azure, azure-ad-b2c, azure-ad-b2b, azure-entra-id

Azure multi tenant SaaS application - which Entra service to use?


I am starting some cloud work on a SaaS application which will be hosted in our Azure tenant. We offer this SaaS application to different businesses, and we want to create custom roles for each company, i.e. an admin role to invite/create users, a general user role, etc. I don't want any of these external users to be able to collaborate or interact with my Azure resources. Random users will not access the app and sign up, only external business users. I am so confused about whether to use External ID in external tenants, B2B, B2C, B2B with entitlement management, or B2B collaboration. I feel like this is a simple scenario, but the more I read, the more confused I get. Can anyone help me by pointing me to what I should be looking at? Thanks.


Solution

  • Azure has so many identity options, and it's not always clear which one fits best. For what you're doing, Entra ID B2B collaboration is probably the way to go. It lets external businesses use their own Entra ID accounts to access your SaaS app without managing separate logins. They stay as guest users in your tenant, meaning they can't mess with your Azure resources, just your app.

    If you need to give them different roles, like an admin role for managing their own users, you can handle that inside your app using app roles in Entra ID. If you don't want to invite every single user manually, entitlement management is worth looking into: it lets company admins request access for their people without you having to be involved every time.

    B2C isn't the right fit here, since that's more for open sign-ups, like if you were letting random users register. Your setup is strictly for business customers, so B2B keeps things cleaner and more secure.