Azure AD Ignite 2018 Recap 2: External Identities (B2B and B2C)
Published Dec 06 2018 09:58 AM 8,529 Views

Hey everyone - it's time for the next installment of the Ignite recap blogs. This one is brought to you by Elisabeth and Jose from the external identities team. They are doing a ton of exciting work and having a huge impact with customers like Subway (which they detail below). Getting external identities under management is a really key security step. Thoughtful application of things like terms of use agreements, conditional access and multi-factor authentication are essential security and compliance enablers as you bring your customers and partners along on our digital transformation. 


There's a ton of cool new stuff here to help you bring your B2C and B2B accounts under management - access reviews, one time passcodes, sign in with Google accounts, direct federation, java customization . . .  read on!







Hi everyone!  It’s Jose and Elisabeth from the Identity team at Microsoft, here to talk to you about all the awesome B2C and B2B stuff we presented and learned at the Microsoft Ignite conference this year.


First up, let's talk about B2C.  Ignite was a real treat for our Identity team - our friends at Subway shared the success of phase one of their digital transformation journey with B2C as their cornerstone platform.  Subway is the largest sub-style sandwich franchise in the world with more than 45,000 stores in over 100 countries and tens of millions of digital customers. What a joy to have a prized customer like that betting on the service and loving it!  


It has been exciting to see Azure AD B2C serving as the foundation of so many digital transformation efforts.  We partnered with Subway to help them move away from siloed, proprietary identity databases that could not deliver the varied login options, the multi-device support, and the security they needed to meet their customer’s digital-access expectations. 


Subway delivered on their goal to establish a standard approach to unify identity across their global customer base and across many applications such as in store, online ordering, and loyalty.  They were especially concerned about migrating millions of existing users from their old system and unifying user databases without resetting passwords or inconveniencing their users.  No surprise, their timelines were aggressive and there were many stakeholders to bring along.  Check out the video below to hear directly from Karen Perez Diaz, Lin Ma, and Pablo Aymerich—all from Subway—to learn how they did this on an Azure-based architecture:




In addition to highlighting the great partnership with Subway, we announced and demonstrated some new features that are available now:

  • Improved development experience. Simplified flows make it easier and faster to get started and create your own policies.  We’ve placed the most popular guides right on the new overview page.  Want to try it? Open your B2C tenant in the Azure Portal and click on the purple bar to switch to the new experience.

Azure AD B2C PreviewAzure AD B2C Preview

  • Every tenant can now have an authentication destination that does not distract with “Microsoft” in the domain name.  This new domain space also avoids situations where users are prompted to select from other Microsoft-powered login options. Learn more here.
  • Lastly, we shared some hot features that are currently in private preview: customization with JavaScript, and Cloud Solution Provider subscription support. Write to us to be included in the preview:

We also had a great week at Ignite talking about B2B!  It was an amazing whirlwind of conversations with dozens of customers who took the time to talk to us about their scenarios and experiences.  We learned tons and met so many great people, thank you to everyone we talked to (you know who you are)!

Customers were excited to learn more about these features:

  • Google federation enables guests to sign in using the Gmail account you invited rather than needing to create new credentials in order to collaborate with you. It's available now in public preview, and you can check out our docs to learn how to set it up today. 
  • Direct federation lets you to set up a trust relationship with any identity provider that supports SAML or WS-Fed (such as ADFS). Guests with accounts in those systems can then sign in with their existing credentials. This feature is in private preview, but you can sign up here to be notified when the feature enters public preview. 
  • One-time passcodes will be the new fallback experience for users who don’t already have an account we can federate to, rather than forcing the user to create a new account just for B2B experiences. This feature is in private preview, but you can sign up here to be notified when the feature enters public preview. 
  • Guest access reviews: Use our existing Access Reviews feature and apply it to guests today to audit guest access to valuable resources! (Soon we’ll support automatically disabling or removing guest accounts that don’t pass the review!)
  • Entitlement lifecycle management for B2B has some great features around self-service guest sign up and easier guest lifecycle management - check out our docs on identity governance for ideas and submit your request to join the preview here
  • Invitation redemption status via API lets you use the externalUserState and externalUserStateChangeDateTime properties we just rolled out on the User object in Microsoft Graph and Azure AD PowerShell to do things like generate a list of guest users older than 30 days who have not accepted their invitation yet. 

There’s even more in the full talk! Watch the session to learn about all the great new and up-coming stuff in B2B (and to see the most complicated demo Elisabeth has ever built!): 



Elisabeth also talked about using the B2B Invitation API in general as part of a session on using Microsoft Graph to automate business processes along with our colleagues Jeff Sakowicz and Mark Wahl, so check that out too!


One of the things we were most surprised by at the conference was that some customers didn’t know how well B2B works with MFA, conditional access, and the other great security features in Azure AD Premium.  This is really important to a lot of customers who want to do business securely and ensure that their guests interact with their resources in the most secure manner possible as well.  The default assumption should be that features like conditional access and access reviews will work with guest users with a few exceptions, even one-time passcode guests!


Thanks everyone for the great conference, we’re already looking forward to going back next year!  In the meantime if you want to keep in touch, you can find Elisabeth on Twitter as @elisol and Jose as @jjrred  You can file or upvote feedback in User Voice for B2C and B2B.

Version history
Last update:
‎Jul 24 2020 01:48 AM
Updated by: