Azure Active Directory B2C pricing clarification with refresh tokens

Question

I am confused by the pricing structure for Azure AD B2C defined here. The question seems to arise from this description:

Authentications: Tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user (e.g. token refresh, where the refresh interval is configurable).

In Azure AD B2C settings for my tenant / application, I define a SignInUp policy and then have options for the lifetime of the Access / ID Token (maximum 24 hours), as well as the Refresh token (maximum 90 days) and then the refresh sliding window boundary (up to 365 days or no expiry). How does this relate to authentications I would get charged for under the authentication pricing?

For example, if I set my Access / ID Token to 24 hours and my Refresh token to 90 days and I use the MSAL library to AcquireTokenSilentlyAsync and I have a user who gets into the app every day, will I get charged 30 authentications for that user per month, or just 1 authentication because the refresh token has not yet expired?

This makes a huge difference in cost and whether I can use B2C for my app authentication needs. For instance at 100,000 daily users, if I only get charged 1 authentication per month, it will end up costing an average of about $50 per month if my Refresh tokens are set to 90 days, whereas if it charges an authentication every 24 hours, I would get charged $6300 per month! Any clarification on this is appreciated.

GouldComputing GouldComputing · Accepted Answer · 2017-06-13T12:45:53

I received an answer from Microsoft Azure support as follows:

I have reviewed your case and I understand that you have query regarding B2C Pricing. I would like to inform you that, the Tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user. Please find the pricing details as mentioned below: https://azure.microsoft.com/en-us/pricing/calculator/?service=active-directory-b2c So if the user or an application, sign-in’s per day one time, hence, it would be charged 30 authentications for that user per month and Also, upto First 50,000 user or an application sign-in’s are free

I sent a follow up for clarification:

So, just for clarification, even if it is the refresh token that is used (which is good for 90 days if setup that way), that still charges as an 'authentication'? This makes B2C extremely expensive and there is no way that the Real Madrid example case is true, as they would be spending $10,000,000 a year or more just for authentications. Microsoft will never get indie developers to be able to use this, and it will be out of the price range of most medium businesses as well. It is nowhere near competitive with Auth0, which for 50k users a month and UNLIMITED authentications, costs just $850.

And received the following response:

Your suggestion are really important for us to make improvements for our product and services. I would recommend that you open the feedback link and provide us your valuable feedback. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Windows Azure.

https://feedback.azure.com/forums/223579-azure-portal/suggestions/18796606-lower-the-price-of-ad-b2c

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10986063-reduce-pricing-for-azure-ad-b2c

https://feedback.azure.com/forums/34192--general-feedback/suggestions/15434943-azure-active-directory-b2c-don-t-charge-for-token

If you look at these feedback, they have not gotten many votes or action in a year, so please, if you want B2C as a viable option for indie developers or small / mid size companies, go vote!

Azure Active Directory B2C pricing clarification with refresh tokens

2 Answers