Entra External ID: Microsoft's Next Generation CIAM Solution to Replace Azure B2C

Rawson WadeAzure & Entra Software Engineer

Managing customer identities and access is a pivotal aspect of ensuring a secure and seamless user experience. This is where Customer Identity and Access Management (CIAM) comes into play, serving as a specialized subset of identity management tailored for customer-facing applications. CIAM systems are adept at handling large volumes of external user identities, providing robust security, and facilitating a frictionless customer journey across various digital touchpoints.

Microsoft Entra External ID emerges as a cutting-edge solution in this realm, offering a developer-friendly CIAM platform that integrates seamlessly into your customer-facing applications1. As part of the broader Microsoft Entra suite, External ID is designed to bolster security, enhance scalability, and provide a customizable user experience that aligns with your application’s unique requirements.

What is B2C CIAM and Why Separate Customers from your Workforce?

Before we can get into the weeds of this new directory type in Microsoft Entra. First, we need to understand why you would even consider using this technology. Customer Identity and Access Management (CIAM) is a specialized subset of identity management that focuses on managing and securing customer identities and their access to digital platforms and services. CIAM systems are designed to handle large volumes of external user identities and provide a seamless, secure customer experience across various digital touchpoints. Separating CIAM from your primary directory, typically used for internal workforce management, is crucial for several reasons:

  1. Enhanced Security: By isolating customer data from employee data, organizations can implement specific security measures tailored to the unique requirements of customer-facing applications, reducing the risk of data breaches and unauthorized access.
  2. Scalability: CIAM solutions are built to scale with the business, efficiently managing millions of customer identities and transactions, which might overwhelm traditional IAM systems designed for a finite number of internal users.
  3. Regulatory Compliance: With CIAM, businesses can ensure compliance with various data protection regulations by providing customers with control over their personal information and consent preferences.
  4. Improved Customer Experience: A dedicated CIAM system allows for frictionless customer interactions, such as single sign-on (SSO) and social logins, leading to higher engagement and retention rates. Login flows can be customized to highly integrate the experience into your product's user journey.

Separating CIAM from the primary directory allows businesses to offer a customer-centric approach to identity management, ensuring both security and convenience for their customers.

Microsoft Entra External Identity

Microsoft External ID is a new full-stack identity management solution designed to facilitate secure access to applications for your customers. It’s part of the Microsoft Entra suite of products, which focuses on securing and managing identities across various platforms.

External Identity Tenant

The tenant lives side-by-side with your workforce tenant. In fact, the admins of the External ID tenant are guests invited from the workforce tenant. Its important to understand that this tenant is completely orphaned from Azure Subscripts. This is obviously a good thing but does take a bit of planning from application integrations where Managed Identities are used for service to service integrations. The tenant is fully owned by the workforce tenant but can be separately administrated and billing is tied to a workforce tenant's Azure Subscription.

I like to think of it as "a Entra ID tenant segregated just for customers with a similar feature set to the typical Workforce Tenant".

Entra External Identity Licensing / Pricing

Microsoft External ID offers a pricing model that is designed to be both cost-effective and scalable, catering to businesses of various sizes and their unique needs. The core offering of Microsoft External ID is free for the first 50,000 monthly active users (MAU), which provides a generous allowance for smaller businesses to manage external identities without incurring initial costs. Beyond this free tier, additional active users are priced at AUD 0.05 (USD 0.03) per MAU. This pricing structure is generous in that it only charges you for active users instead of all user objects in the directory. It also allows organizations to scale with predictable pricing.

Auth Flow Customisation

One of the standout features of Microsoft Entra External ID is the ability to create custom-branded sign-up experiences. Organizations can configure self-service registration flows, add their own background images, logos, and text, and collect information from customers during sign-up using built-in or custom user attributes. You can even intercept these flows before and after the user has filled in the custom sign-up flow to do custom verification. Maybe even build a close invitation-only CIAM environment 😉 Blog post to come.

Migration from Azure B2C (The Former Microsoft CIAM Solution)

There is currently no migration plan for customers to migrate from the "old" Azure AD B2C to the new Microsoft Entra External ID. However, there have been public comments that there will be a migration plan and tools in the future. However, like with many IAM migrations. Transferring passwords between these systems may prove more difficult than one would initially believe. In the same essence, Azure AD B2C has not been deprecated at this point and will be supported for the foreseeable future. Maybe even new features will be released.

Is Entra External ID Still in Preview?

No, core features have moved to general availability on the 15th of March. As a general summary here are the flagship features moving to GA:

  1. Custom Authentication Extensions: Enables tailored authentication processes for a personalized user experience.
  2. Custom Sign-in and Sign-up flows: customize and integrate user sign-in into your products.
  3. Visual Studio Code Extension: Integrates identity management into the development workflow efficiently.
  4. Improved Azure App Service Integration: Simplifies secure access to applications, focusing more on building and less on configuration.

Native Authentication: Enhances user sign-ins for a smooth experience and increases developer and user satisfaction.

Microsoft Entra External ID vs Azure B2C

Microsoft Entra External ID is the next-generation replacement of Azure AD B2C. It takes a more unified approach to the technology by leveraging the existing infrastructure and interfaces from Entra ID (Azure AD) and making only slight modifications to be more tailored to customers. This has the major benefit that many existing applications built around Entra ID or Microsoft Graph can quickly integrate. One example is Apporetum which is a delegated access management solution built on top of Entra ID to create a more business-centric approach to Access Management. The day after the announcement for public availability Apporetum was able to integrate with External ID and have CIAM delegated access management. Building off the same stack has exceptional eco-system opportunities for application developers.

Microsoft Entra External ID vs Azure B2C vs Entra ID External Identities

One final note that I have been asked plenty of times. "Explain the difference between Microsoft Entra External ID vs Azure B2C vs Entra ID External Identities". To be fair Microsoft is in a bit of a pickle with this naming but hopefully I can provide a little bit of clarity.

Entra External ID

A dedicated Entra ID tenant with dedicated features to support customer single-sign-on (SSO) flows and branding requirements. Aligned to the same Microsoft Graph APIs as a workforce tenant and similar feature set to the workforce Entra ID. This means that many of the features for Workforce will be automatically ported to the Customer tenant. You will notice that not everything is up to scratch and some work arounds will need to done like Registering External ID User Id after registration.

Azure B2C

Previous generation Microsoft CIAM solution with a lot of bespoke APIs and management capabilities. Microsoft graph APIs were highly dedicated to management APIs for this tenant. I would only recommend people use this product if they need the SLAs before 15th March.

What features is missing in Entra External ID

Entra External Id has many of the features you would expect in a CIAM solution. However, it is missing key features which you might need to migrate. For example, Apple SSO and Microsoft Personal Accounts are currently missing as authentication options for customers. Futhermore, Entra External Id does not have any native IOS and Android SDKs for integration into your mobile Application. We expect that these features will be available in the next year as they are key features for customers.

Migrate from Azure B2C to Entra External ID

Currently, there is no migration path for customers to use to migrate to Entra External ID. One of the biggest challenges you will face is missing features (e.g. Apple SSO) and password migrations. If you want to migrate now you will need to design and build a user journey for migration which we know how to do. Get In Touch

Do I need to migrate to Azure AD B2C?

Absolutely not! Right now Microsoft have not depricated Azure B2C and will likely not for a considerable amount of time as they work on a migration strategy. However, to work out if this is in your best interest you can Schedule a call

Difference between Entra Id and Azure B2C (Worforce IAM vs Customer IAM)

Understanding the difference between Entra ID and Azure B2C can initially seem challenging, but the distinction lies in their primary purposes.

Entra ID is designed with a focus on workforce users, including your employees and those who are part of your supply chain through a B2B arrangement. It’s essential to know who these users are, why they exist in your tenant, and what access they have.

On the other hand, Azure B2C (and CIAM more broadly) is geared towards managing your customer user accounts. This could include their usernames and passwords or connections to their personal accounts like Google, Facebook, or Microsoft Online account. These accounts are primarily aimed at your customer channel, which usually comprises users who you may not directly know but who pay for a public or private product or service that you provide to your customers.

One of the key advantages of Microsoft CIAM capabilities, such as Azure B2C, is the high level of customization they offer, along with a more secure model for external accounts. This makes them an excellent choice for managing customer identities and access.

Entra External Identity is the new generation technology offering from microsoft to replace Azure B2C in the future. Although, there is no plan to deprecate Azure B2C at this time.

Need help with your Azure CIAM / B2C Solution?

Even before this technology has gone into GA we have delivered a close invite CIAM solution for one of our clients. We understand how to tightly integrate this technology into your applications and environments. Want to start your Microsoft CIAM journey but don't know where to start? Contact us if you would like to have a chat about your CIAM use case or want a free consultation session.

Rawson WadeAzure & Entra Software Engineer

© Posts are provided 'as is' under the AGPL 3.0 license unless otherwise stated

Want to be kept in the loop

Sign up to hear about the latest from the team at Entraneer. We talk anything Entra, IAM and Azure Enterprise Apps.

entra id microsoft entra identity customer identity and access management b2c azure ad Replace Azure B2C Microsoft Entra External ID External ID General Availability GA CIAM Solution b2b vs b2c b2c ciam Entra External ID Vs Azure B2C Rest API External ID New Azure B2C Azure AD B2C vs Microsoft Entra External ID vs External IDs CIAM für B2C entra hisse kimin micro soft azure azure license azure entra single sign on with azure ad entra b2c integrate with high schools entra external id vs b2c ciam microsoft microsoft entra external id vs b2c b2b and b2c b 2 b 2 c customer identity and access management azure b2c ad entra microsoft com azure ad b2c pricing compare entra external id vs b2c azure b2c vs entra external id comparison

Expansive Knowledge, Best in class Security, best Value in the Cyber Security and Microsoft Entra Partner Class, Highly Skilled. Preference number one. Microsoft Entra Excellence. We are your consultants for entra engineering and development. Microsoft entra engineering. Identity and Access Management Experts in Microsoft Azure, Microsoft Entra, Microsoft Entra ID and Microsoft Entra External ID. experts for microsoft entra Our team offers expansive knowledge and best-in-class security, ensuring the best value in the cyber security industry. As a top Microsoft Entra Partner, we provide highly skilled services, making us your number one preference. We excel in Microsoft Entra excellence and serve as your dedicated consultants for Entra engineering and development. Our expertise in Microsoft Entra engineering encompasses all aspects of identity and access management. We are identity and access management experts in Microsoft Azure, Microsoft Entra, Microsoft Entra ID, and Microsoft Entra External ID. Trust us as your experts for Microsoft Entra. Need help with azuread / Microsoft Entra. Talk to the trusted experts from Australia

We use cookies

We use cookies to ensure you get the best experience on our website. By clicking Accept, you agree to our use of cookies.
Learn more.