{"id":40159,"date":"2021-03-25T00:23:35","date_gmt":"2021-03-25T07:23:35","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/premier-developer\/?p=40159"},"modified":"2021-03-24T06:00:57","modified_gmt":"2021-03-24T13:00:57","slug":"to-b2b-or-to-b2c","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/to-b2b-or-to-b2c\/","title":{"rendered":"To B2B or to B2C?"},"content":{"rendered":"<p><a class=\"x-hidden-focus\" href=\"https:\/\/www.linkedin.com\/in\/marrochon\/\" target=\"_blank\" rel=\"noopener noreferrer\">Marius Rochon<\/a> explores differences and benefits of Azure B2B and B2C.<\/p>\n<hr \/>\n<p>There are a number of articles (see\u00a0<a href=\"https:\/\/thirdspace.net\/blog\/azure-ad-b2b-b2c-differences-external-access\/\">here<\/a>\u00a0for a good example) comparing Azure B2B \u2013 a feature of Azure AD \u2013 and Azure B2C \u2013 a special type of Azure AD tenant. Both of these are designed to allow external identities \u2013 users who are not employees of the directory owner \u2013 to gain access through these directories to resources they control. One uses B to signify its focus on business partnerships, while the other uses C for consumers, but at the end of the day either can be used to accomplish roughly the same access. 
My intent here is to focus on what I see as the fundamental difference; one that is most likely to drive the appropriate choice of technology.<\/p>\n<p>The main strength of Azure AD and its B2B feature is the power of its\u00a0<strong>authorization\u00a0<\/strong>control, particularly features like\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/overview\">Conditional Access<\/a>,\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/governance\/entitlement-management-overview#:~:text=Azure%20Active%20Directory%20%28Azure%20AD%29%20entitlement%20management%20is,groups%2C%20applications%2C%20and%20sites%20to%20perform%20their%20job.\">Entitlement Management<\/a>,\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/overview\">Privileged Access Management<\/a>\u00a0and security groups. Of these, B2C provides only a very limited version of CA and has, but does not use, security groups. Furthermore, some applications \u2013 Office 365 in particular \u2013 can only be accessed through Azure AD. Therefore, if the intent is to expose high-value applications, where access control is particularly critical, Azure AD with its B2B features is the preferred platform.<\/p>\n<p>The main strength of Azure B2C is its\u00a0<strong>customizability<\/strong>, particularly support for\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-b2c\/custom-policy-overview\">custom user journeys<\/a>, which allow calls to external REST functions, give extensive support for UX customization and, out of the box, support a greater variety of social providers, other OpenID Connect IdPs, as well as SAML and WS-Federation providers. 
These in turn support such unusual scenarios as LDAP authentication (<a href=\"https:\/\/github.com\/azure-ad-b2c\/samples\/tree\/master\/policies\/rest-api-idp\">via an API call<\/a>), phone-only authentication, identity impersonation and user-created accounts. B2B, on the other hand, only allows users from other AADs, individually specified external WSFed and SAML (not OIDC) issuers and selected social providers (Google and Facebook).<\/p>\n<p>Some applications, e.g. multi-tenant SaaS applications, could benefit from both sets of features: a customizable way of supporting many different issuer types and strong tenant-owned authorization. While that may be the eventual intent of Microsoft (I am an employee of the company but not privy to any non-public product plans), today there are ways to accomplish some of that with additional custom code.\u00a0<a href=\"https:\/\/github.com\/mrochon\/b2csamples#supporting-multi-tenant-saas-apps\">Here is an example<\/a>\u00a0of such an application.<\/p>\n<p><a href=\"http:\/\/mrochon.azurewebsites.net\/2021\/03\/19\/to-b2b-or-to-b2c\/\">Marius has created a wealth of content on B2C and B2B scenarios &#8212;\u00a0 learn more on his blog.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One uses B to signify its focus on business partnerships, while the other uses C for consumers, but at the end of the day either can be used to accomplish roughly the same access. 
My intent here is to focus on what I see as the fundamental difference; one that is most likely to drive the appropriate choice of technology.<\/p>\n","protected":false},"author":582,"featured_media":37840,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25],"tags":[163,1131,266],"class_list":["post-40159","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-b2b","tag-b2c","tag-marius-rochon"],"acf":[],"blog_post_summary":"<p>One uses B to signify its focus on business partnerships, while the other uses C for consumers, but at the end of the day either can be used to accomplish roughly the same access. My intent here is to focus on what I see as the fundamental difference; one that is most likely to drive the appropriate choice of technology.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/40159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=40159"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/40159\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/37840"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=40159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.micro
soft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=40159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=40159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}