Supported features in Microsoft Entra External ID (preview)
Microsoft Entra External ID is designed for businesses that want to make applications available to their customers, using the Microsoft Entra platform for identity and access. With the introduction of this feature, Microsoft Entra ID now offers two different types of tenants that you can create and manage:
A workforce tenant contains your employees and the apps and resources that are internal to your organization. If you've worked with Microsoft Entra ID, this is the type of tenant you're already familiar with. You might already have an existing workforce tenant for your organization.
An external tenant represents your customer-facing apps, resources, and directory of customer accounts. An external tenant is distinct and separate from your workforce tenant.
Important
Microsoft Entra External ID for external-facing apps is currently in preview. See the Universal License Terms for Online Services for legal terms that apply to Azure features and services that are in beta, preview, or otherwise not generally available.
Compare workforce and external tenant capabilities
Although workforce tenants and external tenants are built on the same underlying Microsoft Entra platform, there are some feature differences. The following table compares the features available in each type of tenant.
Note
During preview, features or capabilities that require a premium license are unavailable in external tenants.
Feature | Workforce tenant | External tenant |
---|---|---|
External Identities | Invite partners and other external users to your workforce tenant for collaboration. External users become guests in your workforce directory. | Enable self-service sign-up for customers and authorize access to apps. Users are added to your directory as customer accounts. |
Identity providers | Microsoft Entra accounts, Microsoft accounts, Google federation, Facebook federation, SAML/WS-Fed federation | Google federation, Facebook federation |
Authentication methods | Username and password, Microsoft Authenticator, FIDO2, SMS, Temporary Access Pass, third-party software OATH tokens, voice call, email one-time passcode, certificate-based authentication | Username and password, email one-time passcode |
Multifactor authentication | Microsoft Authenticator, Authenticator Lite, FIDO2, certificate-based authentication, Temporary Access Pass (TAP), SMS, voice call, third-party software OATH tokens. Learn more | Email one-time passcode |
Groups | Groups can be used to manage administrative and user accounts. | Groups can be used to manage administrative accounts. Support for Microsoft Entra groups and application roles is being phased into customer tenants. For the latest updates, see Groups and application roles support. |
Roles and administrators | Roles and administrators are fully supported for administrative and user accounts. | Roles aren't supported with customer accounts. Customer accounts don't have access to tenant resources. |
Custom domain names | You can use custom domains for administrative accounts only. | Not currently supported. However, the URLs visible to customers in sign-up and sign-in pages are neutral, unbranded URLs. Learn more |
Identity protection | Provides ongoing risk detection for your Microsoft Entra tenant. It allows organizations to discover, investigate, and remediate identity-based risks. | A subset of the Microsoft Entra ID Protection risk detections is available. Learn more. |
Custom authentication extension | Add claims from external systems. | Add claims from external systems. |
Token customization | Add user attributes, custom authentication extension (preview), claims transformation and security groups membership to token claims. | Add user attributes, custom authentication extension and security groups membership to token claims. Learn more. |
Self-service password reset | Allow users to reset their password using up to two authentication methods (see the next row for available methods). | Allow users to reset their password using email with one time passcode. Learn more. |
Company branding | Microsoft Entra tenant supports Microsoft look and feel as a default state for authentication experience. Administrators can customize the default Microsoft sign-in experience. | Microsoft provides a neutral branding as the default for the external tenant, which can be customized to meet the specific needs of your company. The default branding for the external tenant is neutral and doesn't include any existing Microsoft branding. Learn more. |
Language customization | Customize the sign-in experience based on browser language when users authenticate into your corporate intranet or web-based applications. | Use languages to modify the strings displayed to your customers as part of the sign-in and sign-up process. Learn more. |
Custom attributes | Use directory extension attributes to store more data in the Microsoft Entra directory for user objects, groups, tenant details, and service principals. | Use directory extension attributes to store more data in the customer directory for user objects. Create custom user attributes and add them to your sign-up user flow. Learn more. |
Application registration
The following table compares the features available for Application registration in each type of tenant.
Feature | Workforce tenant | External tenant |
---|---|---|
Protocol | SAML relying parties, OpenID Connect, and OAuth2 | OpenID Connect and OAuth2 |
Supported account types | The following account types: | For customer-facing applications, always use Accounts in this organizational directory only (Single tenant). |
Platform | The following platforms: | Same as workforce. |
Authentication > Redirect URIs | The URIs Microsoft Entra ID accepts as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users. | Same as workforce. |
Authentication > Front-channel logout URL | This URL is where Microsoft Entra ID sends a request to have the application clear the user's session data. The Front-channel logout URL is required for single sign-out to work correctly. | Same as workforce. |
Authentication > Implicit grant and hybrid flows | Request a token directly from the authorization endpoint. | Same as workforce. |
Certificates & secrets | | Same as workforce. |
Token configuration | | |
API permissions | Add, remove, and replace permissions to an application. After permissions are added to your application, users or admins need to grant consent to the new permissions. Learn more about updating an app's requested permissions in Microsoft Entra ID. | For customer-facing applications, the following are the allowed permissions: the Microsoft Graph permissions `offline_access`, `openid`, and `User.Read`, plus your My APIs delegated permissions. Only an admin can consent on behalf of the organization. |
Expose an API | Define custom scopes to restrict access to data and functionality protected by the API. An application that requires access to parts of this API can request that a user or admin consent to one or more of these scopes. | Define custom scopes to restrict access to data and functionality protected by the API. An application that requires access to parts of this API can request that admin consent to one or more of these scopes. |
App roles | App roles are custom roles to assign permissions to users or apps. The application defines and publishes the app roles and interprets them as permissions during authorization. | Same as workforce. Learn more about using role-based access control for applications in an external tenant. |
Owners | Application owners can view and edit the application registration. Additionally, any user (who might not be listed) with administrative privileges to manage any application (for example, Global Administrator, Cloud App Administrator, etc.) can view and edit the application registration. | Same as workforce. |
Roles and administrators | Administrative roles are used for granting access for privileged actions in Microsoft Entra ID. | Only the Cloud Application Administrator role can be used for customer-facing applications. This role grants the ability to create and manage all aspects of application registrations and enterprise applications. |
Assigning users and groups to an app | When user assignment is required, only those users you assign to the application (either through direct user assignment or based on group membership) are able to sign in. For more information, see manage users and groups assignment to an application. | Not available |
OpenID Connect and OAuth2 flows
The following table compares the features available for OAuth 2.0 and OpenID Connect authorization flows in each type of tenant.
Feature | Workforce tenant | External tenant |
---|---|---|
OpenID Connect | Yes | Yes |
Authorization code | Yes | Yes |
Authorization code with Code Exchange (PKCE) | Yes | Yes |
Client credentials | Yes | v2.0 applications |
Device authorization | Yes | No |
On-Behalf-Of flow | Yes | Yes |
Implicit grant | Yes | Yes |
Resource Owner Password Credentials | Yes | No |
Authority URL in OpenID Connect and OAuth2 flows
The authority URL identifies the directory that MSAL requests tokens from. For customer-facing applications, always use the following format: `<tenant-name>.ciamlogin.com`
The following JSON shows an example of a .NET application app settings with an authority URL:
```json
{
  "AzureAd": {
    "Authority": "https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/",
    "ClientId": "<Enter_the_Application_Id_Here>"
  }
}
```
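The two constraints this page states for customer-facing apps, the `<tenant-name>.ciamlogin.com` authority and the short list of allowed Microsoft Graph permissions, are easy to get wrong when a template is copied from a workforce-tenant sample. The following check is an added example (not code from the page or from Microsoft); it assumes a Microsoft.Identity.Web-style `appsettings.json` with a `DownstreamApi:Scopes` key and uses constructed sample values.

```python
import json
import re

# Constructed sample appsettings.json for an app registered in an external tenant.
# The tenant name and IDs are made up; the Authority format is the one the page requires.
SAMPLE_APPSETTINGS = """
{
  "AzureAd": {
    "Authority": "https://contoso.ciamlogin.com/",
    "ClientId": "11111111-2222-3333-4444-555555555555"
  },
  "DownstreamApi": {
    "Scopes": "openid offline_access User.Read api://11111111-2222-3333-4444-555555555555/Tasks.Read"
  }
}
"""

# External tenants use https://<tenant-name>.ciamlogin.com/, never login.microsoftonline.com.
AUTHORITY_RE = re.compile(r"^https://[a-z0-9-]+\.ciamlogin\.com/$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Microsoft Graph permissions the page lists as allowed for customer-facing apps.
ALLOWED_GRAPH_SCOPES = {"openid", "offline_access", "User.Read"}


def lint_external_tenant_settings(raw: str) -> list[str]:
    """Return a list of findings for the settings JSON; an empty list means it passes."""
    findings = []
    cfg = json.loads(raw)
    azure_ad = cfg.get("AzureAd", {})
    authority = azure_ad.get("Authority", "")
    client_id = azure_ad.get("ClientId", "")
    # Placeholders left over from the template would point the app at a non-existent authority.
    if "<Enter_" in authority or "<Enter_" in client_id:
        findings.append("template placeholder left in AzureAd settings")
    if not AUTHORITY_RE.match(authority):
        findings.append(f"Authority is not https://<tenant-name>.ciamlogin.com/: {authority!r}")
    if not GUID_RE.match(client_id):
        findings.append("ClientId is not a GUID")
    # DownstreamApi:Scopes is an assumed key (space-separated scopes, as in Microsoft.Identity.Web).
    for scope in cfg.get("DownstreamApi", {}).get("Scopes", "").split():
        if scope.startswith("api://"):
            continue  # the app's own (My APIs) delegated permissions are allowed
        if scope not in ALLOWED_GRAPH_SCOPES:
            findings.append(f"Graph permission not allowed for customer-facing apps: {scope}")
    return findings
```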
Conditional Access
The following table compares the features available for Conditional Access in each type of tenant.
Feature | Workforce tenant | External tenant |
---|---|---|
Assignments | Users, groups, and workload identities | Include all users, and exclude users and groups. For more information, see Add multifactor authentication (MFA) to a customer-facing app. |
Target resources | | |
Conditions | | |
Grant | Grant or block access to resources | |
Session | Session controls | Not available |
Account management
The following table compares the features available for user management in each type of tenant. As noted in the table, certain account types are created through invitation or self-service sign-up. A user admin in the tenant can also create accounts via the admin center.
Feature | Workforce tenant | External tenant |
---|---|---|
Type of accounts | | |
Manage user profile info | Programmatically and by using the Microsoft Entra admin center. | Same as workforce. |
Reset a user's password | Administrators can reset a user's password if the password is forgotten, if the user gets locked out of a device, or if the user never received a password. | Same as workforce. |
Restore or remove a recently deleted user | After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. | Same as workforce. |
Disable accounts | Prevent a user from being able to sign in. | Same as workforce. |
Password protection
Feature | Workforce tenant | External tenant |
---|---|---|
Smart lockout | Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. | Same as workforce. |
Custom banned passwords | The Microsoft Entra custom banned password list lets you add specific strings to evaluate and block. | Not available. |