Also read B2B partner Identities in Azure AD and Migrating Existing AD users to AAD

Why B2C? Why not just use AAD?

There are two reasons: scale (B2C tenants usually hold far more users) and the custom sign-up and sign-in experiences that are built into B2C user flows.

What’s the downside of B2C Tenants?

B2C does not support group-based access (see Access Requests, a newer Azure feature, below).

How does Microsoft distinguish between B2C and B2B users?

B2C users are meant to be self-service users: self sign-up, self-service password reset, and so on. They are true EXTERNAL users, in that the company should not have to spend time managing their identities (think of popular consumer apps such as Redfin, Zillow, or Grubhub).

What other factors go into deciding whether an external user is a B2B user or a B2C User?

One of the bigger factors (apart from the self-service factor discussed above) is whether or not these users need access to on-premises apps (e.g. apps that require Windows authentication or Kerberos authentication). If so, B2B guest users are your only option; B2C is not equipped for this.

How does one grant access to on premises apps for B2B users?

One first needs to migrate any existing guest users to AAD (using either MIM or AD Connect sync). Next, one needs to publish each on-premises app through Azure AD Application Proxy so that authentication to it can flow from AAD.

Access Requests (only in B2B)

Access Requests are a simplified way to grant entire AAD groups access to apps in one go. However, at this time they seem to work only for enterprise apps in AAD (there are no enterprise apps in B2C tenants).

What about B2B users?

These are users that are added as 'Guest' users in your AAD tenant. Some external users (e.g. vendors) are truly B2B users. The thing to watch out for here is that these guest users may automatically be granted access to SharePoint Online and other O365 services if the settings on those O365 apps allow it.

B2B users can be vendors of SaaS apps (not really true collaborators) or actual B2B partners (collaborators). The not-really collaborators do not typically need to be in your AAD tenant (they can always log in directly to their own SaaS apps to troubleshoot).
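Because guest users inherit access from tenant-wide settings and group membership rather than from anything you explicitly grant per app, the practical check is to enumerate them. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the listed read scopes, and (for the optional SharePoint step) the SharePoint Online Management Shell module and a placeholder admin URL that you must replace.

```powershell
# Added example (not from the original post): audit guest (B2B) users in an Azure AD tenant
# and the tenant-level settings that decide what they can reach by default.
# Assumptions: Microsoft.Graph PowerShell SDK installed; signed-in account has the scopes
# below; the SharePoint step additionally needs Microsoft.Online.SharePoint.PowerShell
# and a real admin URL in place of the placeholder.

Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All", "Policy.Read.All"

# 1. Tenant-wide guest settings: what directory role guests get and who may invite them.
$authz = Get-MgPolicyAuthorizationPolicy
[PSCustomObject]@{
    GuestUserRoleId  = $authz.GuestUserRoleId       # restricted vs. member-equivalent guest permissions
    AllowInvitesFrom = $authz.AllowInvitesFrom      # who is allowed to invite guests
} | Format-List

# 2. Every guest user, with invitation state and group memberships.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState

$report = foreach ($g in $guests) {
    # Group membership is what typically unlocks SharePoint sites and Teams for a guest.
    $groups = Get-MgUserMemberOf -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    [PSCustomObject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        Created           = $g.CreatedDateTime
        InviteState       = $g.ExternalUserState       # PendingAcceptance = invited but never redeemed
        GroupCount        = @($groups).Count
        Groups            = ($groups -join '; ')
    }
}

# Guests that were never redeemed, or that sit in many groups, are the first ones to review.
$report | Sort-Object GroupCount -Descending | Format-Table -AutoSize
$report | Where-Object { $_.InviteState -eq 'PendingAcceptance' } |
    Select-Object DisplayName, UserPrincipalName, Created

# 3. (Optional) SharePoint Online external sharing level, which decides whether content
#    can be shared with guests at all. Replace the placeholder tenant name before running.
if (Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell) {
    Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder
    Get-SPOTenant | Select-Object SharingCapability, ShowEveryoneExceptExternalUsersClaim
}
```

Run this periodically and diff the output: a vendor guest that was invited for a one-off troubleshooting session and never removed will show up with an old creation date, and a guest in an unexpected number of groups is usually the result of a SharePoint or Teams sharing setting rather than a deliberate grant.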

Summary

B2C is useful, but one has to keep certain limitations in mind. It is far from the full-blown AAD, and one often needs custom programming to work around missing features.

Next Steps?

Need an experienced Azure Professional to help out with your Azure Security Strategy or AD / ADFS Migration? Set up a time with Anuj Varma. Anuj has migrated over 200 applications (legacy, custom, SaaS..) to Azure AD.

Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Identity Migration? Set up a time with Anuj Varma.