Azure B2C and B2B

Question

Azure B2C and B2B

Mike 251

I am new to B2C and currently we have a requirement in which we would allow external party to be able to access the application, as well as our own users in our main tenant.

The way I imagined it, is that I can setup an external IDP such as an external Azure AD and then for any application that we register, we can federate the authentication with an external AD with any application we register, and for any other accounts we will just create it locally. When I created my first instance of B2C, go to users, I see my account from our main tenant as an Admin. I imagined that I will have all the users here from our main tenant, and by the user sign in flow, allow them to access all the apps we register. Is this even doable?

Accepted answer

1 additional answer

Your answer

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Mike

Thanks for reaching out.

Azure AD B2B collaboration is intended for organizations that want to be able to authenticate users from partner/supplier organization, regardless of the identity provider, and be able to manage the lifecycle of those guest users. These accounts are managed in the same directory as employees, and can be added to the same groups and resources.

Azure AD B2C is intended for commerce and other interactions with consumers, citizens, or members of another group that does not require access to internal resources. These accounts are managed in a separate B2C directory and are completely separate from your internal user accounts. B2C accounts are a customer lifecycle: they are either managed by the customer, or directly by the application.

Regarding your question about federating authentication with an external AD, you can add identity providers that are supported by Azure Active Directory B2C (Azure AD B2C) to your user flows using the Azure portal**.**

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow

As for your question about seeing all the users from your main tenant in the B2C users list, which is not possible. Azure AD B2C is a separate directory from your main tenant, and it has its own set of users. You can create users in Azure AD B2C, or you can use an external identity provider to authenticate users.

You can set up Azure AD or similar external providers to allow users from Azure AD to sign into your B2C application.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Mike 251 Reputation points

2023-08-04T12:12:43.4766667+00:00

This is very helpful. I have managed to configure our main tenant as OIDC provider.

I then configured a sign in flow, with a test application. I am not a developer and just know a little about how SaaS apps work. I used to this to register

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga

What I notice is that it seems I needed to have a Sign in and Register. What I was hoping to achieve is that, only local guest accounts should exist in the B2C, and everything else will be redirected to their respective iDP. I don't want them to sign up, I just want B2C to issue the required token after they have authenticated in their respective iDP. I am not sure if this is because the app I used in the sample, uses B2C store. But if it is another app, which has the user store, will it work? I was hoping MS has an example if my understanding is correct.
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-08-08T10:35:52.83+00:00

Your understanding is right here. To configure any iDP in B2C, we are using B2C application which asks the user to register in B2C.

Only allow accounts that have been pre created for login via external IdP can sign in directly to the application. You can create local accounts and link them with a federated account if you do not want your users to register.

https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account

Thanks,

Shweta
Mike 251 Reputation points

2023-08-08T18:57:02.0966667+00:00

so it is the ssample app limitation then. I appreciate the link but I am not a developer. So a third party app with its local store should not have an issue with sign in, where b2c uses an external IDP without them registering in B2C?

Answer 2

Vahid Ghafarpour 23,385 Volunteer Moderator

For sure, you can create user flows for your requirement:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows

Mike 251 Reputation points

2023-08-02T19:16:30.7633333+00:00

I managed to find out that i will need an oidc app in the main tenant for the external idp. Now im stuck with sign in flows. For the user that was authenticated by the external iDP, will it be possible to avoid a sign up and use the information in the claims to create those accounts. Because im very specific for the tenant im creating that they are valid users.
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-08-04T11:18:54.8666667+00:00

Hi @Vahid Ghafarpour ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Share via

Azure B2C and B2B

1 additional answer

Your answer