Add Facebook as an identity provider for External Identities

Tip

This article describes adding Facebook as an identity provider for B2B collaboration. If your tenant is configured for customer identity and access management, see Add Facebook as an identity provider for customers.

You can add Facebook to your self-service sign-up user flows so that users can sign in to your applications using their own Facebook accounts. To allow users to sign in using Facebook, you'll first need to enable self-service sign-up for your tenant. After you add Facebook as an identity provider, set up a user flow for the application and select Facebook as one of the sign-in options.

After you've added Facebook as one of your application's sign-in options, on the Sign in page, a user can simply enter the email they use to sign in to Facebook, or they can select Sign-in options and choose Sign in with Facebook. In either case, they'll be redirected to the Facebook sign-in page for authentication.

Screenshot showing the sign-in options for Facebook users.

Note

Users can only use their Facebook accounts to sign up through apps using self-service sign-up and user flows. Users cannot be invited and redeem their invitation using a Facebook account.

Create an app in the Facebook developers console

To use a Facebook account as an identity provider, you need to create an application in the Facebook developers console. If you don't already have a Facebook account, you can sign up at https://www.facebook.com/.

Note

Use the following URLs in the Site URL and Valid OAuth redirect URIs steps below.

  • For Site URL, enter the address of your application, such as https://contoso.com.
  • For Valid OAuth redirect URIs, enter https://login.microsoftonline.com/te/<tenant-id>/oauth2/authresp. To find your tenant ID, sign in to the Microsoft Entra admin center. Under Identity, select Overview and copy the Tenant ID.

  1. Sign in to Facebook for developers with your Facebook account credentials.
  2. If you haven't already done so, you need to register as a Facebook developer. To do this, select Get Started on the upper-right corner of the page, accept Facebook's policies, and complete the registration steps.
  3. Select My Apps and then Create App.
  4. Select an app type and then Details.
  5. Add an app name and a valid App contact email.
  6. Select Create app. This may require you to accept Facebook platform policies and complete an online security check.
  7. Select Settings > Basic.
  8. Choose a Category, for example Business and pages. This value is required by Facebook, but not used for Microsoft Entra External ID.
  9. At the bottom of the page, select Add Platform, and then select Website.
  10. In Site URL, enter the appropriate URL (noted above).
  11. In Privacy Policy URL at the top of the page, enter the URL for the page where you maintain privacy information for your application, for example http://www.contoso.com.
  12. Select Save changes.
  13. At the top of the page, copy the value of App ID.
  14. At the top of the page, select Show and copy the value of App secret. You use both of them to configure Facebook as an identity provider in your tenant. App secret is an important security credential.
  15. In the left menu select Add Product next to Products, and then select Set up under Facebook Login.
  16. Under Facebook Login in the left, select Settings.
  17. In Valid OAuth redirect URIs, enter the appropriate URL (noted above).
  18. Select Save changes at the bottom of the page.
  19. To make your Facebook application available to Microsoft Entra External ID, select the App Mode selector at the top of the page and switch it to Live to make the application public.

Configure a Facebook account as an identity provider

Now you'll set the Facebook client ID and client secret, either by entering them in the Microsoft Entra admin center or by using PowerShell. You can test your Facebook configuration by signing up via a user flow on an app enabled for self-service sign-up.

To configure Facebook federation in the Microsoft Entra admin center

Tip

Steps in this article may vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least an External Identity Provider Administrator.

  2. Browse to Identity > External Identities > All identity providers, then select Facebook.

  3. For the Client ID, enter the App ID of the Facebook application that you created earlier.

  4. For the Client secret, enter the App secret that you recorded.

    Screenshot showing the Add social identity provider page.

  5. Select Save.

To configure Facebook federation by using PowerShell

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).

  2. Run the following command: Connect-AzureAD.

  3. At the sign-in prompt, sign in with the managed Global Administrator account.

  4. Run the following command:

    New-AzureADMSIdentityProvider -Type Facebook -Name Facebook -ClientId [Client ID] -ClientSecret [Client secret]

    Note

    Use the client ID and client secret from the app you created above in the Facebook developer console. For more information, see the New-AzureADMSIdentityProvider article.
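The PowerShell procedure above, as an added example that is not part of this article: it creates the Facebook provider only if none exists, otherwise updates the existing one in place (so a secret rotation does not break sign-in for users who already federated), reads the App secret without echoing it or leaving it in shell history, and verifies the result with Get-AzureADMSIdentityProvider. It assumes Windows PowerShell 5.1 with the AzureADPreview module installed; the App ID value is a placeholder.

```powershell
# Added example, not from the Microsoft article. Assumes AzureADPreview is
# installed and that you are running Windows PowerShell 5.1.
# Placeholder: replace with the App ID copied from the Facebook developer console.
$FacebookAppId = '<facebook-app-id>'

Connect-AzureAD | Out-Null

# Prompt for the App secret as a SecureString so it never appears on the
# command line or in the PowerShell history file.
$secure = Read-Host -Prompt 'Facebook App secret' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Check whether a Facebook provider is already registered in the tenant.
$existing = Get-AzureADMSIdentityProvider | Where-Object { $_.Type -eq 'Facebook' }

if ($null -eq $existing) {
    New-AzureADMSIdentityProvider -Type Facebook -Name Facebook `
        -ClientId $FacebookAppId -ClientSecret $plain | Out-Null
    Write-Host 'Created Facebook identity provider.'
}
else {
    # Update in place instead of delete/recreate: deleting the provider
    # would lock out users who signed up with Facebook (see the removal
    # section of this article).
    Set-AzureADMSIdentityProvider -Id $existing.Id `
        -ClientId $FacebookAppId -ClientSecret $plain
    Write-Host "Updated existing provider $($existing.Id)."
}

# Verify the registration. The returned ClientSecret is masked, so only the
# ClientId can be compared. 'Facebook-OAUTH' is the Id used by this article.
$check = Get-AzureADMSIdentityProvider -Id 'Facebook-OAUTH'
if ($check.ClientId -ne $FacebookAppId) {
    throw 'Verification failed: registered ClientId does not match the App ID.'
}

# Drop the plaintext copy of the secret from the session.
Remove-Variable plain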

How do I remove Facebook federation?

You can delete your Facebook federation setup. If you do so, any users who have signed up through user flows with their Facebook accounts will no longer be able to sign in.

To delete Facebook federation in the Microsoft Entra admin center:

  1. Sign in to the Microsoft Entra admin center as at least an External Identity Provider Administrator.
  2. Browse to Identity > External Identities > All identity providers.
  3. Select the Facebook line, and then select Delete.
  4. Select Yes to confirm deletion.

To delete Facebook federation by using PowerShell:

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).

  2. Run Connect-AzureAD.

  3. In the sign-in prompt, sign in with the managed Global Administrator account.

  4. Enter the following command:

    Remove-AzureADMSIdentityProvider -Id Facebook-OAUTH

    Note

    For more information, see Remove-AzureADMSIdentityProvider.

Next steps