Azure AD B2C: Customer Identity and Access Management (CIAM)

What is Azure AD B2C?

Azure Active Directory B2C is a customer identity and access management (CIAM) solution that supports millions of users and billions of authentications daily. It enables businesses to provide single sign-on for consumer-facing applications while maintaining enterprise-grade security. Unlike Azure AD, which targets employees, B2C is designed for external customers, partners, and citizens.

User Flows and Custom Policies

User flows provide pre-built, configurable journeys for sign-up, sign-in, profile editing, and password reset. For complex scenarios, custom policies using the Identity Experience Framework (IEF) enable advanced authentication orchestration including multi-step user journeys, API integrations, and conditional logic.

Social and External Identity Providers

B2C supports federation with social providers like Google, Facebook, Apple, and Twitter. Enterprise providers using SAML 2.0 and OpenID Connect are also supported. Users can link multiple identities to a single account, enabling seamless cross-platform authentication.

Multi-Factor Authentication

Built-in MFA supports SMS, phone call, email verification, and authenticator app methods. Conditional access policies can require MFA based on risk level, location, or device compliance. Adaptive MFA reduces friction by only challenging suspicious sign-in attempts.

API Protection

B2C issues OAuth 2.0 access tokens for API authorization. Custom scopes define fine-grained access control. Token validation middleware in backend APIs verifies token signature, issuer, audience, and expiration. Refresh token rotation prevents token replay attacks.

Customization

Custom HTML/CSS templates allow complete branding control over authentication pages. JavaScript customization enables dynamic form validation and progressive profiling. Localization supports 36+ languages with custom string overrides for each locale.

Security Features

  • Identity Protection with risk-based conditional access
  • Account lockout after failed attempts
  • CAPTCHA integration to prevent automated attacks
  • Token signing with RS256 (RSA signatures with SHA-256) and token encryption
  • Audit logs for compliance and forensics

Pricing

Azure AD B2C pricing is based on monthly active users. The first 50,000 MAUs per month are free. Beyond that, Premium P1 costs approximately $0.00325 per authentication. MFA adds $0.03 per SMS verification. For most applications, B2C costs a fraction of building custom authentication.

Key Features and Capabilities

The following are the core capabilities that make this technology essential for modern cloud infrastructure:

Custom User Flows

Pre-built sign-up, sign-in, password reset, and profile edit flows with UI customization through HTML/CSS templates and JavaScript injection

Social Identity Providers

One-click integration with Google, Facebook, Apple, Microsoft, GitHub, and any OpenID Connect or SAML 2.0 identity provider

Custom Policies

XML-based Identity Experience Framework for complex scenarios: multi-factor step-up, progressive profiling, and external API validation during authentication

API Connectors

Call external REST APIs during sign-up and sign-in flows for identity verification, fraud detection, and business rule validation before token issuance

Conditional Access

Risk-based policies evaluating sign-in anomalies, impossible travel, and known botnet IPs to enforce MFA challenges or block suspicious authentication attempts

Real-World Use Cases

Organizations across industries are leveraging this technology in production environments:

Consumer Mobile App

A retail app supports social login, passwordless (FIDO2, email OTP), and progressive profiling that collects address only at first purchase to reduce sign-up friction

B2B SaaS Platform

A SaaS provider federates with customer Azure AD tenants for SSO while maintaining local accounts for smaller customers without corporate directories

Government Portal

A citizen-facing portal uses custom policies for ID verification through external eIDAS providers, enforcing strong authentication for document access

Healthcare Patient Portal

HIPAA-compliant patient registration with MFA, consent management, and SMART on FHIR token issuance for EHR integration

Best Practices and Recommendations

Based on enterprise deployments and production experience, these recommendations will help you maximize value:

  • Start with User Flows for standard scenarios — only migrate to Custom Policies when you need multi-step orchestration or external API calls during auth
  • Always customize the B2C UI with your brand — default Microsoft-branded pages have 40% higher abandonment rates than branded experiences
  • Enable sign-in risk detection and Conditional Access from launch — retroactively fixing compromised accounts costs 10x more than prevention
  • Use refresh token rotation (fci=true) with single-use refresh tokens to limit token theft impact in mobile and SPA applications
  • Test custom policies with the B2C XML policy upload AND the Identity Experience Framework test runner before deploying to production
  • Monitor authentication success/failure rates through Application Insights integration — set alerts on failed sign-in spikes indicating credential stuffing
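An added example for the last recommendation (not from the page): a detector that flags credential-stuffing spikes in sign-in records by counting failures per source IP and per window, and requiring that they spread over several distinct accounts. The field names follow the Azure AD sign-in log schema; the records themselves are constructed sample data, and the thresholds are assumptions to tune per application.

```javascript
// Field names follow the Azure AD sign-in log schema (createdDateTime, ipAddress,
// userPrincipalName, resultType; resultType '0' is success, anything else an error code).
// The records are constructed sample data, not real telemetry.
const rec = (createdDateTime, ipAddress, userPrincipalName, resultType) =>
  ({ createdDateTime, ipAddress, userPrincipalName, resultType });

const SAMPLE_SIGNINS = [
  // One source address trying many different accounts inside a minute: stuffing pattern.
  rec('2024-05-01T10:00:03Z', '203.0.113.7', 'ana@example.com', '50126'),
  rec('2024-05-01T10:00:09Z', '203.0.113.7', 'bo@example.com', '50126'),
  rec('2024-05-01T10:00:14Z', '203.0.113.7', 'cy@example.com', '50126'),
  rec('2024-05-01T10:00:21Z', '203.0.113.7', 'di@example.com', '50126'),
  rec('2024-05-01T10:00:30Z', '203.0.113.7', 'ed@example.com', '50126'),
  rec('2024-05-01T10:00:41Z', '203.0.113.7', 'ana@example.com', '50126'),
  // One user mistyping their own password a few times: noisy but benign.
  rec('2024-05-01T10:00:12Z', '198.51.100.4', 'fay@example.com', '50126'),
  rec('2024-05-01T10:00:25Z', '198.51.100.4', 'fay@example.com', '50126'),
  rec('2024-05-01T10:00:40Z', '198.51.100.4', 'fay@example.com', '50126'),
  rec('2024-05-01T10:00:58Z', '198.51.100.4', 'fay@example.com', '0'),
  rec('2024-05-01T10:00:50Z', '192.0.2.33', 'gus@example.com', '0'),
];

// Groups failed sign-ins per source IP and time window and flags windows where
// many failures are spread over many distinct accounts (the stuffing signature),
// rather than a single user retrying. Thresholds are assumed defaults, tunable per app.
function detectCredentialStuffing(records, { windowSec = 60, minFailures = 5, minDistinctUsers = 3 } = {}) {
  const windows = new Map();
  for (const r of records) {
    if (r.resultType === '0') continue; // success: not counted
    const windowStart = Math.floor(Date.parse(r.createdDateTime) / 1000 / windowSec) * windowSec;
    const key = `${r.ipAddress}|${windowStart}`;
    const w = windows.get(key) ?? { ip: r.ipAddress, windowStart, failures: 0, users: new Set() };
    w.failures += 1;
    w.users.add(r.userPrincipalName);
    windows.set(key, w);
  }
  return [...windows.values()]
    .filter((w) => w.failures >= minFailures && w.users.size >= minDistinctUsers)
    .map((w) => ({
      ip: w.ip,
      windowStart: new Date(w.windowStart * 1000).toISOString(),
      failures: w.failures,
      distinctUsers: w.users.size,
    }));
}
```

The same grouping expressed as a Kusto query over the exported SignInLogs table is what an Application Insights or Log Analytics alert rule would run on a schedule.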

Frequently Asked Questions

How much does Azure AD B2C cost?

First 50,000 authentications per month are free. Beyond that, standard authentications cost $0.00325 each (~$3.25 per 1,000). MFA (SMS/phone) adds $0.03 per verification. A consumer app with 100K monthly active users typically costs $150-$300/month. P1/P2 features require separate pricing.

Can B2C support passwordless authentication?

Yes. B2C supports FIDO2 security keys, email OTP, phone OTP, Microsoft Authenticator, and WebAuthn biometrics. Custom policies can implement magic links and passkey flows for fully passwordless experiences. Passwordless reduces account takeover by 99.9%.

What is the difference between Azure AD B2B and B2C?

B2B is for inviting business partners into your organizational directory with guest accounts. B2C is a separate identity store for consumer/customer-facing applications. B2B uses your Azure AD tenant; B2C uses a dedicated B2C tenant with its own user directory and policies.
