Managing customer identities and access is crucial for ensuring a secure and seamless user experience. Customer Identity and Access Management (CIAM) systems play a pivotal role in this, handling large volumes of external user identities, providing robust security, and facilitating a frictionless customer journey across various digital touch-points.
Microsoft Entra External ID emerges as a cutting-edge solution in this realm, offering a developer-friendly CIAM platform that integrates seamlessly into your customer-facing applications. As part of the broader Microsoft Entra suite, External ID is designed to bolster security, enhance scalability, and provide a customizable user experience that aligns with your application’s unique requirements.
What is B2C CIAM and Why Separate Customers from Your Workforce?
Before diving into the specifics of Microsoft Entra External ID, it’s essential to understand the need for a dedicated CIAM solution. CIAM focuses on managing and securing customer identities and their access to digital platforms and services. Separating CIAM from your primary directory, typically used for internal workforce management, is crucial for several reasons:
- Enhanced Security: Isolating customer data from employee data allows organisations to implement specific security measures tailored to the unique requirements of customer-facing applications, reducing the risk of data breaches and unauthorized access.
- Scalability: CIAM solutions are built to scale with the business, efficiently managing millions of customer identities and transactions, which might overwhelm traditional IAM systems designed for a finite number of internal users.
- Regulatory Compliance: Businesses can ensure compliance with various data protection regulations by providing customers with control over their personal information and consent preferences.
- Improved Customer Experience: A dedicated CIAM system allows for frictionless customer interactions, such as single sign-on (SSO) and social logins, leading to higher engagement and retention rates. Login flows can be customized to integrate the experience into your product's user journey.
You should also understand the cloud-first IAM architecture built on Entra ID that you need in place to support your blueprint and customer IAM strategy.
Microsoft Entra External Identity
Microsoft Entra External ID is a comprehensive identity management solution designed to facilitate secure access to applications for your customers. It’s part of the Microsoft Entra suite, focusing on securing and managing identities across various platforms.
External Identity Tenant
The tenant lives side-by-side with your workforce tenant. The admins of the External ID tenant are guests invited from the workforce tenant. This tenant is completely separate from your Azure Subscriptions, which is beneficial but requires planning for application integrations where Managed Identities are used for service-to-service authentication. The tenant is fully owned by the workforce tenant but can be separately administered, with billing tied to one of the workforce tenant's Azure Subscriptions.
Entra External Identity Licensing / Pricing
Microsoft Entra External ID offers a cost-effective and scalable pricing model. The core offering is free for the first 50,000 monthly active users (MAU). Beyond this free tier, additional active users are priced at AUD 0.05 (USD 0.03) per MAU. This pricing structure charges you only for active users instead of all user objects in the directory, allowing organisations to scale with predictable pricing.
Auth Flow Customization
One of the standout features of Microsoft Entra External ID is the ability to create custom-branded sign-up experiences. Organisations can configure self-service registration flows, add their own background images, logos, and text, and collect information from customers during sign-up using built-in or custom user attributes. Custom verification can be done before and after the user completes the custom sign-up flow.
Migration from Azure B2C to Entra External ID
Currently, there is no official migration plan for customers to move from Azure AD B2C to Microsoft Entra External ID. However, public comments suggest that migration tools will be available in the future. Transferring passwords between these systems may prove challenging. Azure AD B2C is not deprecated and will be supported for the foreseeable future.
Capability Comparison: Azure B2C and Entra External ID
When it comes to managing external identities, both Azure Active Directory B2C (Azure B2C) and Entra External ID offer robust solutions. Here's a breakdown of their key capabilities:
Azure B2C
Azure B2C offers a high degree of flexibility, allowing for extensive customization of CIAM authentication flows. However, this flexibility often comes at a cost. When organisations need to configure complex authentication flows, they must delve into building XML-based custom policies. This complexity can make the platform unwieldy, presenting one of its major downsides. While these custom policies enable Azure B2C to meet almost any specific requirement, they can also lead to significant management overhead.
Companies that heavily customize their Azure B2C implementations often face substantial management costs. These costs arise from the need to employ highly skilled professionals who are capable of maintaining and updating the intricate custom policies over time. Such professionals must possess a deep understanding of XML, policy structure, and the nuances of identity management. As the system evolves and grows, the complexity can increase, leading to potential challenges in scaling and maintaining a secure, efficient identity solution.
Additionally, the ongoing need for updates to accommodate new business requirements or changes in security protocols further contributes to the overall maintenance burden. Therefore, while Azure B2C's flexibility is a powerful asset, it requires careful consideration and resource planning to ensure that the benefits outweigh the associated complexities and costs.
High Level Overview:
- User Management: Azure B2C allows for extensive customization of user journeys, enabling personalized and secure user experiences.
- Authentication: Supports multiple authentication methods, including social identity providers (like Facebook and Google), local accounts, and enterprise identities.
- Customization: Offers high-level customization options for sign-up, sign-in, and profile editing experiences using custom policies.
- Security: Provides advanced security features like Multi-Factor Authentication (MFA) and Conditional Access.
- Integration: Easily integrates with a wide range of applications and services via standard protocols such as OAuth 2.0, OpenID Connect, and SAML.
Entra External ID
In contrast to Azure B2C, Entra External ID does not use XML for configuring CIAM authentication flows, which simplifies its management and reduces the need for specialized skills. However, this simplification comes with trade-offs in terms of customization. Entra External ID is not as highly customizable, and the layout of authentication flows is minimal and more restricted. For instance, the ability to tailor the user experience in sign-up and sign-in processes is limited compared to Azure B2C. Additionally, Entra External ID lacks the capability to directly access SSO provider tokens from platforms like Google and Facebook. This limitation makes it challenging to tightly couple Entra External ID with these external identities, potentially restricting integration possibilities and the seamless user experience that some organisations might require. Despite these constraints, Entra External ID offers a streamlined, easier-to-manage solution for organisations that prioritize simplicity and reduced administrative overhead.
- Unified Identity Management: Entra External ID consolidates external identity management within the broader Entra ecosystem, streamlining operations.
- Single Sign-On (SSO): Provides seamless SSO experiences across multiple applications and environments.
- Lifecycle Management: Includes comprehensive lifecycle management for external users, ensuring proper access and governance throughout their engagement.
- Security and Compliance: Offers advanced security measures, including identity protection, risk-based conditional access, and compliance features.
- Scalability: Designed to scale with your business needs, accommodating both small and large user bases efficiently.
Should I Use Entra External ID Yet?
Deciding whether to adopt Entra External ID depends on your organisation's specific needs and current infrastructure. If you are already invested in the Microsoft ecosystem and require a unified approach to managing external identities, Entra External ID could be a strategic choice. However, if you need extensive customization for user journeys and integration with social identity providers, Azure B2C remains a strong contender.
Managing Entra External ID Access Management
Effective access management is crucial for leveraging Entra External ID to its fullest potential. Centralisation of customer identities to a single identity provider has many benefits including centralised monitoring and reporting. However, it is important that you have the right capabilities in place to manage access to your various applications.
Challenges of CIAM Access Management
Customer Identity and Access Management (CIAM) presents several challenges that organisations need to address:
- Complex User Journeys: Designing and managing user journeys that cater to diverse user groups can be complex and time-consuming.
- Security Concerns: Balancing user experience with robust security measures is a constant challenge, especially with the increasing sophistication of cyber threats.
- Scalability: Ensuring that your CIAM solution can scale effectively with the growth of your user base without compromising performance.
- Customer IAM Reporting & Compliance: Navigating and adhering to various regulatory requirements, such as GDPR and CCPA, requires meticulous attention to detail and ongoing effort.
Using Apporetum to Orchestrate your Customer's Identity & Access
Apporetum provides the capabilities to delegate access management to your application owners and to give you the reports you need to understand how customers are accessing your applications.
Recent Applications of Apporetum into CIAM Use Cases
Apporetum's universal data source connectors integrate with Entra External ID and Azure B2C to give you business continuity when migrating accounts and business processes. We have worked first-hand with large organisations to migrate their legacy B2C applications and environments to this modern approach. Here are a few of the use cases we have experienced.
Delegation of Access Management to Sub-agencies
Apporetum enables centralized IT to delegate access management to business teams within smaller organisations, easing the management burden. This creates an intriguing use case for MSPs and service providers, allowing their customers to manage access for customer-facing applications directly, reducing the need for ITSM tools.
Customer Access Auditability
Consumer-facing applications sometimes handle sensitive information that requires request-based access with approval flows for each resource. Apporetum enables you to implement the necessary controls, such as limiting access to specific domains and resources, allowing app owners to manage these resources effectively. Apporetum also provides full retention of access management events, offering a detailed timeline of when, by whom, and how a customer was granted access to a resource, along with the ability to revert to a previous state if needed.
Apporetum Capabilities for Customer Access Reviews
Customer identities vary widely, making it crucial to identify and thoroughly review high-risk customers who have access to sensitive information. Apporetum provides a comprehensive and detailed view of customer access within your B2C environment. Additionally, these features can extend beyond your B2C environment, correlating customer identities with workforce accounts to detect potential cross-contamination.
Apporetum Capabilities for Customer Lifecycle Management
Complex customer use cases often involve access to business applications that require careful lifecycle management. This ensures that customer access is properly handled when customers cancel their subscription or request the removal of their information from your systems. Customers have unique requirements that go beyond standard workforce lifecycle management.
Conclusion
Both Azure B2C and Entra External ID offer valuable capabilities for managing external identities. Evaluating your organisation's specific needs and challenges will help determine the best fit for your CIAM strategy.
With the extensive experience our team and product have gained, we are ready to support and guide you through your journey with this newly released product. We offer free consultation sessions for you and your team to discuss requirements, and even if we can't help, we have partners who are experts in the Customer Identity and Access Management field.