Azure AD B2C or Microsoft Entra External ID – how to choose?

Customer Identity and Access Management (CIAM) has become crucial for many organizations in today’s digital landscape. CIAM is particularly important in industries such as e-commerce, finance, healthcare, and any other sector where businesses interact with customers online. The goal is to create a secure, seamless, and personalized experience for customers while ensuring compliance with privacy regulations.

This article explores two Customer Identity and Access Management solutions offered by Microsoft in the Azure cloud: Azure Active Directory B2C and Microsoft Entra External ID (Entra ID for customers). We’ll also provide guidance to help you decide which one is the right choice to kick-start your journey into Customer Identity and Access Management.

Azure Active Directory B2C – a mature product with a rich set of features

Azure Active Directory B2C is a powerful customer identity and access management (CIAM) solution available in the Microsoft Azure cloud that can handle millions of users and billions of authentications every day. With built-in scalability and security features, the platform protects the authentication process, continuously monitoring and mitigating threats such as denial-of-service attacks, password spray attacks, and brute-force attacks.

Azure AD B2C provides authentication services for customers accessing business resources such as websites or mobile applications. It supports multiple authentication methods such as social identity providers (Facebook, Google, etc.), enterprise identity providers (Active Directory, Okta, etc.), and local accounts (email, password).

That is not all. Azure AD B2C allows businesses to customize the user experience by applying their own user interface (UI) and branding, ensuring a consistent and seamless user experience. Below, two login pages are shown with modified branding.

Azure Active Directory B2C supports MFA (Multi-factor Authentication), enabling businesses to require additional verification from customers before granting access to their resources. MFA adds an extra layer of security, reducing the risk of unauthorized access.

Azure Active Directory B2C provides analytics and reporting features, allowing businesses to monitor and analyze user activity, and gain insights into authentication trends and patterns. This information can be used to improve the user experience and enhance security measures.

As we can see, Azure AD B2C is a mature product with a rich set of features for implementing secure and scalable CIAM solutions. However, there are some challenges worth discussing before deciding to choose it. Let’s talk about them.

Azure Active Directory B2C – what are the challenges?

While Azure AD B2C is a mature product with a rich set of features, there are still important challenges worth considering. Let’s discuss them.

Advanced authentication scenarios implementation

Azure AD B2C provides two ways to implement flows like login or registration. Let’s discuss them quickly. We can leverage user flows and define them directly in the Azure portal. With this approach we can define simple flows like login or registration, including calls to external systems (APIs). However, user flows are limited in nature, and to implement more advanced authentication scenarios we must use custom policies instead. Custom policies are XML files that enable implementing advanced scenarios for different kinds of flows, like login, registration or password reset. We have almost full control over each step in the user’s authentication journey. However, implementing custom policies requires specialized knowledge and is not as convenient for developers as working with JSON files. Many developers find it challenging to implement custom policies, and the learning curve is quite high.

DevOps practices and automation

I mentioned above that implementing advanced authentication scenarios with Azure AD B2C requires custom policies (XML files). Nowadays every modern solution leverages DevOps practices and automation. Automating the deployment of custom policy XML files can be challenging. That does not mean it is impossible; it means that when Azure AD B2C was created, DevOps practices were not so broadly adopted and required.

Native Device Authorization Grant support

Modern solutions sometimes require the OAuth 2.0 Device Authorization Grant. What is it? In simple words, this flow enables devices with no browser or limited input capability to obtain access tokens. This is commonly seen on smart TVs, IoT devices, or printers. Unfortunately, Azure AD B2C does not support this flow natively.

Native Authentication support

Securing web applications with Azure AD B2C is a great choice. As mentioned before, we can customize the look and feel of the login or registration pages provided by Azure AD B2C. While this is a great solution in the world of web applications, sometimes there is a strong need to integrate login or registration pages into the application itself. Mobile applications are a perfect example here. Sometimes there is a requirement to avoid redirecting the user to the web browser on the mobile device to complete the authentication process. Instead, there is a need to implement native login and registration pages within the mobile application. Unfortunately, this is not possible with Azure AD B2C, as it does not provide any authentication API that application developers could use.

Microsoft Entra External ID

Microsoft Entra External ID is the successor to Azure AD B2C. It is a complete customer identity and access management solution that allows personalizing and securing access to any application for customers and partners. CIAM (Customer Identity and Access Management) capabilities are built into Microsoft Entra ID, so we can benefit from platform features like enhanced security, compliance, and scalability. Below are just some of the rich set of capabilities Microsoft Entra ID offers.

Branded login and registration pages

Microsoft Entra External ID provides the ability to customize the look and feel of login and registration pages, which provides a deeper level of personalization for our customers. Here is an example of the branded login page for our Formula Healthcare demo solution:

It is worth mentioning that it is possible to adjust which user attributes we want to collect during the registration process.

Native Device Authorization Grant support

Microsoft Entra External ID fully supports the OAuth 2.0 Device Authorization Grant. This means we can use it to implement authentication flows on smart TVs, IoT devices, or printers.
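To make the Device Authorization Grant mentioned here and in the B2C section concrete, the following is an added example (not code from this article and not an Azure or Entra SDK) of the device-side polling loop defined in RFC 8628, including the `slow_down` back-off and expiry handling. The token endpoint is a constructed in-memory stub, and the `device_code`, `user_code` and URI values are made up so the flow runs offline.

```python
# Added example, not the article's or Microsoft's code: the OAuth 2.0 Device
# Authorization Grant (RFC 8628) as seen from the device, against a constructed stub.
from dataclasses import dataclass

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed device-authorization response (what a real /devicecode endpoint
# returns); the device shows user_code and verification_uri to the user.
DEVICE_AUTH = {"device_code": "constructed-device-code", "user_code": "WDJB-MJHT",
               "verification_uri": "https://example.invalid/device", "interval": 5, "expires_in": 900}

class FakeClock:  # deterministic clock so the polling loop does not really wait
    def __init__(self): self.now = 0
    def sleep(self, seconds): self.now += seconds

@dataclass
class StubTokenEndpoint:
    """Replays scripted token-endpoint responses in order (constructed stand-in)."""
    responses: list
    calls: int = 0
    def token(self, grant_type, device_code):
        assert grant_type == DEVICE_GRANT and device_code == DEVICE_AUTH["device_code"]
        self.calls += 1
        return self.responses.pop(0)

def poll_for_token(endpoint, auth, clock):
    """Device-side loop: honour the interval, back off on slow_down, stop on a
    terminal error or once expires_in has elapsed. Returns (status, payload)."""
    deadline = clock.now + auth["expires_in"]
    wait = auth["interval"]
    while clock.now < deadline:
        clock.sleep(wait)
        resp = endpoint.token(DEVICE_GRANT, auth["device_code"])
        if "access_token" in resp:
            return "authorized", resp
        err = resp.get("error")
        if err == "authorization_pending":
            continue                  # user has not finished on the other device yet
        if err == "slow_down":
            wait += 5                 # RFC 8628 section 3.5: add 5 seconds to the interval
            continue
        return err or "error", resp   # access_denied, expired_token or another error
    return "expired_token", {}

def demo():
    """Two pendings, one slow_down, then a token: succeeds on the 4th poll after 25 s."""
    clock = FakeClock()
    ep = StubTokenEndpoint([{"error": "authorization_pending"}, {"error": "authorization_pending"},
                            {"error": "slow_down"}, {"access_token": "constructed-token"}])
    status, tok = poll_for_token(ep, DEVICE_AUTH, clock)
    return status, tok.get("access_token"), ep.calls, clock.now
```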

Integration with social accounts

As previously mentioned, customers desire the flexibility to choose their preferred login options. Some may prefer using Facebook, while others may prefer a Google account. Enabling these options in our Customer Identity and Access Management (CIAM) solution is crucial. Microsoft Entra External ID simplifies this process by providing easy configuration for integrating with popular social identity providers such as Facebook and Google. Once set up, customers can conveniently select their preferred identity on the login page, enhancing their overall authentication experience.

Easy integration with external systems

Customer Identity and Access Management (CIAM) is not only about login and registration forms; it is more complex. When implementing a CIAM solution we have to stay compliant with many different kinds of regulations, like GDPR, CCPA, or HIPAA. This is where Microsoft Entra External ID can also help. We can integrate it with existing systems within an organization, like a CMS (Consent Management System). It is possible to call an external system during user authentication to exchange data and include it in the token issued to the application.

Native Authentication support

Native Authentication provides the freedom to fully customize the login experience. This means we can create visually appealing and flawless authentication screens that seamlessly blend into our applications, eliminating the need to depend on browser-based solutions (redirection to the web browser to complete authentication process).

With the new platform, Microsoft Entra External ID, we can choose to use the authentication API or the Microsoft Authentication Library (MSAL) for Android and iOS. We have the power to construct engaging sign-up and sign-in journeys. This API-centric approach not only grants flexibility in design but also enables the development of highly tailored interactions and flows. These capabilities are crucial for building exceptional and enjoyable consumer mobile applications.

Resource management with Microsoft Graph API

Microsoft Entra External ID for customers was designed with automation and DevOps scenarios in mind. This means that we can manage resources in a Microsoft Entra ID for customers directory using the Microsoft Graph API. Supported operations include creating user flows, registering custom extensions and applying custom branding. This means that we can not only benefit from a secure and resilient platform but also use tools like Azure DevOps or GitHub to implement automation and deployment processes for Microsoft Entra External ID.

Decision – how to choose?

The most important question is about requirements and a need for advanced, complex authentication scenarios.

Choose Azure Active Directory B2C when:

  • You have an immediate need for a mature, production-ready identity solution.
  • You need to implement advanced authentication scenarios, for example a multi-page registration process integrated with external systems (APIs).
  • You do not need to implement crafted-to-perfection login and registration pages within your application.
  • You do not have a strong requirement for the device code flow to support authentication on devices without a web browser.

Choose Microsoft Entra External ID for customers when:

  • You are starting your journey with CIAM and are in the early stages of discovering your production scenarios.
  • You need to implement crafted-to-perfection login and registration pages inside your application without any web browser redirections.
  • You want to benefit from the new CIAM features that will be added to the new platform.
  • You want to benefit from the modern DevOps practices for your identity solutions.

Summary

In essence, Microsoft Entra External ID represents the next frontier in Customer Identity and Access Management (CIAM) at Microsoft. It’s important to note that this doesn’t signal a discontinuation of support for Azure AD B2C. Instead, Microsoft plans to channel all upcoming features exclusively into the Entra External ID platform. This strategic decision makes it a compelling option for organizations seeking a CIAM solution, and it’s worth considering for the future needs of your organization.

At Formula5, we firmly believe in the efficiency of Microsoft Entra to assist organizations in deploying modern and secure CIAM solutions. Our commitment includes substantial investments in both knowledge acquisition and team skill development to effectively support clients on their journey towards identity modernization. Please contact us using this form if you need our help building a resilient, secure and user-friendly CIAM solution for your organization with either Azure AD B2C or Microsoft Entra External ID.

Written By

Modern Identity Lead
