Empowering Secure User Experiences with Microsoft Entra B2C


What is Entra B2C?

Azure Active Directory B2C (Azure AD B2C), now part of the Microsoft Entra product family and commonly referred to as Entra B2C, is Microsoft's cloud-hosted customer identity and access management (CIAM) service for securely managing external user identities and access across web and mobile applications. (Microsoft's newer CIAM offering, Microsoft Entra External ID, was previewed under the name "Microsoft Entra ID for customers"; the portal, endpoints and policies described on this page are those of Azure AD B2C.) Unlike Microsoft Entra ID (formerly Azure AD), which handles workforce identity, Entra B2C is purpose-built for external users such as customers, citizens, and partners.

Entra B2C lets organizations offer seamless, secure sign-up, sign-in, and profile management experiences using a wide array of identity providers (Microsoft, Google, Facebook, any OpenID Connect or SAML provider, and local accounts). It supports multi-factor authentication (MFA), custom user journeys, REST API integrations, and custom branding, making it highly flexible for consumer-facing apps.


Major Use Cases of Entra B2C

👥 Customer Identity Management for Web & Mobile Apps

  • Secure registration and login experiences for millions of consumers.
  • Support for multiple identity providers and local accounts.

🔐 Authentication & Authorization as a Service

  • Handle identity federation and access control without building in-house systems.
  • Offload password management, security updates, and compliance responsibilities.

🛡️ Multi-Tenant SaaS Applications

  • Serve customers from different organizations, allowing flexible branding and user flow customization for each tenant.

🌐 Government & Citizen Portals

  • Secure and compliant identity management for government services.
  • Enable social and government ID federation.

📱 Brand-Centric, Customizable User Journeys

  • Customize UI/UX of login flows using HTML/CSS/JavaScript.
  • Create advanced workflows with Conditional Access, MFA, and REST API integration.

How Entra B2C Works (Architecture Overview)

Entra B2C is built on Microsoft’s global, highly available Azure infrastructure. It integrates with your apps via industry-standard protocols like OAuth 2.0, OpenID Connect, and SAML. Here’s how its architecture breaks down:

🔧 Core Components

  1. Identity Providers (IdPs):
    • External providers: Google, Facebook, Microsoft, GitHub, etc.
    • Local accounts: Email/password or username/password stored in the B2C directory.
    • Custom IdPs via OpenID Connect (supported in user flows) or SAML (requires custom policies).
  2. User Flows & Custom Policies:
    • User Flows: Pre-configured templates for common actions (sign-up, sign-in, password reset).
    • Custom Policies: XML-defined workflows (the Identity Experience Framework) for advanced requirements such as SAML federation, custom claims transformations, or risk-based access.
  3. Relying Party Applications:
    • Apps that use Entra B2C to authenticate users via redirect-based flows.
  4. Token Issuance:
    • B2C issues signed ID tokens, access tokens, and refresh tokens after authentication. The relying party must validate the signature against the policy's published keys and check issuer, audience, expiry, nonce, and the policy claim before trusting any of the token's contents.
  5. REST API Integration:
    • Invoke external APIs during user journeys (e.g., risk engines, custom data validation).

🧱 Architecture Layers

  • Frontend: Web/mobile app initiates authentication via redirect to Entra B2C.
  • B2C Engine: Manages UI, user flow, identity provider redirection, MFA, and claims issuance.
  • Directory Backend: User accounts and metadata stored securely in Microsoft Entra directory.
  • Security Layer: Supports compliance (GDPR, HIPAA, ISO 27001) and features like Conditional Access and MFA.

Basic Workflow of Entra B2C

Here’s a simplified view of how Entra B2C handles an authentication flow:

1. App Initiates Login

  • App redirects user to Entra B2C’s login endpoint.

2. User Selects Identity Provider

  • User chooses from configured options (Google, Facebook, etc.) or uses local credentials.

3. Authentication & MFA

  • Entra B2C authenticates the user and applies MFA if enabled.

4. Claims Transformation

  • Claims (user profile data) are gathered, optionally enriched via external API calls.

5. Token Issued

  • Entra B2C redirects back to the app's registered redirect URI with an authorization code, which the app exchanges (together with its PKCE code verifier) for an ID token, and optionally access and refresh tokens, carrying the authenticated user's claims.

6. Access Granted

  • After validating the token, the app grants access based on its claims and the app's own business rules.

7. User Management (Optional)

  • Users can update profiles, reset passwords, or manage consent via self-service pages.

Step-by-Step Getting Started Guide for Entra B2C

Step 1: Create an Entra B2C Tenant

  1. Go to the Azure portal.
  2. Search for “Azure AD B2C” and choose Create a new Azure AD B2C Tenant.
  3. Fill in the organization name, the initial domain name (yourtenant.onmicrosoft.com), and the country or region; the region cannot be changed later.
  4. The new tenant is linked to the Azure subscription and resource group you select, which is what enables billing and premium features; an existing B2C tenant can be linked to a subscription the same way.

Step 2: Register Your Application

  1. Switch to the B2C tenant in the portal and go to App registrations.
  2. Click New registration, name your app, and add its redirect URIs. Register single-page apps under the SPA platform (which uses the authorization code flow with PKCE) rather than enabling the implicit grant, and use HTTPS for every redirect URI other than localhost; B2C only redirects to URIs that match exactly.
  3. Note the Application (client) ID—you’ll use it in your app code. Only confidential (server-side) apps need a client secret; never embed one in a browser or mobile app.

Step 3: Define User Flows

  1. In the B2C portal, go to User flows.
  2. Choose a flow type (e.g., sign up and sign in, password reset, profile editing). Flow names are prefixed B2C_1_ and become part of the authority URL your app uses.
  3. Configure identity providers, MFA enforcement, the attributes collected at sign-up, and the claims returned in the token.

Step 4: Add Identity Providers

  1. Navigate to Identity providers in the portal.
  2. Add social or custom identity providers (Google, Facebook, or a generic OpenID Connect provider).
  3. Provide the client ID and secret issued by that provider, and register B2C's callback URL (https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/oauth2/authresp) as an allowed redirect URI in the provider's console.

Step 5: Customize Branding (Optional)

  • Use custom HTML, CSS, and JavaScript to personalize the user interface of each user flow; JavaScript must be explicitly enabled on the flow and requires a supported page layout version.
  • Host the page content on a CORS-enabled origin such as Azure Blob Storage (allowing https://yourtenant.b2clogin.com), or use the built-in page layout templates and company branding if you do not need custom markup.

Step 6: Integrate With Your App

  • Use the Microsoft Authentication Libraries (MSAL) in your front end (MSAL.js, package @azure/msal-browser, for single-page apps) or backend (MSAL for Node, .NET, Java, or Python).
  • For example, in JavaScript with MSAL.js, pointing the authority at the user flow created in Step 3:
import { PublicClientApplication } from "@azure/msal-browser";

const msalConfig = {
  auth: {
    clientId: "YOUR_CLIENT_ID",                    // Application (client) ID from Step 2
    authority: "https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1_signin", // user flow name (custom policies use the B2C_1A_ prefix)
    knownAuthorities: ["yourtenant.b2clogin.com"], // required: MSAL refuses B2C authorities that are not listed here
    redirectUri: "http://localhost"                // must exactly match a redirect URI registered in Step 2
  }
};
const msalInstance = new PublicClientApplication(msalConfig);
  • Call msalInstance.loginPopup() or msalInstance.loginRedirect() to authenticate users; MSAL.js uses the authorization code flow with PKCE, so no client secret is needed in the browser. With loginRedirect(), call msalInstance.handleRedirectPromise() when the page loads to pick up the result.

Step 7: Test and Go Live

  • Test each flow end to end: sign-up, sign-in, password reset, and profile edit, including the failure paths (cancelled social login, wrong password, expired link).
  • Monitor usage in the tenant's Audit logs and Sign-in logs, and stream them to Azure Monitor (Log Analytics) for retention and alerting.
  • Apply Conditional Access and Identity Protection risk policies if needed for enhanced security; these require the tenant to be on the Premium P2 pricing tier.