Case Study

Building a secure multi-brand authentication experience at BT

Creating a secure customer authentication framework for a single brand can be a challenge. Applying it across four brands, whilst remaining ‘pixel perfect’ is on another level. But, with Azure AD B2C, we helped BT Group to do just that.

How do you seamlessly and safely connect millions of customers to multiple high-profile brands with a single authentication?

This was the challenge presented by Roy Corneloues, BT Group’s Enterprise Architect. And with the help of Azure AD B2C, Kocho helped to make BT’s Single Authentication Framework (SAF) a reality.

For any organisation, customer experience and data security are essential. They’re the cornerstones of trust and loyalty.

When you’re a global enterprise with multiple high-profile brands and millions of customers worldwide, it’s critical that you get this right.

For BT this meant delivering a seamless authentication experience that lets customers access and move between every service, app, and brand with ease. A revolutionary change from an existing time-consuming process where users had to register and sign into each service separately.

SAF and a vision for seamless, multi-brand customer experiences

This was the ambition behind the Single Authentication Framework (SAF). The brainchild of BT Group’s Architecture team.

BT Group is a global leader in the telecoms industry. A provider of cutting-edge technology to businesses and consumers around the globe.

It offers a vast array of commercial and consumer services via major brands including: EE, BT, Openreach, and Plusnet. From leading-edge fibre broadband to entertainment, sport, gaming, TV, and mobile services.

And, with around 25 million customers accessing over 100 different services, the organisation had a vision to revolutionise the way it provided this access. To provide a seamless and secure experience for every customer, everywhere. Across every brand and application.

But in order to deliver on this vision, it couldn’t be held back by legacy technology.

Adopting Azure AD B2C to turn SAF into a reality

Following an RFP process that included established providers like Okta, Ping, and ForgeRock, Roy and the team at BT identified Microsoft Azure AD B2C as its chosen technology platform.

With Azure AD B2C, BT had a platform that could deliver seamless, fully-branded customer experiences across each brand and service, while also incorporating essential modern security features like MFA and passwordless authentication.

On working with Kocho

While the project was to be led via an internal team, there was recognition that the project would require collaboration and support from a partner with the skills and expertise in Microsoft cloud technology, identity, and cybersecurity.

Kocho was selected for its expertise and understanding of the vision BT was working to deliver.

Kocho was and continues to be recognised as a leading global Microsoft partner for External Identity, and this Azure AD B2C project would prove to be one of Microsoft’s largest B2C deployments to date.

Kocho’s External Identity team worked closely with the BT Group team, upskilling and providing the support needed to establish and action each stage of the project, including:

  • Creation and development of the SAF.

  • Migration of all customer accounts.

  • Adoption as a product.

  • Refinement and further feature development.

Creating ‘one front door’ for access and authentication

At the heart of SAF is the idea of providing access via a single ‘front door.’

One framework that could be monitored, upgraded, and simultaneously updated across each brand – with no visible disruption to the customer experience.

This framework would consist of event-driven architecture and contain a single suite of experiences and features that could be ‘skinned’ to represent each brand for a consistent end-user experience.

Using the single sign-on feature baked into Azure AD B2C, customers no longer need to retain multiple credentials to gain access to the different apps and services.

A secure customer identity platform built for scale

For SAF to succeed, it needed to be underpinned by a rigorous approach to security and data protection.

Having this one framework also meant that security monitoring improvements could be made, using Microsoft Sentinel to draw security data into a single dashboard for investigation and remediation.

Once the framework had been developed and implemented, the next challenge was migrating users to begin using it.

We get so much telemetry from Microsoft Sentinel about user behavior that we can resolve those situations in real time. We react to those alerts faster than ever before.

Andrew Warner

Identity Product Director, BT Group

A roadmap to migrating 25 million customers

With over 500 applications to migrate and more than 25 million customer accounts, Kocho and BT had to carefully plan the approach to ensure minimal disruption to customers.

First to migrate was the EE brand, with approximately 150 apps, and over 3.3 million active users. This meant finding a solution to securely migrate those users without impacting their usage and experience of the EE application and portal.

Across the remaining 350 applications on the BT side, BT Group and the Kocho External Identity team collaborated to develop a “proxy server” container design. This allowed just-in-time migration to move any users who needed to use the service before migration was completed wholesale.

This involved creating a process where submitted credentials were verified against the existing directory and, if approved, were then created in Azure AD B2C.

A multi-stage migration process would then be completed to move applications and users to the new platform.

A secure, seamless, on-brand experience with Azure AD B2C

With support from our external identity team, BT are realising their vision of delivering a seamless experience that welcomes rather than deters its customers:

A single access portal

‘One front door’ for access and authentication across multiple brands – improving security monitoring and administration.

A single authentication portal

A single framework for authentication, applying strong, scalable security to each of its business brands.

Seamless user migration

The ability to securely migrate millions of accounts with no disruption to the end user.

Improved visibility and monitoring

Improved security log generation and monitoring, thanks to Microsoft Sentinel.

Meeting identity and security standards

Best-in-class solutions for a standards-based approach to identity and security.

A powerful, modern customer experience

A single, highly customisable, modern platform that protects its customers and provides a ‘pixel-perfect’ brand experience.

Outcomes that outline the success of SAF

SAF is a long-term vision for the future of secure authentication and exceptional customer experience. And, BT Group are already seeing the significant benefits of its implementation.

Within the first few weeks, BT Group had seen:

  • 5 million customers onboarded

  • More than 100,000 attacks thwarted

In the months that followed, they have reported:

  • Monthly active users increased by 1 million customers.

  • A sharp drop in customer abandonments.

  • 33,000 challenges to the anti-bot system stopped in the first six weeks using Conditional Access.

  • Over 1 million IDs processed in 4 minutes during coverage of the 2023 Champions League Final.


Our vision was to build a next-generation customer registration experience that could be adopted by every one of our lines of business, yet provide world-class security and modern authentication using open industry standards.

Roy Corneloues

Enterprise Architect for Customer Identity and Access Management, BT Group

Excited by the options and opportunities Azure AD B2C has made available, BT Group has ambitious plans for the future.

These include completing the migration of its remaining brands, applications, and users into Azure, as well as rolling out passwordless and verified ID technologies to its users.

Alongside improving the customer experience and its internal identity and security infrastructure, BT Group has also moved to a much-improved pricing structure. As B2C is billed on a monthly active user (MAU) basis, they will now only pay for usage, rather than per user.

As an organisation with more than 25 million customers, this is a key benefit and a key factor in BT Group opting for Azure AD B2C.

It’s now able to confidently expand its offerings and services, knowing that it has a flexible – yet secure – platform on which to build.
