Looking at questions on the Internet (on sites like Quora or StackOverflow), I see a growing number of people confused by Azure Active Directory acronyms. We have Azure AD, Azure AD B2B, Azure AD B2C… yeah, you can get lost. So, it’s time to clear things up a bit! Here is your quick guide that will help you to find your way in this maze.
We will keep it up to date in case any other “three characters” pop up, so save the link for the future.
Here’s our main question: What is the difference between just Azure AD, B2B, and its B2C? Are these different versions?
Azure Active Directory (in short – Azure AD) is a cloud identity provider service, or Identity as a Service (IDaaS), provided by Microsoft. Its primary purpose is to provide authentication and authorization for applications in the cloud (SaaS apps).
Among the key applications relying on Azure AD right now are Microsoft’s own Office 365 and Azure itself. In my previous blog post, you’ll find the relationship between Azure and Azure AD described in detail.
Who will use it?
Azure AD’s main purpose is supporting business organizations with extending their identity reach to the cloud and SaaS applications. On top of this, there are tons of enhancements and services provided, such as conditional access, identity protection, application publishing, access to pre-configured applications and so on.
Developers can build applications and secure them with Azure AD. In this case, an application can be developed for a single organization (single-tenant) or as a general application (multi-tenant) accessible by any company using Azure AD. Example? Our time tracking application.
In short – Azure AD is meant for businesses to allow their users to work with cloud applications. You have your corporate users there, logging on with your domain name, and it is dedicated to your organization.
The key scenario: you set up synchronization and SSO from your current AD and your users can log on to SaaS applications. Done.
Azure AD B2B
Now for Azure AD B2B (which of course stands for Business-to-Business). Is it a different version of Azure AD? No! It’s only one of its service features. It allows one organization to invite members from other organizations to share application access.
A simple scenario – here at Predica, we use our Grandler app (for skills management). We start to co-operate with your business, and we want your people to also benefit from it and start assessing our and their own skills.
We can use the Azure AD B2B feature to invite your users to Grandler based on our Azure AD. You don’t have to deploy it in your Azure AD. You don’t have to configure it. We are just sharing it with you for collaboration.
What are the benefits here?
Cross-organization collaboration is a hot topic and at the same time not so easy to roll out. When you collaborate with an external party there are some things to be considered:
- Is our security policy matching yours?
- Do we have to create accounts for your users?
- If we give accounts to your users, who will disable them if needed? And who will take care of those pesky password resets?
Azure AD B2B aims to address this problem. When you invite a user to your application, they will get access using their Azure AD account. No need to create an account for them. No need for a new password. They sign on to your app with their credentials.
Hint: As stated earlier, access to Azure is controlled by Azure AD. If you want to grant access to your Azure instance to an external consultant, don’t use a Microsoft Account for that. Invite them with Azure AD B2B if they have an account in this service.
On the other hand, you are still in control of your application. You decide if it requires multi-factor authentication. You choose who has access.
Azure AD B2B provides an API around it, so you can build your own onboarding process and send invitations to apps. Or you can use the default one in the service.
The key scenario: An organization is using applications based on Azure AD and wants to collaborate in them with another business. Azure AD B2B allows working together by granting access to these apps to users from another Azure AD tenant.
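The invitation API mentioned above, as an added example that is not part of the original post: a small onboarding helper around the Microsoft Graph invitation endpoint (`POST https://graph.microsoft.com/v1.0/invitations`) that only invites guests from an allow-list of partner domains and always invites them as `Guest`. The domain allow-list, the `access_token` and the sample response are constructed for this example; token acquisition is left to the caller.

```python
import json
import re
import urllib.request
from typing import Optional

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"

# Constructed allow-list of partner domains this tenant collaborates with.
APPROVED_PARTNER_DOMAINS = {"partner.example", "contoso.example"}


def is_approved_partner(email: str) -> bool:
    """True only if the address is well-formed and its domain is on the allow-list."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", email)
    return bool(m) and m.group(1).lower() in APPROVED_PARTNER_DOMAINS


def build_invitation(email: str, redirect_url: str, message: Optional[str] = None) -> dict:
    """Build the request body for POST /invitations, refusing non-partner domains."""
    if not is_approved_partner(email):
        raise ValueError(f"domain of {email!r} is not an approved partner")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,  # where the guest lands after redeeming
        "sendInvitationMessage": True,      # let the service send its default mail
        "invitedUserType": "Guest",         # least privilege: never a Member from here
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def summarize_response(response_json: dict) -> dict:
    """Extract the fields an onboarding process should record for audit."""
    return {
        "invitation_id": response_json.get("id"),
        "status": response_json.get("status"),  # e.g. "PendingAcceptance"
        "guest_object_id": response_json.get("invitedUser", {}).get("id"),
    }


def send_invitation(access_token: str, email: str, redirect_url: str) -> dict:
    """POST the invitation to Graph (needs a token with User.Invite.All); not run offline."""
    data = json.dumps(build_invitation(email, redirect_url)).encode()
    req = urllib.request.Request(
        GRAPH_INVITATIONS_URL, data=data, method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return summarize_response(json.load(resp))


# Constructed sample response, shaped like the Graph invitation resource, for offline use.
SAMPLE_RESPONSE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "status": "PendingAcceptance",
    "invitedUser": {"id": "00000000-0000-0000-0000-0000000000aa"},
}
```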
Azure AD B2C
Time for the last one – my favorite, which deserves a separate write-up (and it will get one) – Azure AD B2C, Business-to-Consumer.
It is a separate service from Azure AD. Built on the same technology, but still… for different purposes.
The main difference – it is not meant for the users of a single organization. It’s built to allow anyone to sign up as a user of a service with their email address or a social media provider like Facebook, Google or LinkedIn.
You don’t need on-premises AD here since you’re not creating a synchronization process.
The purpose of Azure AD B2C is to allow organizations to build a cloud identity directory for their customers.
To learn some Azure AD B2C tricks and tips, I encourage you to read these excellent posts by Predica’s expert Daniel Krzyczkowski: