Azure AD, B2B, B2C Azure Active Directory B2C, B2B - What Makes The Difference?

Looking at questions on the Internet (on sites like Quora or StackOverflow), I see a growing number of people confused by Azure Active Directory acronyms. We have Azure AD, Azure AD B2B, Azure AD B2C… yeah, it’s easy to get lost in them.

So, it’s time to clear things up a bit! Here is your quick guide that will help you to find your way in this maze.

We will keep it up to date in case any other “three characters” pop up, so save the link for the future.

Here’s our main question: what is the difference between Azure AD, B2B, and B2C? Are they different versions of the same service?

What is Azure AD?

Azure Active Directory (in short – Azure AD) is a cloud identity provider service or Identity as a Service (IdaaS) provided by Microsoft. Its primary purpose is to provide authentication and authorization for applications in the cloud (SaaS apps).

One of the key applications relying on Azure AD right now is Microsoft’s own Office 365 or Azure itself. In my previous blog post,you’ll find the relationship between Azure and Azure AD described in detail.

No time to read? Watch the video instead!

Who can use it?

Azure AD’s main purpose is supporting business organizations with extending their identity reach to the cloud and SaaS applications. On top of that, there are tons of enhancements and services provided, such as conditional access, identity protection, application publishing, access to pre-configured applications and so on.

Developers can build applications and secure them with Azure AD. In this case, an application can be developed for a single organization (single-tenant) or as a general application (multi-tenant) accessible by any company using Azure AD.

In short – Azure AD is meant for businesses to allow their users to work with cloud applications. You have your corporate users there, logging on with your domain name, and it is dedicated to your organization.

You can also create users on-premises and synchronize them with Azure AD (click here for more details) or create them in the cloud directly (we have covered it in another post).

An example scenario

You set up synchronization and SSO from your current AD and your users can log on to SaaS applications. Done.

Simple, right?

Access structure: Azure Active Directory

What is Azure AD B2B?

Now for Azure AD B2B (which of course stands for Business-to-Business). Is it a different version of Azure AD? No! It’s only one of its service features. It allows a company to invite members from other organizations to share application access.

A simple scenario – here at Predica, we use our Grandler app (for skills management). We start to co-operate with your business, and we want your people to also benefit from it and start assessing our and their own skills.

We can use Azure AD B2B to invite your users to Grandler based on our Azure AD. You don’t have to deploy it on your Azure AD. You don’t even have to configure it. We are just sharing this with you for collaboration.

What are the benefits?

Cross-organization collaboration is a hot topic and at the same time it is not that easy to roll out. When you work with an external party, there are some things to be considered:

• Is our security policy matching yours?
• Do we have to create accounts for your users?
• If we give accounts to your users, who will disable them if needed? And who will take care of those pesky password resets?

Azure AD B2B aims to address this problem. When you invite a user to your application, they will get access using their Azure AD account. No need to create another account for them. No need for a new password. They sign on to your app with their credentials.

On the other hand, you are still in control of your application. You decide if it requires multi-factor authentication. You choose who has access.

Azure AD B2B provides an API, so you can build your onboarding process and send invitations to apps. Or you can use the default one in the service.

An example scenario

A business uses applications based on Azure AD, and wants to collaborate in them with another company. Azure AD B2B allows this by granting app access to users from another Azure AD tenant.

Access structure: Azure Active Directory B2B

It’s that simple!

What is Azure AD B2C?

Time for the last one – my favorite, which deserves a separate write-up (which you’ll find here) – Azure AD B2C, Business-to-Consumer.

It is a separate service from Azure AD. Built on the same technology, but still… for different purposes.

The main difference – it is not to be used by single organization users. It’s built to allow anyone to sign up as a service user with their email or social media provider like Facebook, Google or LinkedIn.

You don’t need on-premises AD here since you’re not creating a synchronization process.

The purpose of Azure AD B2C is to allow organizations to build a cloud identity directory for their customers.

To learn some Azure AD B2C tricks and tips, I encourage you to read these excellent posts:

• Azure AD B2C Series – Custom Policies with custom claims
• Azure AD B2C Series – external service call during login and registration

An example scenario

Let’s imagine your business wants to build a website for your clients – might that be a shopping site, a customer-facing CRM app or a mobile directory of your products. You want to have it online, as a mobile application, and there might be other projects in the future.

Usually, in that case, organizations build some solutions to handle user identities in the app. A database with users, login process, sign-up process, password reset… OMG – how will we store passwords?!

Then someone says – Hey, are we going to support Facebook login? We have to do this.

Azure AD B2C does all of this for you. It is an identity repository in the cloud that allows your users to sign up for your applications with an email address and password (no restrictions on the email domain) or social media logins. The service itself handles all the processes like sign-up, sign-in, password reset and so on. You don’t have to worry about it.

If you establish it once and your customer is signed up, and later you spin off a new application – it is all there. They don’t have to sign up again. They can use their existing account for your applications.

The main purpose of this service: Consumer-facing applications and websites. A business wants to maintain a relationship with customers online – their Azure AD B2C handles the identity and access part. Multiple applications can use the same directory to provide the customer with SSO experience in your applications.

Access structure: Azure Active Directory B2C

And that’s it.

There are lots of technical details about these services. We have APIs, tenants, service features, policies and other things. There is also a licensing model – be sure about that 🙂 Check it here for Azure AD and here for Azure AD B2C.

Check out the video below to see how we used Azure B2C for building an open banking application:

Summary – Azure AD, Azure AD B2B, Azure AD B2C

To sum up, what you need to know is:

• Azure AD is an identity as a service provider aimed at organization users to provide and control access to cloud resources
• Azure AD B2B is not a separate service but a feature in Azure AD. It allows cross-organization collaboration in applications from an identity standpoint.
• Azure AD B2C is an independent service for building a consumer application identity repository. If you need a service to handle email or Facebook login – it is there for you.

That’s all for now. I hope that you’re now finding it nice and easy. If you’d like to read about the real-life implementation of the above services (building a unified identity platform for external users), here’s a case study you may like.

Struggling to provide easy access for your customers and partners? Read about our Multi-Access Identity platform, built on Azure AD B2C.