Confusion around B2B with Entra External ID for customers (CIAM)

Rory Braybrook
The new control plane
4 min read · Feb 9, 2024
Image: head-spinning icon (confusion), from Wikimedia

Microsoft Entra External ID has two parts to it:

  • External ID for customers (CIAM), which lives in its own external tenant
  • Entra ID B2B collaboration, which lives in a workforce (Entra ID) tenant

The confusion exists around the self-service sign-up user flow, which both of them offer.

Entra ID B2B is the classic B2B collaboration, where external users are added via an invite.

Image of “Invite external user” page

These users have a “User type” of “Guest” (as opposed to the usual “Member”), e.g.

Image of “User type” = Guest

or:

Image of “User type” = Guest

If you are in an Entra ID tenant and navigate to “External identities / User flows”:

Image of B2X page

you will see that the user flow name starts with “B2X”, and one of the tabs is “API connectors”.

Refer to this for B2B collaboration.

If you are in an Entra External ID for customers (CIAM) tenant and navigate to “External identities / User flows”:

Image of “User flow” page

you will see that the user flow name has no prefix, and one of the tabs is “Custom authentication extensions”.

Refer to this for CIAM.

Make sure you are in the right tenant 😄.
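The same question applies on the application side: the ID token your app receives tells you which kind of tenant issued it. The following Python is an added example, not code from this post or from the MSAL samples it uses. It assumes the documented issuer formats (sts.windows.net for v1.0 workforce tokens, login.microsoftonline.com/<tid>/v2.0 for v2.0 workforce tokens, <tenant>.ciamlogin.com/<tid>/v2.0 for External ID for customers, and <tenant>.b2clogin.com/<tid>/v2.0/ for B2C); the tenant IDs and tokens in it are made up. It decodes claims without verifying the signature, which is fine for inspection but never for authorization.

```python
import base64
import json
import re

# Documented issuer formats for the tenant types compared on this page.
# The named group "tid" is the tenant ID embedded in the issuer path.
ISSUER_PATTERNS = [
    ("workforce (v1.0 token)",
     re.compile(r"^https://sts\.windows\.net/(?P<tid>[0-9a-f-]{36})/$")),
    ("workforce (v2.0 token)",
     re.compile(r"^https://login\.microsoftonline\.com/(?P<tid>[0-9a-f-]{36})/v2\.0$")),
    ("External ID for customers (CIAM)",
     re.compile(r"^https://(?P<sub>[a-z0-9-]+)\.ciamlogin\.com/(?P<tid>[0-9a-f-]{36})/v2\.0$")),
    ("Azure AD B2C",
     re.compile(r"^https://(?P<sub>[a-z0-9-]+)\.b2clogin\.com/(?P<tid>[0-9a-f-]{36})/v2\.0/?$")),
]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying it.

    For inspection only: a real app must validate signature, issuer and
    audience (MSAL / Microsoft.Identity.Web do that for you).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def tenant_kind(claims: dict) -> str:
    """Classify the issuing tenant from 'iss', cross-checked against 'tid'."""
    iss = claims.get("iss", "")
    tid = claims.get("tid")
    for kind, pattern in ISSUER_PATTERNS:
        match = pattern.match(iss)
        if not match:
            continue
        if tid and tid != match.group("tid"):
            return f"mismatch: iss names tenant {match.group('tid')} but tid is {tid}"
        return kind
    return "unknown issuer"


def make_unsigned_token(claims: dict) -> str:
    """Build a header.payload. token with an empty signature (local demo only)."""
    header = {"alg": "none", "typ": "JWT"}
    return (f"{_b64url_encode(json.dumps(header).encode())}."
            f"{_b64url_encode(json.dumps(claims).encode())}.")


# Made-up tenant IDs and tokens (assumption: placeholders, not from the post).
WORKFORCE_TID = "11111111-1111-1111-1111-111111111111"
CIAM_TID = "22222222-2222-2222-2222-222222222222"
SAMPLE_TOKENS = {
    "workforce": make_unsigned_token(
        {"iss": f"https://login.microsoftonline.com/{WORKFORCE_TID}/v2.0", "tid": WORKFORCE_TID}),
    "ciam": make_unsigned_token(
        {"iss": f"https://{CIAM_TID}.ciamlogin.com/{CIAM_TID}/v2.0", "tid": CIAM_TID}),
}

if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        print(f"{name}: {tenant_kind(decode_claims(token))}")
```

If your app is configured against a workforce authority but the token's issuer is a ciamlogin.com one (or the other way round), the fix is the authority in the app's configuration, not the user flow.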

Self-service sign-up in the Entra ID tenant

In the Entra ID tenant, download one of the MSAL samples. I downloaded the .NET Core sample and used the single-tenant one.

I created an app registration for “My organisation only” (single tenant) and enabled ID tokens to be returned.

I created a user flow with “Email OTP” (email one-time passcode) as the identity provider and added some user attributes.

You need to link the user flow to the application:

Image of “Use / Applications”

In “External collaboration settings”, ensure self-service sign-up is turned on:

Image of “Enable guest self-service sign up via user flows” choice

Run the application:

Image of “Sign in” page

Click the “No account? Create one” link.

Image of “Create account” page

I entered a Gmail address and clicked “Next”.

Image of “Enter code” page

I entered the code and accepted the terms in the consent screen.

Image of “Add more details” page

I was successfully logged in.

Image of signed-in application page

And I can then sign in with that guest account.

Image showing “User type” = Guest

Conclusion: Self-service sign-up in an Entra ID tenant creates a Guest account.

Self-service sign-up in an Entra External ID for customers (CIAM) tenant

Remember: Access the portal via “entra.microsoft.com”.

I used this Microsoft.Identity.Web sample.

The configuration is as per this post.

Image showing “Sign in” page

Click “No account? Create one”.

Image showing “Create account” page

I used a Gmail address.

Image showing “Enter code” page

Enter the code and click “Next”.

Image showing “Add details” page

Enter the details, click “Next”, and then accept the consent.

You are now signed in.

Image showing application signed-in page

And I can then sign in with that account and password.

Conclusion: Self-service sign-up in an Entra External ID for customers (CIAM) tenant creates a Member account.

(In B2C terms, you can think of this as a “Local” account created by a B2C sign-up policy.)

Notes

Note that the same user (the same Gmail address) now exists in both tenants, as two different accounts.

In the Entra ID tenant, the UPN is:

user_gmail.com#EXT#@tenant.onmicrosoft.com

In the Entra External ID for customers tenant, the UPN is:

71c…2f4@tenant.onmicrosoft.com

What about invites in the Entra External ID for customers tenant?

The user is created as a Guest account.
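To check these conclusions against a tenant rather than by eye, the following Python is an added example (not code from this post): it classifies Microsoft Graph user objects by userType and creationType, recovers the external e-mail address from a #EXT# UPN, and reports which external addresses appear in more than one tenant. The user objects are constructed to look like GET /v1.0/users output; the tenant names, addresses and GUID are invented, and the creationType values are assumed to match the Graph user resource documentation (null for a regular work or school account, Invitation, SelfServiceSignUp, EmailVerified, LocalAccount).

```python
from collections import Counter
from typing import Optional

EXT_MARKER = "#EXT#"

# Constructed sample objects, shaped like the result of
#   GET https://graph.microsoft.com/v1.0/users
#       ?$select=userPrincipalName,userType,creationType,mail,identities
# Tenant names, addresses and the GUID are invented (assumption, not from the
# post); creationType values are assumed to follow the Graph documentation.
WORKFORCE_TENANT_USERS = [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "userType": "Member",
     "creationType": None, "mail": "alice@contoso.onmicrosoft.com"},
    {"userPrincipalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "mail": "bob@partner.example"},
    # A Gmail self-service sign-up in the workforce tenant: Guest, #EXT# UPN.
    {"userPrincipalName": "jane.doe_gmail.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "creationType": "SelfServiceSignUp", "mail": None},
]
CIAM_TENANT_USERS = [
    # The same Gmail address after self-service sign-up in the customer tenant:
    # Member, local account, GUID-style UPN, sign-in e-mail kept in identities.
    {"userPrincipalName": "7d3b4b0c-0000-4000-8000-000000000001@contosocustomers.onmicrosoft.com",
     "userType": "Member", "creationType": "LocalAccount", "mail": None,
     "identities": [{"signInType": "emailAddress",
                     "issuer": "contosocustomers.onmicrosoft.com",
                     "issuerAssignedId": "jane.doe@gmail.com"}]},
    # An invited user in the customer tenant is still a Guest.
    {"userPrincipalName": "bob_partner.example#EXT#@contosocustomers.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "mail": "bob@partner.example"},
]


def external_email_from_upn(upn: str) -> Optional[str]:
    """Recover the external address from a B2B guest UPN.

    Entra builds it as <local>_<domain>#EXT#@<tenant>: the '@' of the external
    address becomes '_'. A mail domain cannot contain '_', so splitting on the
    last '_' before #EXT# is safe even when the local part has underscores.
    """
    if EXT_MARKER not in upn:
        return None
    local, sep, domain = upn.split(EXT_MARKER, 1)[0].rpartition("_")
    return f"{local}@{domain}" if sep else None


def classify_user(user: dict) -> str:
    """Map a Graph user object to one of the account kinds this post compares."""
    user_type = user.get("userType")
    creation = user.get("creationType")
    if user_type == "Guest":
        if creation == "Invitation":
            return "guest: B2B invitation"
        if creation == "SelfServiceSignUp":
            return "guest: self-service sign-up (workforce tenant user flow)"
        return "guest: other"
    if user_type == "Member":
        if creation == "LocalAccount":
            return "member: local account (External ID for customers sign-up)"
        if creation == "EmailVerified":
            return "member: self-service sign-up, email verified"
        if creation is None and EXT_MARKER not in user.get("userPrincipalName", ""):
            return "member: regular work/school account"
        return "member: other"
    return "unknown"


def sign_in_email(user: dict) -> Optional[str]:
    """Best-effort e-mail the person signs in with: identities, then mail, then UPN."""
    for ident in user.get("identities", []):
        if ident.get("signInType") in ("emailAddress", "federated"):
            return ident.get("issuerAssignedId")
    return user.get("mail") or external_email_from_upn(user.get("userPrincipalName", ""))


def audit(tenants: dict) -> dict:
    """tenants: name -> list of Graph users. Count account kinds per tenant and
    list external addresses that exist in more than one tenant."""
    counts = {name: dict(Counter(classify_user(u) for u in users))
              for name, users in tenants.items()}
    seen: dict = {}
    for name, users in tenants.items():
        for user in users:
            email = sign_in_email(user)
            if email:
                seen.setdefault(email.lower(), {})[name] = classify_user(user)
    shared = {email: where for email, where in seen.items() if len(where) > 1}
    return {"counts": counts, "shared_identities": shared}


if __name__ == "__main__":
    report = audit({"workforce": WORKFORCE_TENANT_USERS, "ciam": CIAM_TENANT_USERS})
    for tenant, kinds in report["counts"].items():
        print(tenant, kinds)
    for email, where in report["shared_identities"].items():
        print(email, "->", where)
```

Against a real tenant, replace the constructed lists with the paged result of that Graph query (Directory.Read.All or User.Read.All); the point of the shared_identities output is exactly the situation in the notes above, one Gmail address that is a Guest in the workforce tenant and a Member in the customer tenant.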

Summary

All good!

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5