Best way to do CIAM?

Hi,

We would like to test/use Entra as an IDP for external users. In our case those are customers and sales partners needing access (authentication) with different roles (authorization) to different web services. Customers and partners are all defined within Business Central (Dynamics 365). A classical CIAM use case, I guess :)

We are kind of confused about what's the best way to achieve this through Entra. Maybe someone can help here and give some content to our 3 (?) possible ways to do this.

1. Entra External Identities with App registrations
There's a menu within Entra -> Identity -> External identities. Combined with Application registration. I guess Entra security groups will come along for defining the different roles here?
There is that YT where MS chooses this way https://youtu.be/ZxHnv7OTzXI?si=9ZC4UiIgg757VJAW
For now we use that for our guest users only, which are more internal users than externals.

2. B2C Tenant
There is also a way to create a B2C Tenant through an Azure Service. Things are similar to (1) but also different when it comes to the details.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant

3. External ID Tenant
And there is "External ID" which seems to be like (2) but also "better" (in MS marketing speech). Is this just the new way to do (2) or really something new? Not really looked into this. It seems that you create that tenant through Entra and not through Azure like (2).
https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-create-external-tenant-portal


Besides my confusion about naming and presenting "hundreds of ways" (documentations) to solve our CIAM issue, what's your recommendation? Are there any differences with the "50k MAU" rules for licensing?

0 Replies