Workforce IAM (Identity & Access Management) and CIAM (Customer Identity & Access Management) sound like the same thing. They're not. Using one in place of the other is one of the most expensive identity mistakes we see in Australian enterprises.
This guide compares CIAM vs IAM across the dimensions that actually matter: scale, onboarding, branding, authentication, data model, licensing, and security — and explains when to use Microsoft's modern stack (Entra ID for workforce, Azure AD B2C and Entra External ID for customers).
TL;DR: CIAM vs IAM at a Glance
| Dimension | IAM (Workforce) | CIAM (Customer) | |---|---|---| | Typical scale | 100 – 50,000 users | 10,000 – 100M+ users | | Onboarding | IT / HR provisions | User self-serves | | Identity source | HR system | The user themselves | | Branding | Corporate / Microsoft | Per-product, white-label | | Authentication | MFA mandatory, conditional access | Friction-aware, risk-based | | Data model | HR is source of truth | Consent + progressive profile | | Lifecycle | Joiner / mover / leaver | Sign-up / dormant / deletion | | Licensing | Per user, per month | Per Monthly Active User (MAU) | | Microsoft product | Entra ID | Azure AD B2C / Entra External ID | | Compliance pressure | SOX, ISO 27001 | GDPR, Privacy Act, consent |
IAM: Built for Employees
Workforce IAM (Entra ID, Okta Workforce, Ping) is optimised for a known, finite population that your IT team controls end-to-end:
- Accounts are provisioned by HR via SCIM or workflows
- Strong MFA is mandatory; phishing-resistant where possible
- Conditional access enforces device, location, and risk policies
- Privileged access is gated through PIM / PAM
- Lifecycle ends cleanly when someone leaves
The user has no say in being onboarded — they have to use it. The product is the security guardrail, not the experience.
CIAM: Built for Customers
CIAM (Azure AD B2C, Entra External ID, Auth0, Okta Customer Identity) optimises for unknown, untrusted, self-service users at internet scale:
- Users sign themselves up in seconds
- Social logins (Google, Apple, Facebook) and passwordless reduce friction
- Branding looks like your product, not Microsoft
- Progressive profiling collects data over time, not all at once
- Consent, GDPR, the Australian Privacy Act and data residency are first-class
- Risk-based auth steps up only when behaviour looks suspicious
If signup friction loses you 5% of conversions, that's revenue lost — not an IT ticket.
The Five Differences That Actually Matter
1. Scale
IAM scales to your headcount. CIAM scales to your addressable market. A 200-employee company might have 2 million CIAM users on a banking app.
2. Onboarding
IAM users are assigned identities by IT. CIAM users create their own. This single difference cascades into every other design choice — UX, licensing, data, compliance.
3. Branding
Customers won't accept the generic Microsoft login dialog. CIAM platforms ship with full white-labelling, custom domains, and per-application themes. Workforce IAM doesn't bother.
4. Authentication
IAM forces MFA on every login. CIAM has to balance security against conversion — using risk signals to step up only when a session looks anomalous. Forcing MFA on every customer login will gut your active-user numbers.
5. Data Model
IAM trusts the HR system. CIAM trusts the user, then verifies progressively. Schemas, consent, marketing preferences and data subject rights all live in the CIAM tenant — not in your CRM, not in your employee directory.
Why Mixing Them Backfires
Putting customers into your workforce tenant means:
- Conditional access policies will block legitimate customers
- Licensing cost balloons (per-user pricing × millions of MAU)
- Your IT team becomes customer support
- A breach in the customer population touches your employee directory
- Audit, SOX and ISO 27001 scope explodes
Putting employees into a CIAM tenant means:
- Losing conditional access, PIM, and device posture
- Losing HR-driven joiner / leaver automation
- Logging into corporate systems through a consumer-grade flow
Both mistakes are expensive. Both are recoverable, but only with a tenant split — which is exactly what we get called in to do.
Microsoft's Modern Stack: Entra ID, Azure AD B2C, Entra External ID
Microsoft's identity portfolio maps cleanly onto the IAM vs CIAM divide:
- Entra ID (formerly Azure AD) — workforce IAM for employees, contractors, and B2B guests.
- Azure AD B2C — established CIAM for customer-facing apps. Still fully supported, still the right choice for most existing deployments.
- Microsoft Entra External ID — the modern CIAM successor to Azure AD B2C. New external-facing apps should start here.
Both Azure AD B2C and Entra External ID run on the same underlying platform as Entra ID, but the tenants, policies, branding and user experiences stay completely separate — which is exactly what you want.
For migration paths and implementation patterns, see our Azure AD B2C and Entra External ID implementation page.
How to Choose: One Question
Ask one question: does the user choose to sign up, or are they assigned?
- Assigned by IT or HR → IAM (Entra ID)
- Chooses to create an account themselves → CIAM (Azure AD B2C or Entra External ID)
If you have both populations — and most enterprises do — run both. Separately. In separate tenants. With separate teams and separate policies. That is not duplication; that is the design.
Next Steps
If you're standing up a customer portal, marketplace, or member app and you're tempted to extend your Entra ID workforce tenant — don't. Schutz IT designs and operates separate CIAM and IAM tenants for regulated Australian enterprises, with clean migration paths from legacy identity stacks.