Some thoughts on CIAM External ID and Azure AD B2C

Rory Braybrook
The new control plane
4 min read, May 30, 2023
[Image: the word “CIAM” (Logo_CIAM.jpg, from Wikimedia)]

CIAM External ID was announced at Build and is currently in public preview.

CIAM (Customer IAM) is the successor to Azure AD B2C.

And, of course, I then got a million questions about the future of B2C, so I decided to write this post.

Note that the product has just been announced, so I may have some things wrong, and everything here is my personal opinion. I will update this post as things get clearer.

Links

Some useful links:

What is CIAM?

Entra External ID is described as per this preview announcement:

“Microsoft Entra External ID is our next-generation customer identity and access management platform that represents an evolutionary step in unifying secure and engaging experiences across all external identities, including customers, partners, citizens, and others within a single, integrated platform”.

It has flows for sign-up/sign-in and password reset; you can authenticate with email/password, email/OTP, Facebook, Google and SAML, and you can customise the UI look and feel.

It also supports MFA (via Conditional Access) and Identity Protection.

So does that mean B2C is dead?

Absolutely, definitely not!

Compare this with what happened with ADFS: the last release of ADFS shipped with Windows Server 2019, and there have been no updates since then.

But it is still supported, you can still raise support tickets against it, you can still install and run it, and it still gets security patches.

B2C will be supported the same way.

“Azure AD B2C is our current generation customer identity and access management product. Azure AD B2C will continue to remain a fully supported customer solution. There are no requirements for customers to migrate at this time and no plans to discontinue our current B2C product. Microsoft is committed to continued investment in the Azure AD B2C product”.

Are B2C and CIAM equivalent?

Not yet.

As one example, although they both have user flows, CIAM does not currently have a “custom policy” option in the sense of a “programmable” workflow.

However, you can add custom authentication extensions to CIAM.

You can also use RBAC.

Why CIAM?

B2C was a separate tenant, and you couldn’t use any of the Azure AD features unless they were migrated to B2C, e.g. conditional access. Groups are a good example of an Azure AD feature that is not supported in B2C.

CIAM sits inside B2C as an external identity. That way, it inherits all the goodness of Azure without anything being migrated.

Microsoft refers to Azure AD workforce scenarios and CIAM customer scenarios in the documentation.

“A workforce tenant contains your employees and the apps and resources that are internal to your organisation. If you’ve worked with Azure Active Directory, a workforce tenant is the type of tenant you’re already familiar with. You might already have an existing workforce tenant for your organisation.

In contrast, a customer tenant represents your customer-facing app, resources, and directory of customer accounts. A customer tenant is distinct and separate from your workforce tenant. A customer tenant is the first resource you need to create to get started with Azure AD for customers. To establish a CIAM solution for a customer-facing app or service, you create a new customer tenant”.

Didn’t Azure AD already have external identities?

Yes, but that was for B2B — guest accounts — inside the Azure AD tenant.

“B2B Collaboration remains generally available today. It lives in the same location on the Microsoft Entra admin portal within the Workforce tenant.”

CIAM sits inside a “different” tenant separate from the company and guest accounts.

Where now for custom policies?

Good question!

There was a lot of feedback around the steep learning curve and the lack of a decent debugging flow for the Identity Experience Framework (aka custom policies).

My guess is that the CIAM version of custom policies will not use XML: the back end will be API based (much the same as e.g. “ReadByObjectID” is in a custom policy today), possibly using custom extensions, with a front end built around some kind of point-and-click workflow.

In other words, some kind of low-code approach?

Can you migrate using a utility from B2C to CIAM?

Not at the moment.

This is a key requirement.

Nobody has the time or budget to redo all the thousands of user and custom policies out there!

People only started migrating from ADFS to Azure AD when Microsoft provided some really good reporting and migration tools, e.g. this ADFS relying party can be migrated, and here’s a PowerShell script to do it.

Hopefully, Microsoft will do something similar with B2C.

Should we go ahead with new custom policy development?

Yes, as above, B2C is not going to disappear any time soon.

Or should we start using CIAM now?

Have a read of the above documents. If that fits your use case, by all means, have a go. Just remember that it is still in public preview, not GA, so that affects the SLA etc.

FAQ

The FAQ is here.

See also

There is a comparison of the two products here.

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5