How to Support Both B2C and Workforce Users in SaaS Apps with Microsoft Entra External ID and Entra ID

If you’re running a SaaS platform, chances are you want to offer seamless sign-in experiences for both your end customers (B2C) and your own employees or partners (B2E/B2B). For Microsoft shops, the move to Entra External ID (the evolution of Azure AD B2C) is a natural fit for handling external users—but things get tricky if you also want your workforce users, who live in a separate Entra ID tenant, to access the same applications.
The Challenge: Supporting both Entra External ID and Entra ID Tenants for the Same App
Let’s say you have:
- External customers managed in an Entra External ID tenant.
- Internal employees/partners managed in your Workforce Entra ID tenant.
Ideally, both groups should be able to sign in to the same app—without confusion, extra portals, or complicated user journeys. However, as of mid-2025, Microsoft still doesn’t make it simple to “chain” or federate your Workforce tenant as an IdP to your External tenant. This leaves SaaS providers stuck with tricky workarounds, duplicated integrations, or, worse, significant code changes and SDK updates.
Here’s what we keep hearing from organizations in this position:
“We want to manage our end users in Entra External ID, but we also want our internal staff to access these same SaaS apps—preferably without maintaining two different integrations or rewriting the apps.”
The Standard Options: Not So Simple
There are a few ways people try to solve this:
- Build separate integrations for each tenant: This requires modifying your app to handle multiple IdPs and token validation, which usually means diving into SDKs and increasing your app’s complexity.
- Wait for new Microsoft features: Microsoft continues to improve Entra External ID, but direct support for this scenario (chaining your workforce tenant as an IdP) hasn’t arrived yet.
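
To make the first option concrete, here is an added sketch (not Datawiza's or Microsoft's code) of what validating tokens from two tenants involves: the signing key and expected audience are selected by exact match of the token's issuer against a fixed allowlist. The issuer URLs, audiences and keys are constructed placeholders, and HS256 with shared secrets stands in for the RS256/JWKS verification that real Entra tokens need, so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed trust table: one entry per tenant the app accepts tokens from.
# Issuers, audiences and keys are placeholders, not real Entra values.
TRUSTED = {
    "https://external.example/v2.0": {"aud": "app-customers", "key": b"external-demo-key", "kind": "customer"},
    "https://workforce.example/v2.0": {"aud": "app-staff", "key": b"workforce-demo-key", "kind": "workforce"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims, key):
    """Build a constructed HS256 test token (stand-in for the IdP's RS256 signing)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def validate(token, now=None):
    """Return (kind, claims) for a token from a trusted tenant, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # accepted algorithm is fixed in code
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    tenant = TRUSTED.get(iss) if isinstance(iss, str) else None  # exact allowlist match
    if tenant is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(_mac(tenant["key"], head, body), given):  # key chosen by issuer
        raise ValueError("bad signature")
    if claims.get("aud") != tenant["aud"]:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return tenant["kind"], claims
```

A token signed with one tenant's key but claiming the other tenant's issuer fails at the signature step, which is the cross-tenant mix-up this per-issuer lookup guards against.
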
The Datawiza Approach: Proxy-Based, No/Low-Code Integration
Here’s where Datawiza comes in. Instead of overhauling your application or waiting for new platform features, you can drop Datawiza Access Proxy in front of your app. The proxy intercepts authentication requests and:
- Routes end users to Entra External ID for sign-in
- Routes internal users to your Workforce Entra ID tenant (via SAML or OIDC)
- Handles all the identity provider (IdP) logic and token validation for you

The best part: You don’t have to change your application code or deal with new SDKs. Configuration is handled in the Datawiza Management Console, not your app. That means:
- Faster rollout
- Lower risk (no app rewrites)
- Less maintenance as your authentication requirements evolve
Real-World Example
A SaaS customer recently shared:
“We ran into this exact problem. We needed to support both our customers and internal employees logging into the same app, but didn’t want to overhaul the app code using the SDKs. With Datawiza as a reverse proxy, we just configured both IdPs, and now users are routed automatically to the right login. It saved us months of development and let us move fast—no waiting on Microsoft updates.”
Key Benefits
- Support for multiple IdPs (Entra External ID, Workforce tenant, Okta, Ping, etc.) with one integration
- No changes required to your application code
- Accelerate time to market for new authentication requirements
- Future-proof: Easily add more IdPs or adapt as Microsoft evolves the platform
Ready to Solve This for Your Apps?
If you’re looking for a practical way to support both external and internal users in your SaaS apps—without the headache of app rewrites or waiting on roadmap features—Datawiza can help.
Contact us or schedule a demo to see how simple it can be.



