Overview of authentication in Power Pages

You may want to limit access to your site's pages and data to specific users. You can configure page permissions to protect specific pages. Power Pages associates authenticated site users with Microsoft Dataverse contact records.

To get more permissions than unauthenticated users have, users must be assigned to web roles that give them specific permissions on the site. Power Pages allows users to sign in with their choice of an external account based on ASP.NET Identity. Users can also sign in using a local contact membership provider-based account, although we don't recommend it.

Note

Users must have a unique email address. If two or more contact records—including deactivated contact records—have the same email address, the contacts can't authenticate on the website.
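
The check below is an added example, not part of the original documentation: it scans exported contact rows for email addresses held by two or more contacts, counting deactivated contacts as the note requires. It assumes the address is stored in the contact's emailaddress1 column, that statecode 1 means inactive, and that addresses compare case-insensitively; the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample rows, shaped like a Dataverse contact export
# (contactid, emailaddress1, statecode: 0 = active, 1 = inactive).
SAMPLE_CONTACTS = [
    {"contactid": "c-001", "emailaddress1": "ana@example.com", "statecode": 0},
    {"contactid": "c-002", "emailaddress1": " Ana@Example.com ", "statecode": 1},
    {"contactid": "c-003", "emailaddress1": "bo@example.com", "statecode": 0},
    {"contactid": "c-004", "emailaddress1": None, "statecode": 0},
    {"contactid": "c-005", "emailaddress1": "", "statecode": 0},
    {"contactid": "c-006", "emailaddress1": "cy@example.com", "statecode": 1},
    {"contactid": "c-007", "emailaddress1": "cy@example.com", "statecode": 1},
]


def normalize_email(value):
    """Trim and case-fold an address; return None for blank values.
    Treating addresses as case-insensitive is an assumption (the
    conservative choice for an audit)."""
    if not value or not value.strip():
        return None
    return value.strip().casefold()


def find_duplicate_emails(contacts):
    """Map each shared address to the contacts that hold it.
    Deactivated contacts are counted on purpose: the note above says
    they also block sign-in."""
    groups = defaultdict(list)
    for row in contacts:
        email = normalize_email(row.get("emailaddress1"))
        if email is None:
            continue  # a contact with no email cannot collide on email
        state = "inactive" if row.get("statecode") == 1 else "active"
        groups[email].append((row["contactid"], state))
    return {e: rows for e, rows in groups.items() if len(rows) > 1}


def report(contacts):
    """Return one line per colliding address, sorted for stable output."""
    lines = []
    for email, rows in sorted(find_duplicate_emails(contacts).items()):
        holders = ", ".join(f"{cid} ({state})" for cid, state in rows)
        lines.append(f"{email}: {holders}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONTACTS)) or "no duplicate emails")
```

Each reported group needs its addresses made unique (or the extra records merged) before any of those contacts can sign in.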

Common identity providers

The following table lists common identity providers, the protocol you can use with the provider, and relevant documentation.

Important

Configuration information about common providers for protocols such as OpenID Connect and SAML 2.0 is given as examples. You can use the provider of your choice for the given protocol. Follow similar steps to configure your preferred provider.

| Provider | Protocol | Documentation |
| --- | --- | --- |
| Microsoft Entra ID | OpenID Connect | Configure an OpenID Connect provider with Microsoft Entra ID |
| Microsoft Entra ID | SAML 2.0 | Configure a SAML 2.0 provider with Microsoft Entra ID |
| Microsoft Entra ID | WS-Federation | Configure a WS-Federation provider with Microsoft Entra ID |
| Microsoft Entra External ID | OpenID Connect | Configure an OpenID Connect provider with Microsoft Entra External ID |
| Azure AD B2C | OpenID Connect | Configure the Azure AD B2C provider; Configure the Azure AD B2C provider manually |
| Azure Directory Federation Services (AD FS) | SAML 2.0 | Configure a SAML 2.0 provider with AD FS |
| AD FS | WS-Federation | AD FS with WS-Federation |
| Microsoft | OAuth 2.0 | Configure the Microsoft provider |
| LinkedIn | OAuth 2.0 | Configure the LinkedIn provider |
| Facebook | OAuth 2.0 | Configure the Facebook provider |
| Google | OAuth 2.0 | Configure the Google provider |
| Twitter | OAuth 2.0 | Configure the Twitter provider |
| Local authentication (not recommended) | Not applicable | Local authentication |

Migrate your website to a new identity provider

If you're already using an identity provider, you can migrate your website to use a different one.

Open registration

Power Pages administrators have several ways to control account sign-up. Open registration, the least restrictive option, allows a user to register an account by providing a user identity, invitation code, or valid email address, depending on the configuration. Both local and external accounts participate equally in the open registration workflow. Users can choose which type of account they want to register.

Users can select an external identity from a list of identity providers or create a local account with a user name and password. We don't recommend the local account option. If users select an external identity, they must sign in through their chosen identity provider to prove they own the external account. In either case, registration creates a contact record in the Dataverse environment and the user is immediately registered and authenticated on the Power Pages site.

With open registration enabled, users aren't required to provide an invitation code to complete the sign-up process.

See also

Customize the Azure AD B2C user interface
Configure an OAuth 2.0 provider
Configure an OpenID Connect provider
Configure a SAML 2.0 provider
Configure a WS-Federation provider