With Microsoft Entra External ID, you can create secure, customized sign-in experiences for your consumer-facing and business customer-facing apps. In an external tenant, there are several ways for users to sign up for your app. They can create a local account using their email address and either a password or a one-time passcode. Or, if you enable sign-in with Facebook, Google, Apple, or a custom OIDC identity provider, they can sign in with an account they already hold at that provider.
This article describes the identity providers that are available for primary authentication when signing up for and signing in to apps in external tenants. You can also strengthen sign-in by enforcing a multifactor authentication (MFA) policy that requires a second form of verification each time a user signs in (learn more).
Email and password sign-in
Email sign-up is enabled by default in your local account identity provider settings. With the email and password option, customers sign up and sign in with their email address and a password that the tenant stores.
Sign-up: Customers are prompted for an email address, which is verified at sign-up with a one-time passcode. The customer then enters any other information requested on the sign-up page, for example, display name, given name, and surname. Then they select Continue to create an account.
Sign-in: After the customer signs up and creates an account, they can sign in by entering their email address and password.
Password reset: If you enable email and password sign-in, a password reset link appears on the password page. If the customer forgets their password, selecting this link sends a one-time passcode to their email address. After verification, the customer can choose a new password.
Email with one-time passcode sign-in
Email with one-time passcode is an option in your local account identity provider settings. With this option, the customer signs in with a temporary passcode sent to their email address instead of a stored password, so there is no password for the tenant to store or for the customer to reuse or forget.
Sign-up: Customers sign up with their email address and request a temporary code, which is sent to that address. They enter the code to complete sign-up.
Sign-in: After the customer signs up and creates an account, each time they sign in they enter their email address and receive a new temporary passcode to complete sign-in.
You can also configure options for showing, hiding, or customizing the self-service password reset link on the sign-in page (learn more).
Social identity providers: Facebook, Google and Apple
For an optimal sign-in experience, federate with social identity providers whenever possible so you can give your customers a seamless sign-up and sign-in experience. In an external tenant, you can allow a customer to sign up and sign in using their own Facebook, Google, or Apple account. When a customer signs up for your app using their social account, the social identity provider creates, maintains, and manages identity information while providing authentication services to applications.
When you enable social identity providers, customers can select from the social identity provider options you make available on the sign-up page. To set up a social identity provider in your external tenant, you create an application at the identity provider and configure its credentials. You obtain a client or app ID and a client or app secret, which you then add to your external tenant. Treat that secret as a credential: anyone who holds it can present themselves to the social provider as your application, so store it only in the tenant configuration and keep it out of source control, tickets, and logs.
Google sign-in (preview)
By setting up federation with Google, you can allow customers to sign in to your applications with their own Gmail accounts. After you add Google as one of your application's sign-in options, on the sign-in page, users can sign in to Microsoft Entra External ID with a Google account.
The following screenshots show the sign-in with Google experience. In the sign-in page, users select Sign-in with Google. At that point, the user is redirected to the Google identity provider to complete the sign-in.
Facebook sign-in
By setting up federation with Facebook, you can allow customers to sign in to your applications with their own Facebook accounts. After you add Facebook as one of your application's sign-in options, on the sign-in page, users can sign in to Microsoft Entra External ID with a Facebook account.
The following screenshots show the sign-in with Facebook experience. In the sign-in page, users select Sign-in with Facebook. Then the user is redirected to the Facebook identity provider to complete the sign-in.
Apple sign-in
By setting up federation with Apple, you can allow customers to sign in to your applications with their own Apple accounts. After you add Apple as one of your application's sign-in options, on the sign-in page, users can sign in to Microsoft Entra External ID with an Apple account.
The following screenshots show the sign-in with Apple experience. In the sign-in page, users select Sign-in with Apple. Then the user is redirected to the Apple identity provider to complete the sign-in.
Learn how to add Apple as an identity provider.
Custom OIDC identity provider (preview)
You can set up a custom OpenID Connect (OIDC) identity provider to enable customers to sign up and sign in to your applications with accounts they already hold at that provider. When a customer signs up for your app through the custom OIDC identity provider, that provider creates, maintains, and manages the identity information while providing authentication services to your applications; the external tenant trusts the tokens the provider issues, so the provider's own security posture becomes part of your sign-in security.
You can also federate your sign-in and sign-up flows with an Azure AD B2C tenant using the OIDC protocol.
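Before federating an external tenant with a custom OIDC provider, it is worth checking the provider's published discovery (well-known) metadata for the properties the federation will rely on. The following is an added example, not code from this page or from Microsoft: it assumes the provider publishes standard OpenID Connect discovery metadata and that you know the issuer value you intend to configure. Both sample documents are constructed for the example.

```python
"""Added example: sanity-check a custom OIDC provider's discovery document
before federating an external tenant with it. Not Microsoft code; the
sample documents below are constructed."""
from typing import List
from urllib.parse import urlparse

# Endpoints every federation depends on; all of them must be present and https.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_oidc_metadata(doc: dict, expected_issuer: str) -> List[str]:
    """Return a list of problems found; an empty list means the document passed.

    expected_issuer is the issuer you plan to configure in the tenant; it must
    equal the metadata's issuer, which is also the iss claim tokens will carry.
    """
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https")
    issuer = doc.get("issuer")
    if issuer and issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match expected {expected_issuer!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs:
        problems.append("no id_token signing algorithms advertised")
    if "none" in algs:
        problems.append("provider advertises unsigned id_tokens (alg none)")
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("openid scope not advertised")
    return problems


# Constructed sample: a well-formed document for a hypothetical provider.
GOOD_DOC = {
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "jwks_uri": "https://login.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
}

# Constructed sample: same provider with the mistakes the checks are for.
BAD_DOC = {
    "issuer": "https://login.example.com/",
    "authorization_endpoint": "http://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "response_types_supported": ["id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "none"],
    "scopes_supported": ["profile"],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_oidc_metadata(doc, "https://login.example.com") or "ok")
```

Run the checks against the metadata you fetched from the provider (for example with any HTTP client) and refuse to configure the federation until the list comes back empty; a trailing slash on the issuer or an `http` authorization endpoint is the kind of detail that otherwise surfaces only as a failed sign-in.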
Updating sign-in options
At any time, you can update the sign-in options for an app. For example, you can add social identity providers or change the local account sign-in method.
When you change the local account sign-in method, the change affects only new users. Existing users continue to sign in using the method they signed up with. For example, suppose you start out with the email and password sign-in method, and then change to email with one-time passcode. New users sign in using a one-time passcode, but any users who already signed up with an email and password continue to be prompted for their email and password, and their stored passwords remain in the tenant.
Microsoft Graph APIs
The following Microsoft Graph API operations are supported for managing identity providers and authentication methods in Microsoft Entra External ID:
To identify which identity providers and authentication methods the tenant supports, call the List availableProviderTypes API.
To identify the identity providers and authentication methods that are already configured and enabled in the tenant, call the List identityProviders API.
To enable a supported identity provider or authentication method, call the Create identityProvider API.
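The three operations form a natural sequence: discover what the tenant supports, see what is already configured, and only then create what is missing. The following is an added example, not code from this page or from Microsoft, that wires them together with an injectable transport so the decision logic runs offline; it also serves the social identity provider setup described earlier, where the client ID and secret obtained from the provider are added to the tenant. The Graph URLs are the v1.0 identityProviders endpoints the article names; the `send` transport and `make_fake_transport` are assumptions of this example (in production you would wrap an authenticated HTTP client), and the fake tenant's contents are constructed.

```python
"""Added example: manage External ID identity providers through the three
Graph operations the article lists. Not Microsoft code; the transport is an
injection point so the logic runs against a constructed fake tenant."""
from typing import Callable, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
IDP_URL = f"{GRAPH}/identity/identityProviders"

# A transport takes (method, url, json_body) and returns the parsed JSON reply.
Transport = Callable[[str, str, Optional[dict]], dict]


def social_idp_body(provider_type: str, display_name: str,
                    client_id: str, client_secret: str) -> dict:
    """Request body for Create identityProvider with a social provider.
    Google and Facebook use socialIdentityProvider; Apple has its own
    resource type and is deliberately not handled by this example."""
    if provider_type not in ("Google", "Facebook"):
        raise ValueError(f"{provider_type} is not a socialIdentityProvider type")
    return {
        "@odata.type": "#microsoft.graph.socialIdentityProvider",
        "displayName": display_name,
        "identityProviderType": provider_type,
        "clientId": client_id,
        "clientSecret": client_secret,
    }


def redacted(body: dict) -> dict:
    """Copy that is safe to log: the client secret is your app's credential at
    the social provider and must never reach logs or tickets."""
    return {k: ("******" if k == "clientSecret" else v) for k, v in body.items()}


def available_types(send: Transport) -> List[str]:
    """List availableProviderTypes: provider types this tenant can use."""
    return list(send("GET", f"{IDP_URL}/availableProviderTypes", None)["value"])


def configured_providers(send: Transport) -> List[dict]:
    """List identityProviders: providers already configured and enabled."""
    return list(send("GET", IDP_URL, None)["value"])


def not_yet_configured(available: List[str], configured: List[dict]) -> List[str]:
    """Provider types the tenant supports but has no identityProvider object for."""
    have = {p.get("identityProviderType") for p in configured}
    return sorted(t for t in available if t not in have)


def enable_social_provider(send: Transport, provider_type: str, display_name: str,
                           client_id: str, client_secret: str) -> Optional[dict]:
    """Create identityProvider only if the type is supported and not already
    present. Returns the created object, or None when nothing needed doing."""
    if provider_type not in available_types(send):
        raise ValueError(f"tenant does not support provider type {provider_type}")
    if provider_type not in not_yet_configured(available_types(send), configured_providers(send)):
        return None  # idempotent: never create a duplicate provider
    body = social_idp_body(provider_type, display_name, client_id, client_secret)
    print("creating", redacted(body))  # log the redacted copy, never the body
    return send("POST", IDP_URL, body)


def make_fake_transport(seed: List[dict]) -> Transport:
    """Constructed in-memory tenant for offline runs. Graph documents
    clientSecret as write-only (reads return a masked value); this fake masks
    it in every reply so a caller can never rely on reading it back."""
    store: List[dict] = [dict(p) for p in seed]
    available = ["Google", "Facebook"]  # constructed; a real tenant lists more

    def send(method: str, url: str, body: Optional[dict]) -> dict:
        if method == "GET" and url == f"{IDP_URL}/availableProviderTypes":
            return {"value": list(available)}
        if method == "GET" and url == IDP_URL:
            return {"value": [redacted(p) for p in store]}
        if method == "POST" and url == IDP_URL and body is not None:
            created = dict(body)
            created["id"] = f"{body['identityProviderType']}-OAUTH"  # fake id format
            store.append(created)
            return redacted(created)
        raise RuntimeError(f"unexpected call {method} {url}")
    return send


if __name__ == "__main__":
    send = make_fake_transport([{"id": "Google-OAUTH", "identityProviderType": "Google",
                                 "displayName": "Google", "clientId": "g-id",
                                 "clientSecret": "g-secret"}])
    print("missing:", not_yet_configured(available_types(send), configured_providers(send)))
    print(enable_social_provider(send, "Facebook", "Facebook", "fb-app-id", "fb-app-secret"))
    print(enable_social_provider(send, "Facebook", "Facebook", "fb-app-id", "fb-app-secret"))
```

To use this against a real tenant, replace `make_fake_transport` with a `send` that attaches a bearer token for an identity with the permission Graph requires for identityProviders and returns the parsed JSON; the rest of the logic, including the duplicate check and the redacted logging, stays the same.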