In Entra External ID CIAM, will it be possible to add any external identity provider without a verified domain or DNS change?

Question

In Entra External ID CIAM, will it be possible to add any external identity provider without a verified domain or DNS change?

Anonymous

We have various customers that have IdPs with their own companies and would like to use their identities to log in to our customer-facing applications. In Entra External ID CIAM, will it be possible to add any external identity provider without a verified domain or DNS change? It's not clear how we would federate CIAM users to an external IdP that isn't a social IdP. The lines seem blurred between CIAM and B2B at this point. In a CIAM tenant I would expect to be able to add any external IdP via SAML or OIDC without requiring a verified domain or a DNS change to make it work (this is not a partner relationship). How would I federate to Okta, for example?

Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-07T07:20:43.05+00:00

@Craig

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for advisory on adding an IDP in CIAM without a verified DNS.

I am currently reviewing this ask with my resources and will get back to you with further inputs.

Thanks,

Akshay Kaushik
Lukatskiy, Yevgeniy (Acxiom) 0 Reputation points

2024-05-08T14:45:27.44+00:00

Could you please provide clarification for your previous answer? Is SAML/WS federation supported or planned to be supported by an Entra External ID external tenant? According to the following article, external tenants do not support SAML/WS federation IDPs; only the Entra External ID workforce tenants do, as part of B2B collaboration. https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers#general-feature-comparison
Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-15T03:41:40.38+00:00

@Craig

Hope you got a chance to review updated answer below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

1 answer

Your answer

Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-07T07:20:43.05+00:00

@Craig

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for advisory on adding an IDP in CIAM without a verified DNS.

I am currently reviewing this ask with my resources and will get back to you with further inputs.

Thanks,

Akshay Kaushik
Lukatskiy, Yevgeniy (Acxiom) 0 Reputation points

2024-05-08T14:45:27.44+00:00

Could you please provide clarification for your previous answer? Is SAML/WS federation supported or planned to be supported by an Entra External ID external tenant? According to the following article, external tenants do not support SAML/WS federation IDPs; only the Entra External ID workforce tenants do, as part of B2B collaboration. https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers#general-feature-comparison
Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-15T03:41:40.38+00:00

@Craig

Hope you got a chance to review updated answer below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 18,016 Microsoft Employee Moderator

@Craig

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for advisory on adding an IDP in CIAM without a verified DNS.

Please do correct me if this is not the ask by responding in the comments section.

As of now we cannot federate any other identity provider with CIAM tenant apart from ones mentioned below.

The following table compares the identity providers and methods available for primary authentication and multifactor authentication (MFA) in workforce and external tenants.

User's image

If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Anonymous

2024-05-07T15:22:55.64+00:00

This is not a solution for CIAM. Invite implies B2B. What is the CIAM solution? All other major CIAM providers (Ping, Okta, OneLogin, etc.) provide the ability to add external IdPs without requiring a passive sign in DNS change. Will Entra External ID CIAM be offering this?
Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-08T05:02:36.8366667+00:00

@Craig

Seems like I misunderstood your query, thanks for clarification. I will be looking for the possibilities and will get back to you.

Thanks,

Akshay Kaushik
Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-13T10:47:24.3533333+00:00

@Craig

Thanks for your time and patience, I was able to check this and found that as of now External tenanat (CIAM) does not support any SAML-Fed tenant for self service signup.

The following table compares the identity providers and methods available for primary authentication and multifactor authentication (MFA) in workforce and external tenants.

Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik
Anonymous

2024-05-15T16:05:05.44+00:00

Thanks for this @Akshay-MSFT . Any chance you could let me know if it's on the roadmap to add external IdPs or just generic SAML or OIDC external IdPs?
Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-16T04:49:18.9066667+00:00

@Craig

Currently we don't have this on the roadmap for IDP. Since this is a new feature, we are open for feedback, and I would recommend you post your idea on our feedback portal and let me know the link so that I could vote for it. This would be visible to our service engineering team.

Thanks,

Akshay Kaushik
Akshay-MSFT 18,016 Reputation points Microsoft Employee Moderator

2024-05-20T07:56:15.45+00:00

@Craig

I am following up to see if you were able to follow the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggested answer is as per your business need, please "Accept the answer", This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Share via

In Entra External ID CIAM, will it be possible to add any external identity provider without a verified domain or DNS change?

1 answer

Your answer