You may have heard that Azure AD will get a new name – Microsoft Entra ID. Even though this does not affect Azure AD B2C directly, it still might be of interest to you. Especially if you are building solutions on Azure AD B2C. You see, many of the most popular features from Azure AD B2C are already built into Microsoft Entra External ID. In this article I’ll go through the most useful features in Microsoft Entra External ID that you could use to build your solutions on top of that instead of Azure AD B2C.
Abbreviations and Acronyms
Before I dive into the article, I guess it’s a good idea to go over some abbreviations and acronyms. Azure AD, Azure AD B2C, Microsoft Entra ID and Microsoft Entra External ID are all very long names. Since I’ll be using those names quite a lot, I’d better try shortening them.
- AAD – Azure AD
- AADB2C or just B2C – Azure AD B2C
- ME-ID – Microsoft Entra ID. This is in fact the official acronym for Microsoft Entra ID, the new name of Azure AD.
- ME-EID – Although not the official acronym for Microsoft Entra External ID, I had to come up with my own, because I’ll be talking about Microsoft Entra External ID quite a lot in this article. If I spelled out the name every time, it would be a lot of repetition.
The Future of Azure AD B2C
AADB2C is still fully supported. I have not come across any kind of end-of-life announcement for B2C either (early November 2023). So there is absolutely no need for panic if you have built your solutions around AADB2C.
On the other hand, why would Microsoft have two cloud products with very similar features? Two cloud products that solve more or less the same problems? You might remember Azure Access Control Service (ACS). It used to have somewhat similar capabilities to Azure AD B2C. However, back in 2017 it was more or less discontinued in favour of Azure AD B2C.
What really says it all for me is the following note from this overview page about Microsoft Entra External ID.
Keep in mind that the next generation Microsoft Entra External ID platform represents the future of CIAM for Microsoft, and rapid innovation, new features and capabilities will be focused on this platform. By choosing the next generation platform from the start, you will receive the benefits of rapid innovation and a future-proof architecture.
You can’t say it any clearer than that without actually saying it – Microsoft Entra External ID will eventually replace Azure AD B2C. I don’t know when Microsoft will announce that AAD B2C will be discontinued. I am not a Microsoft employee, nor am I an MVP (yet). But I am willing to bet that the day will come sooner or later. Azure AD B2C will probably still be around for many years though.
Should You Switch to Microsoft Entra External ID?
If you have solutions running on AADB2C in production now, I would say that you are in no hurry at all to migrate your users and applications to Microsoft Entra External ID. I guess that all existing namespaces for ACS still work today, even though you haven’t been able to create new namespaces since 2017. Similarly, all existing Azure AD B2C tenants will still work as they used to, years after the last Azure AD B2C tenant was created.
But if you are planning on building a solution for managing the identities of your customers or other external users, then you should get and stay informed about Microsoft Entra External ID. At Integrata, the company I currently work for, we are building solutions where we had decided to use Azure AD B2C for managing external user identities. But now, after the announcement of Microsoft Entra External ID, we have decided to switch to Microsoft Entra External ID. We have the luxury of being able to wait until Microsoft Entra External ID is ready for production use.
What is Microsoft Entra External ID
To put it shortly, Microsoft Entra External ID is a feature in Microsoft Entra ID (formerly known as Azure AD) for managing identities of users that are external to your own tenant, such as your customers. Currently (early November 2023), Microsoft Entra External ID is in public preview.
Currently, it looks like you can’t take an existing ME-ID tenant and turn on the External ID features in it. If you log in to entra.microsoft.com in your existing ME-ID tenant, you can open the view that allows you to create a customer user, i.e. an external user. But the creation fails when you try to create the user. It fails even if you enable external user collaboration in that tenant. Remember, Microsoft Entra External ID is still in public preview, so this might be something that will change in the future.
Even if this changes in the future, I would say that it is a good thing to keep your external users in a separate tenant. Having a Microsoft Entra ID tenant as a security boundary between your employees and external users is a good thing.
Features Supporting Identity Management for External Users
So what features are there in Microsoft Entra External ID for external users that do not exist in Microsoft Entra ID (formerly known as Azure AD)? The list of features described below is not complete, but at least I have found them useful in previous assignments when creating identity solutions for users from outside one single organisation.
One of the key features you absolutely need to have is more flexible username options than you have in ME-ID. In ME-ID you can only have user accounts that use one of the domains registered with the tenant. Obviously that won’t cut it when creating user accounts for your customers or other external users. In Microsoft Entra External ID you can create user accounts using any e-mail address. You can also use more traditional usernames that don’t have to be e-mail addresses and can follow any naming convention you like. One very popular convention back in the on-prem days was the 5 + 3 convention – take the first 5 characters of your last name and append the first 3 characters of your first name. For me, that would be BerglMik.
Another very useful feature I have found myself using in most of the external user identity assignments I’ve worked on is the ability to augment the identity token with custom claims. In Azure AD B2C, this required you to write custom policies. And to create custom policies, you need to write a lot of XML. And I mean a lot. In Microsoft Entra External ID you don’t have to do that anymore. You just configure the URL of the HTTP endpoint that returns your custom claims, and you’re done! That’s a huge improvement!
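As an added illustration (not code from the article or from Microsoft), here is the core of such a claims endpoint in Python: it checks the callout before trusting it and answers with claims taken from its own data rather than from the request. The event and response shapes, the tenant id and the profile store are assumptions on my part, drawn from my reading of the custom authentication extension docs.

```python
# Event and response shapes follow my reading of the Microsoft docs for custom
# authentication extensions (onTokenIssuanceStart), not this article; check them
# against the current docs before relying on them.
EVENT_TYPE = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id

# Constructed stand-in for the profile store (CRM, database) the endpoint would query.
PROFILE_STORE = {"user-guid-0001": {"customerTier": "gold", "customerNumber": "C-1001"}}


def validate_callout(body):
    """Return an error string for a callout to reject, or None if it is acceptable."""
    # The bearer token Entra presents on the HTTPS call must already have been
    # validated by the hosting framework before this function runs.
    if body.get("type") != EVENT_TYPE:
        return "unexpected event type"
    data = body.get("data") or {}
    if data.get("tenantId") != EXPECTED_TENANT_ID:
        return "callout is not from the expected tenant"
    return None


def build_claims_response(body):
    """Map the signing-in user to claims; the user id is only a lookup key."""
    error = validate_callout(body)
    if error:
        raise ValueError(error)
    user = (body["data"].get("authenticationContext") or {}).get("user") or {}
    profile = PROFILE_STORE.get(user.get("id"), {})
    # Claim values come from server-side data only; nothing from the callout is echoed back.
    claims = {"customerTier": profile.get("customerTier", "none")}
    if "customerNumber" in profile:
        claims["customerNumber"] = profile["customerNumber"]
    return {"data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
        "actions": [{
            "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
            "claims": claims,
        }],
    }}


# Constructed sample callout, trimmed to the fields the code above reads.
SAMPLE_CALLOUT = {
    "type": EVENT_TYPE,
    "data": {"@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
             "tenantId": EXPECTED_TENANT_ID,
             "authenticationContext": {"user": {"id": "user-guid-0001"}}},
}
```

The returned dictionary is what the endpoint would serialise as the JSON body of its HTTP 200 response.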
Custom User Flows
Then there’s one more thing that I find pretty useful in cases that involve identities for external users. That is the possibility to create custom user flows for things like signing up, signing in and self-service password changes. In ME-ID you have the flows you have, and they provide a very limited amount of flexibility. In Microsoft Entra External ID user flows you can customize, for instance, the following.
- Select how users sign in
- Add custom attributes
- Specify what attributes to collect during sign-up
- Add custom authentication extensions
- Customize translations
You also have some limited ways to modify the fields for collecting user attributes, and to specify whether a field is required or not.
Comparing Microsoft Entra External ID to Azure AD B2C
All in all, I think Microsoft Entra External ID is moving in the right direction compared to Azure AD B2C. There are two main reasons why I think so.
No More XML
First of all, you don’t have to write a huge amount of XML to resolve common use cases. And I hope things stay like that too! At least for me, the feature set in Microsoft Entra External ID is enough, already in the preview stage. I can’t think of a single project with external identities that I have worked on that we could not have implemented with Microsoft Entra External ID. Sure, there are things that would have been nice to have. But none of them would have been a deal-breaker.
An Actual Microsoft Entra ID Tenant
The second thing that makes Microsoft Entra External ID so interesting is that it is an actual Microsoft Entra ID tenant. This was not the case with Azure AD and Azure AD B2C. This means that you have exactly the same features available for external users as you have for your employees. This brings up a few interesting use cases. Let’s say you are starting up a company and create a tenant to host your employees’ user accounts. What if you create this tenant as a Microsoft Entra External ID tenant? If you then provision Microsoft 365 services like Outlook, SharePoint and Teams to this tenant, can your customer users then use these services just like your employees?
I guess that should be possible, at least on an academic level, since the authority is exactly the same tenant. Needless to say, this will most certainly create some very weird scenarios. I still think that it is best to keep your external users in a separate tenant, but this is an interesting idea, to say the least. I will have to look into this a bit deeper in a future article.
UI Customization Still Missing
However, there is one feature currently missing in Microsoft Entra External ID that I really liked in Azure AD B2C. That is customizing the UI. In Azure AD B2C you can completely define your own HTML to use in your user flows. The only requirements for that HTML are that it is publicly available on the Internet and that it contains a <div id="api" /> element. That element is a placeholder where Azure AD B2C injects its own markup. This feature does not exist in Microsoft Entra External ID. The only way to customize your UI is to use branding features similar to those you have in ME-ID. I hope that the custom UI feature comes to Microsoft Entra External ID some day. But I can live without it too.
Below are some links that you might find useful when researching more about Microsoft Entra External ID.