This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Applies to: 
Workforce tenants 
External tenants (learn more)
Microsoft Entra External ID includes Microsoft's customer identity and access management (CIAM) solution. For organizations and businesses that want to make their apps available to consumers and business customers, External ID makes it easy to add CIAM features like self-service registration, personalized sign-in experiences, and customer account management. Because these CIAM capabilities are built into Microsoft Entra ID, you also benefit from platform features like enhanced security, compliance, and scalability.
When getting started with External ID for your consumer and business customer apps, you first create a tenant for your apps, resources, and directory of customer accounts.
If you've worked with Microsoft Entra ID, you're already familiar with using a Microsoft Entra tenant that contains your employee directory, internal apps, and other organizational resources. With External ID, you create a distinct tenant that follows the standard Microsoft Entra tenant model but is configured for external scenarios. This external tenant contains:
A directory: The directory stores your customers' credentials and profile data. When a consumer or business customer signs up for your app, a local account is created for them in your external tenant.
Application registrations: Microsoft Entra ID performs identity and access management only for registered applications. Registering your app establishes a trust relationship and allows you to integrate your app with Microsoft Entra ID.
User flows: The external tenant contains the self-service sign-up, sign-in, and password reset experiences you want to enable for your customers.
Extensions: If you need to add user attributes and data from external systems, you can create custom authentication extensions for your user flows.
Sign-in methods: You can enable various options for signing in to your app, including username and password, one-time passcode, and Google, Facebook, Apple or custom OIDC identities.
Encryption keys: Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords.
Learn more about password and one-time passcode sign-in, and about Google, Facebook, Apple and OIDC federation.
There are two types of user accounts you can manage in your external tenant:
Customer account: Accounts that represent the customers who access your applications.
Admin account: Users with work accounts can manage resources in a tenant, and with an administrator role, can also manage tenants. Users with work accounts can create new consumer accounts, reset passwords, block/unblock accounts, and set permissions or assign an account to a security group.
Learn more about managing customer accounts and admin accounts in your external tenant.
External ID is intended for businesses that want to make applications available to their customers using the Microsoft Entra platform for identity and access.
Add sign-up and sign-in pages to your apps. Quickly add intuitive, user-friendly sign-up and sign-up experiences for your customer apps. With a single identity, a customer can securely access all the applications you want them to use.
Add single sign-on (SSO) with social and enterprise identities. Customers can choose a social, enterprise, or managed identity to sign in with a username and password, email, or one-time passcode.
Add your company branding to the sign-up page. Customize the look and feel of your sign-up and sign-in experiences, including both the default experience and the experience for specific browser languages.
Easily customize and extend your sign-up flows. Tailor your identity user flows to your needs. Choose the attributes you want to collect from a customer during sign-up, or add your own custom attributes. If the information your app needs is contained in an external system, create custom authentication extensions to collect and add data to authentication tokens.
Integrate multiple app languages and platforms. With Microsoft Entra, you can quickly set up and deliver secure, branded authentication flows for multiple app types, platforms, and languages.
Use native authentication for your apps. Create seamless authentication experiences for mobile and desktop applications using the Microsoft Authentication Library (MSAL) for iOS and Android.
Provide self-service account management. Customers can register for your online services by themselves, manage their profile, delete their account, enroll in a multifactor authentication (MFA) method, or reset their password with no admin or help desk assistance.
Consent to your terms of use and privacy policies. You can prompt users to accept your terms and conditions during sign-up. By using customer user attributes, you can add checkboxes to your sign-up form and include links to your terms of use and privacy policies.
Learn more about adding sign-in and sign-up to your app and customizing the sign-in look and feel.
You can create a simple sign-up and sign-in experience for your customers by adding a user flow to your application. The user flow defines the series of sign-up steps customers follow and the sign-in methods they can use (such as email and password, one-time passcodes, social accounts from Google, Facebook or Apple, as well as custom OIDC identity providers). You can also collect information from customers during sign-up by selecting from a series of user built-in attributes or adding your own custom attributes.
Several user flow settings let you control how the customer signs up for the application, including:
For details about configuring a user flow, see Create a sign-up and sign-in user flow for customers.
External ID is designed for flexibility by allowing you to define actions at certain points within the authentication flow. Using a custom authentication extension, you can add claims from external systems to the token just before it's issued to your application.
Learn more about adding your own business logic with custom authentication extensions.
External ID represents the convergence of business-to-consumer (B2C) features into the Microsoft Entra platform. You benefit from platform features like enhanced security, compliance with regulations, and the ability to scale your identity and access management processes.
Microsoft Entra security. Get all the security and data privacy benefits of Microsoft Entra, including Conditional Access, multifactor authentication, and governance. Protect access to your apps using strong authentication and risk-based adaptive access policies. Because customers are managed in a separate tenant, you can tailor your access policies to users who typically use personal and shared devices instead of managed ones.
Microsoft Entra reliability and scalability. Create highly customized sign-in experiences and manage customer accounts at a large scale. Ensure a good customer experience by taking advantage of Microsoft Entra performance, resiliency, business continuity, low-latency, and high throughput.
Learn more about the security and governance features that are available in an external tenant.
The Application user activity feature under Usage & insights provides data analytics on user activity and engagement for registered applications in your tenant. You can use this feature to view, query, and analyze user activity data in the Microsoft Entra admin center. This can help you uncover valuable insights that can aid strategic decisions and drive business growth.
Learn more about the application user activity dashboards that are available in an external tenant.
If you're a new customer, you might be wondering which solution is a better fit, Azure AD B2C or Microsoft Entra External ID. Effective May 1, 2025, Azure AD B2C will no longer be available to purchase for new customers (learn more in our FAQ). Microsoft Entra External ID represents the future of CIAM for Microsoft, and new features and capabilities will be focused on this platform. By choosing the next generation platform from the start, you will receive the benefits of rapid innovation and a future-proof architecture.
Training
Module
Discover how Microsoft Entra External ID can provide secure, seamless sign-in experiences for your consumers and business customers. Explore tenant creation, app registration, flow customization, and account security.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Documentation
Microsoft Entra External ID overview - Microsoft Entra External ID
Microsoft Entra External ID allows you to collaborate with or publish apps to people outside your organization. Compare solutions for External ID, including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C.
External Tenant Features - Microsoft Entra External ID
Compare features and capabilities of a workforce vs. an external tenant configuration. Determine which tenant type applies to your external identities scenario.
Plan a CIAM Deployment - Microsoft Entra External ID
Discover the steps for setting up a customer identity and access management (CIAM) solution in an external tenant, including creating a tenant, registering apps, and setting up user flows for sign-in.