Azure External Identities is a powerful tool that allows you to manage external users and guests in your Azure AD tenant. This feature is particularly useful for B2B and B2C scenarios.
You can invite users from other organizations to collaborate on projects or access your resources, and they'll receive an email invitation with a link to accept the invitation. This makes it easy to onboard external users.
Azure External Identities also supports B2C scenarios, where you can enable external users to sign up or sign in to your applications using their social media accounts or email addresses. This is a great way to expand your user base and increase engagement.
With Azure External Identities, you can manage external users in the same way as internal users, including assigning roles, setting permissions, and monitoring their activity.
B2B and B2C Identities
Azure External Identities offers two main types of identities: B2B and B2C. B2B identities are used for business-to-business collaboration, allowing guests to sign in to Microsoft apps or become members of Teams. These identities are created when a guest accepts an invitation to share a document or join a group.
B2B identities are managed in the same workforce tenant as employees, but are typically annotated as guest users. They can be managed the same way as employees, added to the same groups, and so on.
In contrast, B2C identities are used for customer identity and access management. They are created in a separate consumer-based directory that is managed in the Azure portal through the Azure AD B2C service. Each Azure AD B2C tenant is separate and distinct from other Microsoft Entra ID and Azure AD B2C tenants.
Here's a comparison of B2B and B2C identities:
What Are Workforce Tenants?
A workforce tenant is a standard Microsoft Entra tenant that contains your employees, internal business apps, and other organizational resources.
In a workforce tenant, you can collaborate with external business partners and guests using B2B collaboration.
Your internal users can manage and access all the resources within the tenant, including registered apps and a directory of users.
This type of tenant is ideal for organizations that want to manage their internal employees and business apps while still allowing collaboration with external partners.
Here are the key features of a workforce tenant:
- Contains employees, internal business apps, and other organizational resources
- Supports B2B collaboration with external business partners and guests
- Allows internal users to manage and access all resources within the tenant
Consumer (B2C)
Consumer (B2C) identities are a crucial aspect of identity and access management. They allow organizations to manage external identities, such as customers or users who don't have a corporate identity.
Azure B2C is a legacy solution for customer identity and access management, and it's a separate consumer-based directory that you manage in the Azure portal. Each Azure AD B2C tenant is distinct from other Microsoft Entra ID and Azure AD B2C tenants.
Azure B2C supports consumer identities and has a different pricing model than Azure AD. It's commonly used in the retail industry, and there's no cost for the development and staging of Azure B2C directories as long as you have fewer than 50,000 monthly active users.
Azure B2C is an Identity Provider (IdP) that can federate with other social providers like Google, Amazon, and Facebook, and you can also create Local Users. It supports its own multi-factor authentication and Identity Protection security features natively.
To deploy Azure B2C, it's highly recommended to have a Web Application Firewall (WAF) like Azure Front Door, Akamai, or Cloudflare in front of your directory to protect against bots and bad actors.
Here are some key features of Azure B2C:
- Supports OAuth 2.0, OpenID Connect (OIDC), the Microsoft Authentication Library (MSAL), and a rich set of development languages such as .NET, PHP, Java, Ruby, and Node.js.
- Can create Local Users and supports its own multi-factor authentication and Identity Protection security features natively.
- Can federate with other social providers like Google, Amazon, and Facebook.
By using Azure B2C, organizations can create a separate Microsoft Entra tenant in an external configuration, which allows them to manage their apps and user accounts separately from their workforce.
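Because Azure B2C issues OpenID Connect tokens, every application that trusts it must check the issuer, audience, policy and lifetime of each token, not just the signature. The following is an added example (not code from the page or from Microsoft) of that relying-party check. It assumes the token's signature has already been verified against the JWKS advertised in the user flow's OpenID Connect metadata; the tenant name, tenant id, client id, policy name and sample claims are constructed placeholders.

```python
"""Validate the claims of an ID token issued by an Azure AD B2C user flow.

Added example. Signature verification against the user flow's jwks_uri is
assumed to have happened already; this covers the issuer, audience, policy
and lifetime checks a relying party must still perform afterwards.
"""
import time


def expected_issuer(tenant_name, tenant_id):
    """Issuer (`iss`) a B2C user flow emits when the policy name is omitted from the issuer URL."""
    return f"https://{tenant_name}.b2clogin.com/{tenant_id}/v2.0/"


def validate_b2c_claims(claims, tenant_name, tenant_id, client_id, policy, now=None, skew=60):
    """Return a list of problems found; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []

    # A token minted by another tenant (or a non-B2C issuer) carries a different `iss`.
    if claims.get("iss") != expected_issuer(tenant_name, tenant_id):
        problems.append("issuer mismatch")

    # A token issued for some other application registration must not be accepted here.
    if claims.get("aud") != client_id:
        problems.append("audience mismatch")

    # User flows stamp the policy that issued the token into `tfp` (older flows used `acr`).
    # Accepting any policy would let a lower-assurance flow (for example one without MFA)
    # mint tokens for this app, so pin the expected policy name.
    issued_by = claims.get("tfp") or claims.get("acr") or ""
    if issued_by.lower() != policy.lower():
        problems.append("unexpected policy")

    # Lifetime checks with a small clock-skew allowance.
    if "exp" not in claims or claims["exp"] + skew < now:
        problems.append("expired")
    if claims.get("nbf", 0) - skew > now:
        problems.append("not yet valid")

    return problems


# Constructed sample values (placeholders, not real tenant or app identifiers).
TENANT_NAME = "contosob2c"
TENANT_ID = "00000000-0000-0000-0000-00000000b2c1"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
POLICY = "B2C_1_signupsignin"
NOW = 1_700_000_000

GOOD_CLAIMS = {
    "iss": expected_issuer(TENANT_NAME, TENANT_ID),
    "aud": CLIENT_ID,
    "tfp": POLICY,
    "iat": NOW - 60,
    "nbf": NOW - 60,
    "exp": NOW + 3600,
    "sub": "constructed-user-object-id",
}

if __name__ == "__main__":
    print("good token:", validate_b2c_claims(GOOD_CLAIMS, TENANT_NAME, TENANT_ID, CLIENT_ID, POLICY, now=NOW))
    other_policy = dict(GOOD_CLAIMS, tfp="B2C_1_passwordless_test")
    print("other policy:", validate_b2c_claims(other_policy, TENANT_NAME, TENANT_ID, CLIENT_ID, POLICY, now=NOW))
```

The policy check is the one most often skipped: two user flows in the same B2C tenant share an issuer and can share an audience, so without pinning `tfp` a token from a test or lower-assurance flow is indistinguishable from one issued by the production sign-in flow.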
B2B Direct Connect
B2B Direct Connect is a feature that lets you create two-way trust relationships with other Microsoft Entra organizations. This enables the Teams Connect shared channels feature, allowing users to seamlessly sign in to Teams shared channels for chat, calls, file-sharing, and app-sharing.
With B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. This is different from B2B collaboration, where users are added as guests to your workforce directory.
To set up B2B direct connect, you use cross-tenant access settings to manage trust relationships with other Microsoft Entra organizations. You can define inbound and outbound policies for B2B direct connect to control user access.
Once you set up B2B direct connect with an external organization, you can enable the following Teams shared channels capabilities:
- A shared channel owner can search within Teams for allowed users from the external organization and add them to the shared channel.
- External users can access the Teams shared channel without having to switch organizations or sign in with a different account.
Licensing and billing for B2B direct connect are based on monthly active users (MAU).
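The inbound and outbound B2B direct connect policies described above are stored per partner organization in the cross-tenant access policy, which can be read and written through Microsoft Graph. The following added example (not code from the page or from Microsoft) builds a least-privilege partner configuration in the shape of the Graph `crossTenantAccessPolicyConfigurationPartner` resource and audits a list of existing partner configurations for settings that open direct connect to all users or all applications. The partner tenant id, group ids and sample payloads are constructed placeholders; the function that submits the payload to Graph is out of scope and would be an ordinary authenticated POST or PATCH to `/policies/crossTenantAccessPolicy/partners`.

```python
"""Build and audit Microsoft Entra cross-tenant access partner settings for B2B direct connect.

Added example. The dictionaries follow the Microsoft Graph
crossTenantAccessPolicyConfigurationPartner resource; identifiers below are constructed.
"""

# Well-known target values accepted in cross-tenant access policy target lists.
ALL_USERS = "AllUsers"
ALL_APPLICATIONS = "AllApplications"
OFFICE_365 = "Office365"  # application target used by B2B direct connect (Teams shared channels)


def direct_connect_partner_config(partner_tenant_id, inbound_partner_group_ids, outbound_home_group_ids):
    """Return a scoped B2B direct connect configuration for one partner organization.

    Inbound:  only the named groups *in the partner tenant* may reach us, and only via Office 365.
    Outbound: only the named groups *in our tenant* may join the partner's shared channels.
    """
    office_target = [{"target": OFFICE_365, "targetType": "application"}]
    return {
        "tenantId": partner_tenant_id,
        "b2bDirectConnectInbound": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": gid, "targetType": "group"} for gid in inbound_partner_group_ids],
            },
            "applications": {"accessType": "allowed", "targets": office_target},
        },
        "b2bDirectConnectOutbound": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": gid, "targetType": "group"} for gid in outbound_home_group_ids],
            },
            "applications": {"accessType": "allowed", "targets": office_target},
        },
    }


def _allows_target(section, wildcard):
    """True when a usersAndGroups/applications section explicitly allows the given wildcard target."""
    return section.get("accessType") == "allowed" and any(
        t.get("target") == wildcard for t in section.get("targets", [])
    )


def audit_partner_configs(partners):
    """Flag partner entries whose direct connect settings allow every user or every application.

    `partners` is the `value` array of GET /policies/crossTenantAccessPolicy/partners.
    Returns (tenantId, direction, reason) tuples. A null direction means the tenant
    default settings apply and should be reviewed separately.
    """
    findings = []
    for partner in partners:
        for direction in ("b2bDirectConnectInbound", "b2bDirectConnectOutbound"):
            setting = partner.get(direction)
            if not setting:
                continue
            if _allows_target(setting.get("usersAndGroups", {}), ALL_USERS):
                findings.append((partner["tenantId"], direction, "all users allowed"))
            if _allows_target(setting.get("applications", {}), ALL_APPLICATIONS):
                findings.append((partner["tenantId"], direction, "all applications allowed"))
    return findings


# Constructed sample: one over-permissive partner entry and one scoped entry.
PERMISSIVE_PARTNER = {
    "tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
    "b2bDirectConnectInbound": {
        "usersAndGroups": {"accessType": "allowed", "targets": [{"target": ALL_USERS, "targetType": "user"}]},
        "applications": {"accessType": "allowed", "targets": [{"target": ALL_APPLICATIONS, "targetType": "application"}]},
    },
    "b2bDirectConnectOutbound": None,
}
SCOPED_PARTNER = direct_connect_partner_config(
    "aaaaaaaa-0000-0000-0000-000000000002",
    inbound_partner_group_ids=["partner-group-id-placeholder"],
    outbound_home_group_ids=["home-group-id-placeholder"],
)
SAMPLE_PARTNERS = [PERMISSIVE_PARTNER, SCOPED_PARTNER]

if __name__ == "__main__":
    for finding in audit_partner_configs(SAMPLE_PARTNERS):
        print("finding:", finding)
```

Because the tenant default for direct connect is "blocked" for all users and applications, the audit only reports explicit `allowed` wildcards; a `null` direction inherits the defaults, so a change to the defaults should be reviewed with the same care as a partner-specific entry.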
Comparing ID Features
You can enable two main scenarios with External ID: one for workforce tenants and one for external tenants.
In a workforce tenant, External ID allows your employees to collaborate with business guests who can use their preferred identities to sign in to Microsoft Entra resources. This provides access to Microsoft applications or your own custom-developed applications.
The primary scenario in a workforce tenant is intended for collaborating with business partners from external organizations. These users might not have Microsoft Entra ID or managed IT.
Guest users in a workforce tenant are managed the same way as employees, with the same default permissions. They can be added to the same groups, and cross-tenant access settings determine which external organizations' users can take part in B2B collaboration.
SSO to all Microsoft Entra connected apps is supported in a workforce tenant, including access to Microsoft 365 or on-premises apps.
In an external tenant, External ID is used to publish apps to external consumers and business customers. This provides identity and access management for modern SaaS or custom-developed applications.
The intended use for an external tenant is for consumers and business customers of your app, who are managed in a separate tenant from employees.
App users in an external tenant have different default permissions than users in a workforce tenant and are managed in the external tenant, separate from the organization's employee directory.
Here's a comparison of the two scenarios:
Frequently Asked Questions
What are external identities?
An external identity is a synchronization key that connects identity entries across different systems. It helps coordinate identity information between your metadata and authentication provider.
What are external identity providers?
External identity providers are external applications and services that store and manage user identity information, providing authentication services to other systems.
Who are the external members of Entra ID?
External members of Entra ID are individuals from outside your organization who can access your applications securely using their own logins. These users can be customers, partners, or other external parties that require access to your services.
Sources
- https://practical365.com/azure-ad-external-identities/
- https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview
- https://stackoverflow.com/questions/77378500/azure-ad-b2c-vs-azure-active-directory-external-identities-vs-microsoft-entra-ex
- https://medium.com/the-new-control-plane/some-thoughts-on-ciam-external-id-and-azure-ad-b2c-65aeb5a611e4
- https://docs.fintechos.com/Platform/24.0/AdminGuide/Content/Security/ftosIdpAzureAd.htm