
What is CIAM?

CIAM stands for customer identity and access management.

Typically, CIAM takes the form of authentication software used with an organisation’s public-facing websites, apps and other digital services. This software seamlessly integrates with a company’s branded digital properties to provide powerful security and frictionless access. CIAM solutions and their associated features are key to meeting consumer demands for a unified experience, while reducing the risk of a data breach.


Identity and access management (IAM) typically deals with authentication and access within an organisation – for example, determining what happens in terms of changes to a user account and privileges when employees join, leave, or move roles within a company.

As opposed to IAM, customer identity and access management (CIAM) is outward-facing. It is also concerned with joining, moving, and leaving, but more usually in the sense of registering for an account, making changes to the account or the relationship (self-service account, consent and preference management), or asking to be removed.

The ‘C’ in CIAM does not mean, however, that the users who authenticate are always private individuals. They may be authenticating on behalf of a company or other organisation. In other words, CIAM addresses external authentication scenarios – both B2C and B2B.

Why is CIAM needed?

With any website or other internet service which requires authentication, the norm in the past was to build the authentication into the website, using a back-end database to store credentials. Although this involves significant work at the start of the process, once up and running, it becomes part of the website ‘furniture’ – and it does not look like a useful candidate for outsourcing.

However, built-in website authentication almost always has all of the following problems:

  • Does not provide single sign-on across multiple web applications.
  • Does not apply password blacklists.
  • Does not supply sign-on analytics.
  • Does not automatically update to protect the website against new threats.
  • Does not outsource single sign-on (SSO) to upstream identity providers (IdPs) such as social or organisational IdPs.
  • Does not update to incorporate new features such as multi-factor authentication (MFA).

From an end-user perspective, the lack of SSO and social login can cause frustration – and rather than create new identities, a percentage of them will take their custom elsewhere. But even more concerning is the increased risk of a data breach with a legacy solution.

Features and benefits

As a corollary to the above disadvantages of a home-grown authentication solution, CIAM features remove the friction from sign-up and sign-in processes – and, critically, improve security.

The above diagram quickly illustrates the key benefits of a CIAM solution.

Key benefits of CIAM:

Frictionless access

Single sign-on (SSO) across multiple web applications means users do not have to create more than one account when dealing with an organisation’s multiple web-based services.

Enhanced protection

For the user’s identity and the organisation’s resources – with a range of security measures including multi-factor authentication, threat detection and password blacklists.

Scalable performance

Customers expect anytime access to your services and resources – a CIAM solution needs to scale to demand to ensure the experience isn't compromised during times of peak usage.

In addition, most solutions available today will provide:

  • Some graphical analysis of user behaviour, which is available out of the box
  • Ability to ‘outsource’ credentials to other identity providers (IdPs) such as social IdPs* or Office 365

*Social login has become particularly prevalent and valuable in CIAM solutions – allowing customers to authenticate with popular social media providers, such as Facebook, rather than set up yet another username and password. Keep in mind that if it’s an outsourced service, it’s more likely to provide new authentication-related features as they become available.

The end result is happy customers, who trust your organisation and stay loyal to your brand.

Key technologies


GDPR-friendly identity-as-a-service.


High availability solution touching 1.75 billion identities.


Open Source product for building your own IAM solutions.


Single sign-on (SSO) with easy app registration including SAML & OpenID.


Registration-as-a-service and social login.


Customisable solution based around JavaScript.

Microsoft Azure AD B2C

Highly secure solution based on Microsoft’s Azure Active Directory.

In February 2019, it was reported that 617 million online account details had been stolen from 16 hacked websites – and were being sold on the dark web.

Why Microsoft Azure AD B2C?

Microsoft Azure AD B2C (“B2C”) is a comprehensive CIAM solution, but its security features are particularly compelling – offering highly advanced threat protection based on machine learning from Microsoft’s security graph.

The authentication journey, hosted in the Microsoft cloud, will react to the level of threat posed by the user’s credentials – if the credentials have been compromised, the perceived threat level is elevated and appropriate actions (e.g. locking the user out) can be taken by the B2C framework.

In addition:

  • B2C is highly available and scalable, built as it is on Microsoft’s world-beating Azure infrastructure. This puts it head and shoulders above other solutions in terms of reliability and capacity.
  • B2C is built on open standards including OAuth 2 and OpenID Connect, but also features an ‘Identity Experience Framework’ (IEF), a way to modify sign-up and sign-in journeys to include additional steps (or ‘user flows’) beyond typical out-of-the-box sign-up, sign-in, profile editing and password reset options.


What is the difference between Azure AD B2B and Azure AD B2C?

AAD and B2C live in separate directories (called ‘tenants’). When you invite B2B guest users into your organisation, they live in your main AAD tenant, whereas B2C users have their own tenant that does not mix with your AAD organisation. In addition, B2B has an invite model and B2C a registration model. Finally, the B2B login journey is not highly customisable, whereas the B2C authentication-related journeys are highly customisable (see below).

How much can I customise the B2C authentication journeys?

Using Microsoft’s Identity Experience Framework (IEF), you can make calls to attribute validators and attribute providers as part of the user journey. An attribute validator can check that user-provided attributes are correct, while an attribute provider can insert additional attributes into the journey. But as custom components, they can also execute other actions to fulfil your requirements. Essentially, you can model the journeys to your exact process.
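As an added illustration (not ThirdSpace's or Microsoft's code), the sketch below shows the logic of a REST endpoint acting as both attribute validator and attribute provider: a rejected value is answered with HTTP 409 and a `userMessage`, the error shape B2C's REST API technical profile displays to the user, and an accepted value is answered with HTTP 200 and the output claims. The claim names `membershipNumber` and `customerTier`, the number format and the tier table are assumptions made for the example.

```python
import json
import re

# Hypothetical claim names, number format and tier table, chosen for illustration.
MEMBERSHIP_RE = re.compile(r"[A-Z]{2}\d{6}")
TIERS = {"GD": "gold", "SV": "silver"}  # constructed stand-in for a CRM lookup


def conflict(message):
    """Validation failure: HTTP 409 plus a userMessage for B2C to show on the page."""
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}


def handle_claims(raw_body):
    """Process the claims a journey step posts; return (http_status, json_body)."""
    try:
        claims = json.loads(raw_body)
    except (TypeError, ValueError):
        return conflict("The request could not be read.")
    if not isinstance(claims, dict):
        return conflict("The request could not be read.")

    membership = str(claims.get("membershipNumber", "")).strip().upper()

    # Attribute validator: check the user-supplied value before the journey continues.
    if not MEMBERSHIP_RE.fullmatch(membership):
        return conflict("Membership number must be two letters followed by six digits.")
    tier = TIERS.get(membership[:2])
    if tier is None:
        return conflict("Membership number was not recognised.")

    # Attribute provider: return an extra claim for the journey to carry forward.
    return 200, {"membershipNumber": membership, "customerTier": tier}


if __name__ == "__main__":
    # Constructed sample request body.
    print(handle_claims(b'{"membershipNumber": "gd123456"}'))
```

An endpoint like this is reachable from the internet, so it should authenticate calls from the B2C policy and treat every incoming claim as untrusted input.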

Can I log my corporate users into Azure AD B2C using their existing credentials?

Yes, Microsoft Azure AD can be treated as another identity provider with B2C as a relying party.

Will B2C support my web application?

Microsoft provides a wealth of libraries and sample code for web applications, including C#/.NET, Node.js, and JavaScript for single-page apps (SPAs). Microsoft has also published additional samples on GitHub including Python/Flask and PHP code.

Will B2C support my mobile application?

Microsoft also provides sample code for mobile devices including iOS and Android.

Will B2C support my identity provider?

B2C supports many identity providers out of the box, including Microsoft Accounts, Google, Facebook, LinkedIn, Amazon, Weibo, QQ, WeChat, Twitter, and GitHub. In addition, you can add a custom provider if it conforms to the OpenID Connect standard.
