I am confused by the pricing structure for Azure AD B2C defined here. The question seems to arise from this description:
Authentications: Tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user (e.g. token refresh, where the refresh interval is configurable).
In Azure AD B2C settings for my tenant / application, I define a SignInUp policy and then have options for the lifetime of the Access / ID Token (maximum 24 hours), as well as the Refresh token (maximum 90 days) and then the refresh sliding window boundary (up to 365 days or no expiry). How does this relate to authentications I would get charged for under the authentication pricing?
For example, if I set my Access / ID Token to 24 hours and my Refresh token to 90 days and I use the MSAL library to AcquireTokenSilentlyAsync and I have a user who gets into the app every day, will I get charged 30 authentications for that user per month, or just 1 authentication because the refresh token has not yet expired?
This makes a huge difference in cost and whether I can use B2C for my app authentication needs. For instance at 100,000 daily users, if I only get charged 1 authentication per month, it will end up costing an average of about $50 per month if my Refresh tokens are set to 90 days, whereas if it charges an authentication every 24 hours, I would get charged $6300 per month! Any clarification on this is appreciated.
When a user journey starts, Azure AD B2C receives an access token from an identity provider. Azure AD B2C uses that token to retrieve information about the user. You enable a claim in your user flow to pass the token through to the applications that you register in Azure AD B2C. Your application must be using a recommended user flow to take advantage of passing the token as a claim.
They are issued by Azure AD B2C and can be inspected and interpreted only by Azure AD B2C. They are long-lived, but your application shouldn't be written with the expectation that a refresh token will last for a specific period of time.
Go to Azure portal, navigate to Azure Active Directory blade > Users > All Users, select (double-click) the required user and click the Revoke Sessions button on top of the toolbar. Apart from the listed reasons in the above post, the tokens can also be controlled through Sign-in frequency control in the Conditional Access policy.
I received an answer from Microsoft Azure support as follows:
I have reviewed your case and I understand that you have a query regarding B2C pricing. I would like to inform you that the tokens are issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user. Please find the pricing details as mentioned below: https://azure.microsoft.com/en-us/pricing/calculator/?service=active-directory-b2c So if the user or an application signs in once per day, it would be charged 30 authentications for that user per month. Also, up to the first 50,000 user or application sign-ins are free.
I sent a follow up for clarification:
So, just for clarification, even if it is the refresh token that is used (which is good for 90 days if set up that way), that still charges as an 'authentication'? This makes B2C extremely expensive and there is no way that the Real Madrid example case is true, as they would be spending $10,000,000 a year or more just for authentications. Microsoft will never get indie developers to be able to use this, and it will be out of the price range of most medium businesses as well. It is nowhere near competitive with Auth0, which for 50k users a month and UNLIMITED authentications, costs just $850.
And received the following response:
Your suggestions are really important for us to make improvements for our product and services. I would recommend that you open the feedback link and provide us your valuable feedback. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Windows Azure.
https://feedback.azure.com/forums/223579-azure-portal/suggestions/18796606-lower-the-price-of-ad-b2c
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10986063-reduce-pricing-for-azure-ad-b2c
https://feedback.azure.com/forums/34192--general-feedback/suggestions/15434943-azure-active-directory-b2c-don-t-charge-for-token
If you look at this feedback, it has not gotten many votes or action in a year, so please, if you want B2C to be a viable option for indie developers or small / mid-size companies, go vote!
Let me add a few clarifications to the snippet from the pricing site and then explain further. Revised: Authentications: ID tokens or access tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user to obtain a fresh ID token or a fresh access token (e.g. when a refresh token is used by the application, where the refresh interval is configurable).
An ID Token has a maximum lifetime of 24 hours. Assuming that you set the ID TOKEN lifetime to 24 hours, a user that uses your application every day for 30 days, will incur at least 30 authentications.
If you set the ID token lifetime to 1 hour, and said user uses your app constantly for 12 hours, then that could add up to 12 tokens in that day.
Conversely, a refresh token is "free." It's the exchange of a refresh token for an ID token that results in an authentication charge.
Jose
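To make the billing model in the answer above concrete, here is an added simulation (not code from the thread, MSAL, or Microsoft) that replays a user's app-open timestamps against a simplified silent-acquire flow: a cached ID token costs nothing, redeeming the refresh token for a new ID token counts as one authentication, and an expired refresh token forces an interactive sign-in (also one authentication). The cache logic, the sliding-window extension, and the usage patterns are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Session:
    """Per-user token cache plus counters for what B2C would bill (assumed model)."""
    id_token_exp: int = -1        # epoch seconds; -1 = nothing cached yet
    refresh_token_exp: int = -1
    authentications: int = 0      # billable: every ID token issuance
    interactive_signins: int = 0  # subset that needed the user to sign in again


def acquire_token(s, now, id_lifetime, refresh_lifetime, sliding=True):
    """Simplified silent-acquire flow (assumption, not MSAL's real logic):
    reuse the cached ID token while valid; otherwise redeem the refresh token
    (billed); if that has expired too, fall back to interactive sign-in (billed)."""
    if now < s.id_token_exp:
        return "cached"                      # nothing issued, nothing billed
    s.authentications += 1                   # a new ID token is about to be issued
    if now < s.refresh_token_exp:
        outcome = "refresh"
        if sliding:                          # sliding window: redeeming extends the RT
            s.refresh_token_exp = now + refresh_lifetime
    else:
        outcome = "interactive"
        s.interactive_signins += 1
        s.refresh_token_exp = now + refresh_lifetime
    s.id_token_exp = now + id_lifetime
    return outcome


def simulate(access_times, id_lifetime, refresh_lifetime, sliding=True):
    """Replay app-open timestamps; return (authentications, interactive sign-ins)."""
    s = Session()
    for t in access_times:
        acquire_token(s, t, id_lifetime, refresh_lifetime, sliding)
    return s.authentications, s.interactive_signins


def daily_user_for_30_days():
    # Constructed usage: one app open per day; 24 h ID token, 90 d refresh token.
    return simulate([d * DAY for d in range(30)], 24 * HOUR, 90 * DAY)


def heavy_user_for_12_hours():
    # Constructed usage: app opened every 10 min for 12 h; 1 h ID token.
    return simulate(range(0, 12 * HOUR, 10 * 60), 1 * HOUR, 90 * DAY)


def daily_user_for_120_days_no_sliding():
    # Constructed usage: 120 daily opens with a fixed (non-sliding) 90 d refresh token.
    return simulate([d * DAY for d in range(120)], 24 * HOUR, 90 * DAY, sliding=False)
```

With these inputs the daily user costs 30 authentications in a month from a single interactive sign-in, and the heavy user with a 1-hour ID token costs 12 in one day, matching the figures in the answer.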