You can totally set up an app to authenticate with multiple directories.
Set up one Azure AD that will be used by employees, where partners can be added through B2B. Then also set up a B2C directory for the customers.
On your app side you need to display a choice for the user: whether they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in each directory.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to set up multiple OpenID Connect middleware. None of them can use AutomaticChallenge, as you do need to know where to redirect the user; you can't really choose for them.
Update: B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenID Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
- Create a B2C tenant with custom policy for employee/partner login through Azure AD
- Send all users to authenticate with your B2C tenant
- Users can choose if they want to sign in with social accounts or if they are an employee or partner
- If they choose to sign in as employee or partner, they would be redirected to your Azure AD
- In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info
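The two-directory setup from the first part of the answer, as an added example (not the answerer's code): an ASP.NET Core 6+ `Program.cs` registering one OpenID Connect scheme per directory with no default challenge scheme (the modern equivalent of leaving AutomaticChallenge off), so the app challenges the scheme the user picked. Tenant ids, client ids and the policy name are placeholders, and the `Microsoft.AspNetCore.Authentication.OpenIdConnect` package is assumed to be referenced.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example, not from the original answer.
// Registers two OpenID Connect schemes, one per directory, and sets no default challenge
// scheme, so the app must pick the scheme explicitly after the user makes a choice.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // Sign-in state lives in the cookie. Deliberately NO DefaultChallengeScheme: an
    // anonymous user could belong to either directory, so the app cannot choose for them.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("AzureAD", options =>
{
    // Employees and B2B partners (placeholder tenant and client id).
    options.Authority = "https://login.microsoftonline.com/<employee-tenant-id>/v2.0";
    options.ClientId = "<azure-ad-app-client-id>";
    options.CallbackPath = "/signin-aad";   // must differ per scheme
})
.AddOpenIdConnect("B2C", options =>
{
    // Customers: B2C tenant with a sign-in policy (placeholders).
    options.Authority = "https://<b2c-tenant>.b2clogin.com/<b2c-tenant>.onmicrosoft.com/<policy-name>/v2.0";
    options.ClientId = "<b2c-app-client-id>";
    options.CallbackPath = "/signin-b2c";
});

var app = builder.Build();
app.UseAuthentication();

// The user-facing choice: each link starts a challenge against exactly one scheme.
app.MapGet("/", () => Results.Content(
    "<a href='/login/AzureAD'>Employee or partner</a> | <a href='/login/B2C'>Customer</a>",
    "text/html"));

// Only the two registered scheme names are accepted, so a crafted link cannot start
// a challenge against an unexpected or unregistered scheme.
app.MapGet("/login/{scheme}", (string scheme) =>
    scheme is "AzureAD" or "B2C"
        ? Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }, new[] { scheme })
        : Results.BadRequest("Unknown sign-in scheme."));

app.Run();
```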