{"id":777,"date":"2025-04-22T14:42:38","date_gmt":"2025-04-22T12:42:38","guid":{"rendered":"https:\/\/www.cloudtango.net\/blog\/?p=777"},"modified":"2025-04-22T14:42:38","modified_gmt":"2025-04-22T12:42:38","slug":"selecting-the-right-microsoft-identity-management-solution","status":"publish","type":"post","link":"https:\/\/www.cloudtango.net\/blog\/2025\/04\/22\/selecting-the-right-microsoft-identity-management-solution\/","title":{"rendered":"Selecting the Right Microsoft Identity Management Solution"},"content":{"rendered":"<p>The digital landscape is continuously evolving, prompting organisations to prioritise secure and efficient identity management systems. The rapid evolution, and occasional rebranding, of Microsoft\u2019s\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/architecture\/guide\/design-principles\/identity\" rel=\"noopener\">Identity-as-a-Service (IDaaS)<\/a>\u00a0offerings can leave developers and architects a little confused.<\/p>\n<p>This article covers a few of the options of Microsoft Identity Management Solutions.<\/p>\n<h2>What is IDaaS?<\/h2>\n<p>Identity-as-a-service (IDaaS) refers to cloud-based solutions that provide identity and access management (IAM) functionalities. These services help organisations manage user identities, authenticate users, and control access to resources in a secure and scalable manner.<\/p>\n<h2>Entra ID (formerly Azure Active Directory, Azure AD)<\/h2>\n<p>Microsoft introduced Active Directory as an Identity Management solution with Windows 2000 a quarter of a century ago, and after countless enhancements, it is now the standard for user authentication and management within organisations. 
AD offered enhanced security, scalability and improved integration, providing a single sign-on experience across multiple systems within an enterprise, reducing the number of passwords users needed to remember and simplifying the management for IT staff.<\/p>\n<p>In 2008 Microsoft took AD into the cloud to create Azure Active Directory (now\u00a0<a href=\"https:\/\/www.microsoft.com\/en-gb\/security\/business\/identity-access\/microsoft-entra-id\" rel=\"noopener\">Entra ID<\/a>).<\/p>\n<h3>Entra ID features include<\/h3>\n<ul>\n<li>Single sign-on (SSO)<\/li>\n<li>Multi-factor authentication (MFA)<\/li>\n<li>Conditional access<\/li>\n<li>Self-service password reset<\/li>\n<li>Integration with Microsoft 365<\/li>\n<li>Multi-language support: provides a user interface in multiple languages<\/li>\n<\/ul>\n<p>Although designed primarily to manage users within a single Azure tenant, Entra ID does allow authentication of users from other directories through federation, guest users, or by registering multi-tenant apps with bespoke authorisation rules.<\/p>\n<h2>Azure AD Business-to-Consumer (B2C)<\/h2>\n<p>Without cluttering up your AD with large numbers of inactive guest users, the only option for securing public-facing web applications was once to create a bespoke identity solution. Microsoft introduced\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory-b2c\/overview\" rel=\"noopener\">Azure AD B2C<\/a>\u00a0in 2015 to solve this problem, allowing an app developer to use multiple third-party identity platforms for authentication.<\/p>\n<p>The idea of a third-party identity provider seems counter-intuitive but it\u2019s not much different to the idea of passports. I have a passport issued by HM Passport Office; if I travel to the USA, I can use my passport for identification because the USA government trusts HM Passport Office. 
Similarly, if you are developing an app, you can decide which of a number of identity providers you want to trust, e.g. Google, Facebook. But, just as a UK passport won\u2019t grant me entry to the USA without a visa granted by the USA government, a token from a third-party ID provider serves only as a means of identification and does not convey permissions \u2013 the owner of the tenant in which the app resides has full control over who is allowed in and what they are allowed to do once they\u2019re in.<\/p>\n<h3>AD B2C features, beyond those of Entra ID<\/h3>\n<ul>\n<li>Customisable user journeys: fully customisable processes for sign-up and sign-in, including MFA, conditional access and a branded user interface<\/li>\n<li>Social and local account integration<\/li>\n<li>Self-service sign-up and password reset<\/li>\n<li>Scalability: designed to handle millions of users and transactions<\/li>\n<\/ul>\n<h3>Limitations<\/h3>\n<p>Although highly customisable, once you move past the limited number of out-of-the-box options available through the\u00a0<a href=\"https:\/\/www.transparity.com\/microsoft-azure-consulting-partner\/\">Azure<\/a>\u00a0portal, customisation becomes exponentially more complex. In our experience at Transparity, most implementations require custom policies, generated from lengthy hand-authored XML files. The lack of developer tools for customisation, the complexity of customisation, and ongoing management create a large technical overhead in many implementations.<\/p>\n<p><em>Although still fully supported, Azure AD B2C is now considered by Microsoft to be a \u201clegacy solution\u201d.<\/em><\/p>\n<h2>Entra External ID<\/h2>\n<p>In 2023 Microsoft addressed the known shortcomings of AD B2C with their newest IDaaS offering,\u00a0<a href=\"https:\/\/www.microsoft.com\/en-gb\/security\/business\/identity-access\/microsoft-entra-external-id\" rel=\"noopener\">Entra External ID<\/a>. 
Built on a zero-trust architecture, External ID significantly simplifies the configuration process for administrators and developers and provides a more consistent experience for users. Hand-editing of XML files is no longer required to create user flows, with Microsoft claiming that custom policies are no longer needed with External ID. In addition to a much-improved administrator experience, External ID also has integrations for Visual Studio and Visual Studio Code to aid developer productivity.<\/p>\n<h3>External ID features, beyond those of AD B2C<\/h3>\n<ul>\n<li>All customisation options available through the Azure Portal<\/li>\n<li>Create within your own tenant or in an external tenant<\/li>\n<li>Neutral (non-Microsoft) branding for default UI<\/li>\n<li>\u2018Native\u2019 authentication (i.e. not browser-based) for a fully customised sign-in experience within apps<\/li>\n<li>Custom user roles<\/li>\n<li>Visual Studio integration<\/li>\n<li>Identity Protection \u2013 uses AI to detect and mitigate risky user activity<\/li>\n<li>B2B direct connect \u2013 creates a trust relationship with another organisation<\/li>\n<li>B2B collaboration \u2013 grants access for users from another organisation to resources in your tenant<\/li>\n<\/ul>\n<h3>Limitations<\/h3>\n<p>Not many, but this is relatively new technology and there are a few idiosyncrasies that will no doubt be ironed out in time. The lack of custom policies, and current lack of policy migration tools, might eventually drive some developers back to using \u201clegacy\u201d AD B2C.<\/p>\n<h2>Build Your Own<\/h2>\n<p>The availability of feature-rich IDaaS offerings means that there are now very few scenarios where you would need to build your own fully bespoke identity solution. 
However, if you needed that flexibility, then Microsoft Authentication Library (MSAL) makes it relatively simple to write .NET code to create and validate your own JSON web tokens (JWT), a core requirement of modern authentication solutions. This is the tip of the iceberg though. On top of the basic token creation and evaluation, just for an MVP you also need a secure and performant data store for your users\u2019 data; governance to ensure compliance with relevant data protection laws; fully bespoke and secure user management functionality including sign-in, sign-up, profile editing and password reset; and the ability to monitor and review logins to detect suspicious activity.<\/p>\n<p>This all amounts to a significant development and ongoing management overhead, and unless you are a very large organisation, a government, or a new social media platform, with a large team of developers at your disposal and a substantial budget, this option should usually be avoided.<\/p>\n<h2>Comparison<\/h2>\n<p>Common features of Entra ID, Entra External ID and Azure AD B2C:<\/p>\n<ul>\n<li>Cloud native<\/li>\n<li>Single sign-on (SSO)<\/li>\n<li>MFA<\/li>\n<li>Authentication of users from external Entra ID directories<\/li>\n<li>Custom user profile attributes<\/li>\n<li>Custom token claims<\/li>\n<li>Conditional access policies<\/li>\n<\/ul>\n<p>This table shows some of the key differentiating features.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-124932\" title=\"Selecting the Right Microsoft Identity Management Solution 2\" src=\"https:\/\/www.transparity.com\/wp-content\/uploads\/2025\/04\/Selecting-the-Right-Microsoft-Identity-Management-Solution-2.png\" alt=\"Selecting the Right Microsoft Identity Management Solution.  
Table of differentiating features between Entra ID, AD B2C and Entra External ID\" width=\"1200\" height=\"630\" \/><\/p>\n<h2>Migration<\/h2>\n<p>While migrating legacy systems from Azure AD B2C to Entra External ID would seem like an obvious move, there is currently very little in the way of tools to migrate custom policies. We are led to believe that this is something Microsoft are working on. Currently Entra External ID would seem to be a better candidate for greenfield development, and it might be prudent to wait a while before migrating existing systems using AD B2C.<\/p>\n<h2>Conclusion<\/h2>\n<p>When deciding which Microsoft Identity Management solution to select for a new development, the following simple rules should help.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-124933\" title=\"Selecting the Right Microsoft Identity Management Solution 3\" src=\"https:\/\/www.transparity.com\/wp-content\/uploads\/2025\/04\/Selecting-the-Right-Microsoft-Identity-Management-Solution-1.png\" alt=\"Selecting the Right Microsoft Identity Management Solution - simple rules to help you choose\" width=\"1200\" height=\"630\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The digital landscape is continuously evolving, prompting organisations to prioritise secure and efficient identity management systems. The rapid evolution, and occasional rebranding, of Microsoft\u2019s\u00a0Identity-as-a-Service (IDaaS)\u00a0offerings can leave developers and architects a little confused. This article covers a few of the options of Microsoft Identity Management Solutions. What is IDaaS? 
Identity-as-a-service (IDaaS) refers to cloud-based solutions[\u2026] <a class=\"read-more\" href=\"https:\/\/www.cloudtango.net\/blog\/2025\/04\/22\/selecting-the-right-microsoft-identity-management-solution\/\">Read<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" enable-background=\"new 0 0 24 24\" height=\"16px\" viewBox=\"0 0 24 24\" width=\"16px\" fill=\"#091926\"><rect fill=\"none\" height=\"16\" width=\"16\"\/><path d=\"M14.29,5.71L14.29,5.71c-0.39,0.39-0.39,1.02,0,1.41L18.17,11H3c-0.55,0-1,0.45-1,1v0c0,0.55,0.45,1,1,1h15.18l-3.88,3.88 c-0.39,0.39-0.39,1.02,0,1.41l0,0c0.39,0.39,1.02,0.39,1.41,0l5.59-5.59c0.39-0.39,0.39-1.02,0-1.41L15.7,5.71 C15.32,5.32,14.68,5.32,14.29,5.71z\"\/><\/svg><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,7],"tags":[],"class_list":["post-777","post","type-post","status-publish","format-standard","hentry","category-azure","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts\/777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/comments?post=777"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts\/777\/revisions"}],"predecessor-version":[{"id":778,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts\/777\/revisions\/778"}],"wp:attachment":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/media?parent=777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v
2\/categories?post=777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/tags?post=777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}