Thursday, May 12, 2016

Azure B2C : Differences with Azure Active Directory (AAD)

There are a number of gotchas with B2C that you may not realise at first.

This is still in preview, so things will undoubtedly change; there is also B2C Premium on the horizon, but no details are publicly available.

More details around limitations here.

To be fair, B2C is aimed at a completely different use case, viz. external users who can self-manage via self-service registration and who need self-service password reset (SSPR) functionality.

I put this table together:

| Azure AD | Azure B2C |
|---|---|
| Can share tenant e.g. with O365 | B2C is a separate tenant that can contain B2C users only |
| Can add SaaS applications via Market Place | |
| Can federate with other IDP | |
| AD sync. via AD Connect | |
| Users can have O365 licences | |
| Support for WS-Fed, SAML 2.0p, OpenID Connect, OAuth2 | Some OpenID Connect, OAuth2 functionality (see below) |
| Support for Single Page Application (SPA) front-end that is written primarily in JavaScript and often uses a SPA framework such as AngularJS, Ember.js, Durandal, etc. | |
| Web API support for OAuth 2.0 JWT Bearer Credential Grant, otherwise known as the On-Behalf-Of flow | |
| Support for OAuth 2.0 client credentials flow | N/A – must use OpenID Connect to authenticate first |
| Wide range of authentication platforms | Only .NET, iOS, Android, and NodeJS |
| Social support for Yahoo, Facebook, Google and MSA (Windows Live) via ACS | Social support for Facebook, Google, Amazon, LinkedIn and MSA (Windows Live) |
| Can add additional social providers via Identity-as-a-Service (IDaaS) e.g. Auth0, Optimal IDM etc. | |
| Can verify custom domains | N/A on classic portal |
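The client credentials, On-Behalf-Of and "must use OpenID Connect to authenticate first" rows are easiest to see as the actual token requests. The Python below is an added example written for this post, not code from the original post or from Microsoft. It builds (and does not send) the three request shapes against the 2016-era endpoints: the Azure AD v1 client credentials grant, the Azure AD On-Behalf-Of exchange, and the B2C OpenID Connect authorize request that B2C demands before any token can be issued. The tenant name, client id and secret, the policy name `B2C_1_sign_in` and the redirect URI are placeholder assumptions, and the token response it parses is a constructed sample.

```python
"""Token-request shapes behind the comparison table (added example).

Placeholders: tenant, client_id, client_secret, policy name and redirect URI
are assumptions, not values from the post.  Nothing here performs a network
call; the functions return the endpoint and form body a client would POST.
"""
import json
import secrets
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"


def client_credentials_request(tenant, client_id, client_secret, resource):
    """Azure AD (v1 endpoint) app-only token.

    No user is involved, which is why a daemon or scheduled job can use it
    and why the resulting token carries application roles, not user claims.
    """
    endpoint = f"{LOGIN_HOST}/{tenant}/oauth2/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # v1 endpoint names the target API by its App ID URI
        "resource": resource,
    }
    return endpoint, body


def on_behalf_of_request(tenant, client_id, client_secret, user_assertion, resource):
    """Azure AD On-Behalf-Of (JWT bearer grant).

    A Web API hands in the access token it received from the user
    (user_assertion) and gets back a token for a downstream API that still
    identifies that user, so authorization downstream stays per-user.
    """
    endpoint = f"{LOGIN_HOST}/{tenant}/oauth2/token"
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "resource": resource,
        "requested_token_use": "on_behalf_of",
    }
    return endpoint, body


def b2c_authorize_url(tenant, policy, client_id, redirect_uri, nonce=None):
    """Azure AD B2C entry point: an interactive OpenID Connect sign-in.

    The policy (p=) selects the sign-in/sign-up flow.  There is no app-only
    grant here, which is the 'must use OpenID Connect first' row above.
    The nonce must be stored server-side and compared with the 'nonce'
    claim of the returned id_token to defeat token replay.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "p": policy,
        "client_id": client_id,
        "nonce": nonce,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_type": "id_token",
        "response_mode": "form_post",
    }
    return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", nonce


def parse_token_response(raw_json):
    """Parse a v1 token-endpoint reply.

    Raises on the error shape so a failed exchange is never mistaken for a
    token; expires_on is an epoch-seconds string in v1 replies.
    """
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "resource": data.get("resource"),
    }


# Constructed sample reply in the v1 endpoint's shape; not a real token.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3599",
    "expires_on": "1463000000",
    "resource": "https://graph.windows.net",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sample",
})

if __name__ == "__main__":
    tenant = "contoso.onmicrosoft.com"  # placeholder tenant
    print(client_credentials_request(tenant, "app-id", "app-secret", "https://graph.windows.net"))
    print(on_behalf_of_request(tenant, "api-id", "api-secret", "<caller access token>", "https://graph.windows.net"))
    print(b2c_authorize_url(tenant, "B2C_1_sign_in", "app-id", "https://localhost/callback")[0])
    print(parse_token_response(SAMPLE_RESPONSE))
```

The contrast the table is making is visible in the bodies: the client credentials body has no user assertion at all, the On-Behalf-Of body carries the caller's token and `requested_token_use=on_behalf_of`, and the B2C request is not a token request but a browser redirect that a human has to complete. Any service that needs to act without a signed-in user therefore has nowhere to go in B2C, which is the row's point.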

Any errors or omissions (E&O), feel free to discuss via comments.

Unknown said...

Isn't ACS going away?

nzpcmad said...

It's been going away for the last 4 years but until Microsoft get a decent social interface it's still needed. B2C is an option but you wouldn't add B2C just to get social.

Personally, I use the social interfaces in Auth0 (and there are tons of them) and hook Auth0 up to AAD / ADFS.