Coding Stephan

Comparing Azure AD B2C to Entra External ID

Building an application that requires user authentication? We all used to build this directly in our API or web application, but with today’s security requirements and the continuous stream of attacks, I would recommend against doing this part yourself. You cannot possibly spend as much on security as the big companies do, so why not leverage their knowledge and experience?

Azure AD B2C vs Entra External ID

Microsoft is one of those companies that can help you with user authentication for your application. They used to offer Azure AD B2C (Business to Consumer) for this; for about a year now they have also offered Entra External ID. Both are identity solutions, but what are the differences between the two? And which one should you choose for your application? I’ll start with a comparison table and then explain those differences in more detail. Microsoft is not the only company that offers identity solutions, but it is the only one I have experience with. If you have experience with other solutions, please let me know in the comments.

Comparison table

The following table compares the features of Azure AD B2C and Entra External ID; each feature is explained in its own section below. I marked the product that I think wins the round with a ✅.

Feature                              | Azure AD B2C          | Entra External ID
Pricing                              | ✅ Free* / € 0,0031   | Free* / € 0,0156
Browser based authentication         | Yes                   | Yes
Native authentication                | No                    | ✅ Yes
Email OTP                            | Yes *cp               | ✅ Yes
OpenID Connect (external provider)   | ✅ Yes                | Yes (public preview)
Social logins                        | Yes                   | Yes
Support                              | Yes (at least 2030)   | Yes
New features                         | No                    | ✅ Yes
Migration                            | ?                     | ?

Azure AD B2C has a lot of features that can only be accomplished with custom policies. In the table above these are explicitly marked with *cp. These custom policies are written in XML and can be quite complex. If you need these features, be prepared to spend some time learning how to write these policies.

Pricing

Both Azure AD B2C and Entra External ID are free for the first 50.000 monthly active users (MAU). After that you pay per MAU. Both pricing pages are really confusing (the Entra External ID page redirected to the old information for a while), which is why I initially concluded the prices were the same; see the pricing update below for the corrected comparison.

Both Azure AD B2C and Entra External ID price by monthly active users, which means you pay (a small amount) for each user above the first 50k. After the first 50k users, you pay € 0,003101 per user for Azure AD B2C P1, € 0,015503 per user for Azure AD B2C P2 and € 0,0156 per user for Entra External ID. For this amount Microsoft handles the security of the sign-in for you, and you can focus on building your application. If you run a subscription service, what does it really cost you to keep those accounts secure? The generous free tier of 50.000 users gets you started fast (and free), and once you scale above that you pay a small fee (less than two cents per user per month) for all the security you get.

Monthly Active Users | Cost per month (B2C P1) | Cost per month (Entra External ID)
100                  | € 0,00                  | € 0,00
20.000               | € 0,00                  | € 0,00
50.000               | € 0,00                  | € 0,00
100.000              | € 155,05                | € 780,00
200.000              | € 465,15                | € 2.340,00
1.000.000            | € 2.945,95              | € 14.820,00

Pricing update: previously this article stated that both solutions were roughly the same price. Now that I have received the correct link to the pricing information for Entra External ID, I have to conclude that Azure AD B2C is cheaper than Entra External ID, as long as you don’t need the P2 features. The new pricing is reflected in the table. On the other hand, paying less than 20 cents per user per year for all the security you get is still a good deal.

Note: The pricing for Azure AD B2C is a bit more complex than just the MAU. It is possible that you were on a different pricing plan before, and are still on that plan. I think you can no longer create new tenants on the old pricing plan, but I’m not sure. If you are on the old pricing plan, you might be charged differently.

Browser based authentication

Both Azure AD B2C and Entra External ID support browser based authentication. This means that to log in to your application, the user is sent to a “system browser” to sign in at the identity provider. This has the advantage that your application never sees what the user types on the login screen, and that the identity provider can redirect the user to a (social) identity provider to log in. This keeps credentials out of your application and keeps the user in control of their own data.

This round is a tie.

Native authentication

Native authentication is a way to sign in to your application without opening a browser, for a more “native” feel. You would use this when the application and the API it talks to are operated by the same company, since the application itself now handles the credentials. For example, in the Email OTP flow your application asks the user for their email address, calls an API to request an OTP for that address, and then shows a screen to enter the code. After the user has received the code they enter it in a native screen in your application, and the application sends it in another API call to authenticate the user.

Native authentication has no support for (social) identity providers, since those require a redirect to a browser anyway, but it can be a nice solution if you want to keep the user in your application. Do you want to use this in your application? Then you should go with Entra External ID, since Azure AD B2C does not support it.

Email OTP

Email OTP is a way to sign in without a password. Each time you want to log in, you enter your email address and receive a one-time code by email. This way you don’t have to remember a password, and you get access to the application as long as you can access the mailbox (so the security of the mailbox becomes the security of the account). Personally, I’m not a fan of this way of authenticating, because it does not work with my password manager and I have to switch to a different application to get the code. But if your users keep forgetting their passwords, this might be a good solution for your application.

If you want to enable this in Azure AD B2C, you need to create a custom policy. In Entra External ID, this is a standard feature.

I would say Entra External ID wins this round.
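The email OTP exchange described under “Native authentication” and “Email OTP”, with both the API side and the in-app side, as an added example. This is not code from the post and not Microsoft’s native-authentication API: the operation names (start_otp, verify_otp), the code length, lifetime and attempt limit, and the response shapes are assumptions chosen to show the properties a practitioner expects from such a flow, namely that codes are unpredictable, stored only as a hash, single-use, time-limited, guess-limited and compared in constant time.

```python
"""Email OTP sign-in behind a native (browser-less) client.

Added example; neither the post author's code nor Microsoft's
native-authentication API. Names, limits and response shapes are assumed.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess budget before the code is burned


class OtpService:
    """Server side of the flow: the API the native app talks to."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # email -> [code_hash, expires_at, wrong_attempts]
        self.sent_mail = []  # constructed stand-in for an outgoing mail queue

    @staticmethod
    def _hash(email, code):
        # Bind the hash to the address so a code issued for one user cannot
        # be replayed against another address.
        return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()

    def start_otp(self, email):
        """Screen 1: the app sends the address, the service mails a code."""
        email = email.lower()
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[email] = [self._hash(email, code),
                                self._clock() + OTP_TTL_SECONDS, 0]
        self.sent_mail.append((email, code))   # would be an e-mail in reality
        # Same answer whether or not the address is known: no enumeration.
        return {"status": "otp_sent"}

    def verify_otp(self, email, code):
        """Screen 2: the app sends the code; a token comes back on success.

        Returns None on any failure. The pending code is removed on success,
        on expiry, and once MAX_ATTEMPTS wrong codes have been submitted."""
        email = email.lower()
        entry = self._pending.get(email)
        if entry is None:
            return None
        code_hash, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[email]
            return None
        if not hmac.compare_digest(code_hash, self._hash(email, code)):
            entry[2] = attempts + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[email]
            return None
        del self._pending[email]          # single use
        return {"sub": email, "access_token": secrets.token_urlsafe(32)}


class NativeClient:
    """Client side: two in-app screens, no browser. Real calls would be
    HTTPS requests to the identity service; here they are method calls."""

    def __init__(self, service):
        self._service = service

    def sign_in(self, email, read_code_from_user):
        self._service.start_otp(email)
        return self._service.verify_otp(email, read_code_from_user())


def demo():
    """Happy path: the user copies the code from their mailbox."""
    service = OtpService()
    client = NativeClient(service)
    email = "alice@example.com"   # constructed sample address
    return client.sign_in(email, lambda: service.sent_mail[-1][1])


if __name__ == "__main__":
    print(demo())
```

The client never learns anything the browser flow would have hidden from it except the code the user types, which is the trade-off the post describes: native authentication keeps the user in your app, but your app is now part of the trusted path.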

OpenID Connect

Explaining OpenID Connect is a bit out of scope for this post, but it is the protocol your application uses to authenticate users against the tenant. Both Azure AD B2C and Entra External ID support it on the application side: your application is the relying party and the tenant is the OpenID provider. This is the main way to use either of these identity solutions in your application.

On the identity provider side it is a different story. Federating to an external OpenID Connect identity provider has been supported for a long time in Azure AD B2C. Entra External ID only just released support for this, as a public preview. If your users already have an account with another identity provider that supports OpenID Connect, you should consider whether you want to depend on a public preview feature in your application, or go with Azure AD B2C for now.
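What the application itself still has to do in the browser-based flow from the “Browser based authentication” section, using the OpenID Connect relying-party role described above, as an added example. This is not code from the post and not a Microsoft SDK (a real app would use MSAL or another OIDC library); AUTHORITY, ISSUER, CLIENT_ID and REDIRECT_URI are placeholders, the authorize path follows the usual /oauth2/v2.0/authorize shape but should be taken from the provider’s discovery document, and signature verification of the ID token against the provider’s published keys is assumed to have happened in the library before the claim checks shown here.

```python
"""OpenID Connect authorization code flow with PKCE, seen from the app.

Added example; not the post author's code and not Microsoft's SDK.
Endpoints, identifiers and the callback/claims used in demo() are
placeholders or constructed values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.example.invalid/contoso-tenant"  # placeholder
ISSUER = AUTHORITY + "/v2.0"   # placeholder; read "issuer" from .well-known/openid-configuration
CLIENT_ID = "11111111-2222-3333-4444-555555555555"          # placeholder app id
REDIRECT_URI = "myapp://auth/callback"  # placeholder; the system browser hands control back here


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair():
    """RFC 7636: the app keeps the verifier; only the S256 challenge goes over the wire."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


def pkce_matches(verifier, challenge):
    """The check the token endpoint performs when the code is redeemed: whoever
    intercepted the code on the redirect cannot produce the verifier."""
    expected = _b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected.encode(), challenge.encode())


def start_login():
    """Build the URL for the system browser plus the per-request secrets the
    app must keep (and never put in the URL) until the callback arrives."""
    verifier, challenge = pkce_pair()
    session = {"state": secrets.token_urlsafe(16),
               "nonce": secrets.token_urlsafe(16),
               "code_verifier": verifier}
    url = AUTHORITY + "/oauth2/v2.0/authorize?" + urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return url, session


def handle_callback(callback_url, session):
    """Accept the redirect back from the browser. Returns the authorization
    code only when the state proves this is the login the app itself started."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise PermissionError(params.get("error_description", params["error"])[0])
    if params.get("state", [""])[0] != session["state"]:
        raise PermissionError("state mismatch: callback does not belong to this login")
    return params["code"][0]


def validate_id_token_claims(claims, session, now=None):
    """Claim checks on the ID token returned by the token endpoint, after the
    code was exchanged together with session["code_verifier"] and the
    signature was verified. Returns the subject identifier."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise PermissionError("issuer is not the tenant we configured")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise PermissionError("token was issued to a different client")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise PermissionError("nonce mismatch: token was not minted for this login")
    return claims["sub"]


def demo():
    """One round trip with a constructed callback and constructed claims."""
    url, session = start_login()
    callback = REDIRECT_URI + "?" + urlencode(
        {"code": "AQAB-sample-code", "state": session["state"]})
    code = handle_callback(callback, session)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
              "exp": int(time.time()) + 3600, "nonce": session["nonce"]}
    return code, validate_id_token_claims(claims, session)


if __name__ == "__main__":
    print(demo())
```

The same relying-party code works against either tenant, which is why the post can say switching providers later is mostly a configuration change: the authority, issuer and client id move, the flow does not.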

Social logins

Social login is my generic term for Login with Google, Login with Facebook, Login with Apple, etc. Supporting social logins helps lower the barrier to using your application. Users already have an account somewhere and don’t want yet another password to remember; with the press of a button (and a consent screen) they can log in to (or register with) the application.

This is a really convenient way to log in, but some (potential) users might have privacy concerns. “Why does my banking application want to know my Facebook account?” is a question I can imagine. The security downside is that you completely rely on the security of the social identity provider: if a user’s account there is compromised, the attacker can also sign in to your application. And, more recently, if people start deleting their social media accounts, they might also lose access to your application. Both solutions require you to configure each provider in the portal. And with the support for OpenID Connect you can also use other identity providers.

Both Azure AD B2C and Entra External ID support social logins, so this round is a tie. But remember this feature cannot be supported in native authentication.

Future support

When Microsoft announced Entra External ID as their “new CIAM” (Customer Identity and Access Management) solution, they also announced that Azure AD B2C will be supported until at least 2030. This means that you can still use Azure AD B2C for a long time, but that you should consider Entra External ID for new applications. Entra External ID is the future CIAM solution from Microsoft.

How does this preview affect me? No action is required on your part at this time. We remain fully committed to supporting your current Azure AD B2C solution. There are no requirements for Azure AD B2C customers to migrate at this time and no plans to discontinue the current Azure AD B2C service. source

And while this means Microsoft will support it until at least 2030, it also means that they probably won’t add any new features to Azure AD B2C. That also includes making features that currently require custom policies available without them.

In my opinion, Entra External ID wins this round, because it will receive new features and improvements in the future.

Migration (and vendor lock-in)

If you’re currently using Azure AD B2C and want to migrate to Entra External ID, there is now a (public preview) migration path: you can configure your “old” Azure AD B2C tenant as an identity provider in your new Entra External ID tenant. This way you can migrate your users gradually, but it requires every user to sign in once more; it is not an automated process where you can just move all the users to the new tenant.

Choosing Microsoft as your CIAM solution early on gets you started for free. Effectively the login part (except the native auth) is just OpenID Connect (an open standard for federated authentication), so if you ever want to switch to another provider, the change has some impact but should not be a showstopper. If the other provider supports custom OpenID Connect identity providers, you can use the tactic described above to migrate your users gradually to the new provider.

Conclusion

The conclusion is not an easy recommendation for everybody, and it also depends on where you are in the process. If you are building a new application, I would recommend starting with Entra External ID. It is the future CIAM solution from Microsoft and will receive new features and improvements. If you are already using Azure AD B2C, you can continue to use it for a long time: Microsoft will support it until at least 2030, but don’t expect new features or improvements.

If you’re planning to mostly use social logins and don’t plan on using native authentication and/or email OTP, you can go with either solution. If you want to use native authentication and/or email OTP, you should go with Entra External ID. And if you want to federate to custom external identity providers through OpenID Connect, you should go with Azure AD B2C (if you don’t want to rely on public preview features in a new application).

And lastly, if you’re only looking at price, Azure AD B2C P1 is a lot cheaper than Entra External ID. This should not be the reason to choose one of these solutions: if 20 cents per user per year is a showstopper for your application, you should reconsider your business model.

If you are organizing a conference (or know someone who is) that has a call for speakers open, please let me know; I enjoy sharing the knowledge I gained in the past 15 years as a security minded software architect (MVP Profile). And if you want to connect, you can find me on LinkedIn or Bluesky.