Why External ID B2C Licensing Surprises Finance Teams
Microsoft Entra External ID B2C — formerly Azure AD B2C — is the customer-facing identity platform for applications that need to authenticate external users: customers, consumers, citizens, and anyone outside the corporate directory. Unlike most Microsoft enterprise products priced per seat or per user, B2C uses a Monthly Active User (MAU) consumption model. The first 50,000 MAUs per month are free. Beyond that, the meter runs — and for organisations with consumer-facing applications, the accumulated cost can dwarf what finance teams initially budgeted.
The product was rebranded and reorganised under the Entra External ID umbrella in 2023, creating confusion about which product applies to which scenario: B2B (partner and supplier identity), B2C (consumer and customer identity), and the newer External ID product that partially consolidates both. Understanding these distinctions is essential before any licensing or architecture decision.
This guide covers the External ID B2C pricing model, the 50K free tier, premium feature pricing, how B2C costs scale, the B2B vs B2C vs External ID decision, and how to approach B2C costs in EA negotiations with Microsoft.
Key point: External ID B2C pricing is consumption-based and lives in the Azure billing model — it does not appear as a named line item in most Enterprise Agreement true-ups. This means B2C costs can grow significantly without triggering the procurement controls that govern EA licence additions. Organisations with consumer-facing applications should track B2C MAU consumption monthly and model forward costs before any product launch or marketing campaign that grows the external user base.
The External ID Landscape: B2B, B2C, and the New External ID
Microsoft now positions three overlapping products under the External ID brand, each designed for a different external identity use case. Conflating them leads to incorrect architecture decisions and incorrect cost forecasting.
Entra External ID for Business Partners (B2B)
B2B external identity — the original Azure AD guest access model — is designed for business partners, suppliers, and collaborators who need access to your Microsoft 365 environment, SharePoint, Teams, or internal applications. B2B users authenticate with their own organisation's identity (a Microsoft account, a social identity, or a federated corporate identity) and are managed as guest users in your Entra tenant. B2B identity is licensed through Entra ID P1 or P2 — 5 external B2B guest users are included for every Entra P1 or P2 licence you hold. This is covered in detail in our Entra External ID B2B guide.
Entra External ID B2C (Consumer Identity)
B2C is designed for consumer-facing applications: e-commerce platforms, customer portals, mobile apps, and public-facing services where end users register with email addresses, social identities (Google, Facebook, Apple), or local accounts. These users are not employees or business partners — they are customers or public users. B2C provides a customisable identity layer — branded sign-up/sign-in flows, custom policies, MFA for consumers, and token issuance for your applications. The MAU billing model reflects that consumer usage is variable and volume-based, not seat-based.
Entra External ID (New Unified Product)
Microsoft's new External ID product, generally available from 2024, consolidates B2B and some B2C scenarios into a unified platform with a shared MAU billing model. For new projects, External ID is the recommended direction — but existing B2C deployments continue to operate under the legacy B2C model, and many enterprises have substantial B2C investment that cannot be easily migrated. This guide focuses on the B2C licensing model, which remains the dominant deployment pattern for consumer identity in enterprise organisations.
The B2C MAU Pricing Model
External ID B2C pricing has two components: a base MAU charge and premium feature charges.
Base MAU Pricing
The first 50,000 Monthly Active Users are free per Azure subscription. A Monthly Active User is a unique user who authenticates to any B2C-enabled application at least once in a calendar month. Users who do not authenticate that month are not counted — which means inactive accounts and registered-but-dormant users cost nothing.
| Monthly Active Users | Price per MAU (approximately) | Monthly Cost Example |
|---|---|---|
| 0 – 50,000 | Free | £0 |
| 50,001 – 100,000 | ~£0.004/MAU (approximately £4/1,000) | Up to £200/month |
| 100,001 – 1,000,000 | ~£0.0021/MAU (approximately £2.10/1,000) | Up to £2,100/month additional |
| 1,000,001+ | ~£0.0017/MAU (approximately £1.70/1,000) | Volume discount tier |
For an organisation with 500,000 monthly active users on a consumer application, the monthly base B2C cost is approximately £1,050–£1,200 — modest relative to most enterprise software costs, and easily absorbed if the application is generating commercial value. The cost challenge arises from premium features and from rapid MAU growth during product launches or marketing campaigns.
Premium Feature Pricing: MFA
Multi-factor authentication for B2C users is billed separately from the base MAU charge. If you enable MFA in your B2C policy, every MFA event incurs an additional charge. Phone-based MFA (SMS or voice call) costs approximately £0.008–£0.009 per authentication. At 500,000 MFA authentications per month, this adds approximately £4,000–£4,500/month on top of base MAU costs — a cost that scales with authentication frequency, not simply user count.
Organisations with high-frequency applications — daily login consumer apps, banking applications, healthcare portals — find MFA costs can represent 50–80% of their total B2C bill. Email-based OTP or TOTP-based MFA (authenticator apps) is significantly cheaper; engineering teams should model MFA method costs before selecting an authentication flow.
Premium Feature Pricing: Custom Policies
Custom policies (the Identity Experience Framework) allow complex sign-in flows, conditional access integration, and custom attribute mapping. Basic user flows (standard sign-up/sign-in, profile editing, password reset) are included in the base MAU price. Custom policies that use premium features — Conditional Access in B2C, advanced claims enrichment — incur additional charges per authentication request. These costs are small individually but accumulate at scale.
Cost Modelling at Realistic Scale
Finance teams planning B2C deployments consistently underestimate three-year costs because they focus on registered user counts rather than MAU counts, and they exclude MFA costs from initial models. A realistic cost model for a mid-scale consumer application:
| Scenario | Monthly MAUs | Monthly MFA Events | Estimated Monthly Cost | Three-Year Total |
|---|---|---|---|---|
| Small consumer app | 30,000 | 30,000 | ~£240 (MFA only) | ~£8,640 |
| Mid-scale customer portal | 200,000 | 150,000 | ~£1,600 (MAU + MFA) | ~£57,600 |
| Large consumer platform | 1,000,000 | 600,000 | ~£6,800 (MAU + MFA) | ~£244,800 |
| High-frequency financial app | 500,000 | 1,500,000 (multiple daily logins) | ~£14,000 (MFA dominates) | ~£504,000 |
The high-frequency financial application scenario illustrates why MFA method selection is a commercial decision, not just a security decision. An application requiring step-up MFA on every transaction session, serving 500,000 active users who authenticate multiple times per day, can generate MFA costs that rival the total cost of the enterprise's M365 deployment. Phone-based MFA via SMS is the most expensive option; authenticator app-based TOTP is materially cheaper per authentication and should be the default where user experience allows.
Campaign launch cost spikes: Marketing campaigns that drive large volumes of new user registrations — and authentication events — can cause B2C MAU costs to spike in a single month. A consumer brand that runs a national promotion and drives 400,000 new registrations and logins in one month will pay for those 400,000 MAUs in that month, even if most users never return. B2C MAU costs should be factored into campaign budgets, not just IT operational budgets.
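The scenario table above can be reproduced with a short cost model. This is an added example, not Microsoft's billing logic or code from this guide; it assumes the guide's approximate GBP rates, graduated bands (each MAU charged at its own band's rate), SMS MFA at £0.008 per event, and hypothetical function names.

```python
"""Added example: monthly B2C cost model using the approximate GBP rates quoted in this guide."""

# (upper MAU bound of band, GBP per MAU). None means no upper bound.
# Assumption: bands are graduated, i.e. each MAU is charged at its own band's rate.
MAU_BANDS = [(50_000, 0.0), (100_000, 0.004), (1_000_000, 0.0021), (None, 0.0017)]
SMS_MFA_RATE = 0.008  # GBP per phone MFA event (low end of the guide's range)


def base_mau_cost(maus, bands=MAU_BANDS):
    """Charge for one calendar month of unique active users."""
    if maus < 0:
        raise ValueError("maus must be non-negative")
    cost, lower = 0.0, 0
    for upper, rate in bands:
        top = maus if upper is None else min(maus, upper)
        if top <= lower:
            break
        cost += (top - lower) * rate
        lower = top
    return cost


def monthly_cost(maus, mfa_events, mfa_rate=SMS_MFA_RATE):
    """Return (base, mfa, total, mfa_share) for one month."""
    base = base_mau_cost(maus)
    mfa = mfa_events * mfa_rate
    total = base + mfa
    share = mfa / total if total else 0.0
    return base, mfa, total, share


def forecast(months):
    """Sum a list of (maus, mfa_events) months, e.g. a campaign spike in a steady run."""
    return sum(monthly_cost(m, e)[2] for m, e in months)


if __name__ == "__main__":
    # Scenarios from the guide's table (SMS MFA assumed throughout).
    scenarios = {
        "Small consumer app": (30_000, 30_000),
        "Mid-scale customer portal": (200_000, 150_000),
        "Large consumer platform": (1_000_000, 600_000),
        "High-frequency financial app": (500_000, 1_500_000),
    }
    for name, (maus, events) in scenarios.items():
        base, mfa, total, share = monthly_cost(maus, events)
        print(f"{name:30s} base £{base:>7,.0f}  MFA £{mfa:>8,.0f}  total £{total:>8,.0f}  MFA {share:.0%}")
    # Constructed campaign year: 11 steady months at 60k MAUs plus one 400k spike, no MFA.
    print(f"Campaign year: £{forecast([(60_000, 0)] * 11 + [(400_000, 0)]):,.0f}")
```

Pass a different `mfa_rate` to `monthly_cost` to compare MFA methods once you have a confirmed per-event rate for the alternative.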
B2B vs B2C vs External ID: The Architecture Decision
The B2B / B2C decision is frequently made on the basis of product familiarity rather than requirements — which leads to B2C deployments for scenarios that are better served by B2B (lower cost, simpler management) and vice versa. The distinction is conceptually clear but practically blurred when organisations have hybrid use cases.
| Scenario | Recommended Product | Licensing Model | Notes |
|---|---|---|---|
| Partner accessing SharePoint, Teams, internal apps | Entra External ID B2B | Per Entra P1/P2 licence (5:1 ratio) | Managed as guest users in your tenant |
| Supplier portal with 50–200 named users | Entra External ID B2B | Per Entra P1/P2 (or External ID MAU) | Evaluate whether B2B guest model or External ID MAU is cheaper |
| Consumer e-commerce with 100K+ customers | Entra External ID B2C | MAU + MFA consumption | Branded sign-in, social identity providers, consumer UX |
| Customer self-service portal (known, registered customers) | External ID B2C or External ID | MAU consumption | External ID (new product) preferred for greenfield deployments |
| Healthcare patient portal with regulatory compliance | Entra External ID B2C | MAU + MFA + Custom Policies | Custom policy compliance flows; model MFA costs carefully |
| Internal employee application with external contractors | Entra External ID B2B | Per Entra P1/P2 | Contractors are business partners, not consumers; B2B is the right model |
The B2C-for-partners mistake: Organisations sometimes deploy B2C for business partners and suppliers because they want branded sign-in flows or because IT teams are more familiar with B2C's custom policy model. This is typically more expensive than B2B guest access (which uses existing Entra P1/P2 entitlements) and adds operational complexity. Partners who have their own Azure AD or Entra tenants are almost always better served by B2B federation.
Entra External ID (New Unified Product) vs Legacy B2C
Microsoft's new External ID product consolidates B2B and B2C capabilities into a single platform with a unified MAU billing model. For greenfield external identity deployments, External ID is the recommended architecture — it provides a simpler developer experience, better Entra conditional access integration, and a roadmap that will eventually supersede both legacy B2B guest and B2C.
The External ID MAU pricing is similar to B2C: 50,000 MAUs free, then per-MAU charges at similar rates. The key differences are that External ID supports both workforce-adjacent (B2B style) and consumer (B2C style) scenarios in the same product, and that the developer experience is built around a more modern CIAM (Customer Identity and Access Management) model.
For organisations with existing B2C deployments, migration to External ID requires application changes and is not a like-for-like lift-and-shift. The commercial incentive to migrate is limited in the near term — legacy B2C will be supported through at least 2030, and pricing parity makes immediate migration a lower priority than other identity investments. Monitor the Microsoft roadmap and plan migration into a future EA term or product lifecycle event.
B2C in the Enterprise Agreement: What Can Be Negotiated
External ID B2C lives in the Azure consumption billing model — it is not typically a named EA line item in the same way that M365 E3 or Dynamics 365 are negotiated products. This creates both a challenge and an opportunity.
MACC Inclusion
Azure B2C consumption counts toward your Microsoft Azure Consumption Commitment (MACC). If you have a MACC in your EA, B2C costs draw down your remaining commitment balance, which means B2C is effectively "pre-paid" within your Azure commitment. For organisations looking for workloads to absorb their remaining MACC balance, B2C is a legitimate consumption category.
Commitment Discount Negotiation
For organisations with predictable, large B2C MAU volumes (100,000+ MAUs per month consistently), it is possible to negotiate a committed consumption discount on the B2C line outside the standard PAYG pricing. This requires escalation to Microsoft's commercial team and is typically handled as part of a broader Azure commitment negotiation, not a standalone B2C deal.
MFA Cost Negotiation
SMS-based MFA rates are a direct Azure Telephony billing item. For organisations with high MFA volumes, negotiating a reduced per-authentication rate as part of a larger Azure commitment is possible — but requires specific advocacy in the EA negotiation, as the default is PAYG telephony pricing.
Cost Optimisation: Engineering Controls Matter More Than Negotiation
Unlike most Microsoft licensing, the primary levers for controlling B2C cost are engineering decisions, not commercial negotiations. The five highest-impact cost optimisation decisions are:
MFA method selection: Authenticator app (TOTP) MFA costs significantly less per authentication than SMS MFA. For consumer applications where user experience allows, TOTP should be the default; SMS should be reserved for user populations without smartphone access.
Session length and token lifetime configuration: Longer token lifetimes reduce re-authentication frequency. A consumer application with a 24-hour session token will generate fewer authentication events per user per day than one with a 30-minute token. There is a security tradeoff, since a longer-lived token remains usable for longer if it is stolen, but the cost impact of session length is material for high-frequency applications.
Silent token refresh: Applications that use silent token refresh (without triggering a full B2C authentication flow) reduce the number of billable authentication events. This is an application architecture decision with material cost implications.
Dormant account management: Accounts that are not in the MAU count in a given month are free. Proactively managing dormant accounts (removing or archiving users who have not authenticated in 12+ months) reduces the registered user base and the probability of those users returning in peak months.
Azure subscription architecture: The 50,000 MAU free tier applies per Azure subscription. Organisations with multiple separate B2C tenants, each attached to separate Azure subscriptions, get 50,000 MAUs free per subscription — though this creates operational complexity. Evaluate whether the free tier arbitrage justifies the multi-tenant management overhead for your specific MAU volumes.
FAQ
Is External ID B2C included in Microsoft 365 licensing?
No. External ID B2C is an Azure service billed through Azure consumption, entirely separate from M365 licensing. Having M365 E3, E5, or any Entra ID licence does not provide any B2C entitlement beyond the 50,000 MAU free tier available to any Azure subscription.
Does the 50,000 MAU free tier reset monthly?
Yes. The free tier is 50,000 MAUs per calendar month per Azure subscription. If your application has 30,000 MAUs in January and 80,000 in February (due to a marketing campaign), you pay nothing in January and pay for 30,000 MAUs in February.
Can we use B2C for employee authentication?
Technically yes, but it is almost never the right choice. Employee authentication belongs in the corporate Entra ID tenant, not in a B2C tenant. B2C is designed for external, non-employee identities. Using B2C for employees creates compliance complexity, loses access to Entra-based Conditional Access policies, and typically costs more than standard Entra P1/P2 per-employee licensing.
How does External ID B2C appear in our Azure invoice?
B2C charges appear as separate line items in your Azure invoice: one for MAU consumption (Azure Active Directory External Identities / Monthly Active Users) and separate lines for MFA (SMS OTP, Voice Call) and any premium feature usage. Monitor these in Azure Cost Management with resource tags or subscription-level attribution.
Is there an enterprise agreement discount available for B2C?
Standard EA pricing does not include a pre-negotiated B2C discount — the default is PAYG Azure consumption rates. Volume discounts are possible through MACC inclusion and individual negotiation for high-volume deployments, but require active advocacy in EA renewal discussions rather than being offered automatically.