
Business Manager Unified Authentication for B2C Commerce

Publish Date: Nov 14, 2024
Description
At Salesforce, we understand that the confidentiality, integrity, and availability of your data are vital to your business, and we take its protection very seriously. As your partner in data protection, we’re enhancing B2C Commerce Business Manager security by merging user logins across all Business Manager instances into Account Manager, making Account Manager the sole location for user account management, including creation and disablement. These updates make Business Manager access more secure by unifying user authentication across all instances and providing Multi-Factor Authentication (MFA) capabilities. Read on for more information about these upcoming changes and resources to help you as you prepare for their impact.
 
This now primarily relates to short-term loaner realms. For more information please see: Restrictions on the Salesforce B2C Commerce short term loaner realms for load testing
Resolution

What is changing?
We’re unifying Business Manager user authentication by merging user logins across all Business Manager instances into Account Manager, making Account Manager the sole location for user account management, including creation and disablement. Specifically, these changes include:

  • Retiring direct login to B2C Commerce through Business Manager. Users will instead log in with their Account Manager credentials. 
  • Requiring Unified Authentication for all of your B2C Commerce instances and Business Manager users. Accounts must be linked to Account Manager for login.

These changes are being made by migrating all Business Manager users to elevated security stages (learn more in the “Further Information” section of this article). This migration is happening across the 21.6 Release (June) and 21.8 Release (August):

  • With the 21.6 Release (June), all Business Manager instances will migrate to the “Unified Authentication Encouraged” security stage. If a user attempts to link an Account Manager account that doesn’t exist, they will still be able to log in with their Business Manager credentials. At this time, users can continue logging in directly in Business Manager while being presented the option to link their Business Manager and Account Manager accounts.
  • With the 21.8 Release (August), all Business Manager instances will migrate to the “Unified Authentication Mandatory” security stage. At this time, if a Business Manager user does not have a linked Account Manager account, they will not be able to link their account or log in with their Business Manager credentials.

Note that these changes cannot be reversed by your administrator, meaning that it’s more important than ever to migrate your Business Manager users to Unified Authentication before the 21.6 Release (June). 

When did this change happen?
These changes were implemented with the 21.6 Commerce Release in June 2021 and the 21.8 Commerce Release in August 2021.

Why did Salesforce make these changes?
We’re making these changes to enhance Business Manager security in the following ways:

  • Minimizing user access risks by migrating and unifying the logins of Business Manager users across all instances, making Account Manager the “one stop shop” for creating and deleting users. This is in addition to the B2C Commerce applications that are already integrated with Account Manager (such as Reports and Dashboards, Log Center, and Control Center). 
  • Users only need to remember and update a single password for all Business Manager instances, avoiding password reuse. 
  • Administrators may set a default role that allows them to grant specific Business Manager role(s) to any new users. 
  • Creating consistent support for MFA across all users to better secure user access.

Further Information: Unified Authentication Onboarding and Activation Using Business Manager Security Stages
B2C Commerce has provided settings (i.e., stages) in Business Manager that give merchants the ability to control the rollout and timeline of their own migration (details below). In other words, this is a self migration process with a Salesforce-mandated completion date. 

Before using these stages, all users have to be created in Account Manager by the Account Manager Administrator. The migration stages are driven by the Business Manager Administrator and need to be proactively switched on in Administration > Preferences > Security. 

If you start your migration before the 21.6 Release in June 2021, there are five security stages (0 - 4). After the release, there are three security stages (2 - 4):

Stage 0: No Unified User Authentication - Feature is off. All users log into their instances using their specific Business Manager instance login credentials.

Stage 1: Unified Authentication Supported - Feature is on, but with no noticeable changes for the user. This stage can be used to test the migration with power users by providing them with a link that lets them link their instance and Account Manager accounts. The link structure is as follows:
https://<hostname>/on/demandware.store/Sites-Site/default/ViewLogin-StartAM 
This stage also allows the Administrator to become more familiar with user management in Account Manager before migrating all users. 

NOTE: AVAILABLE STAGES BEGIN HERE AFTER 21.6 RELEASE
 
Stage 2: Unified Authentication Encouraged - Before switching to this state, it is strongly recommended to inform all Business Manager users about the upcoming change. In this state, a prompt appears when users log into their Business Manager instances instructing them to link their Business Manager instance and Account Manager accounts, though users can still log in without linking accounts. They may also choose to use the self-migration link on their My Profile page.

Stage 3: Unified Authentication Mandatory - A prompt appears when users log into their Business Manager instances instructing them to link their Business Manager instance and Account Manager accounts. Users cannot proceed until they've linked their accounts.

Stage 4: Unified Authentication Only - Users can only log into their Business Manager instance via the Account Manager login. At this point, Administrators have to manually migrate any users who haven't linked their accounts, so it is recommended to ensure the majority of users have migrated before switching to this state. 

Some organizations might prefer to batch migrate all users to Account Manager. Commerce Cloud's Customer Success Group has created a migration script that is publicly available on GitHub. However, please note that this is not part of the Commerce Cloud Product offering.

Roll back 
Once the feature is in use and the first user has migrated, there is no way to switch the feature off, since this would lock out all migrated users. 

Please note that during the migration, the user's Business Manager password and security question responses get deleted. Once a user connects their Business Manager account to Account Manager, the user will no longer be able to log in to Business Manager with their previous Business Manager credentials. Users must use their Account Manager credentials to log in.

Unified Authentication User Status 
In the updated Security screen in Business Manager, Administrators can also review the status of their instance’s migration in the Migration Status section. There is a progress bar that shows the percentage of users that have migrated to Unified Authentication. There is also an exact count of the number of users with Unified Authentication (“Number of Users with Centralized Authentication”) versus the number of users that have yet to migrate (“Number of Users Not Yet Using Centralized Authentication”), with links to let the Administrator see the actual users in each category. 

WebDAV, OCAPI, Studio Use
Besides Business Manager, other access points require a user to log in, such as WebDAV, Studio, or OCAPI. Once the user has migrated to Unified Authentication, login requests from these access points are also handled by Account Manager. There is no redirect to Account Manager (as there is in Business Manager); instead, the username and password are verified directly by Account Manager. Please review our Salesforce Multi-Factor Authentication FAQ for more information.

System (or automation) Users 
System (or automation) users (i.e., user profiles that don’t belong to a specific person) cannot be migrated. We will no longer support user accounts not associated with an individual user with the “Unified Authentication Mandatory” stage.

Knowledge Article Number

000390265

 