active directory - how to federate between Azure B2B and B2C

Question

We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.

We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.

Thanks In Advance

Answer 1

You can totally setup an app to authenticate with multiple directories.

Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.

On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.

You'll need to define the app twice, once in both directories.

The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.

---

Update to B2C allows you to do it all from there now

Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.

This new feature allows you to:

1. Create a B2C tenant with custom policy for employee/partner login through Azure AD
2. Send all users to authenticate with your B2C tenant
3. Users can choose if they want to sign in with social accounts or if they are an employee or partner
4. If they choose to sign in as employee or partner, they would be redirected to your Azure AD
5. In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info