Deciding which external access solution meets your needs can be a challenge, so let’s explore what Microsoft’s Azure AD B2B and B2C products offer, where they crossover, and where they differ.
The management of external identities has changed a great deal in recent years, with Microsoft‘s approach being no exception.
If you‘re reading this blog, you‘ve likely come across the two products Microsoft uses to facilitate external access, Azure AD B2B and Azure AD B2C.
On the surface, it would seem self-explanatory that B2B is used to provide access to partners and suppliers whilst B2C caters to customer-facing interactions.
Like much of life, however, things are never so clear cut. Azure AD B2B and B2C may have begun life intended for these purposes, but there‘s an increasing amount of crossover in their application.
This can make things difficult for when it comes to selecting the right technology choice for your scenario. In this blog, I shall attempt to clarify the differences between the two and highlight how they can best serve your external access needs.
B2B (or ‘Azure AD B2B collaboration’) addresses the problem of sharing your applications with external users and is a feature of Azure AD rather than a standalone service.
These users could be suppliers, customers, partners or any kind of external user with whom you wish to collaborate.
In the past, you may have just created a user account on your corporate Active Directory (i.e. a ‘local account’) to invite an external user to use a web application. Or, if you have ADFS infrastructure, you may have established a trust relationship between your ADFS server and your partner’s.
The local account solution is an easy fix – but it comes with a housekeeping problem. When the external user leaves, you may not be notified immediately (or at all) of their departure – which means they could retain access even when they should not have it.
The ADFS solution is a neater one – but is complex and requires all of your partners to have a similar solution and to set up trusts between each organisation.
In response, Microsoft created Azure Active Directory B2B, where you simply invite a user by email to start the ball rolling:
There are many advantages of using the B2B feature to invite guests into your organisation:
Watch our on-demand webinar and we’ll make things clear. You will:
Azure AD B2C provides an authentication solution for your outward-facing applications and is a service independent of Azure AD.
The actual authentication process works in a very similar way to B2B. But B2C is not designed to allow access to your employee groups and other resources, as it is primarily intended for end customers.
B2C provides complex user flows (known as custom policies). This feature allows you to have multi-step sign-in experiences, which can be useful for providing or verifying attributes.
For example, with one of our insurance company clients, existing customers with no online relationship with the company needed to be able to sign up to the website and see their documents.
To make this happen, the company needed to verify the customer’s identity using an API call during sign up:
After accepting the terms and conditions, the customer submits their account number and a one-off ‘activation code’. Providing these two items allows the policy to check their identity.
The policy sends the data to a web service (API) external to B2C and receives a response which tells it whether the user is indeed a customer.
At this point, the customer can now continue to set up their credentials, complete the sign-up process, and access their documents.
Below I’ve put together a comparison of the two products against some typically required features:
At time of writing, B2C offers some features that B2B does not have:
Out-of-the-box integration with a wide range of identity providers including MSA, Amazon and more: B2B only offers out-of-the-box integration with Google accounts and Facebook accounts (the latter in ‘preview’ only).
Custom policies with multiple steps: B2B offers journey steps but in a more limited way – for example, you can call an external API but at the moment you only have two choices about when to call it
However, Microsoft is rapidly developing new capabilities for B2B.
In 2020, the following features were included in the public preview of Azure Active Directory:
So, what we’re seeing is a trend of convergence between the two products. The restriction of having to choose B2C if you want a customised look and feel no longer applies.
This means that these two products are increasingly venturing beyond the confines of their original B2B and B2C remits. It’s more about deciding on the functionality you require and selecting the product that suits you best, regardless of whether it’s a partner or customer access scenario.
I wouldn’t be at all surprised if Microsoft were to do away with the B2B and B2C labels. As these two products become ever more entwined, eventually they will act as one external access management suite.
Keep your finger on the pulse of identity management and Microsoft technology. Get the latest content and event invites straight to your inbox.
Marcus Idle is our Head of Customer Identity and Access Management and IP Development at ThirdSpace. He is responsible for projects involving external identities. Expert in Microsoft’s Azure AD B2B...
We'd love to hear from you! Our friendly team can be reached Monday through Friday, from 9am to 5pm.Contact Us
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.