Microsoft Entra ID External Identities vs Azure AD B2C.


A summary of differences between Entra ID and Azure AD B2C. Entra ID in this article is used to build a product.

Differences between Entra ID and Azure AD B2C

To share resources from your organization (Entra ID) like PowerBi, OneDrive, and SharePoint - use B2B collaboration. Please remember: in many cases, you must assign the expected licenses - PowerBI*, for example, and you will be able to use PowerBI Portal.

This solution is also possible when you want to build a product based on PowerBI or OneDrive - In that case, you should consider setting up a dedicated ‘product’ tenant - to separate access to the resources.

The best option for a custom-developed application (SaaS) is Azure AD B2C. You can federate with many identity providers like Entra ID, Facebook, and Google.

service nameB2B CollaborationAzure AD B2C
PowerBIYes *No
OneDriveYes *No
  • There are some limitations to accessing resources in Microsoft Entra ID B2B collaboration.

Sample scenario diagram


Table with details of the scenario

UserDescriptionSlowFood PortalSlowFood OneDrive *SlowFood PowerBi *
[email protected]Facebook useryes, SSO via Facebook federationnono
[email protected]Entra ID useryes, SSO via federationyes, SSOyes, SSO
[email protected]Entra ID useryes, SSO via federationyes, SSOyes, SSO
[email protected]Azure AD B2C useryes, password in Azure AD B2Cnono
[email protected]Azure AD B2C useryes, password in Azure AD B2Cnono
  • The access to OneDrive/PowerBI is expected as standard Microsoft Entra ID (from the organization) user, not direct one-time access to file/report.


Microsoft is working on the new feature - Microsoft Entra External ID. Maybe they will extend possibilities with B2B collaboration from the new CIAM tenant type. Will see…. Also, instead of working with Custom Policies (XML), there will be a user journey with API support. For example, you can call API to enrich the token with additional claims.

Additional cases

Also, to access the Microsoft 365 resources, you can use Service Principal access. So, without direct user access and permissions, you can share/connect Sharepoint to share the data. It is a good option for a custom-developed application (SaaS) that can use only Azure AD B2C (or Entra External ID in the future) and with the backend service (API) to access the data via the service principal.

Documentation & Links