Overview of Partner Users in Azure AD
  • Partners are treated a little differently from Vendors (and other external users). Typically, a VENDOR type of user will not require SSO and MFA from your AAD tenant.
  • Partner users will need all of these features.  Partners may also need sharing (teams channels, calendars etc.) – which come at an additional cost (possible O365 license assignment).
Are Partner users B2B users or B2C Users?
Both B2B users (guest users who are INVITED, usually meant for collaboration with INTERNAL apps) and B2C users (can be WORK users, but are usually consumers, meant for PUBLIC facing apps), can be used for PARTNER identities.
What drives you towards one or the other is ‘how much self service do you want to provide the end user’? Here are some questions you need to ask yourself while making this decision:
Some Questions to Answer before deciding between B2B Partner Collaboration (guest users in AAD) and B2C Users (work users) 
  1. What aspects of the partner’s identity maintenance do you want to take over? Do you want to give them SSPR (Self Service Password Reset)? This will allow them to reset passwords in their original password store (the partner’s O365 or AAD tenant). SSPR cannot be provided if the original identity is a non-Microsoft identity.
  2. Do the partners need collaboration (Sharepoint, Teams etc.)? This is a driver towards B2B (and also requires P1 or P2 licensing per user). B2C isn’t equipped to handle internal app sharing – it is designed for authentication and access to PUBLIC facing assets.
  3. Do you need an identity risk monitoring profile? These profiles are available in both B2C and B2B – but are at different levels of sophistication.
  4. Will they have an external identity, or will they have just an email address (OTP support)? If all they have is an email address, then they fit the B2B guest user model – these users can be authenticated using OTP (One Time Passcode based authentication). B2C (to my knowledge) does not support JUST email based OTP (to confirm).
  5. Will they require MFA? If yes – the question is – what level of work do you (the AAD owner) want to undertake to provide MFA. Both B2C (a little more work to set up user flows) and B2B (no work – just enable conditional access on B2B users) support MFA for external users.
What if I create a whole new AAD tenant, or add them to the existing corporate AAD tenant, for these B2B users?
Yes – Adding them to the existing corporate tenant will allow easier collaboration. However, if collaboration is not a requirement, opt for a completely new B2B tenant within the same subscription.
  • Inside Existing Corporate AAD Tenant – This is an option. Each B2B user is essentially treated the same as an employee. Whether you grant them P1 or P2 licenses (for O365 access) is going to drive costs up ($5/user). If they need collaboration, this is your only option.
  • Separate Tenant – You could add all those partner users into their own AAD tenant – a separate AAD tenant from the corporate AAD tenant. This would not allow the collaboration pieces – but would help ISOLATE these external users to their own tenant.
  • Inside Existing Corporate AAD Tenant, Separate Domain – This is yet another option. Users will log in to a separate domain, e.g. portal.<MYDOMAIN>.com
B2B Guest users WITHIN the existing AAD tenant is the best Option
Invite partner users into the current AAD corporate tenant as b2b users. The cost for such users is low – 50,000 users free per month.
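The two steps the post recommends – invite the partner as a B2B guest, then cover guests with a conditional access policy that requires MFA (question 5 above) – map directly onto Microsoft Graph calls. The script below is an added example, not code from the original post; it assumes an app registration holding the User.Invite.All, Policy.ReadWrite.ConditionalAccess and Policy.ReadWrite.AuthenticationMethod permissions and an access token already obtained (for instance via MSAL). The token, the partner address and the redirect URL are placeholders. It also shows the email OTP toggle for guests who have no external identity (question 4), and a small check that tells a B2B guest object apart from a member when you later audit the directory.

```python
"""Invite a partner as an Azure AD B2B guest and require MFA for all guests.

Added example (not from the original post). Placeholders: ACCESS_TOKEN,
the partner e-mail address and the redirect URL.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_invitation(email: str, redirect_url: str, message: str = "") -> dict:
    """Body for POST /invitations. The partner keeps their own credentials
    (and password reset) in their home tenant; we only get a Guest object."""
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,
        "invitedUserType": "Guest",
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def build_guest_mfa_policy(display_name: str, report_only: bool = True) -> dict:
    """Body for POST /identity/conditionalAccess/policies: MFA for every
    guest or external user on every application. Created in report-only
    mode first so the sign-in log shows the impact before enforcement."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def build_email_otp_setting(enabled: bool = True) -> dict:
    """Body for PATCH /policies/authenticationMethodsPolicy/
    authenticationMethodConfigurations/email: lets guests who only have an
    e-mail address sign in with a one-time passcode."""
    return {
        "@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
        "allowExternalIdToUseEmailOtp": "enabled" if enabled else "disabled",
    }


def is_b2b_guest(user: dict) -> bool:
    """True for a B2B guest as returned by GET /users: userType is Guest and
    the UPN of an invited user carries the #EXT# marker."""
    return user.get("userType") == "Guest" and "#EXT#" in user.get("userPrincipalName", "")


def graph_call(token: str, method: str, path: str, body: dict) -> dict:
    """Minimal Graph client on the standard library (no network in tests)."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method=method,
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    TOKEN = "<ACCESS_TOKEN>"  # placeholder: obtain via MSAL or similar
    # Invite one partner user (placeholder address and redirect URL).
    inv = graph_call(TOKEN, "POST", "/invitations",
                     build_invitation("jane@partner.example", "https://portal.example.com"))
    print("guest object:", inv["invitedUser"]["id"], inv["status"])
    # Require MFA for all guests (report-only until reviewed in sign-in logs).
    pol = graph_call(TOKEN, "POST", "/identity/conditionalAccess/policies",
                     build_guest_mfa_policy("Require MFA - guests and external users"))
    print("policy:", pol["id"], pol["state"])
    # Allow e-mail OTP for guests without an Azure AD or Microsoft account.
    graph_call(TOKEN, "PATCH",
               "/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email",
               build_email_otp_setting(True))
```

Keep the policy in report-only mode until the sign-in log confirms that every guest sign-in would have been prompted and nothing else is caught; then flip `report_only=False`. Because the invitation creates only a Guest object, password reset stays with the partner's home tenant, which is exactly the SSPR behaviour described in Appendix B.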
What does B2C buy me that B2B does not?
Every partner will get their own username and password (in the b2c tenant). Most aspects can be made self service.
The real question to ask is – are the users for an EXTERNAL facing app that contains its own native logins? If so – B2C is your choice.
Also, do you want to provide a CONSISTENT sign up and sign in experience ACROSS ALL your EXTERNAL apps? Only B2C can serve that purpose.

Cost 

External users are priced at – first 50,000 are free – regardless of b2c or b2b.

Next Steps

Contact Cloud Identity Architect today

Appendix A – Guest User Invitation Flow per Microsoft

Appendix B – Password reset for B2B users

Password reset and change are fully supported on all business-to-business (B2B) configurations. B2B user password reset is supported in the following three cases:

  • Users from a partner organization with an existing Azure AD tenant: If the organization you partner with has an existing Azure AD tenant, we respect whatever password reset policies are enabled on that tenant. For password reset to work, the partner organization just needs to make sure that Azure AD SSPR is enabled. There is no additional charge for Microsoft 365 customers.
  • Users who sign up through self-service sign-up: If the organization you partner with used the self-service sign-up feature to get into a tenant, we let them reset the password with the email they registered.
  • B2B users: Any new B2B users created by using the new Azure AD B2B capabilities can also reset their passwords with the email they registered during the invite process.

Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.