At Build 2020 Microsoft announced "self-service signup with social IDs" for Azure AD using "user flows", a feature that was originally introduced in Azure AD B2C. This is really, really exciting news! Sure, you can write your own apps and invite partners in using their Google and Facebook accounts, like Microsoft's Josh Douglas says in his Build 2020 presentation. But you could also have used Azure AD B2C for that for 3 years already. Azure AD B2C has supported social IDs as well as corporate IDs using user flows since its beginning. What Josh didn't say is that now you can start to combine the power of regular Azure AD with the new features that come from Azure AD B2C. Although not many people might realize it, it is the combination of these two things that will allow you to build very, very exciting new scenarios!
Real quick, for people who don't know what Azure AD is... Azure AD is not a domain controller in the cloud... it is a fully re-designed Identity as a Service solution. Built on modern protocols, with lots of new and interesting features: things like self-service password reset, delegated group management, SaaS application integration, privileged identity management, access reviews (attestation) and conditional access. There are also extensions like the Azure AD Application Proxy (an identity-aware reverse proxy for on-prem apps) and cloud app security (a full-featured cloud access security broker). All the tools you need to move your enterprise to the zero-trust future.
In most organizations Azure AD will be synchronized with the on-prem AD and will contain all the regular employees and maybe a handful of partners for which a regular AD account was created. The reality is, however, that the more we move stuff to the cloud, the more we feel we should be able to share and collaborate with anyone. Not just employees within our own companies but across companies, with partners large and small and in some cases even with our customers. In regular AD, these sorts of scenarios were a nightmare: creating and managing AD accounts for all these users. But even in Azure AD this is really not as seamless as it needs to be. This is where the functionality from Azure AD B2C comes in.
You might remember Azure AD B2C from the Real Madrid use case; Microsoft was quite vocal about it. A directory for all the football fans of Real Madrid. A customer directory which can scale up to 100s of millions of users and in which authentication, sign-up and all self-service features are completely customizable. From the URL and the UI to the exact steps, or user flows, that are needed to sign up or sign in.
I have worked with Azure AD B2C over the last couple of years. It is a really awesome platform for authentication. The user flows, especially the more advanced Identity Experience Framework behind the user flows, are really powerful. We have been able to deliver some really cool solutions to some of our customers. The user flows, however, only provide authentication and self-service, which is what most customers building B2C scenarios need.
When your scenarios move from pure Business-to-Consumer scenarios to more Business-to-Business scenarios, things get more complicated. If you use Azure AD B2C, you can set up great user experiences, but if you need to delegate control over some users to a partner manager, Azure AD B2C can't help you. You need to write it yourself. If you want to share documents from SharePoint or Teams, you will not be able to, unless you build something yourself. If you choose regular Azure AD, the user experience is/was, well, not great.
So, bringing together the power of Azure AD B2C and Azure AD is really exciting to me. When you set up a user flow on regular Azure AD you can create a beautiful, user-friendly flow to allow new customers or partners to sign up or sign in. These users are now guest accounts in your Azure AD. You can set up administrative units and have a partner manager manage these accounts. You can set up periodic access reviews (attestation) and share documents in SharePoint and Teams without really needing to do anything else. Did you know you could even share access to on-prem applications with partners and customers in this way, using the Azure AD Application Proxy? We have been giving it a test drive, and it works!
Enabling user flows on Azure AD opens up a very long list of really cool scenarios to allow collaboration with just about anyone in just about any app of your choosing. And yes, I know there are still some limitations here... but there are some clever tricks around some of them. It is the next step for the integration of Azure AD B2C and regular Azure AD. There is so much potential here. Let's hope Microsoft continues down this path. Great work @Alex Simons and team! We are very much looking forward to what is coming next!