Microsoft Entra External ID and authentication using Microsoft Entra federation

Masi Malmi 36 Reputation points
2024-06-05T09:50:16.89+00:00

Hello,

I have been testing the MS Entra External ID sign up and sign in user flow. It came to me as a surprise that users from other MS Entra ID tenants need to be added as Guest users to the External ID tenant. In other words, the login screen in the new CIAM works differently from the normal MS login screen, in that it tries to find the user account from the External ID tenant's directory and doesn't allow signing in unless the user account pre-exists there as Guest user (either through invitation or self-service sign up).

MS Entra External ID provides the SAML/WS-Fed external identity provider as an option, but that requires additional configuration in each MS Entra ID tenant (IdP) that needs to federate to our External ID tenant. Therefore OIDC would be the preferred option here, similarly to how AAD B2C does it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy

When can we expect to have this OIDC option available? I'm sure a lot of other customers are asking after this as well.

Apparently it's on the roadmap for this year: https://learn.microsoft.com/en-us/answers/questions/1627828/microsoft-entra-id-for-customers-and-openid-connec?source=docs

I've been trying to find the roadmap for Entra External ID; is it publicly available somewhere?


Accepted answer
    Shweta Mathur 28,691 Reputation points Microsoft Employee
    2024-06-10T10:27:46.63+00:00

    Hi @Masi Malmi,

    Thanks for reaching out.

    > It came to me as a surprise that users from other MS Entra ID tenants need to be added as Guest users to the External ID tenant.

    Microsoft Entra External ID is a customer identity and access management (CIAM) solution specifically for consumers and customers.

    For any users (consumers/customers) to sign in to the application, they need to sign up to the application.

    Similar to Azure AD B2C, for any new user to sign in to the application, that user first needs to exist in the consumer tenant, either through sign-up or through invitation.

    Microsoft Entra External ID allows users from other tenants to sign up directly using the signUp/signIn user flow, and they are added as local accounts in the consumer tenant. However, you can also invite those users through email, and those accounts will then be considered guest accounts.

    I have added two accounts from another tenant, one using an invite through a link and another by signing up using the user flow.

    (screenshot omitted)

    ABC, which was invited through a link, is added with the Guest user type and External Azure AD identities.

    However, the other account, Shweta VRD24, is from the same tenant and shows as a local account after signing in using CIAM's user flow.

    Once these accounts exist in the system, you can sign in to your application directly using the user flow.

    > When can we expect to have this OIDC option available? I'm sure a lot of other customers are asking after this as well.

    Yes, this is a very common ask and our product team is working on it. As of now, we can't share any date.

    You can refer to https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers for all the current features in the external tenant.

    Keep checking https://learn.microsoft.com/en-us/entra/external-id/customers/whats-new-docs for monthly updates on the external tenant.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

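As an added example (not code from this thread, from Microsoft, or from the External ID product), the following Python audit takes a Microsoft Graph /users response from an External ID tenant, separates invited guest accounts from local accounts created by the sign-up user flow, and then lists the partner users who have no account yet and would therefore be turned away by the user flow until invited or self-registered. The response shape is constructed for the example and the identity issuer values are assumptions, not values from the thread.

```python
import json

# Constructed sample (not from the thread): the shape of a Microsoft Graph
# GET /users?$select=displayName,mail,userType,identities response from an
# External ID tenant. Issuer/identity values are illustrative placeholders.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"displayName": "ABC", "mail": "abc@partner.example", "userType": "Guest",
     "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD",
                     "issuerAssignedId": "abc@partner.example"}]},
    {"displayName": "Shweta VRD24", "mail": "shweta@partner.example", "userType": "Member",
     "identities": [{"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "shweta@partner.example"}]},
    {"displayName": "Tenant Admin", "mail": None, "userType": "Member",
     "identities": [{"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "admin@contoso.onmicrosoft.com"}]},
]})


def classify_account(user: dict) -> str:
    """Map one Graph user object to the account kinds the thread contrasts:
    'guest' (invited, B2B), 'local' (created by self-service sign-up, carries an
    emailAddress identity) or 'directory' (ordinary member such as an admin)."""
    if user.get("userType") == "Guest":
        return "guest"
    sign_in_types = {i.get("signInType") for i in user.get("identities", [])}
    return "local" if "emailAddress" in sign_in_types else "directory"


def account_inventory(graph_json: str) -> dict:
    """Count each account kind in a Graph /users response."""
    counts = {"guest": 0, "local": 0, "directory": 0}
    for user in json.loads(graph_json)["value"]:
        counts[classify_account(user)] += 1
    return counts


def missing_accounts(graph_json: str, expected_emails) -> list:
    """Return the partner e-mail addresses that have no account in the External ID
    tenant yet, i.e. users the user flow will reject until they are invited or
    self-register. Matches on mail and on each identity's issuerAssignedId."""
    known = set()
    for user in json.loads(graph_json)["value"]:
        if user.get("mail"):
            known.add(user["mail"].lower())
        for ident in user.get("identities", []):
            known.add(str(ident.get("issuerAssignedId", "")).lower())
    return sorted(e for e in expected_emails if e.lower() not in known)
```

Feed it the JSON body of a real Graph call with the same $select and the list of partner users you expect to federate, and the output tells you who still needs an invitation before the user flow will accept them.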
