
Microsoft Entra ID B2C Architecture

Microsoft Entra ID B2C is the "Sovereign Engine" of modern Customer IAM (CIAM). Unlike its workforce counterpart, B2C is built to hold millions of consumer identities and to deliver a fully white-labeled authentication experience for customer-facing applications. It is the architectural layer that lets a business accept social identities (Facebook, Google, Apple) and local accounts alike while issuing its own tokens to its own applications and APIs. For the IAM architect, B2C is the playground for identity orchestration: multi-step customer journeys that balance a frictionless user experience with rigorous security and data-privacy controls.

B2C CIAM (Consumer Sovereign)

Core Mission: Branded Identity Orchestration. Delivering a secure, scalable, and fully customizable authentication platform that integrates external social identities while maintaining centralized user profiles and attributes.

Like a Luxury Boutique Concierge: imagine a high-end store (your application). Customers don't want a complex onboarding process; they want to be recognized instantly (social login). The concierge (Microsoft Entra ID B2C) greets them, offers to accept their existing VIP card from another club (federated identity), creates a local "loyalty profile" (the B2C user object), and ensures that their shopping experience is seamless and secure, all while keeping the store's branding (custom UI) front and center.

Typical workloads: SaaS consumer apps, mobile retail hubs, citizen portal services, and digital ecosystems.

Developing for B2C means choosing between out-of-the-box convenience (user flows) and full customization (custom policies); the two can coexist in one tenant, but a given application talks to exactly one policy per journey.

Feature         | Strategic Responsibility     | IAM Implementation
User Flows      | Simple and rapid deployment  | Pre-configured sign-up/sign-in, profile edit, and password reset journeys, configured in the portal.
Custom Policies | Limitless orchestration      | Identity Experience Framework (IEF): XML trust framework policies carrying your own orchestration logic.
Social IdPs     | Frictionless onboarding      | OIDC/OAuth2 federation with Google, Facebook, Apple, etc.; SAML or OIDC federation with corporate IdPs.
User Attributes | Demographic data engine      | Built-in and custom (extension) attributes, custom claims, and claims hydrated from external data sources.

A B2C transaction is an orchestrated sequence of technical handshakes and data transformations.

graph LR
    Enter[User Arrival] --> Identify[Identify IdP]
    Identify --> Orchestrate[Custom Logic]
    Orchestrate --> Issue[Token Issuance]
1. Home Realm Discovery

The journey begins when the user chooses a sign-in method, or when the application pre-selects one by sending a domain_hint on the authorization request. B2C decides whether to authenticate the user against a local account (email/password, phone) or to "federate" out: to a social provider such as Google or Facebook over OIDC/OAuth2, or to a corporate identity provider over SAML or OIDC.

2. The Orchestration Engine

This is the heart of a custom policy (IEF). A user journey is a sequence of orchestration steps, and a RESTful technical profile can call an external REST API in the middle of the login flow, for example to check a fraud score, look up a loyalty tier, or perform a mandatory KYC (Know Your Customer) check before proceeding. The API's response either contributes claims to the journey or, by answering HTTP 409 with a userMessage, stops the journey with an error shown to the user. Because that endpoint sits on the critical path of every login, it must authenticate B2C (Basic, bearer, client certificate, or API-key header) and must only be reachable over HTTPS.
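The following is an added example, not code from the original page or from Microsoft: a minimal Python endpoint implementing the request/response contract that a B2C RESTful technical profile uses. B2C POSTs the input claims as a JSON body; the API answers HTTP 200 with a JSON object of output claims, or HTTP 409 with `{"version": "1.0.0", "status": 409, "userMessage": "..."}` to block the journey and show `userMessage` to the user. The credential, denylist, risk scoring and claim names (`email`, `country`, `riskScore`, `loyaltyTier`) are constructed for the example.

```python
"""Hypothetical B2C claims-exchange API (added example, not from the page).

Implements the REST contract a RESTful technical profile expects: Basic auth
from B2C, JSON input claims in, JSON output claims or a 409 error shape out.
"""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders: the Basic credential configured on the technical
# profile (in a real policy these come from policy keys, never from source).
EXPECTED_USER = "b2c-policy"
EXPECTED_PASSWORD = "replace-with-policy-key-secret"

BLOCKED_DOMAINS = {"mainlinator.example", "tempmail.example"}  # constructed denylist
HIGH_RISK_COUNTRIES = {"XX"}                                   # constructed placeholder code
RISK_BLOCK_THRESHOLD = 80


def basic_auth_header(user, password):
    """Build the Authorization value B2C sends for AuthenticationType=Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(auth_header):
    """Constant-time check of the caller's Basic credential."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return hmac.compare_digest(user, EXPECTED_USER) and hmac.compare_digest(password, EXPECTED_PASSWORD)


def risk_score(email, country):
    """Constructed scoring stub; a real deployment would consult a fraud/KYC provider here."""
    local_part = email.rsplit("@", 1)[0]
    score = 0
    if country.upper() in HIGH_RISK_COUNTRIES:
        score += 60
    if sum(ch.isdigit() for ch in local_part) >= 4:
        score += 30
    return score


def b2c_error(status, user_message):
    """Error body B2C understands; only a 409 renders userMessage to the end user."""
    return status, {"version": "1.0.0", "status": status, "userMessage": user_message}


def evaluate_claims(auth_header, body):
    """Return (http_status, json_body) for one claims-exchange request from B2C."""
    if not check_basic_auth(auth_header):
        return b2c_error(401, "Unauthorized")
    try:
        claims = json.loads(body)
    except (TypeError, ValueError):
        return b2c_error(400, "Malformed request")
    if not isinstance(claims, dict):
        return b2c_error(400, "Malformed request")
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return b2c_error(409, "A valid email address is required.")
    domain = email.rsplit("@", 1)[1].lower()
    if domain in BLOCKED_DOMAINS:
        return b2c_error(409, "Disposable email addresses cannot be used to sign up.")
    country = claims.get("country", "")
    score = risk_score(email, country if isinstance(country, str) else "")
    if score >= RISK_BLOCK_THRESHOLD:
        return b2c_error(409, "We could not complete sign-up. Please contact support.")
    # These keys are matched by PartnerClaimType in the technical profile's OutputClaims.
    return 200, {"riskScore": score, "loyaltyTier": "standard"}


class B2CHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, payload = evaluate_claims(self.headers.get("Authorization"), self.rfile.read(length))
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local testing only: B2C needs a publicly reachable HTTPS endpoint in production.
    HTTPServer(("127.0.0.1", 8080), B2CHandler).serve_forever()
```

Note that a non-409 error (here 401 or 400) makes B2C show a generic failure page rather than your message, which is the behaviour you want for an authentication failure: it tells an attacker nothing about why the call was rejected.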

3. Claim Transformation and Token Hub

Once identity is proven, B2C transforms the data gathered from the various sources into a single JWT. Claims transformations map social-provider attributes onto your local schema, the policy's token-signing key signs the token, and the user is returned to your application with an ID token (and, for calling your APIs, an access token). Your application must validate that token against the policy-specific OpenID Connect metadata, checking issuer, signing key, audience, expiry, and the tfp (or acr) claim that names the policy; the workforce Entra ID endpoints are not the right trust anchor for B2C tokens.
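As an added example (not part of the original page), the claim checks a relying party should apply to a B2C-issued token. Signature verification is assumed to have already been done against the JSON Web Key Set advertised by the policy-specific discovery document (`b2c_metadata_url` builds its address); the function below covers the claims that are commonly skipped, in particular pinning the policy. The tenant name, tenant ID, client ID and policy names are placeholders.

```python
"""Added example: relying-party claim validation for an Azure AD B2C token.

Assumes the JWT signature has already been verified with keys from the
policy's jwks_uri. Placeholders only; no real tenant values.
"""
import time


def b2c_metadata_url(tenant_name, policy_name):
    """Discovery document for one policy; its jwks_uri carries the signing keys."""
    return (f"https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/"
            f"{policy_name}/v2.0/.well-known/openid-configuration")


def b2c_issuer(tenant_name, tenant_id):
    """B2C 'iss' carries the tenant GUID, not the tenant name, and ends with a slash."""
    return f"https://{tenant_name}.b2clogin.com/{tenant_id}/v2.0/"


def validate_b2c_claims(claims, *, issuer, client_id, policy_name, now=None, leeway=60):
    """Return a list of rejection reasons; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []

    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("audience mismatch")

    # The policy that issued the token is in 'tfp' (or 'acr' if the policy is
    # configured to emit that instead). Policy names are case-insensitive.
    # Without this check a token from a password-reset policy would be accepted
    # as a sign-in token.
    token_policy = claims.get("tfp") or claims.get("acr") or ""
    if token_policy.lower() != policy_name.lower():
        problems.append("token issued by a different policy")

    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now - leeway:
        problems.append("token expired or missing exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf > now + leeway:
        problems.append("token not yet valid")

    # Assumption: older B2C tokens carry a "Not supported..." placeholder in 'sub'
    # when no subject claim is mapped; treat that like a missing subject.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub or sub.startswith("Not supported"):
        problems.append("no usable subject identifier")

    return problems


if __name__ == "__main__":
    iss = b2c_issuer("contoso", "11111111-2222-3333-4444-555555555555")
    sample = {"iss": iss, "aud": "app-client-id", "tfp": "B2C_1A_signup_signin",
              "exp": int(time.time()) + 600, "sub": "user-object-id"}
    print(validate_b2c_claims(sample, issuer=iss, client_id="app-client-id",
                              policy_name="B2C_1A_signup_signin"))
```

Use one metadata URL per policy your application accepts tokens from; the signing keys are the same across a tenant's policies, but the issuer and the tfp value are what tie a token to the journey you expected.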


Custom policies are defined in XML (a trust framework policy) and uploaded to the tenant's Identity Experience Framework through the Azure portal or Microsoft Graph. The fragment below is a claims transformation, the building block used to reshape claims between technical profiles.

<!-- Transforming email into a prefixed userId for legacy app support.
     Both claim types (email, userId) must be declared in the ClaimsSchema, and
     the transformation is referenced from a technical profile's
     InputClaimsTransformations or OutputClaimsTransformations to take effect. -->
<ClaimsTransformation Id="CreateUserIDFromEmail" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <!-- FormatStringClaim takes exactly one input claim, named "inputClaim"
         ("inputClaim1"/"inputClaim2" belong to FormatStringMultipleClaims) -->
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <!-- {0} is replaced with the value of inputClaim -->
    <InputParameter Id="stringFormat" DataType="string" Value="legacy-prefix-{0}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="userId" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

Master the technical ceremonies of consumer identity and high-scale orchestration.