1 vote

We have several ASP.NET applications, each with its own users table and database. Each application does its own login, password reset, etc. Our users are from different companies, so each user is an employee of one of those companies.

Now we want to use a central identity provider and let it do all the authentication and authorization work.

Can we use Azure AD/Azure AD B2B/Azure AD B2C to accomplish our goal?

We have thousands of users from those companies, and most of them don't have their own AD or Azure AD. We need to migrate our existing users to Azure AD (or send them invitations if we use B2C) in bulk from our own users table.


4 Answers

3 votes

B2C is nice but it allows basically anyone to sign in there. So unless these apps are consumer-facing, I would probably go with B2B.

You can create a directory for those users who don't have an Azure AD, and invite them there (there's an API for this too).

Now of course your users will have to create a password again, since I am assuming you have stored them in non-reversible form.
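As an added example (not code from this answer or from Microsoft), the bulk invitation the answer alludes to can be driven from the Microsoft Graph `POST /v1.0/invitations` endpoint. The legacy user rows, the redirect URL and the bearer token below are constructed placeholders; obtaining the token (an app registration holding the `User.Invite.All` permission, typically via a client-credentials flow) is assumed to happen outside this snippet. The example also handles the two failure modes a migration of thousands of rows runs into: bad rows in the source table, and Graph throttling (HTTP 429 with a `Retry-After` header).

```python
"""Bulk-invite users from a legacy users table into an Azure AD tenant as B2B guests.

Uses the Microsoft Graph endpoint POST /v1.0/invitations. The access token is assumed
to come from an app registration holding the User.Invite.All permission; acquiring it
is outside this example.
"""
import json
import time
import urllib.error
import urllib.request

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"

# Constructed sample rows standing in for the legacy users table (not real people).
LEGACY_USERS = [
    {"email": "alice@contoso.example", "display_name": "Alice Example", "company": "Contoso"},
    {"email": "bob@fabrikam.example", "display_name": "Bob Example", "company": "Fabrikam"},
    {"email": "not-an-email", "display_name": "Broken Row", "company": "Contoso"},
]

# Placeholder: where the guest lands after redeeming the invite (your app's sign-in URL).
REDIRECT_URL = "https://app.example/signin-oidc"


def build_invitation(user, redirect_url, send_message=True):
    """Build the JSON body for POST /invitations.

    Returns None for rows that cannot be invited (no usable e-mail address), so a bad
    legacy row is skipped instead of creating a guest object with a wrong address.
    """
    email = (user.get("email") or "").strip()
    if "@" not in email or " " in email:
        return None
    return {
        "invitedUserEmailAddress": email,
        "invitedUserDisplayName": user.get("display_name") or email,
        "inviteRedirectUrl": redirect_url,
        # True lets Azure AD send the redemption mail; set False to send your own.
        "sendInvitationMessage": send_message,
    }


def send_invitation(body, token, max_retries=3):
    """POST one invitation to Graph, retrying on 429 using the Retry-After header."""
    data = json.dumps(body).encode("utf-8")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    for attempt in range(max_retries + 1):
        req = urllib.request.Request(GRAPH_INVITATIONS_URL, data=data, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < max_retries:
                time.sleep(int(err.headers.get("Retry-After", "5")))
                continue
            raise


def invite_all(users, token, redirect_url, sender=send_invitation):
    """Invite every row; returns a summary so the migration can be audited and re-run.

    `sender` is injectable so the batching logic can be exercised without network access.
    """
    summary = {"invited": [], "skipped": [], "failed": []}
    for user in users:
        body = build_invitation(user, redirect_url)
        if body is None:
            summary["skipped"].append(user.get("email"))
            continue
        email = body["invitedUserEmailAddress"]
        try:
            result = sender(body, token)
        except urllib.error.HTTPError as err:
            summary["failed"].append((email, err.code))
            continue
        # Graph returns the created guest under "invitedUser"; keep its object id for the
        # mapping table between legacy user ids and Azure AD object ids.
        summary["invited"].append((email, result.get("invitedUser", {}).get("id")))
    return summary


if __name__ == "__main__":
    # Dry run: show the payloads that would be sent, without calling Graph.
    for row in LEGACY_USERS:
        print(json.dumps(build_invitation(row, REDIRECT_URL)))
```

Keep the returned summary: the `invitedUser.id` values are what you store next to the legacy user ids so the per-application authorization data (roles, company membership) can be keyed on the Azure AD object id once the apps switch to the central identity provider.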

0 votes

Are the users customers or internal to your organization? B2B is used for your company's user base or for other companies that you have partnerships with. B2C is the customer side and supports sign-in not only with Azure AD accounts but also with consumer identity providers such as Facebook, Google, and outlook.com.

That being said, either will allow you to set up Azure AD applications that support SAML, OAuth and OpenID, so users can sign in to your applications for authentication and authorization.

What is Azure Active Directory B2C? https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview

What is Azure Active Directory B2B? https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

-1 votes

It also depends on what username or sign-in email you provide for your customers. I'm assuming here that you are not connecting with your customers' Azure AD and that most, if not all, of them do not have an Azure AD tenant. If you choose B2B, as far as I know it currently does not allow emails from an unverified domain to be registered. So with the default tenant, all of your users would be "[email protected]". In order to add another domain, you'd need to add and verify it, which requires some work with the domain registrar.

We had a quite similar use case where we ended up choosing B2C. It allows us to support the customer use case ([email protected]). For our internal users in the Azure AD tenant, we add Azure AD as one of the IdPs in B2C.