question

YangGeorge-4082 avatar image
0 Votes"
YangGeorge-4082 asked YangGeorge-4082 edited

Application registration on AD vs B2C

Hi,

We have recently implemented Azure B2C for a single-page application; the users of this application are mixed with customers and employees, and the employee users get authenticated with Azure AD. It works out pretty well.

We have a few internal-facing applications that will be moved to Azure in the future. The decision point is where to register those internal-facing applications on Azure, Azure AD, or Azure B2C? Logically, the internal-facing applications should be registered on Azure AD since the user store is the Azure AD. However, with the federated Id sign-in option for employees on B2C, the internal-facing applications could also be registered on Azure B2C. Could we use one Azure service (B2C) to manage all our applications(customer and internal)? One advantage we see is to have only one Azure service and authorization server to support. One disadvantage is a duplicate charge for employees (both AD and B2C count as MAU, although the dup fee is very small). What are we missing if we register the internal-facing application on Azure B2C instead of Azure AD? What are the other pros and cons?

Have you seen similar case from other client?

Thanks,
George


azure-ad-b2c
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

soumi-MSFT avatar image
0 Votes"
soumi-MSFT answered YangGeorge-4082 commented

@YangGeorge-4082, Before coming to the exact asks from the query above, let me try to provide some architecture details about B2C and Azure AD. To start with, when a B2C tenant is created, it is actually an Azure AD tenant/directory that gets created and on top of that directory, the B2C engine sits and helps signup/signin and other user activities. Now when user signups for the first time in B2C, the user account actually gets created in the AAD tenant beneath B2C, and the same goes for the App registrations.

Now coming to the query, the first thing to note is, if your internal applications support OAuth, OIDC or SAML, they can be directly integrated with B2C and user from your org, when logging in can choose the federated signin to login to these apps. Consumers (external users) can use other social login IDPs to login in the respective apps.

Note: If I understand correctly, your internal-facing applications are published on Internet and support OAuth, OIDC or SAML protocols. If not, and if the apps still using legacy auth protocols like Kerberos, then you might have to use App Proxy and using App-Proxy you can get the apps published on the Internet, so that AAD can handle their auth requests. More details on App-Proxy can be found here.

Summary: If the internal facing apps are published on Internet and supports OIDC, OAuth and SAML protocols, you can use B2C. But since these apps are internal to your org, I would prefer using registering it in Azure AD rather than in B2C, as B2C is mostly for consumers.




· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

YangGeorge-4082 avatar image YangGeorge-4082 ·

Hi @soumi-MSFT,

Thank you for the answer. Our internal custom-built applications are SPA and support SAML. We hope to move to OIDC in the future.
We have built quite a bit of APIs that are shared by internal applications and external applications. We originally thought to use B2C as a single authorization token issuer to reduce the token validation complexity for API layers. Seems like there is no easy way for us to avoid the token validation complexity in the API gateway layer and the API implementation layer, no matter where the application is registered, AAD or B2C.

For registering applications with B2C, is there a limitation on graph API when the application needs to integrate with M365 applications like Teams, outlook365, etc. ? (Can B2C tenant application accesses AAD tenant resources?)

0 Votes 0 ·