How can I implement a unified login page in a .NET web app for both workforce or external ID tenants?

Paul Wittle 0 Reputation points
2025-05-21T11:44:00.0533333+00:00

Documentation shows that workforce tenants support internal and external Entra tenants (via B2B) and that External tenants support OpenID Connect (OIDC) providers. However, it also highlights the following:

"Configuring other Microsoft Entra tenants as an external identity provider is currently not supported. Consequently, the microsoftonline.com domain in the issuer URI is not accepted."

The result is that neither solution works for a .NET web app with a mixed user base. The workforce tenant will actually be a mix of internal and external users because some will be guests via B2B and so there is no sensible logic that could be applied to know which tenant to use unless you ask the user.

This is exactly what Azure B2C did well by providing buttons to select on the first login page but you appear to be saying this functionality is to be discontinued.

Is my assumption wrong and you are still developing the ability to have an entry page where the user selects how to authenticate or are you promoting an alternative solution? If so, what is the solution you are promoting?

  1. Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2025-05-22T16:51:43.65+00:00

    Hello @Paul Wittle
    To understand this point, "This is exactly what Azure B2C did well by providing buttons to select on the first login page but you appear to be saying this functionality is to be discontinued", may I know which feature you are referring to? May I have a screenshot of what you are referring to?

    From your comment

    The purpose of a workforce tenant is primarily for internal users (employees), but it also supports B2B collaboration with external partners (e.g., vendors, contractors, or clients).
    These external users are added as guests using Entra ID B2B. They can use their own identity providers (Microsoft, Google, SAML, etc.) to sign in.
    If your external client is a business partner who needs access to internal apps like SharePoint, Teams, or custom line-of-business apps, they are added to the workforce tenant as guest users.

    On the other side, the purpose of an external tenant is for consumer-facing or business customer applications (e.g., a public portal or SaaS app).
    These users sign up via self-service or are invited. They can use social identities (Google, Facebook, etc.) or local accounts.

    If you have any questions, please let me know in the comment section.


  2. Eric Nguyen 1,025 Reputation points Independent Advisor
    2025-05-23T03:35:04.5533333+00:00

    Hi @Paul Wittle ,
    Thank you for your inquiry. Here’s an overview of our current capabilities and the recommended approach:

    Current Limitation: At present, Microsoft Entra External ID does not support using other Entra tenants as identity providers. Issuer URIs from the microsoftonline.com domain are not accepted, which means direct federation between two Entra tenants via External ID isn’t available.

    Recommended Solution:

    Custom Sign-In Page: By offering options such as “Sign in with work account” or “Sign in as a guest,” you can help guide users in choosing the correct authentication method if HRD alone does not clarify the choice.

    OpenID Connect (OIDC) for Customer Sign-In: If you are evaluating external identities (such as Google or Facebook), please note that these providers require users to already have an account with them. In an OIDC federation scenario, Microsoft Entra External ID (similarly to Azure AD B2C) acts as the service provider that delegates authentication to the third-party IdP. However, this setup only supports external users—not workforce accounts. For more details on how to set up OIDC as an external identity provider, please refer to:

    https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-custom-oidc-federation-customers

    Regarding External Identity Providers (e.g., Google or Facebook): According to this document https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-custom-oidc-federation-customers#configure-a-new-openid-connect-identity-provider-in-the-admin-center, it is by design that if you try to use a third-party IdP such as Google—even for users who aren’t Google account holders—they won’t be able to authenticate unless they already have an account with that provider. The IdP is solely responsible for verifying the user’s identity. In a typical federation scenario, Azure AD B2C (or External ID functioning in that role) acts as the service provider by delegating the authentication process to the third-party IdP. Note, however, that OIDC federation as described in our documentation only supports external users and does not extend to workforce tenant accounts. For further details on Microsoft Accounts federation, please refer to this reference https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-microsoft-accounts-federation-customers.

    If the above answer was helpful and resolved your query, please click "Accept Answer" and "Yes" for "Was this answer helpful".

    Best regards,
    Eric
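The custom sign-in page Eric recommends, as an added example (not code from either answer or from Microsoft): one ASP.NET Core app registers two OpenID Connect schemes, one for the workforce tenant (members and B2B guests) and one for the External ID tenant (customers), and a `/login` page lets the user choose which to challenge. The configuration keys (`Workforce:*`, `Customer:*`) and the scheme names are assumptions; the authority URLs come from configuration because each tenant publishes its own.

```csharp
// Added example, not the poster's or Microsoft's code. Two OIDC schemes behind one
// cookie scheme; the entry page picks which one to challenge. Config keys are assumed.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration;

const string WorkforceScheme = "Workforce"; // workforce tenant: employees + B2B guests
const string CustomerScheme = "Customer";   // External ID tenant: customers / social IdPs
// Allow-list of schemes the login page may challenge; anything else is rejected,
// so a crafted URL cannot trigger a challenge against an unintended scheme.
var allowedSchemes = new HashSet<string>(StringComparer.Ordinal) { WorkforceScheme, CustomerScheme };

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOpenIdConnect(WorkforceScheme, o =>
    {
        // Assumed config: Workforce:Authority = https://login.microsoftonline.com/<tenant-id>/v2.0
        o.Authority = cfg["Workforce:Authority"];
        o.ClientId = cfg["Workforce:ClientId"];
        o.ClientSecret = cfg["Workforce:ClientSecret"];
        o.ResponseType = "code";
        o.CallbackPath = "/signin-workforce"; // distinct redirect URI per scheme
        o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddOpenIdConnect(CustomerScheme, o =>
    {
        // Assumed config: Customer:Authority = the External ID tenant's own authority URL
        o.Authority = cfg["Customer:Authority"];
        o.ClientId = cfg["Customer:ClientId"];
        o.ClientSecret = cfg["Customer:ClientSecret"];
        o.ResponseType = "code";
        o.CallbackPath = "/signin-customer";
        o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Unified entry page: the user says which tenant they belong to, since the app cannot tell.
app.MapGet("/login", () => Results.Content(
    "<a href=\"/login/Workforce\">Sign in with work account</a><br/>" +
    "<a href=\"/login/Customer\">Sign in as a customer</a>", "text/html"));

// Challenge only an allow-listed scheme; unknown values get 400 instead of a redirect.
app.MapGet("/login/{scheme}", (string scheme) => allowedSchemes.Contains(scheme)
    ? Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }, new[] { scheme })
    : Results.BadRequest("unknown sign-in option"));

app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}").RequireAuthorization();
app.Run();
```

Both redirect URIs (`/signin-workforce`, `/signin-customer`) must be registered on the respective app registrations, and the cookie scheme is the only one the rest of the app authorizes against.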
