

Azure AD B2C defines several types of user accounts. Azure Active Directory, Azure Active Directory B2B, and Azure Active Directory B2C share these account types.

  • Work account - Users with work accounts can manage resources in a tenant, and with an administrator role, can also manage tenants. Users with work accounts can create new consumer accounts, reset passwords, block/unblock accounts, and set permissions or assign an account to a security group.
  • Guest account - External users you invite to your tenant as guests. A typical scenario for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities.
  • Consumer account - Accounts that are managed by Azure AD B2C user flows and custom policies.


Figure: User directory within an Azure AD B2C tenant in the Azure portal

Consumer accounts

With a consumer account, users can sign in to the applications that you've secured with Azure AD B2C. Users with consumer accounts can't, however, access Azure resources, for example the Azure portal.

A consumer account can be associated with these identity types:

  • Local identity, with the username and password stored locally in the Azure AD B2C directory. We often refer to these identities as 'local accounts.'
  • Social or enterprise identities, where the identity of the user is managed by a federated identity provider. For example, Facebook, Microsoft, ADFS, or Salesforce.

A user with a consumer account can sign in with multiple identities. For example username, email, employee ID, government ID, and others. A single account can have multiple identities, both local and social.


Figure: A single consumer account with multiple identities in Azure AD B2C

For more information, see Overview of user accounts in Azure Active Directory B2C.

Local account sign-in options

Azure AD B2C provides various ways for users to authenticate. Users can sign in to a local account by using a username and password, or by phone verification (also known as passwordless authentication). Email sign-up is enabled by default in your local account identity provider settings.

Learn more about sign-in options or how to set up the local account identity provider.

User profile attributes

Azure AD B2C lets you manage common attributes of consumer account profiles. For example display name, surname, given name, city, and others.

You can also extend the Azure AD schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multi-factor authentication. For more information, see:

Sign-in with external identity providers

You can configure Azure AD B2C to allow users to sign in to your application with credentials from social and enterprise identity providers. Azure AD B2C can federate with identity providers that support OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols. For example, Facebook, Microsoft account, Google, Twitter, and AD-FS.

With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.

On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're taken (redirected) to the selected provider's website to complete the sign in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.

To see how to add identity providers in Azure AD B2C, see Add identity providers to your applications in Azure Active Directory B2C.

Identity experiences: user flows or custom policies

In Azure AD B2C, you can define the business logic that users follow to gain access to your application. For example, you can determine the sequence of steps users follow when they sign in, sign up, edit a profile, or reset a password. After completing the sequence, the user acquires a token and gains access to your application.

In Azure AD B2C, there are two ways to provide identity user experiences:

  • User flows are predefined, built-in, configurable policies that we provide so you can create sign-up, sign-in, and profile editing experiences in minutes.

  • Custom policies enable you to create your own user journeys for complex identity experience scenarios.

The following screenshot shows the user flow settings UI, versus custom policy configuration files.

Read the User flows and custom policies overview article. It gives an overview of user flows and custom policies, and helps you decide which method will work best for your business needs.

User interface

In Azure AD B2C, you can craft your users' identity experiences so that the pages shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users when they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.

For information on UI customization, see:

Custom domain

You can customize the Azure AD B2C domain that appears in the redirect URLs for Azure AD B2C. A custom domain allows you to create a seamless experience so that the pages shown blend seamlessly with the domain name of your application.

From the user's perspective, they remain in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain .b2clogin.com. For more information, see Enable custom domains.

Localization

Language customization in Azure AD B2C allows you to accommodate different languages to suit your customer needs. Microsoft provides the translations for 36 languages, but you can also provide your own translations for any language. Even if your experience is provided for only a single language, you can customize any text on the pages.

See how localization works in Language customization in Azure Active Directory B2C.

Email verification

Azure AD B2C ensures valid email addresses by requiring customers to verify them during the sign-up and password reset flows. It also prevents malicious actors from using automated processes to generate fraudulent accounts in your applications.

You can customize the email sent to users that sign up to use your applications. By using a third-party email provider, you can use your own email template and From: address and subject, as well as support localization and custom one-time password (OTP) settings. For more information, see:

Add your own business logic

If you choose to use custom policies, you can integrate with a RESTful API in a user journey to add your own business logic to the journey. For example, Azure AD B2C can exchange data with a RESTful service to:

  • Display custom user-friendly error messages.
  • Validate user input to prevent malformed data from persisting in your user directory. For example, you can modify the data entered by the user, such as capitalizing their first name if they entered it in all lowercase.
  • Enrich user data by further integrating with your corporate line-of-business application.
  • Using RESTful calls, you can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and more.

Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C.

The return data can be stored in the user's directory account in Azure AD B2C. The data then can be further evaluated in subsequent steps in the policy, or be included in the access token.

You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:

  • During sign-in, just before Azure AD B2C validates the credentials
  • Immediately after sign-in
  • Before Azure AD B2C creates a new account in the directory
  • After Azure AD B2C creates a new account in the directory
  • Before Azure AD B2C issues an access token

To see how to use custom policies for RESTful API integration in Azure AD B2C, see Integrate REST API claims exchanges in your Azure AD B2C custom policy.
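A claims-exchange handler of the kind the section above describes, written as an added example rather than Microsoft's code: it validates the input claims, normalises the given name before it persists in the directory, enriches the claims with a loyalty number from a customer lookup, and returns user-facing errors in the version/status/userMessage body that Azure AD B2C documents for a REST API called from a custom policy (HTTP 409 surfaces userMessage on the page). The claim names, the LOYALTY_DB lookup and the 64-character limit are assumptions for illustration; authenticating the caller (B2C supports basic and client certificate authentication for these calls) is left out.

```python
# Added example (not Microsoft's code): a minimal claims-exchange handler for a
# RESTful technical profile in an Azure AD B2C custom policy.
import json
import re

# Constructed stand-in for the "customer database" the page mentions.
LOYALTY_DB = {"alice@example.com": "LOY-0001"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
API_VERSION = "1.0.0"   # "version" field Azure AD B2C expects in an error response


def error(status, message):
    """Error body in the shape Azure AD B2C reads back: version, status and userMessage."""
    return status, {"version": API_VERSION, "status": status, "userMessage": message}


def handle_claims_exchange(payload):
    """Validate and enrich the input claims; returns (HTTP status, JSON-serializable body).

    A 200 body is treated by Azure AD B2C as output claims; a 409 body carries a
    user-facing validation message that is displayed on the sign-up page.
    """
    # Callers should have been authenticated before this point (not shown here).
    email = str(payload.get("email", "")).strip().lower()
    given_name = str(payload.get("givenName", "")).strip()
    if not EMAIL_RE.match(email):
        return error(409, "Please enter a valid email address.")
    if not given_name or len(given_name) > 64:   # 64 is an assumed limit
        return error(409, "First name is required and must be 64 characters or fewer.")
    claims = {
        # Normalise input before it persists in the directory (the page's capitalisation example).
        "givenName": given_name[0].upper() + given_name[1:],
    }
    # Enrichment from the line-of-business lookup; the claim is simply absent when unknown.
    loyalty = LOYALTY_DB.get(email)
    if loyalty:
        claims["loyaltyNumber"] = loyalty
    return 200, claims


def handle_request_body(raw_body):
    """Parse the raw request body, answering malformed JSON with a 400 rather than a stack trace."""
    try:
        payload = json.loads(raw_body)
        if not isinstance(payload, dict):
            raise ValueError("top-level JSON value must be an object")
    except ValueError:
        return error(400, "Malformed request.")
    return handle_claims_exchange(payload)
```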

Protocols and tokens

  • For applications, Azure AD B2C supports the OAuth 2.0, OpenID Connect, and SAML protocols for user journeys. Your application starts the user journey by issuing authentication requests to Azure AD B2C. The result of a request to Azure AD B2C is a security token, such as an ID token, access token, or SAML token. This security token defines the user's identity within the application.

  • For external identities, Azure AD B2C supports federation with any OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML identity providers.

The following diagram shows how Azure AD B2C can communicate using various protocols within the same authentication flow:

  1. The relying party application starts an authorization request to Azure AD B2C using OpenID Connect.
  2. When a user of the application chooses to sign in using an external identity provider that uses the SAML protocol, Azure AD B2C invokes the SAML protocol to communicate with that identity provider.
  3. After the user completes the sign-in operation with the external identity provider, Azure AD B2C then returns the token to the relying party application using OpenID Connect.

Application integration

When a user wants to sign in to your application, the application initiates an authorization request to a user flow- or custom policy-provided endpoint. The user flow or custom policy defines and controls the user's experience. When they complete a user flow, for example the sign-up or sign-in flow, Azure AD B2C generates a token, then redirects the user back to your application.

Multiple applications can use the same user flow or custom policy. A single application can use multiple user flows or custom policies.

For example, to sign in to an application, the application uses the sign-up or sign-in user flow. After the user has signed in, they may want to edit their profile, so the application initiates another authorization request, this time using the profile edit user flow.

Multi-factor authentication (MFA)

Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for your users. It provides extra security by requiring a second form of authentication, and delivers strong authentication by offering a range of easy-to-use authentication methods.

Your users may or may not be challenged for MFA based on configuration decisions that you can make as an administrator.

See how to enable MFA in user flows in Enable multi-factor authentication in Azure Active Directory B2C.

Conditional Access

Azure AD Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine remediation actions and enforce organizational policies.

Azure AD B2C evaluates each sign-in event and ensures that all policy requirements are met before granting the user access. Risky users or sign-ins may be blocked, or challenged with a specific remediation like multi-factor authentication (MFA). For more information, see Identity Protection and Conditional Access.

Password complexity

During sign up or password reset, your users must supply a password that meets complexity rules. By default, Azure AD B2C enforces a strong password policy. Azure AD B2C also provides configuration options for specifying the complexity requirements of the passwords your customers use.

For more information, see Configure complexity requirements for passwords in Azure AD B2C.

Force password reset

As an Azure AD B2C tenant administrator, you can reset a user's password if the user forgets it, or when you want to force them to reset the password periodically. For more information, see Set up a force password reset flow.

Smart account lockout

To prevent brute-force password guessing attempts, Azure AD B2C uses a sophisticated strategy to lock accounts based on the IP of the request, the passwords entered, and several other factors. The duration of the lockout is automatically increased based on risk and the number of attempts.

For more information about managing password protection settings, see Mitigate credential attacks in Azure AD B2C.

Protect resources and customer identities

Azure AD B2C complies with the security, privacy, and other commitments described in the Microsoft Azure Trust Center.

Sessions are modeled as encrypted data, with the decryption key known only to the Azure AD B2C Security Token Service. A strong encryption algorithm, AES-192, is used. All communication paths are protected with TLS for confidentiality and integrity. Our Security Token Service uses an Extended Validation (EV) certificate for TLS. In general, the Security Token Service mitigates cross-site scripting (XSS) attacks by not rendering untrusted input.

Access to user data

Azure AD B2C tenants share many characteristics with enterprise Azure Active Directory tenants used for employees and partners. Shared aspects include mechanisms for viewing administrative roles, assigning roles, and auditing activities.

You can assign roles to control who can perform certain administrative actions in Azure AD B2C, including:

  • Create and manage all aspects of user flows
  • Create and manage the attribute schema available to all user flows
  • Configure identity providers for use in direct federation
  • Create and manage trust framework policies in the Identity Experience Framework (custom policies)
  • Manage secrets for federation and encryption in the Identity Experience Framework (custom policies)

For more information about Azure AD roles, including Azure AD B2C administration role support, see Administrator role permissions in Azure Active Directory.

Auditing and logs

Azure AD B2C emits audit logs containing activity information about its resources, issued tokens, and administrator access. You can use the audit logs to understand platform activity and diagnose issues. Audit log entries are available soon after the activity that generated the event occurs.

In an audit log, which is available for your Azure AD B2C tenant or for a particular user, you can find information including:

  • Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies)
  • Activities related to directory attributes retrieved when an administrator signs in using the Azure portal
  • Create, read, update, and delete (CRUD) operations on B2C applications
  • CRUD operations on keys stored in a B2C key container
  • CRUD operations on B2C resources (for example, policies and identity providers)
  • Validation of user credentials and token issuance

For more information on audit logs, see Accessing Azure AD B2C audit logs.

Usage analytics

Azure AD B2C allows you to discover when people sign up or sign in to your app, where the users are located, and what browsers and operating systems they use.

By integrating Azure Application Insights into Azure AD B2C custom policies, you can gain insight into how people sign up, sign in, reset their password or edit their profile. With such knowledge, you can make data-driven decisions for your upcoming development cycles.

For more information, see Track user behavior in Azure Active Directory B2C using Application Insights.

Next steps

Now that you have a deeper view into the features and technical aspects of Azure Active Directory B2C, get started with our tutorial for creating an Azure Active Directory B2C tenant.