Arkose fraud protection

Arkose Labs' New Account Fraud Solution is designed to combat the creation of fraudulent accounts to ensure the security of your application while maintaining a seamless onboarding experience for legitimate users.

Prerequisites

Before you start, make sure you have completed the following:
  1. Create a tenant and add admin accounts
  2. Register a web application
  3. Create a user flow

This feature is in preview, and configuration is done using Microsoft Graph.

Set up Arkose fraud protection in your tenant

To set up Arkose fraud protection in your tenant, run the following Graph request (required permission: RiskPreventionProviders.ReadWrite.All). Replace:

  • {public-key} with the public key from your Arkose account; it should be in GUID format.
  • {private-key} with the private key from your Arkose account.
  • {client-sub-domain} with the client sub-domain for your Arkose account. Use only the subdomain prefix (e.g., "client-api"), not the full domain.
  • {verify-sub-domain} with the verify sub-domain for your Arkose account. Use only the subdomain prefix (e.g., "verify-api"), not the full domain.
POST https://graph.microsoft.com/beta/identity/riskPrevention/fraudProtectionProviders
{
  "@odata.type": "#microsoft.graph.arkoseFraudProtectionProvider",
  "displayName": "Arkose config",
  "publicKey": "{public-key}",
  "privateKey": "{private-key}",
  "clientSubDomain": "{client-sub-domain}",
  "verifySubDomain": "{verify-sub-domain}"
}

Example request with sample values:
POST https://graph.microsoft.com/beta/identity/authenticationEventsFlows/12345678-0000-0000-0000-000000000000/microsoft.graph.externalUsersSelfServiceSignUpEventsFlow/onAuthenticationMethodLoadStart/microsoft.graph.onAuthenticationMethodLoadStartExternalUsersSelfServiceSignUp/identityProviders/$ref
{
    "@odata.type": "#microsoft.graph.arkoseFraudProtectionProvider",
    "displayName": "Arkose config",
    "publicKey": "12345678-1234-1234-1234-000000000000",
    "privateKey": "11111111-2222-3444-5555-666667777888",
    "clientSubDomain": "client-api",
    "verifySubDomain": "verify-api"
}

From the response, copy the value of id, for example:
{
    "@odata.type": "#microsoft.graph.arkoseFraudProtectionProvider",
    "id": "11111111-1234-1234-1234-000000000000",
    "displayName": "Arkose config",
    "publicKey": "12345678-1234-1234-1234-000000000000",
    "clientSubDomain": "client-api",
    "verifySubDomain": "verify-api"
    ...
}

Assign the fraud protection provider to your application

Finally, create an AuthenticationEventListener policy that uses the Arkose fraud protection configuration in the sign-up flow for an application (required permission: EventListener.ReadWrite.All). Replace:

  • {app-id} with your application ID.
  • {fraud-protection-id} with the ID you copied in the previous step.
POST https://graph.microsoft.com/beta/identity/authenticationEventListeners
{
  "@odata.type": "#microsoft.graph.onFraudProtectionLoadStartListener",
  "conditions": {
    "applications": {
      "includeApplications": [
        {
          "appId": "{app-id}"
        }
      ]
    }
  },
  "handler": {
    "@odata.type": "#microsoft.graph.onFraudProtectionLoadStartExternalUsersAuthHandler",
    "signUp": {
      "@odata.type": "#microsoft.graph.fraudProtectionProviderConfiguration",
      "isContinueOnProviderErrorEnabled": true,
      "fraudProtectionProvider": {
        "@odata.type": "#microsoft.graph.arkoseFraudProtectionProvider",
        "id": "{fraud-protection-id}"
      }
    }
  }
}
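The three steps above (create the provider, copy its id, attach it to an application) as an added Python example that is not part of this page or of any Microsoft SDK: it only builds and validates the Graph request bodies (GUID-format public key, bare subdomain prefixes, GUID ids) and extracts the provider id from the creation response, so it runs offline; sending the requests through an authenticated Graph client is assumed to happen elsewhere, and the helper names are my own.

```python
import json
import re
import uuid

GRAPH_BETA = "https://graph.microsoft.com/beta"
PROVIDER_TYPE = "#microsoft.graph.arkoseFraudProtectionProvider"


def _subdomain_prefix(value, label):
    # The doc wants only the prefix (e.g. "client-api"), never a full host name.
    if not re.fullmatch(r"[a-z0-9-]+", value or ""):
        raise ValueError(f"{label} must be a bare subdomain prefix, got {value!r}")
    return value


def build_provider_request(public_key, private_key, client_sub_domain,
                           verify_sub_domain, display_name="Arkose config"):
    """Step 1 body for fraudProtectionProviders (RiskPreventionProviders.ReadWrite.All)."""
    if not private_key:
        raise ValueError("privateKey must not be empty")
    body = {
        "@odata.type": PROVIDER_TYPE,
        "displayName": display_name,
        "publicKey": str(uuid.UUID(public_key)),  # ValueError if not a GUID
        "privateKey": private_key,  # secret: never log this body
        "clientSubDomain": _subdomain_prefix(client_sub_domain, "clientSubDomain"),
        "verifySubDomain": _subdomain_prefix(verify_sub_domain, "verifySubDomain"),
    }
    return "POST", f"{GRAPH_BETA}/identity/riskPrevention/fraudProtectionProviders", body


def provider_id_from_response(response_text):
    """Step 2: the id to carry into the listener; Graph omits privateKey in this response."""
    data = json.loads(response_text)
    if data.get("@odata.type") != PROVIDER_TYPE:
        raise ValueError("response is not an arkoseFraudProtectionProvider")
    return str(uuid.UUID(data["id"]))


def build_listener_request(app_id, fraud_protection_id, continue_on_provider_error=True):
    """Step 3 body for authenticationEventListeners (EventListener.ReadWrite.All)."""
    body = {
        "@odata.type": "#microsoft.graph.onFraudProtectionLoadStartListener",
        "conditions": {"applications": {"includeApplications": [{"appId": str(uuid.UUID(app_id))}]}},
        "handler": {
            "@odata.type": "#microsoft.graph.onFraudProtectionLoadStartExternalUsersAuthHandler",
            "signUp": {
                "@odata.type": "#microsoft.graph.fraudProtectionProviderConfiguration",
                # Judging by its name, true lets sign-up continue if Arkose errors (fail open);
                # the doc sets it to true, so keep that the default and make it an explicit choice.
                "isContinueOnProviderErrorEnabled": continue_on_provider_error,
                "fraudProtectionProvider": {"@odata.type": PROVIDER_TYPE, "id": str(uuid.UUID(fraud_protection_id))},
            },
        },
    }
    return "POST", f"{GRAPH_BETA}/identity/authenticationEventListeners", body
```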