Azure Active Directory (AD) B2C (Business to Consumer) covers the use case where a company has internal users that use Office 365, Azure AD, some SaaS packages etc.
At the same time, they want to interact with external users but they don't want the details in the "internal" repository and they don't want hundreds of phone calls to the help desk about expired passwords etc.
They want the users to self-register and they want to be able to mine the users' details.
This is what B2C provides - a repository for external users only with self-registration and self-service password reset.
So you could imagine a company portal that allows users to browse the company products, read information about new products, register an interest in some future product etc.
This portal is then configured in B2C as an application (in the same way that you configure applications in Azure AD).
When the external user navigates to the application, they can choose to:
- Update details
- Reset their password
When the user signs in, they are redirected to B2C for authentication. They can log in to the B2C repository or they can use some social logins. These all use OpenID Connect, and a JWT is then returned with the user's claims.
Sign-up, sign-in etc. all use policies. These are all configured in the Azure AD portal. You can have any number of these policies. An application specifies the policies it wants to use.
An example of a sign-up policy is to capture:
- First name
- Last name
- Postal code
- Phone number
Note that the email address is not of the form email@example.com. It can be e.g. firstname.lastname@example.org.
An example of a sign-in policy is to allow:
B2C also supports the Graph API so user CRUD etc. can be done programmatically.
The downsides are:
- These users cannot interact with any SaaS offering e.g. they cannot have Office 365 licences
- They are in a separate Azure AD repository so they can't interact with users in a "normal" repository
- Only OpenID Connect is supported
- The policies need to be sent in the OAuth messages so this is not "normal" OAuth
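The following is an added example, not code from the original page, showing what "the policy is sent in the OAuth message" looks like in practice and the matching check on the way back: the application confirms that the returned token was issued by the policy it asked for. The tenant, client ID, redirect URI and policy names are constructed placeholders, and `check_claims` assumes the ID token's signature has already been verified by a JWT library.

```python
import secrets
from urllib.parse import urlencode

# Constructed placeholders (assumptions, not values from the page).
TENANT = "contoso"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://portal.example.com/auth/callback"
SIGN_IN_POLICY = "B2C_1_sign_in"


def build_authorize_url(policy, state, nonce):
    """OpenID Connect authorization request carrying the B2C policy in `p`."""
    base = (f"https://{TENANT}.b2clogin.com/"
            f"{TENANT}.onmicrosoft.com/oauth2/v2.0/authorize")
    query = {
        "p": policy,  # the B2C-specific parameter
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return base + "?" + urlencode(query)


def check_claims(claims, expected_policy, expected_nonce):
    """List what is wrong with claims from a signature-verified ID token."""
    problems = []
    # B2C names the issuing policy in `tfp` (`acr` in older configurations).
    # Case-insensitive comparison is an assumption of this example.
    issued_by = claims.get("tfp") or claims.get("acr") or ""
    if issued_by.lower() != expected_policy.lower():
        problems.append("policy")
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")
    return problems


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(SIGN_IN_POLICY, state, nonce))
    # Constructed claims: a token issued by a different policy is rejected.
    reset = {"tfp": "B2C_1_password_reset", "aud": CLIENT_ID, "nonce": nonce}
    print(check_claims(reset, SIGN_IN_POLICY, nonce))
```

Because every policy in the tenant signs tokens for the same application, checking `tfp`/`acr` is what stops a token from one flow (for example password reset) being accepted where a sign-in token was expected.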