Azure AD B2B vs B2C: What are the key differences between Microsoft’s external access products?

The management of external identities has changed a great deal in recent years, with Microsoft‘s approach being no exception.

If you‘re reading this blog, you‘ve likely come across the two products Microsoft uses to facilitate external access, Azure AD B2B and Azure AD B2C.

On the surface, it would seem self-explanatory that B2B is used to provide access to partners and suppliers whilst B2C caters to customer-facing interactions.

Like much of life, however, things are never so clear cut. Azure AD B2B and B2C may have begun life intended for these purposes, but there‘s an increasing amount of crossover in their application.

This can make things difficult for when it comes to selecting the right technology choice for your scenario. In this blog, I shall attempt to clarify the differences between the two and highlight how they can best serve your external access needs.

Azure AD B2B and B2C explained

So, how does Azure AD B2B work?

B2B (or ‘Azure AD B2B collaboration’) addresses the problem of sharing your applications with external users and is a feature of Azure AD rather than a standalone service.

These users could be suppliers, customers, partners, or any kind of external user with whom you wish to collaborate.

In the past, you may have just created a user account on your corporate Active Directory (i.e. a ‘local account’) to invite an external user to use a web application. Or, if you have ADFS infrastructure, you may have established a trust relationship between your ADFS server and your partner’s.

The local account solution is an easy fix – but it comes with a housekeeping problem. When the external user leaves, you may not be notified immediately (or at all) of their departure – which means they could retain access even when they should not have it.

The ADFS solution is a neater one – but is complex and requires all of your partners to have a similar solution and to set up trusts between each organisation.

In response, Microsoft created Azure Active Directory B2B, where you simply invite a user by email to start the ball rolling:

• The user receives an email with a link to accept the invitation.
• The authentication happens in the right place (at the user’s organisation).
• The trust relationship is established in the background – without any new hardware or configuration.
• Credentials stay in the guest directory.
• Access control is managed in the host directory.

You can onboard users in four main ways – simply pick the model that best suits your relationship with the external users:

1. Individual email invitation.
2. Access packages (individuals apply for and are granted access via an approval process).
3. Self-service User Flows (Individuals apply for access via an automated verification process).
4. Bulk invite via CSV upload.

There are many advantages of using B2B to invite guests into your organisation:

• You can place guests into the same groups as your employees to manage access to resources.
• You can invite users and bundle up access using access packages (via an Azure AD feature called ‘entitlement management’).
• You can control and review access with Azure AD’s conditional access and access reviews.
• You can easily create ‘terms of use’ that your guests must accept before they gain access.

What is Azure AD B2C?

Azure AD B2C provides a security and authentication solution for your outward-facing applications and is independent of your corporate Azure AD.

The actual authentication process works in a very similar way to B2B. But B2C is not designed to allow access to your employee groups and other resources, as it is primarily intended for end customers.

B2C provides complex user flows (known as custom policies). This feature allows you to have multi-step sign-in experiences, which can be useful for providing or verifying attributes.

For example, with one of our insurance company clients, existing customers with no online relationship with the company needed to be able to sign up to the website and see their documents.

To make this happen, B2C needed to verify the customer’s identity using an API call during sign up.

After accepting the terms and conditions, the customer submits their account number and a one-off ‘activation code’. Providing these two items allows the policy to check their identity.

The policy sends the data to a web service (API) external to B2C and receives a response which tells it whether the user is indeed a customer.

At this point, the customer can now continue to set up their credentials, complete the sign-up process, and access their documents.

At time of writing, B2C offers some features that B2B does not have:

• Out-of-the-box integration with a wide range of identity providers including MSA, Amazon, and more: B2B only offers out-of-the-box integration with Google accounts and Facebook accounts.
• Custom policies with multiple steps: B2B offers journey steps but in a more limited way – for example, you can call an external API but at the moment you only have two choices about when to call it.

Convergence

However, Microsoft is rapidly developing new capabilities for B2B.

Recent additions to Azure Active Directory include:

• Additional attributes
• Custom page layouts in user flows
• API connectors (ability to call an external API during a user flow)

So, what we’re seeing is a trend of convergence between the two products. The restriction of having to choose B2C if you want a customised look and feel no longer applies.

This means that these two products are increasingly venturing beyond the confines of their original B2B and B2C remits. It’s more about deciding on the functionality you require and selecting the product that suits you best, regardless of whether it’s a partner or customer access scenario.

I wouldn’t be at all surprised if Microsoft were to eventually do away with the B2B and B2C labels. As these two products become ever more entwined, they’ll act as a single external access management suite.

Key takeaways

Next steps