Looking at questions on the Internet (sites like Quora or StackOverflow) I see a growing number of people confused by Azure Active Directory acronyms. So… time to clear things up a bit. Here is your quick guide that will help you not to get lost in this maze. We have Azure AD, Azure AD B2B and Azure AD B2C – we will keep it up to date in the future in case any other “three characters” pop up, so save the link.
What is the difference between plain Azure AD, Azure AD B2B and Azure AD B2C? Are these different versions?
Azure Active Directory (in short – Azure AD) is the cloud identity provider service, or Identity as a Service (IDaaS), provided by Microsoft. Its primary purpose is to provide authentication and authorization for applications in the cloud (SaaS apps).
Key applications relying on Azure AD right now are Microsoft’s own Office 365 and Azure itself. In the previous blog post you’ll find the relationship between Azure and Azure AD described in detail.
Who will use it?
Azure AD’s key scenario is supporting business organizations in extending their identity reach to the cloud and SaaS applications. On top of this scenario there are many enhancements and services provided, like conditional access, identity protection, application publishing, access to pre-configured applications and so on.
Developers can build applications and secure them with Azure AD. In this case an application can be built for a single organization (single-tenant) or as a general application (multi-tenant) accessible by any organization using Azure AD. Example? Our time tracking application.
In short – Azure AD is for business organizations, to allow their users to work with cloud applications. You have your corporate users there, logging on with your domain name, dedicated to your organization. On-premises users are synchronized to Azure AD (read here for more details), or you can create them directly in the cloud (we have covered this in another post).
The key scenario: you set up synchronization and SSO from your current AD, and your users can log on to SaaS applications. Done.
Azure AD B2B
Now Azure AD B2B (which of course stands for Business-to-Business). Is this a different version of Azure AD? No! It is just one of the service’s features. It lets one organization invite members of other organizations and share application access with them.
Simple scenario – here at Predica we are using our Grandler app (for skills management). We start to co-operate with your business, and we want your people to benefit from the skills assessment as well.
We can use the Azure AD B2B feature to invite your organization’s users to use Grandler based on our Azure AD. You don’t have to deploy it in your Azure AD. You don’t have to configure it. We are just sharing it with you for collaboration.
Where are the benefits here? Cross-organization collaboration is hot and at the same time not so easy to roll out. When you collaborate with an external party there are some things to be aligned:
- Is our security policy matching yours?
- Do we have to create an account for your users?
- If we give accounts to your users, who will disable them if needed? And who will take care of those pesky password resets?
Azure AD B2B aims to address this problem. When you invite a user to your application, this user gets access using their own Azure AD account. No need to create an account for them. No need for a new password. They sign on to your app with their existing credentials.
Hint: As stated earlier, Azure itself is controlled by Azure AD. If you want an external consultant to gain access to your Azure instance, don’t use a Microsoft Account for that. Invite them with Azure AD B2B if they have an account in their own Azure AD.
On the other hand, you are still in control of your application. You decide if it requires multi-factor authentication. You choose who has the access.
Azure AD B2B provides an API around this, so you can build your own onboarding process and send invitations to apps. Or you can use the default one in the service.
The key scenario: An organization is using applications based on Azure AD and wants to collaborate in these applications with some other businesses. Azure AD B2B allows working together by granting access to these applications to users from another Azure AD tenant.
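The invitation API mentioned above is Microsoft Graph’s `POST /invitations` resource. The snippet below is an added example (not Predica’s code and not Microsoft’s sample) of the kind of onboarding step an organization would put in front of it: it builds the request body and, before anything is sent, enforces a policy check that the invited address belongs to an approved partner domain and that the redirect goes to an app you actually publish. The partner domains, redirect host and the sample response are constructed placeholders; the property names in the body (`invitedUserEmailAddress`, `inviteRedirectUrl`, `sendInvitationMessage`, `invitedUserMessageInfo`) are the Graph invitation properties.

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Microsoft Graph endpoint for B2B invitations (real endpoint).
GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"

# Constructed policy data: partner organizations we collaborate with (by e-mail domain)
# and the hosts of apps we publish. Replace with your own values.
ALLOWED_PARTNER_DOMAINS = {"partner.example", "contoso.example"}
ALLOWED_REDIRECT_HOSTS = {"grandler.example.com"}


class InvitationPolicyError(ValueError):
    """Raised when an invitation would violate our onboarding policy."""


def build_invitation(email: str, redirect_url: str, message: Optional[str] = None) -> dict:
    """Return the JSON body for POST /invitations after checking our policy.

    The checks run before any call to Graph, so a typo or an address outside the
    approved partner list never creates a guest object in the tenant.
    """
    email = email.strip().lower()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise InvitationPolicyError(f"not a valid e-mail address: {email!r}")
    domain = email.rsplit("@", 1)[1]
    if domain not in ALLOWED_PARTNER_DOMAINS:
        raise InvitationPolicyError(f"domain {domain!r} is not an approved partner")

    parsed = urlparse(redirect_url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise InvitationPolicyError(f"redirect {redirect_url!r} is not one of our apps")

    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "invitedUserType": "Guest",       # guests get the limited guest permissions, never member rights
        "sendInvitationMessage": True,    # let Azure AD deliver the redeem link by e-mail
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def send_invitation(session, access_token: str, body: dict) -> dict:
    """POST the body to Graph. `session` is a requests.Session-like object with a .post();
    it is not called in an offline run. The token needs the User.Invite.All permission."""
    resp = session.post(
        GRAPH_INVITATIONS_URL,
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        data=json.dumps(body),
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()


def summarize_response(resp: dict) -> dict:
    """Extract what an onboarding workflow should log: the guest's object id,
    the invitation status and the redeem URL (treat the URL as a secret)."""
    return {
        "guest_id": resp["invitedUser"]["id"],
        "status": resp["status"],
        "redeem_url": resp["inviteRedeemUrl"],
    }


# Constructed sample response shaped like Graph's invitation resource (not captured from a tenant).
SAMPLE_RESPONSE = {
    "invitedUserEmailAddress": "anna@partner.example",
    "inviteRedirectUrl": "https://grandler.example.com/skills",
    "status": "PendingAcceptance",
    "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?placeholder=1",
    "invitedUser": {"id": "00000000-0000-0000-0000-000000000001"},
}

if __name__ == "__main__":
    body = build_invitation("Anna@Partner.example", "https://grandler.example.com/skills",
                            "Welcome to the Grandler skills assessment")
    print(json.dumps(body, indent=2))
    print(summarize_response(SAMPLE_RESPONSE))
```

The allowlist is the part worth keeping even if you drop everything else: an invitation accepted by a user outside your partner agreements creates a guest in your tenant with whatever access the app grants, so the decision of who may be invited should be enforced in code rather than left to whoever fills in the form.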
Azure AD B2C
Time for the last one – my favorite, which deserves a separate write-up (and it will get one), Azure AD B2C, Business-To-Consumer.
Azure AD B2C is a separate service from Azure AD. Built on the same technology, but still… for different purposes.
The main difference – Azure AD B2C is not meant for the users of a single organization. It is built to allow anyone to sign up as a user in this service with their e-mail or a social media account like Facebook, Google or LinkedIn.
You don’t need an on-premises AD here, since there is no synchronization process to set up.
The purpose of Azure AD B2C is to allow organizations to build a cloud identity directory for their customers.
Let’s imagine your business wants to build a website for your clients – be it a shopping site, a customer-facing CRM app or a mobile directory of your products. You want to have it online, as a mobile application, and there might be other projects in the future.
Usually, in that case, organizations build some solution of their own to handle user identities in the app: a database of users, a login process, a sign-up process, password reset. OMG – how will we store passwords?!
Then someone says – Hey, are we going to support Facebook login? We have to do this.
All of this is what Azure AD B2C does for you. It is an identity repository in the cloud that allows your users to sign up for your applications with an e-mail address and password (no restrictions on the e-mail domain) or with social media logins. The service itself handles all these processes – sign-up, sign-in, password reset and so on. You don’t have to worry about them.
Once you set it up and your customer has signed up, and later you spin off a new application – it is all there. They don’t have to sign up again. They can use their existing account for all your applications.
The key scenario: consumer-facing applications and websites. A business wants to maintain an online relationship with its customers – there Azure AD B2C handles the identity and access part. Multiple applications can use the same directory to give the client an SSO experience across your applications.
And that’s it.
There are lots of technical details about these services. We have APIs, tenants, service features, policies and other things. There is also a licensing model – be sure to check it :). Check it here for Azure AD and here for Azure AD B2C.
What to remember in short?
- Azure AD is an Identity-as-a-Service provider aimed at organization users, to provide and control access to cloud resources.
- Azure AD B2B is not a separate service but a feature of Azure AD. It allows cross-organization collaboration in applications from an identity standpoint.
- Azure AD B2C is an independent service for building an identity repository for consumer applications. If you need a service to handle e-mail or Facebook login – it is there for you.
That’s all for now. I hope you now find it nice and easy. For more technical details on these services make sure to follow our blog posts here, our videos and our Facebook profile. There’s more to come! In the meantime, you can jump here to examine the architecture of your apps – better check whether it is working optimally or needs some fixing.