Azure AD B2B vs B2C vs External Identities – differences, security features, pricing, examples

Channel: unknown

[0]
I'm getting a lot of questions - what's better, Azure AD B2B or Azure AD B2C?
[6]
When to use which service?
[8]
In this video, I will explain all the differences between Azure AD
[12]
B2B, B2C, and then the new kid on the block, which is External Identities.
[17]
This video will be a guide through the options, differences, real-world
[22]
scenarios, pricing, and more.
[24]
Let's dive in.
[30]
Hello, I'm your host in this video, Tomasz Onyszko.
[33]
I'm a CTO of Predica.
[35]
If you are new to this channel, Predica is a consulting services company.
[39]
We are delivering reliable services on the Microsoft cloud.
[43]
If you want to see more of our content and do not miss
[45]
anything, remember - subscribe.
[47]
Let's dive into our topic.
[49]
I'm assuming you're familiar with the Microsoft cloud.
[52]
In case you are new to it, first, what is Azure AD?
[56]
Azure AD is basically a service underneath all Azure services, delivering
[62]
authentication, authorization, and access control across all Azure services.
[67]
Many of you will be familiar with Azure AD, let's call it Enterprise.
[71]
So, this is the service which is underneath Office
[74]
365 and access to the Azure cloud.
[77]
This is what corporations are using, companies like
[79]
ours, yours, and many others.
[82]
So, this is the base, the foundation of Azure identity, authentication and
[87]
access control - Azure AD.
[89]
But you might have heard different terms, like Azure AD B2B or Azure AD B2C.
[96]
What are those?
[98]
So, we have this basic service Azure AD, which is for companies.
[102]
And then, sometimes, companies have a need to invite somebody from an external entity.
[109]
So, you want to get a guest into your account.
[111]
You want to invite somebody from another company to your
[115]
Teams, SharePoint, Azure cloud.
[117]
You can do it in two ways.
[119]
You can create an account for him or her in your organization, as a standard
[124]
user, or you can use a function of Azure AD, which is called Azure AD B2B.
[130]
So, first fact, Azure AD B2B is not a separate service, it's a
[135]
function of Azure AD for companies.
[139]
What it allows you to do is to use something from the external world, like accounts
[146]
from another Azure AD tenant, a Google account, or another provider,
[151]
to invite someone to your tenant.
[153]
And then, you can grant access, control this user's behavior, permissions and so on.
[159]
So, Azure AD B2B is a service, a function in Azure AD, which
[165]
allows your organization to invite external guests to your tenant.
[170]
Now, standard Azure AD is attached to an organization; what does that mean?
[177]
So, in normal Azure AD, you have to be a corporate user.
[181]
You are using a corporate name, for example @predicagroup.com.
[186]
So, you are using the domain of this organization.
[190]
An Azure AD B2B user is within this organization.
[194]
But, what if you want to create an application for your customers?
[198]
So, let's say you want to create an internet store, an e-commerce site, a website
[203]
for patients in healthcare, or to handle the inflow of workers in your stores.
[210]
You don't want those people to be part of your organization, but you
[213]
want a reliable authentication service.
[216]
And this is exactly what Azure AD B2C is.
[220]
The biggest difference between Azure AD and Azure AD B2C is that
[224]
Azure AD B2C is a service directly for applications, to create a secure
[230]
authentication directory for applications.
[234]
It is not attached to any organization.
[237]
Of course, you manage it, but you can register users with their email
[242]
addresses; actually, you can use a phone number to register a user.
[246]
You can allow self-registration for a user.
[249]
So, a user can sign up to your application and basically you are free to shape the
[254]
way this authentication flow goes.
[257]
So, you're free to create different user journeys, as we call them.
[261]
You can use social providers, you can allow people to use Facebook,
[264]
Google, Twitter, or WeChat accounts to access your application.
[268]
First distinction: Azure AD is for Office 365, the Azure cloud,
[273]
organizations, companies.
[275]
This is a corporate directory.
[278]
Azure AD B2C is a separate service, available in Azure, which allows you
[284]
to create a secure authentication directory for applications, but
[288]
it's not attached to your company.
[290]
It might serve any application.
[292]
What is important to understand is that underneath, they are
[296]
using the same technology.
[297]
So, you are getting the scale and security of Azure AD for your applications, using
[302]
Azure AD B2C, for a fraction of the cost.
[304]
So, the distinction between Azure AD and Azure AD B2C seems simple, but Microsoft
[310]
decided to make it a bit more complicated.
[313]
Not to complicate your life, but because there is a business need for
[317]
it, and they created something which is called Azure AD External Identities.
[321]
I know, it's a mouthful.
[323]
So, what is Azure AD External Identities?
[325]
Simple scenario.
[326]
You are an organization, so let's say you run a school.
[329]
You have a single application, let's say a lesson diary, and you want to
[336]
invite the parents of the kids to this application, but you don't want to
[339]
create all those accounts for them.
[340]
They are not working for you.
[342]
They are not registered in your HR.
[344]
You don't know who they are, but you want to allow them to self-sign up and
[348]
self-register for this application and control the way they sign in.
[353]
And this is exactly where Microsoft decided to merge a bit of Azure AD
[357]
B2C with Azure AD, this corporate directory, and created something which
[362]
is called Azure AD External Identities.
[365]
Lost?
[367]
I hope not, but in a moment I will explain it with a practical example.
[372]
What is the typical first step in application development?
[375]
What do people do when they start to develop a new application?
[379]
They create a user table.
[381]
So, that's my experience.
[383]
They create a user table and create passwords there, and they take on all
[388]
the trouble of keeping it secure, doing notifications in the proper way, and so on.
[393]
The services we are talking about are targeted to replace that.
[396]
So, instead of doing it yourself, you are basically using a ready service to authenticate,
[401]
store and secure your users' passwords.
[404]
Now, how to decide in which scenario to use which service?
[407]
Let's take a school.
[408]
I mentioned this before.
[409]
So, if you think about the school, there are employees and there are
[415]
teachers and there are students and they are all part of the same organization.
[421]
There's a pretty good chance right now that your kids, the same as my kids,
[426]
are using Office 365 for home schooling, which creates all kinds of different
[430]
problems, but they all use Azure AD to connect to their school environment.
[436]
They are using Teams, they are using SharePoint, they
[438]
use different applications and it's all powered by Azure AD.
[442]
So, what if the school wants to bring in a guest teacher from another school?
[448]
If this other school is using Office 365, they can use Azure AD B2B to invite
[454]
this teacher into their environment.
[456]
So, the teacher has only one set of credentials and there is full SSO
[460]
between those tenants; the teacher is invited, there is an object created
[465]
in Azure AD for this guest user.
[468]
And then, he or she can access this environment, can participate in
[473]
the lesson, can access the files from SharePoint, can access any
[477]
application to which access was granted.
[479]
It is not a requirement for the other side to have Office 365, because Azure AD B2B
[485]
also supports Gmail accounts and other providers.
[488]
So, the scenario is that the organization wants to invite somebody
[493]
to participate in this organization.
[495]
And this is Azure AD B2B.
[497]
Now, what if the school wants to create a site for, let's say, a contest
[502]
on artworks and they want to make it public: anyone can sign up for this 4-day
[509]
contest and submit their artwork.
[513]
So, they might create it in their Azure AD tenant, but the limitation will be that
[519]
they will have to create an account for every person who is signing up for this contest.
[524]
So, instead of using Azure AD, they can create a separate service, Azure AD B2C,
[530]
and allow people from all around the world to sign up for this application.
[535]
And then, they can have a branded website with a signup flow, with
[540]
a logo, they can use multifactor authentication, they can allow them to
[544]
sign up with their own private emails and they can allow them, for example,
[549]
to use a Facebook account or Gmail.
[551]
So, this is a B2C application.
[554]
So, the difference is that they create something to be used outside of the
[557]
organization for a general audience.
[560]
And this is Azure AD B2C.
[562]
But, what if the school has an application for parents?
[567]
Let's say a lesson diary, and they want to allow people to use their own
[572]
emails or Facebook accounts, whatever, to access this application, but they
[577]
want to maintain full control of it, based on corporate standards.
[581]
So, this is where Azure AD External Identities kicks in, because it gives
[586]
you the abilities of Azure AD B2C, to be used within your directory.
[590]
To simplify it, Azure AD is for people who are in your organization, you have
[596]
a relationship with them, they are employed, they're on your payroll,
[600]
they are enrolled into your class.
[602]
Azure AD B2B is a function of Azure AD, which allows your organization
[607]
to invite external people.
[609]
Think guest teacher, external contractor, somebody from different organization,
[615]
temporarily working for you, within the context of your organization.
[618]
This is Azure AD B2B.
[620]
Azure AD B2C is for applications from your organization, but targeted
[626]
for general users, consumers.
[628]
Think e-commerce, websites, e-learning, all those scenarios.
[633]
And Azure AD External Identities is a mix of Azure AD with Azure AD B2C,
[640]
because it allows general access of people to an application within
[644]
the control of your organization.
[646]
Why would you want to use Azure AD or Azure AD B2C, instead of creating your
[652]
standard username and password table?
[655]
Let's talk security features.
[657]
Azure AD comes with a lot of security features, and talking about Azure
[663]
AD, Azure AD B2C and B2B, remember, it's the same technology underneath.
[669]
So, taking on Azure AD, you are getting a lot of security technology baked in.
[676]
And when you think about standard Azure AD usage in an organization, you
[680]
think about multifactor authentication, conditional access, security risk and
[686]
so on, the entire access control; when you are inviting somebody through
[691]
Azure AD B2B, you take advantage of it, because you can use multifactor
[695]
authentication on this user, you can use conditional access to secure access and
[701]
control the access of those guest users.
[703]
And there are really advanced features you can get to control what they
[707]
have access to and also to control the life cycle of those users.
[711]
Because, if you are lucky enough to have a higher level of license, Azure AD P2
[718]
or, as some of you might know it, E5, then you have a feature called Access Review,
[723]
which actually allows you to review the access of guest users and automatically
[727]
block their access if they are losing it.
[729]
So, with Azure AD B2B, the advantage is that you're using the same familiar
[735]
controls, like conditional access, MFA, access policies, to control
[740]
external people using other Office 365 accounts, Microsoft accounts or Google.
[747]
Now, with Azure AD B2C, the technology underneath is the same, but the set
[751]
of features is different, because the usage of this technology is different.
[756]
So, the basic security feature has always been multifactor authentication.
[762]
When you get an Azure AD B2C tenant out of the box, it supports
[767]
multifactor authentication for users, using SMS messages or
[772]
email messages; with a little work on an extension, which is well documented and
[776]
available on GitHub, you can get authenticator app support, and so on.
[782]
Recently, Microsoft extended Azure AD B2C with similar features like Azure AD.
[789]
So, in the past, there was only one version of Azure AD B2C.
[793]
Right now, we have a version P1 and P2, and P2 brings the same set
[799]
of security features as Azure AD, or similar, to Azure AD B2C, so we are talking
[805]
about risk control, we are talking about adaptive access control, and so on.
[810]
Azure AD, in all flavors, corporate, B2B, B2C, delivers
[815]
you a set of security features.
[817]
Basic ones, like MFA, are free in Azure AD; in Azure AD B2C you actually have
[824]
to pay a bit for it if you are using SMS as multifactor authentication, but
[829]
if you decide to use an authenticator app and do a bit of development
[833]
around that, that's free as well.
[835]
But there are higher security features in both services, so if you decide that
[839]
you need advanced identity protection features, there is a price tag on it.
[845]
Which brings us to a favorite topic of all cloud services, which is price.
[851]
A typical B2B pricing model was attached to the standard Azure AD users.
[857]
So, for every licensed Azure AD user, you can bring five
[861]
B2B guests into your directory.
[863]
That's simple to count.
[865]
Now, the thing is a bit different if you think about Azure AD B2C.
[869]
And the same pricing is for External Identities in Azure AD, because there,
[875]
we pay for a monthly active user.
[878]
What is a monthly active user?
[879]
It is a user who is using the service within the billing period, which is
[884]
a month; regardless of how many times this user has authenticated, you pay
[889]
only once for one active user per month.
[892]
Example: you might have a million users in your Active Directory
[897]
B2C, but if only 10,000 of them use the application - you pay zero.
[903]
Now, you're getting a free tier of 50,000 monthly active users.
[909]
So, in Azure AD B2C, for up to 50,000 users, active within
[914]
the month, you're paying zero.
[917]
If you're above it, you're paying a fraction of a dollar for each user, but
[922]
again, not a stored user, not a registered user, but a user who is actually using
[927]
your application and generating business.
[929]
So, let's do a quick math.
[932]
What does it cost to run a service with Azure AD B2C and 100,000
[939]
monthly active users on the P1 version?
[942]
This is the base version without those advanced security features.
[946]
And it is a whopping 162.50 dollars.
[950]
So, 162.50 for 100,000 monthly active users.
[958]
If you decide to use the advanced features, the P2 version of Azure AD B2C,
[964]
then it will cost you around 812 dollars.
[969]
So, let's imagine that your application is really successful and you have half
[974]
a million monthly active users, which means you probably have 18 or 10 million
[980]
registered users; this means you will pay around 1,500 dollars per month to
[986]
Microsoft for handling half a million active users in your directory, monthly.
[993]
If you ask me, it's pretty cheap, because otherwise you need to
[997]
do all those things on your own.
[1001]
Quick pricing summary.
[1002]
Azure AD B2B is based on the licensed users, one licensed user
[1007]
in your Azure AD, five guests.
[1010]
Azure AD B2C and External Identities are based on the monthly active users,
[1015]
50,000 users within the billing period are free; above that, you're paying for
[1022]
additional active users within the month.
[1025]
That's simple.
[1026]
We have Azure AD for organization.
[1029]
That's what you use for Office 365 and Azure cloud access.
[1035]
Within this Azure AD, you have a function which is called Azure AD B2B.
[1040]
It allows you to bring external people into your organization without creating
[1045]
separate accounts for them; they can use Office 365 accounts, Google or other providers,
[1050]
check the options in your Azure AD.
[1052]
Azure AD B2B is billed based on the number of licensed users.
[1058]
For every one licensed user from your organization, you can bring five guests.
[1063]
A separate service is Azure AD B2C.
[1065]
Azure AD B2C is a directory for applications.
[1070]
It is not attached to your organization.
[1072]
People can use their private emails to sign up.
[1075]
They can use their phones or social media accounts, like Facebook,
[1079]
Google, WeChat, Twitter, many others.
[1082]
You have total control over how you will authenticate, how it will
[1087]
look, what the process of authentication will be within Azure AD B2C.
[1092]
You can customize it.
[1094]
Azure AD B2C is billed on monthly active users.
[1098]
So, you're paying only for users who are using the directory within the
[1103]
billing period, and 50,000 users each month or billing period are free.
[1110]
And a mix of Azure AD B2C for an organization is called
[1114]
Azure AD External Identities.
[1116]
The use case for it is that you want to create an application
[1119]
which you have total control over from your Azure AD, but you want to
[1124]
invite people from the outside, you want to allow them to self-sign up.
[1128]
Think about parents in the school, or people applying
[1132]
for work within your company.
[1134]
This is Azure AD External Identities.
[1137]
It's the same or similar set of features as Azure AD B2C.
[1140]
It has a similar billing model.
[1144]
So, it's based on monthly active users.
[1146]
And again, 50,000 of those are free.
[1149]
I hope I answered all the questions you had about Azure AD, Azure AD B2B, B2C,
[1155]
External Identities and differences.
[1157]
If you have more, leave a comment and I will follow up and answer the questions,
[1162]
or maybe we'll do a second video on that.
[1165]
Please, remember to subscribe, using this little button underneath
[1168]
the video, because we are going to follow up with more videos like this.
[1173]
If you have any suggestion about the topic, leave it in the comments;
[1176]
all the links to the documentation, pricing and more are underneath
[1181]
the video in the links section.