RahulMetangale-9479 asked:

Azure B2B on-behalf flow

Hi All,

We were thinking of using Azure B2C, but we ran into a limitation where B2C does not support the on-behalf-of flow. An API generating a token on the user's behalf is very critical for some integrations. Since B2B can also store external users, I would like to know:
1. Is it a good strategy to store external users in B2B?
2. Will B2B support the on-behalf-of flow?

Any other suggestion that would allow us to use Azure B2C but support the on-behalf-of flow?


Tags: azure-ad-b2c, azure-ad-b2b

1 Answer

SaurabhSharma-msft answered:

Yes, the on-behalf-of flow is supported for guest users, but you need to keep in mind that guest accounts work for single-tenant applications only. Please refer to the documentation: Who can sign in. I also recommend that you refer to the Compare B2B collaboration and B2C in Azure AD documentation to learn more about applying appropriate features to your external identity scenarios.


(Please don't forget to accept helpful replies as answer)



Thank you Saurabh for your quick response.

I went through the links you shared and here is what I understood; please confirm if this is correct:

  • If guest users are going to use personal accounts, like Microsoft, Gmail, Facebook etc., then for any applications developed for those users I will have to use the Microsoft identity platform endpoint.

  • For internal organizational users stored in the same AD, and applications specifically developed for internal users, we will have a choice between v1.0 and the identity platform. So we can use either, but the recommended approach is to use the identity platform.

  • Azure B2B supports all the OAuth flows, like on-behalf-of and others, that are supported by AD and B2C, correct?

  • Any security issue that I should be aware of if we use B2B instead of B2C for external users, since external users are part of the Azure AD tenant rather than a separate tenant like B2C has? Or any documentation that you can suggest which can answer this question?


Thanks,
Rahul




@RahulMetangale-9479 Here are answers to your questions -

  1. No, I think you are a bit confused. If you are talking about guest users, then they are supported by the v1.0 endpoint as well. However, the Microsoft identity platform allows users to use their personal accounts to sign in. Users do not need to be a guest user of the tenant to use this endpoint.

  2. Yes, that is correct.

  3. Yes, you can also refer to the Scenarios and supported authentication flows documentation for details.

  4. I think you can refer to Microsoft identity platform best practices and recommendations, which can help guide you to a secure Azure AD integration.

(Please don't forget to accept helpful replies as answer)

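As an added example that is not part of this thread: the checks an API should run on a guest user's access token before performing the on-behalf-of exchange discussed above, and the token request it then sends to the tenant's v2.0 token endpoint. The tenant id, client id, secret and scope names are constructed placeholders, and signature validation of the incoming token is assumed to have been done already by the API's authentication middleware.

```python
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholder values; replace with your own app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"       # the single tenant the guests belong to
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # this API's app registration
API_CLIENT_SECRET = "<client-secret-placeholder>"
REQUIRED_SCOPE = "access_as_user"                        # delegated scope the API exposes

def validate_incoming_claims(claims: dict, now: Optional[float] = None) -> list:
    """Return the problems found in already signature-verified token claims.

    An empty list means the token is acceptable as the OBO assertion.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != API_CLIENT_ID:
        problems.append("aud: token was not issued for this API")
    if claims.get("tid") != TENANT_ID:
        # Guest (B2B) accounts only work with single-tenant apps, so a token
        # from any other tenant must not be exchanged on the user's behalf.
        problems.append("tid: token issued by a different tenant")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token has expired")
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        problems.append("scp: missing delegated scope %r" % REQUIRED_SCOPE)
    return problems

def build_obo_request(user_assertion: str, downstream_scope: str) -> tuple:
    """Return (token endpoint URL, form-encoded body) for an OBO exchange."""
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % TENANT_ID
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": API_CLIENT_ID,
        "client_secret": API_CLIENT_SECRET,
        "assertion": user_assertion,          # the validated incoming token
        "scope": downstream_scope,            # e.g. https://graph.microsoft.com/User.Read
        "requested_token_use": "on_behalf_of",
    }
    return url, urlencode(body)

if __name__ == "__main__":
    # Constructed claims for a guest user's token that passes every check.
    claims = {"aud": API_CLIENT_ID, "tid": TENANT_ID, "scp": "access_as_user",
              "exp": time.time() + 600, "idp": "live.com"}
    assert validate_incoming_claims(claims) == []
    print(build_obo_request("<incoming-token-placeholder>", "https://graph.microsoft.com/User.Read"))
```

The body is sent as a normal HTTPS POST; the downstream token comes back in the response's `access_token` field.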