Or Azure AD for customers, yes, Azure AD for customers. That's the name of the game. Microsoft released this excellent feature at Build yesterday, and I wanted to elaborate on it a bit more.

Why use it?

Azure AD makes it simple for organizations and enterprises to integrate CIAM capabilities such as self-service registration, customized sign-in experiences, and customer account management into their public-facing apps. Because these CIAM capabilities are embedded into Azure AD, you also gain platform benefits such as improved security, compliance, and scalability.

Sound familiar to all you B2C admins? Well, this will make your life easier, and the documentation is extensive; please see it on Learn.

Azure AD for customers documentation - Microsoft Entra

Azure AD for customers is a customer identity access management (CIAM) solution that lets you create secure, customized sign-in experiences for your customer-facing apps and services.

What will you get with the free trial?

| Features | Azure AD for customers Trial (without credit card) | Azure Active Directory account includes Partners (needs credit card) |
| --- | --- | --- |
| Self-service account experiences (Sign-up, sign-in, and password recovery.) | ✔️ | ✔️ |
| MFA (With email OTP.) | ✔️ | ✔️ |
| Custom token augmentation (From external sources.) | ✔️ | ✔️ |
| Social identity providers | ✔️ | ✔️ |
| Identity Protection (Conditional access for adaptive risk-based policies.) | | ✔️ |
| Default, least-access privileges for CIAM end-users. | ✔️ | ✔️ |
| Rich authorization (Including group and role management.) | ✔️ | ✔️ |
| Customizable (Sign-in/sign-up experiences - background, logo, strings.) | ✔️ | ✔️ |
| Group and User management. | ✔️ | ✔️ |
| Cloud-agnostic solution with multi-language auth SDK support. | ✔️ | ✔️ |

Identity Protection is the only one that you cannot try out for free, as it needs an Azure AD P2 license to work.

Customer and Workforce

Microsoft Entra now allows you to provision and manage two sorts of tenants.

  • A workforce tenant incorporates your workers as well as your organization's internal apps and resources. If you've dealt with Azure AD, you're already familiar with this sort of tenancy. You might already have a workforce tenant for your firm.
  • A customer tenant represents your client-facing app, resources, and customer account directory. A customer tenant is unique from your workforce tenant.

See Learn for the differences.

Supported features in customer tenants - Microsoft Entra

Learn about supported features in customer tenants.

How to try it out?

Open https://aka.ms/ciam-free-trial. Once there, you can choose your Region and the name of the tenant. It will suggest a name for you, but you can change it if needed.

Then wait about 3-5 minutes until it's done.

Once it's done, you can choose the default method for users to sign in with.

When you allow social identity providers, customers can choose from the social identity provider alternatives you've made accessible on the sign-up page. To set up social identity providers in your customer tenant, create an application at the identity provider and set up credentials. You will be given a client or app ID as well as a client or app secret, which you will then add to your customer tenant.

You can customize the experience with your own logo, background color and alignment of the login screen.

Notice that by the time you start to customize the tenant, you will see the new name in the address bar.

And done!

And the final product! How cool is that!

Creating an account

Choose Create one.

And type in your email address.

And you will get a prompt for the OTP.

Type it in and hit next.

Then you have to give additional information.

Using Google as IdP

This is also possible: just log in to your tenant directly with a Google account and with Google authentication services.

And the configured identity providers (IdP) are also here.

You add Google with the following. Once all done, you can hit "Save and Continue"

Then go to Credentials and Create credentials

Choose OAuth Client ID

And give the following URIs. Please note that you need your Tenant ID in the first one and your Tenant Prefix in the second.

When you are shown the ID and the Secret, copy them accordingly.

And we have Google as an IdP

See more from Microsoft Learn,

Add Google as an identity provider for B2B - Microsoft Entra

Federate with Google to enable guest users to sign in to your Azure AD apps with their own Gmail accounts.

User flows

You can find the created user flows at https://entra.microsoft.com/?feature.msaljs=false#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/UserFlows/menuId/UserFlows

Under the flow you can see the settings we specified during the initial setup

Under Identity providers you can change the IdP that is to be used.

And Microsoft attached jwt.ms as an application with the wizard so you can easily try it out.

Testing the User flow

If you want to try it out, you can use this URL:

https://login.microsoftonline.com/YOUR_TENANT_PREFIX.onmicrosoft.com/oauth2/v2.0/authorize?client_id=APPLICATION-ID&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login 
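The same test request built with a fresh random nonce instead of the fixed `defaultNonce`, followed by a check of the `aud`, `nonce` and `exp` claims of the returned ID token. This is an added example, not code from the original post or from Microsoft; the helper names, the `contoso` prefix and the unsigned sample token are constructed for illustration, and the decode step only inspects claims (as jwt.ms does) without verifying the signature.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize"

def build_authorize_url(tenant_prefix, client_id, redirect_uri="https://jwt.ms"):
    """Return (url, nonce) for the test request, with a new nonce for every request."""
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "nonce": nonce,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_type": "id_token",
        "prompt": "login",
    }
    return AUTHORIZE.format(tenant=tenant_prefix) + "?" + urlencode(params), nonce

def decode_claims(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_problems(id_token, client_id, nonce, now=None):
    """List claim mismatches; an empty list means aud, nonce and exp all check out."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    problems = []
    if claims.get("aud") != client_id:
        problems.append("aud does not match the application ID")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the one sent")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    url, nonce = build_authorize_url("contoso", "APPLICATION-ID")  # placeholders
    print(url)
```

In an application that accepts these tokens, the signature must also be verified against the tenant's published signing keys before any claim is trusted.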

Creating the users with Google, now we notice a new sign-in.

Enter your credentials and login.

And you will be presented with a prompt for additional information.

Seems familiar, right?

API

For management, you can use the Azure REST API.

Management APIs for Azure Active Directory for customers - Microsoft Entra

Learn how to manage resources in an Azure AD for customers tenant programmatically by using APIs.

Branding, user flow and extension management can be done with the Microsoft Graph API.

Manage branding resources with Microsoft Graph - Microsoft Entra

Learn how to manage branding resources in an Azure AD for customers tenant by calling the Microsoft Graph API. You use an application identity to automate the process.

Manage user flow resources with Microsoft Graph - Microsoft Entra

Learn how to manage user flow resources in an Azure AD for customers tenant by calling the Microsoft Graph API and using an application identity to automate the process.

Manage custom extension resources with Microsoft Graph - Microsoft Entra

Learn how to manage custom extension resources in an Azure AD for customers tenant by calling the Microsoft Graph API and using an application identity to automate the process.

Closure

Beautiful, this is a major improvement to the already huge feature pack of Azure AD. And Azure AD for customers isn't a rebranded B2C; see the FAQ for similar questions and answers.

Frequently asked questions - Microsoft Entra

Find answers to some of the most frequently asked questions about Microsoft Entra External ID for customers, also known as Azure Active Directory (Azure AD) for customers.
