When migrating your existing user identities from Active Directory to Azure AD, one of the more common scenarios you run into is existing B2B and B2C users in the on-premises AD. These may have been added for specific use cases and are now in your AD, for better or for worse, and they need to be migrated over to the Azure AD tenant somehow.

How does Microsoft distinguish between B2C and B2B users?

B2C users are meant to be self-service users: self sign-up, self-service password reset, and so on. They are true EXTERNAL users, in that the company should not have to spend time managing their identities (think of consumer apps such as Redfin, Zillow or Grubhub).

What other factors go into deciding whether an external user is a B2B user or a B2C user?

One of the bigger factors (apart from the self-service factor discussed above) is whether or not these users need access to on-premises apps (e.g. apps that require Windows authentication or Kerberos authentication). If so, B2B guest users are your only option; B2C is not equipped for this.

Why not have B2C users in the same tenant as B2B users?

The volume of B2C users can be considerably higher than the volume of B2B users. Tenant performance was one reason Microsoft chose to separate the B2C tenant out.

I have existing B2B users (VENDOR / PARTNER / DEALER users) in our on-premises Active Directory. What is the best way to get them into Azure AD?

AD Connect Sync is your only option. B2B users can be synced from AD to Azure AD with a member type of GUEST. During sync, you define a mapping for the external user based on their UPN or email address (typically this will be different from a corporate AD email address).

I have existing B2C users in my Active Directory. What is the best way to get them into Azure AD?

AD Connect Sync does not support this scenario. Your only option is to write Graph API calls to create those users in a B2C tenant.
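As an added example (not code from the original post), the following Python builds the Microsoft Graph "create user" request bodies for B2C local accounts from rows of an on-premises AD export. The tenant name, the export columns (displayName, mail, givenName, sn) and the sample rows are all assumptions constructed for the example. Because AD password hashes cannot be carried into B2C, each body carries a random throwaway password; the assumed migration flow is that users then set their own password through the B2C password-reset flow. Nothing is sent over the network: the batch is reviewed as a dry run first, and rows without a usable mail address or with a duplicate sign-in identity are reported rather than silently dropped.

```python
"""Build Microsoft Graph request bodies for B2C local-account users from an AD export.

Added example, not from the original post. Hypothetical assumptions: the B2C tenant is
contoso.onmicrosoft.com, export rows carry displayName/mail/givenName/sn, and migrated
users will reset their password via the B2C password-reset flow (AD hashes cannot be moved).
"""
import json
import re
import secrets
import string

B2C_TENANT = "contoso.onmicrosoft.com"  # hypothetical tenant name
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
_SYMBOLS = "!#%&*+-=?@"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample rows, shaped like the output of Get-ADUser | Export-Csv.
SAMPLE_AD_EXPORT = [
    {"displayName": "Jane Customer", "mail": "Jane@Example.com", "givenName": "Jane", "sn": "Customer"},
    {"displayName": "Raj Shopper", "mail": "raj@example.org", "givenName": "Raj", "sn": "Shopper"},
    # same sign-in identity as the first row, differing only in letter case
    {"displayName": "Jane Customer (old)", "mail": "jane@example.com", "givenName": "Jane", "sn": "Customer"},
    # no mail address: cannot become an email-sign-in local account
    {"displayName": "No Mail", "mail": "", "givenName": "No", "sn": "Mail"},
]


def temporary_password(length: int = 24) -> str:
    """Random throwaway password meeting typical complexity rules; the user never learns it."""
    alphabet = string.ascii_letters + string.digits + _SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in _SYMBOLS for c in pw)):
            return pw


def build_b2c_user(row: dict, tenant: str = B2C_TENANT) -> dict:
    """Map one AD row to the Graph body that creates a B2C local account with email sign-in."""
    mail = (row.get("mail") or "").strip().lower()  # normalise so duplicates are detectable
    if not _EMAIL_RE.match(mail):
        raise ValueError(f"row for {row.get('displayName')!r} has no usable mail address")
    return {
        "displayName": row["displayName"],
        "givenName": row.get("givenName"),
        "surname": row.get("sn"),
        # signInType=emailAddress plus issuerAssignedId is what makes this a B2C local account
        "identities": [{"signInType": "emailAddress", "issuer": tenant, "issuerAssignedId": mail}],
        "passwordProfile": {"password": temporary_password(), "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }


def build_batch(rows, tenant: str = B2C_TENANT):
    """Return (bodies, skipped): rows without mail or with a duplicate identity are skipped with a reason."""
    bodies, skipped, seen = [], [], set()
    for row in rows:
        try:
            body = build_b2c_user(row, tenant)
        except ValueError as exc:
            skipped.append((row.get("displayName"), str(exc)))
            continue
        ident = identity_of(body)
        if ident in seen:
            skipped.append((row.get("displayName"), f"duplicate sign-in identity {ident}"))
            continue
        seen.add(ident)
        bodies.append(body)
    return bodies, skipped


def identity_of(body: dict) -> str:
    """The email the B2C user will sign in with."""
    return body["identities"][0]["issuerAssignedId"]


if __name__ == "__main__":
    bodies, skipped = build_batch(SAMPLE_AD_EXPORT)
    for body in bodies:
        # dry run: show what would be POSTed (with a bearer token for the B2C tenant), password redacted
        shown = json.loads(json.dumps(body))
        shown["passwordProfile"]["password"] = "<redacted>"
        print(f"POST {GRAPH_USERS_URL}\n{json.dumps(shown, indent=2)}\n")
    for name, why in skipped:
        print(f"SKIPPED {name}: {why}")
```

Run it as-is for the dry run; to perform the migration, POST each body to the users endpoint with an access token that has User.ReadWrite.All on the B2C tenant, and keep the skipped list for manual review.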

How do I handle future (new) B2B users?

AD Connect Sync will handle existing users, but what about new B2B users?

The sync that is set up for Azure AD can be a two-way sync. The synchronization rules you define are either outbound (from AD to Azure AD) or inbound (from Azure AD to AD).

You can define both INBOUND and OUTBOUND rules to handle two-way synchronization.

What SOURCE attribute should be used for the synchronization rule?

This is the key aspect of your sync: typically the UPN or the email address on your AD user would be the source attribute.


Need an experienced Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.

How do I handle future (new) B2C users?

Self sign-up. B2C users are self-service, so new B2C users create their own accounts in the B2C tenant rather than being synchronized from AD.