Browse all topics
All guidesGlossary
Microsoft Entra (Identity)

Entra External ID vs Azure AD B2C

Microsoft has two products for customer identity. Here's the difference and which to pick today.

For organisations building customer-facing apps, Microsoft has two identity products: the older Azure AD B2C, and the newer Microsoft Entra External ID. They solve the same problem — letting customers sign up, sign in, and manage their accounts — but External ID is where Microsoft is investing.

Azure AD B2C

Azure AD B2C has been around for years. It runs as a separate B2C tenant distinct from your workforce tenant. Apps integrate with B2C, and users get sign-up/sign-in pages branded for the app. It supports:

  • Local accounts and social identity providers (Google, Facebook, Apple, Microsoft account).
  • Custom user flows (built-in templates) and custom policies (XML-driven, very flexible, hard to maintain).
  • Custom branded sign-in pages.
  • MFA, conditional access, and (limited) Identity Protection.

B2C works, but its UX is dated, its policy authoring (custom policies) is famously painful, and it's separate from the rest of Entra.

Microsoft Entra External ID

External ID is the modern replacement for B2C. It lives inside Entra — the same admin center, the same APIs, the same governance tooling. It supports:

  • Customer-facing apps via External ID tenants (still separate from your workforce tenant by design, but managed in the same surface).
  • Sign-up, sign-in, password reset, MFA flows out of the box.
  • Social identity providers.
  • Conditional Access.
  • Modern branded sign-in pages with no-code editing.
  • API integration via standard OIDC / SAML.
  • Future-state self-service identity governance for customers.

External ID also has the older workforce flavour that lets you bring guests into your existing workforce tenant — that's the same B2B story.

Which should you use today

  • New customer-facing apps: Microsoft Entra External ID. It's where investment is going and where new features ship first.
  • Existing apps on Azure AD B2C: continue running for now. Microsoft has stated B2C is supported through 2030, but planning a migration to External ID over the medium term is wise. Migration tooling exists.

Cost model

Both products price by monthly active users (MAU): the first N MAU per month are free, with tiered pricing above that. The free tier is generous for early-stage apps.

What External ID still lacks

If your app needs deep customisation that B2C custom policies provide today, check carefully — some advanced scenarios (complex token issuance, REST API steps in the flow, sophisticated user attribute manipulation) are still landing in External ID. As of 2026 the gap is shrinking fast.

For a new project, default to External ID unless a known feature gap forces you to B2C.