Microsoft identityIntermediate22 min read

What Does B2C identity Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

B2C identity is how a company handles login and account management for its customers, not for its employees. It lets users sign in with social accounts like Google or Facebook or create a local account. This system keeps customer data secure and separate from employee access. It is built to handle millions of users without slowing down.

Commonly Confused With

B2C identityvsAzure AD (for employees)

Azure AD is designed for internal employee identities within an organization, supporting single sign-on to Microsoft 365 and enterprise apps. Azure AD B2C is explicitly for external consumer identities, with features like social identity providers and self-service sign-up. Both use OAuth and OpenID Connect, but they operate in separate tenants.

A company uses Azure AD for employees to access Office 365 and uses Azure AD B2C for customers to log into their mobile shopping app.

B2C identityvsAzure AD B2B (business-to-business)

Azure AD B2B allows organizations to collaborate with partner companies by inviting external users as guests in the same Azure AD directory. B2C is for individual consumers, not partner organizations. B2B uses email-based invitations and redemption flows, while B2C uses self-service sign-up with social or local accounts.

Inviting a contractor from another company to access internal documents uses B2B. Allowing thousands of customers to create accounts on a public website uses B2C.

B2C identityvsActive Directory Federation Services (AD FS)

AD FS is an on-premises identity federation service that acts as a Security Token Service (STS) to provide single sign-on across organizations. It is not cloud-based and does not support consumer social sign-ins. Azure AD B2C is a cloud-native service specifically for consumer scenarios.

AD FS is used for federating identities between two companies. B2C is used for letting customers sign in with Facebook or Google to a web app.

B2C identityvsOAuth 2.0 / OpenID Connect protocols

OAuth 2.0 and OpenID Connect are the underlying protocols that Azure AD B2C uses to issue tokens. They are not identity management services themselves. Confusing the protocol with the service is common.

Azure AD B2C implements OpenID Connect to provide authentication, just like a car uses an engine to move. The engine is not the car itself.

Must Know for Exams

B2C identity is a key topic in the SC-900 Microsoft Certified: Security, Compliance, and Identity Fundamentals exam. The exam covers core identity concepts for both Azure AD (employee identities) and Azure AD B2C (external identities). Candidates must understand the differences between identity solutions for internal users versus external consumers.

In the SC-900 exam objectives, B2C identity falls under the 'Describe the capabilities of Azure AD' section, specifically related to external identities. You will encounter questions that ask you to identify scenarios where Azure AD B2C is the appropriate solution versus Azure AD. For example, you might see a scenario about a company that needs to allow customers to sign in with social accounts, and the correct answer would be Azure AD B2C.

The exam may also test your knowledge of the protocols used, such as OAuth 2.0 and OpenID Connect, and the token types like ID tokens and access tokens. Expect questions about the separation of tenants: Azure AD B2C uses a separate tenant from an organization's Azure AD tenant.

Another common question type is about user flows versus custom policies. The SC-900 exam does not require you to write configuration code, but you need to know the purpose of each. User flows are predefined sign-up/sign-in experiences.

Custom policies are customizable and used for complex scenarios. You should also understand that Azure AD B2C supports multiple identity providers, including social identity providers (Google, Facebook) and enterprise identity providers (SAML/WS-Fed). The exam may ask about security features like conditional access in B2C, which is available at Premium P1 or P2 tiers.

Know that B2C identity is multitenant by design but uses a dedicated B2C tenant. The SC-900 exam emphasizes comparing and contrasting identity solutions, so be ready to differentiate between B2B (business-to-business) collaboration and B2C (business-to-consumer) identity. B2B uses Azure AD guest users to collaborate with partner organizations, while B2C is for individual customers.

There may also be questions about licensing: some B2C features require premium licenses, while basic features are free with pay-as-you-go pricing.

Simple Meaning

Imagine you run a large online store that sells custom T-shirts. Your customers visit your website to create an account, browse shirts, and make purchases. You need a way for each customer to log in securely, track their orders, and store their preferences.

You also want them to be able to sign in with their existing Google or Facebook account instead of remembering another password. This is where B2C identity comes in. B2C stands for Business-to-Consumer, meaning your business provides services to individual customers.

An identity system handles the process of proving who a user is (authentication) and what they are allowed to do (authorization). For example, after login, the system checks if the user has paid for a premium membership before showing them exclusive content. B2C identity is different from employee identity systems because it must scale to support millions of users, handle social sign-ins, and adapt to different devices and browsers.

It also needs strong security to protect customer data and prevent fraud. Think of it like a secure digital receptionist that greets each visitor, verifies their ID, and gives them the right access based on who they are. The receptionist never confuses one customer with another and never lets someone see another person's private information.

In IT, B2C identity is often implemented using cloud services like Azure Active Directory B2C, which provides ready-made login pages, password policies, and integration with social identity providers.

Full Technical Definition

B2C identity, in the context of Microsoft identity platforms, refers specifically to Azure Active Directory B2C (Azure AD B2C), a cloud-based identity and access management service for consumer-facing applications. It is built on the same foundation as Azure AD but optimized for large numbers of users and external identities. The system uses open standards such as OAuth 2.

0 for authorization and OpenID Connect for authentication, which are industry-standard protocols for secure token-based authentication. When a user attempts to sign in, Azure AD B2C acts as a security token service (STS). It first redirects the user to an identity provider (like Google, Facebook, or Microsoft account) or to a local account login page.

After successful authentication, Azure AD B2C issues an ID token (containing user information) and an access token (used to call APIs) to the application. These tokens are JSON Web Tokens (JWTs) and are signed with a private key to prevent tampering. Key components of B2C identity include user flows (also called built-in policies) which define the sign-up, sign-in, profile editing, and password reset experiences.

Custom policies allow more advanced scenarios using XML-based Identity Experience Framework (IEF) definitions. B2C identity also supports multi-factor authentication (MFA) to add extra security, conditional access policies to block risky sign-ins, and integration with external identity providers through federation. The system stores user profiles in a directory that can hold custom attributes, such as loyalty points or subscription tiers.

For regulatory compliance, Azure AD B2C supports data residency options and GDPR requirements. From a security perspective, the service protects against brute-force attacks with account lockout policies and can detect anomalous sign-in patterns. In a real IT implementation, developers must register their applications in an Azure AD B2C tenant, configure redirect URIs, and assign API permissions.

The B2C tenant is separate from an organization's Azure AD tenant used for employees, ensuring customer identities are isolated from internal directories. This isolation prevents accidental data leaks between corporate and consumer systems. The system also supports seamless single sign-on (SSO) across multiple applications within the same B2C tenant, so users do not have to log in repeatedly.

For auditing, administrators can view sign-in logs and threat reports through the Azure portal or via programmatic access with Microsoft Graph API.

Real-Life Example

Think of a large hotel chain that has multiple properties across the country. Each hotel has its own front desk, but they all share the same loyalty program for guests. When a guest arrives at any hotel, they provide their name and membership number to the front desk clerk.

The clerk checks a central computer system to verify the guest's identity and see if they qualify for a free room upgrade or late checkout. This is similar to how B2C identity works online. The guest is the consumer, the hotel chain is the business, and the front desk clerk is the identity system.

In the digital world, instead of a physical front desk, there is a login page on a website or app. Instead of a membership card, the user provides a username and password or uses their Google account. The central computer system is Azure AD B2C, which stores the user's profile and permissions.

When the guest books a room for the first time, they create a new account (sign-up). The next time they visit, they just log in (sign-in) and the system remembers their preferences. If the guest forgets their password, they can reset it online, just like asking the front desk for a new key card.

If a guest tries to access an area they do not have permission for, like a VIP lounge for platinum members only, the system blocks them, similar to a clerk politely refusing entry. The hotel chain does not want guests to interact with the back-office employee system; instead, they have a separate, dedicated system for customers. This separation ensures that a guest cannot accidentally view employee payroll data or room service schedules.

The B2C identity system also allows the hotel to add new properties (applications) without changing the guest login process. Just like the hotel chain centralizes guest management, Azure AD B2C centralizes consumer identity management for multiple apps.

Why This Term Matters

B2C identity matters for IT professionals because it directly impacts how organizations secure customer data and deliver seamless user experiences. In today's digital economy, consumers expect to sign up quickly using their social media accounts and then access services across multiple devices. Without a proper B2C identity solution, companies would have to build custom login systems, which is time-consuming, expensive, and prone to security vulnerabilities.

Using a managed service like Azure AD B2C offloads the complexity of handling identity protocols, token management, and security best practices. For example, implementing multi-factor authentication manually would require sending SMS codes or using authenticator apps, but Azure AD B2C offers built-in MFA with just a few clicks. B2C identity also helps with compliance.

Regulations such as GDPR and the California Consumer Privacy Act (CCPA) require companies to protect personal data and allow users to delete their accounts. Azure AD B2C provides features to handle consent, data export, and account deletion automatically. For IT teams, this reduces the risk of non-compliance fines.

Another important reason is scalability. Customer bases can grow quickly, and an in-house identity system might not handle millions of concurrent sign-ins. Cloud-based B2C identity services can scale automatically based on demand.

B2C identity enables single sign-on across multiple customer-facing applications. For instance, a media company might have a streaming app, a news website, and a merchandise store. With B2C identity, users log in once and access all three services without re-entering credentials.

This reduces friction and increases user retention. For IT professionals, understanding B2C identity is essential for designing secure and user-friendly customer portals, e-commerce sites, and mobile apps. It also ties into broader identity governance strategies, where the principle of least privilege applies even to external users.

How It Appears in Exam Questions

In the SC-900 exam, B2C identity questions often appear as scenario-based multiple-choice or multiple-select questions. A typical question might describe a company that is building a customer portal and needs to allow users to sign in using their existing Google or Facebook accounts. The answer choices might include options like Azure AD (but for employees), Azure AD B2C (correct), or Active Directory Domain Services (on-premises).

Another pattern involves understanding the architecture: you might be asked which component is used to define the sign-up and sign-in experience in Azure AD B2C. The options could be user flows, custom policies, Azure AD groups, or RBAC roles. The correct answer is user flows (or user journeys).

You may also see a question about security: a customer portal needs multi-factor authentication for high-risk transactions, and the question asks which Azure AD B2C feature can be used to enforce that. The answer is conditional access, which can be applied to B2C with premium licensing. Some questions test the difference between Azure AD and Azure AD B2C tenants.

For instance, 'A company has an existing Azure AD tenant for employees. They want to manage customer identities. What should they create?' The correct answer is a new Azure AD B2C tenant.

Another common question: 'Which token is used to pass user information to the application after authentication?' Options: access token, ID token, refresh token. The correct answer is ID token.

You might also see a question about compliance: 'A company must allow customers to delete their own data. Which Azure AD B2C feature supports this?' The answer is user attributes or Graph API calls for account deletion.

There could be a question about authentication protocols: 'Which open standard does Azure AD B2C use for authorization?' Answer: OAuth 2.0. For troubleshooting scenarios, you might be asked why a user cannot sign in after changing their password on a social provider, and the explanation involves session management or token expiry.

The exam uses 'identify the appropriate solution' questions where you match a requirement to Azure AD B2C, Azure AD, or Active Directory. For example, requirement: 'Allow customers to use self-service password reset' would map to Azure AD B2C. Another pattern is 'sequence steps' where you arrange the order of a sign-up flow: user enters email, receives verification code, sets password, then receives a token.

Practise B2C identity Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A new fitness app called FitTrack wants to launch a subscription service for workout plans. They expect to have up to 500,000 users within the first year. Users must be able to sign up using their email address or their existing Apple ID.

The app needs to store basic profile information like age and weight, which will be used to personalize workouts. The company wants to offer a premium tier that unlocks advanced analytics. FitTrack's development team decides to use Azure AD B2C for the identity system.

They create a new Azure AD B2C tenant separate from their internal employee directory. They configure a sign-up and sign-in user flow that allows users to choose between email sign-up and Apple ID. For the premium tier, they set up a custom attribute called 'tier' in the user profile.

When a user purchases a premium subscription, the app updates the 'tier' attribute to 'premium' via the Microsoft Graph API. During sign-in, the app reads the 'tier' claim from the ID token and shows premium features only to users with the correct attribute. The team also enables multi-factor authentication for users who try to access payment settings, using conditional access policies within the B2C tenant.

This reduces the risk of fraudulent account changes. For users who forget their password, Azure AD B2C handles the reset flow, sending a verification code to their email. The app also uses OAuth 2.

0 to get an access token that allows it to call a custom API that stores workout history. FitTrack's IT team benefits because they did not have to build a password storage system or implement social identity provider integration from scratch. They also have audit logs available to see how many users signed up each day and which providers they used.

If the app grows to a million users, Azure AD B2C scales automatically without additional infrastructure costs. This scenario shows how B2C identity handles external consumer authentication, profile management, and security policies in a real-world application.

Common Mistakes

Thinking Azure AD B2C is the same as Azure AD for employees

Azure AD is designed for internal employees and uses organizational directories. Azure AD B2C is a separate tenant type optimized for external consumers with social identity providers and different token formats.

Always create a dedicated Azure AD B2C tenant for customer-facing identity needs, not a regular Azure AD tenant.

Confusing user flows with custom policies

User flows are preset sign-up/sign-in experiences with limited customization. Custom policies are fully customizable XML-based configurations for complex scenarios. Using user flows when custom policies are needed leads to missing features like custom domain URLs.

Use user flows for standard scenarios and custom policies only when you need to add custom logic or integrate with external identity systems.

Believing B2C identity does not support Multi-Factor Authentication

Azure AD B2C supports MFA, including SMS, phone call, and authenticator app verification. It can be triggered by conditional access policies or configured globally.

Enable MFA in the B2C tenant settings for added security, especially for sensitive actions like payments or profile changes.

Assuming B2C identity can access the same Graph API as Azure AD

Azure AD B2C uses a different Microsoft Graph API endpoint (https://graph.microsoft.com) but with a B2C tenant context. Some Graph operations for directory objects are limited in B2C compared to regular Azure AD.

Familiarize yourself with the B2C Graph API documentation and use dedicated B2C management tools for tasks like user attribute updates.

Thinking B2C identity supports on-premises Active Directory integration

Azure AD B2C is a cloud-only service for external identities. It does not replicate from on-premises AD. For hybrid scenarios, use Azure AD with AD Connect.

Keep customer identities entirely in the cloud with B2C and use Azure AD for employee identity federation with on-premises AD.

Exam Trap — Don't Get Fooled

{"trap":"A question that asks 'Which Azure service allows customers to sign in using social media accounts and also supports on-premises Active Directory authentication for legacy apps?' The answer might seem to be Azure AD B2C because it supports social logins, but the on-premises part is the trap.","why_learners_choose_it":"Learners see 'social media accounts' and quickly associate that with Azure AD B2C, forgetting that B2C does not integrate with on-premises Active Directory."

,"how_to_avoid_it":"Read the question carefully. If on-premises AD integration is mentioned, it cannot be solely Azure AD B2C. The correct answer is likely a combination of Azure AD (for on-premises integration) and Azure AD B2C (for social logins) or Azure AD with application proxy."

Step-by-Step Breakdown

1

User requests access to application

The consumer navigates to your web or mobile app and clicks 'Sign in' or 'Sign up'. The app does not have any user credentials yet, so it redirects the user to the Azure AD B2C authentication endpoint. This initiates the identity flow.

2

B2C receives the request and selects the appropriate policy

Azure AD B2C determines which user flow or custom policy to apply based on the application's configuration. For example, if the user clicked 'Sign up', the sign-up user flow is used. The policy defines the steps: which identity providers to offer, what attributes to collect, and any validation rules.

3

User authenticates with an identity provider

The user is presented with a login page that may include local account (username/password) or social identity providers like Google or Facebook. The user chooses one and proves their identity by entering credentials or through the external provider. For social logins, the user is redirected to the provider's consent page.

4

B2C validates the authentication and issues tokens

After successful authentication, Azure AD B2C validates the user's identity and checks any policies like MFA or conditional access. It then generates an ID token (containing user claims) and an access token (for API calls). The tokens are signed with a private key and returned to the application via the browser redirect.

5

Application validates the token and grants access

The application receives the ID token and validates its signature, issuer, and audience. It extracts user claims like name, email, and any custom attributes from the token payload. If the user is authorized, the application grants access to the requested resources or features based on the token claims.

6

User interacts with the application securely

The application can now use the access token to call backend APIs on behalf of the user. The token ensures that only authenticated users can access protected endpoints. The application can also refresh tokens as needed without requiring the user to sign in again.

Practical Mini-Lesson

In practice, B2C identity management with Azure AD B2C requires understanding both the administrative portal and the development integration. As an IT professional, you will often be responsible for setting up the B2C tenant, configuring identity providers, and defining user flows. The first step is to create a B2C tenant in the Azure portal, which is separate from your organization's primary directory.

You then register your application (web, mobile, or API) in that tenant, specifying redirect URIs, logout URLs, and required permissions. One key task is configuring social identity providers. For each provider like Google or Facebook, you must create an app in the provider's developer console to obtain a client ID and client secret.

These credentials are then added to the B2C tenant under 'Identity providers'. Without proper setup, social sign-ins will fail with a generic error. Another practical aspect is user attribute collection.

During sign-up, you can request custom attributes like 'country' or 'membership level'. These attributes are stored in the B2C directory and can be used for personalization. You must define these attributes in the 'User attributes' section of the user flow.

If you do not define them, the application cannot request them. For security, enable Multi-Factor Authentication (MFA) in the user flow or via conditional access. This is crucial for applications that handle financial transactions or personal data.

You can also set session behavior, such as session lifetime and single sign-on (SSO) across apps. For troubleshooting, Azure AD B2C provides sign-in logs in the Azure portal. These logs show each step of the authentication process, including failures.

Common issues include misconfigured redirect URIs, expired certificates for custom domains, and mismatched scopes for access tokens. Another practical tip: use custom domains for your B2C tenant to avoid redirecting users to 'contoso.b2clogin.

com' which can look untrustworthy. Setting up a custom domain requires verifying domain ownership and adding a CNAME record. Developers must also handle token validation on the application side.

The application must verify the token's signature using the public keys published by B2C at its well-known endpoint. Failing to validate tokens properly can allow attackers to forge tokens and gain unauthorized access. Overall, B2C identity management combines directory configuration, application security, and protocol knowledge.

Memory Tip

B2C = Business to Consumer: think 'Customers not coworkers' to remember it is for external users with social logins, separate from employee Azure AD.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I use the same Azure AD tenant for both employees and customers?

No, you should not. Azure AD B2C requires a dedicated tenant separate from your employee Azure AD tenant to ensure proper isolation and scaling for consumer traffic.

Does Azure AD B2C support sign-in with Apple ID?

Yes, Azure AD B2C supports Apple ID as a social identity provider. You must first create an Apple Developer account and configure the service ID and key in Apple's portal.

What protocols does Azure AD B2C use?

Azure AD B2C uses OAuth 2.0 for authorization and OpenID Connect for authentication. It also supports SAML for integration with some enterprise identity providers.

Is multi-factor authentication available in the free tier of Azure AD B2C?

Basic MFA (phone call, SMS) is available with the free tier. Advanced features like time-based one-time passwords (TOTP) or conditional access-based MFA require a Premium P1 or P2 license.

Can I customize the login page of Azure AD B2C with my company branding?

Yes, you can customize the login page with your company logo, background, colors, and custom HTML/CSS using the Azure portal's company branding settings or custom policies.

How many users can Azure AD B2C support?

Azure AD B2C is designed to be highly scalable and can support millions of users per tenant. There is no hard limit, but you might need to contact support for very large deployments.

What is the difference between a user flow and a custom policy?

User flows are predefined, simple sign-up/sign-in experiences configurable through the portal. Custom policies are XML-based configurations that allow full control over the authentication journey for complex scenarios.

Can I migrate my existing customer database to Azure AD B2C?

Yes, you can import existing user accounts using the Microsoft Graph API. However, passwords must be imported as hashed values or users will need to reset them on first sign-in.

Summary

B2C identity is a specialized cloud-based identity management solution for businesses to authenticate and authorize external consumers, such as customers or partners, across applications and services. In the Microsoft ecosystem, this is implemented through Azure AD B2C, a separate tenant that supports social sign-ins, local accounts, scalable directories, and strong security features like multi-factor authentication and conditional access. Understanding B2C identity is crucial for IT professionals because it enables organizations to provide seamless user experiences while maintaining security and compliance with regulations like GDPR.

The SC-900 exam tests your ability to distinguish between B2C, Azure AD for employees, and B2B collaboration. Key exam takeaways include knowing that B2C uses a dedicated tenant, supports OAuth 2.0 and OpenID Connect, and offers user flows for simple scenarios and custom policies for complex ones.

Common mistakes to avoid include confusing B2C with employee Azure AD, misunderstanding the role of tokens, and assuming on-premises integration is possible. By mastering B2C identity, you prepare for real-world tasks like configuring identity providers, managing user attributes, and troubleshooting token validation. Overall, B2C identity is a fundamental building block for modern consumer-facing applications and a core objective for identity-related certifications.