In this post, I discuss the features of Azure Active Directory B2B (AAD B2B) and Azure Active Directory B2C (AAD B2C), the differences between them and when to use one vs the other.
In B2B, the B stands for Business. AAD B2B allows external organizations to connect to your apps. For instance, AAD B2B has features to automatically manage the user based on the user’s identity, offshore the management to the original organization from where the user’s identity comes from, or let the user self manage the account. Examples of what you can do with AAD B2B:
- Use Dynamic Groups to automatically assign a user to a group based on attributes such as the user’s email, userType, companyName etc …
- Allow a user to self manage the account or request access to applications via MyApps portal.
- Allow a user to sign in once to use applications which the user has access.
- Delegate access management to application and group owners. For example, you can register an application and grant a group access to the application. The group’s owner can add other users to the group. Effectively, you delegate the access management to the group’s owner who may belong to your organization or an external organization.
- Allow the host organization to enforce access policies for their own users to access the applications in your directory. Example of access policies:
- Trusted network access
- MFA enforcement
- Trusted device access
- View audit and report logs for a user.
In B2C, the C stands for consumers. With AAD B2C, you can federate to any identity providers which support standard protocols: Open ID Connect, OAuth, or SAML.
You define and customize the authentication and authorization process via policies.
Out of the box, AAD B2C provides built in policies for federating to popular social platforms including Facebook, LinkedIn, Google, Twitter etc … You can easily configure the built-in policies to customize the login page, the registration page, and specify additional attributes you want the user to provide during registration.
You can use custom policies to connect to your own or any identity provider as long as they support one of the protocols mentioned above. Indeed, you have great flexibility in terms of what you can do using custom policies. For instance, you can have AAD B2C call your custom REST API to perform additional logic or pull in additional data during the authentication/authorization process.
Which one to choose?
Essentially it comes down to your needs. If you want the users to manage their own accounts or delegating access management tasks to admins or host organizations, then use AAD B2B. Otherwise, if you want to manage the users directly and only federating to other identity providers, then use ADD B2C.
Another thing to consider for government entities is AAD B2C is only available on an Enterprise subscription. It is not available on a government subscription.
One other key point I got from a Microsoft professional which distinguish AAD B2B from AAD B2C:
If you want external users (partners) to give access to your Office 365 apps then B2B is the only way to go, since SharePoint and other office apps do not accept B2C tokens.
It is possible to combine both AAD B2B and AAD B2C solutions in your system. Here is the sample project from Microsoft which demonstrates using both technologies in a single app.
Both AAD B2B and AAD B2C are federated identity management solutions. As such, they each allow a user to authenticate using the user’s own identity which is external to your directory. For instance, either AAD B2B or AAD B2C supports federating to Google for authentication. However, AAD B2C primarily targets individual users, whereas B2B provides features for access management at the organization level. Which one to choose depends on your needs. You can even combine the two solutions in your system.