Overview of authentication in Power Pages
You may want to limit access to your site's pages and data to specific users. You can configure page permissions to protect specific pages. Power Pages associates each authenticated site user with a Microsoft Dataverse contact record.
To get more permissions than unauthenticated users have, users must be assigned to web roles that give them specific permissions on the site. Power Pages allows users to sign in with their choice of an external account based on ASP.NET Identity. Users can also sign in using a local contact membership provider-based account, although we don't recommend it.
Note
Users must have a unique email address. If two or more contact records—including deactivated contact records—have the same email address, the contacts can't authenticate on the website.
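The following added example (not part of the original documentation) shows one way to check exported contact rows for the collision described in the note, counting deactivated records as well as active ones. It assumes rows carry the Dataverse contact columns `contactid`, `fullname`, `emailaddress1`, and `statecode`, and that addresses are compared case-insensitively; the sample data and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like contact rows returned by a Dataverse Web API
# query selecting contactid, fullname, emailaddress1 and statecode
# (statecode 0 = Active, 1 = Inactive). All values are made up.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"contactid": "c-001", "fullname": "Ana Ruiz", "emailaddress1": "ana@example.com", "statecode": 0},
  {"contactid": "c-002", "fullname": "Ana Ruiz (old)", "emailaddress1": " Ana@Example.com", "statecode": 1},
  {"contactid": "c-003", "fullname": "Ben Okoro", "emailaddress1": "ben@example.com", "statecode": 0},
  {"contactid": "c-004", "fullname": "Cho Min", "emailaddress1": null, "statecode": 0},
  {"contactid": "c-005", "fullname": "Dee Park", "emailaddress1": null, "statecode": 1}
]}
""")

def normalize(email):
    """Assumption: addresses match after trimming whitespace and case-folding."""
    return email.strip().casefold() if email else None

def find_email_collisions(contacts):
    """Return {email: [rows]} for every address held by two or more contact
    rows, counting deactivated rows as well as active ones."""
    by_email = defaultdict(list)
    for c in contacts:
        key = normalize(c.get("emailaddress1"))
        if key:  # rows without an email address cannot collide
            by_email[key].append(c)
    return {e: rows for e, rows in by_email.items() if len(rows) > 1}

def report(collisions):
    """Format each collision as a summary line followed by its contact rows."""
    lines = []
    for email, rows in sorted(collisions.items()):
        inactive = sum(1 for r in rows if r["statecode"] == 1)
        lines.append(f"{email}: {len(rows)} contacts ({inactive} deactivated)")
        for r in rows:
            state = "inactive" if r["statecode"] == 1 else "active"
            lines.append(f"  {r['contactid']}  {state:8}  {r['fullname']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(find_email_collisions(SAMPLE_RESPONSE["value"]))))
```

Filtering the export to active contacts before running the check would hide the `c-002` row, which is exactly the case the note warns about.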
Common identity providers
The following table lists common identity providers, the protocol you can use with the provider, and relevant documentation.
Important
Configuration information about common providers for protocols such as OpenID Connect and SAML 2.0 is given as an example. You can use the provider of your choice for the given protocol. Follow similar steps to configure your preferred provider.
Provider | Protocol | Documentation |
---|---|---|
Microsoft Entra ID | OpenID Connect | Configure an OpenID Connect provider with Microsoft Entra ID |
Microsoft Entra ID | SAML 2.0 | Configure a SAML 2.0 provider with Microsoft Entra ID |
Microsoft Entra ID | WS-Federation | Configure a WS-Federation provider with Microsoft Entra ID |
Microsoft Entra External ID | OpenID Connect | Configure an OpenID Connect provider with Microsoft Entra External ID |
Azure AD B2C | OpenID Connect | Configure the Azure AD B2C provider; Configure the Azure AD B2C provider manually |
Azure Directory Federation Services (AD FS) | SAML 2.0 | Configure a SAML 2.0 provider with AD FS |
AD FS | WS-Federation | AD FS with WS-Federation |
Microsoft | OAuth 2.0 | Configure the Microsoft provider |
LinkedIn | OAuth 2.0 | Configure the LinkedIn provider |
Facebook | OAuth 2.0 | Configure the Facebook provider |
Google | OAuth 2.0 | Configure the Google provider |
Twitter | OAuth 2.0 | Configure the Twitter provider |
Local authentication (not recommended) | Not applicable | Local authentication |
Migrate your website to a new identity provider
If you're already using an identity provider, you can migrate your website to use a different one.
Open registration
Power Pages administrators have several ways to control account sign-up. Open registration, the least restrictive option, allows a user to register an account by providing a user identity, invitation code, or valid email address, depending on the configuration. Both local and external accounts participate equally in the open registration workflow. Users can choose which type of account they want to register.
Users can select an external identity from a list of identity providers or create a local account with a user name and password. We don't recommend the local account option. If users select an external identity, they must sign in through their chosen identity provider to prove they own the external account. In either case, registration creates a contact record in the Dataverse environment and the user is immediately registered and authenticated on the Power Pages site.
With open registration enabled, users aren't required to provide an invitation code to complete the sign-up process.
See also
Customize the Azure AD B2C user interface
Configure an OAuth 2.0 provider
Configure an OpenID Connect provider
Configure a SAML 2.0 provider
Configure a WS-Federation provider