Supported features in workforce and external tenants

There are two ways to configure a Microsoft Entra tenant, depending on how the organization intends to use the tenant and the resources they want to manage:

• A workforce tenant configuration is for your employees, internal business apps, and other organizational resources. B2B collaboration is used in a workforce tenant to collaborate with external business partners and guests.
• An external tenant configuration is used exclusively for External ID scenarios where you want to publish apps to consumers or business customers.

This article gives a detailed comparison of the features and capabilities available in workforce and external tenants.

הערה

During preview, features or capabilities that require a premium license are unavailable in external tenants.

General feature comparison

The following table compares the general features and capabilities available in workforce and external tenants.

Feature	Workforce tenant	External tenant
External identities scenario	Allow business partners and other external users to collaborate with your workforce. Guests can securely access your business applications through invitations or self-service sign-up.	Use External ID to secure your applications. Consumers and business customers can securely access your consumer apps through self-service sign-up. Invitations are also supported.
Local accounts	Local accounts are supported for internal members of your organization only.	Local accounts are supported for: - External users (consumers, business customers) who use self-service sign-up. - Accounts created by admins.
Groups	Groups can be used to manage administrative and user accounts.	Groups can be used to manage administrative accounts. Support for Microsoft Entra groups and application roles is being phased into customer tenants. For the latest updates, see Groups and application roles support.
Roles and administrators	Roles and administrators are fully supported for administrative and user accounts.	Roles aren't supported with customer accounts. Customer accounts don't have access to tenant resources.
ID Protection	Provides ongoing risk detection for your Microsoft Entra tenant. It allows organizations to discover, investigate, and remediate identity-based risks.	A subset of the Microsoft Entra ID Protection risk detections is available. Learn more.
ID Governance	Enables organizations to govern identity and access lifecycles, and secure privileged access. Learn more.	Not available
Self-service password reset	Allow users to reset their password using up to two authentication methods (see the next row for available methods).	Allow users to reset their password using email with one time passcode. Learn more.
Language customization	Customize the sign-in experience based on browser language when users authenticate into your corporate intranet or web-based applications.	Use languages to modify the strings displayed to your customers as part of the sign-in and sign-up process. Learn more.
Custom attributes	Use directory extension attributes to store more data in the Microsoft Entra directory for user objects, groups, tenant details, and service principals.	Use directory extension attributes to store more data in the customer directory for user objects. Create custom user attributes and add them to your sign-up user flow. Learn more.
Pricing	Monthly active users (MAU) pricing for B2B collaboration external guests (UserType=Guest).	Monthly active users (MAU) pricing for all users in the external tenant regardless of role or UserType.

Look and feel customization

The following table compares the features available for look and feel customization in workforce and external tenants.

Feature	Workforce tenant	External tenant
Company branding	You can add company branding that applies to all these experiences to create a consistent sign-in experience for your users.	Same as workforce. Learn more
Language customization	Customize the sign-in experience by browser language.	Same as workforce. Learn more
Custom domain names	You can use custom domains for administrative accounts only.	The custom URL domain feature for external tenants lets you brand app sign-in endpoints with your own domain name.
Native authentication for mobile apps	Not available	Microsoft Entra’s native authentication allows you to have full control over the design of your mobile application sign-in experiences.

Adding your own business logic

Custom authentication extensions allow you to customize the Microsoft Entra authentication experience by integrating with external systems. A custom authentication extension is essentially an event listener that, when activated, makes an HTTP call to a REST API endpoint where you define your own business logic. The following table compares the custom authentication extensions events available in workforce and external tenants.

Event	Workforce tenant	External tenant
TokenIssuanceStart	Add claims from external systems.	Add claims from external systems.
OnAttributeCollectionStart	Not available	Occurs at the beginning of the sign-up's attribute collection step, before the attribute collection page renders. You can add actions such as prefilling values and displaying a blocking error. Learn more
OnAttributeCollectionSubmit	Not available	Occurs during the sign-up flow, after the user enters and submits attributes. You can add actions such as validating or modifying the user's entries. Learn more
OnOtpSend	Not available	Configure a custom email provider for one time passcode send events. Learn more

Identity providers and authentication methods

The following table compares the identity providers and methods available for primary authentication and multifactor authentication (MFA) in workforce and external tenants.

Feature	Workforce tenant	External tenant
Identity providers for external users (primary authentication)	For self-service sign-up guests - Microsoft Entra accounts - Microsoft accounts - Email one-time passcode - Google federation - Facebook federation For invited guests - Microsoft Entra accounts - Microsoft accounts - Email one-time passcode - Google federation - SAML/WS-Fed federation	For self-service sign-up users (consumers, business customers) - Email with password - Email one-time passcode - Google federation (preview) - Facebook federation (preview) - Apple federation (preview) - OIDC federation (preview) - SAML/WS-Fed federation (preview) For invited guests (preview) Guests invited with a directory role (for example, admins): - Microsoft Entra accounts - Microsoft accounts - Email one-time passcode - SAML/WS-Fed federation (preview)
Authentication methods for MFA	For internal users (employees and admins) - Authentication and verification methods For guests (invited or self-service sign-up) - Authentication methods for guest MFA	For self-service sign-up users (consumers, business customers) or invited users (preview) - Email one-time passcode - SMS-based authentication

Application registration

The following table compares the features available for Application registration in each type of tenant.

Feature	Workforce tenant	External tenant
Protocol	SAML relying parties, OpenID Connect, and OAuth2	SAML relying parties, OpenID Connect, and OAuth2
Supported account types	The following account types: Accounts in this organizational directory only (Single tenant) Accounts in any organizational directory (Any Microsoft Entra tenant - Multitenant) Accounts in any organizational directory (Any Microsoft Entra tenant - Multitenant) and personal Microsoft accounts (such as Skype, Xbox) Personal Microsoft accounts only	Always use Accounts in this organizational directory only (Single tenant).
Platform	The following platforms: Public client/native (mobile & desktop) Web Single page application (SPA)	The following platforms: Public client (mobile & desktop) Native authentication mobile Web Single page application (SPA)
Authentication > Redirect URIs	The URIs Microsoft Entra ID accepts as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users.	Same as workforce.
Authentication > Front-channel logout URL	This URL is where Microsoft Entra ID sends a request to have the application clear the user's session data. The Front-channel logout URL is required for single sign-out to work correctly.	Same as workforce.
Authentication > Implicit grant and hybrid flows	Request a token directly from the authorization endpoint.	Same as workforce.
Certificates & secrets	Certificate Client secrets Federated credentials	Same as workforce.
API permissions	Add, remove, and replace permissions to an application. After permissions are added to your application, users or admins need to grant consent to the new permissions. Learn more about updating an app's requested permissions in Microsoft Entra ID.	The following are the allowed permissions: Microsoft Graph offline_access, openid, and User.Read and your My APIs delegated permissions. Only an admin can consent on behalf of the organization.
Expose an API	Define custom scopes to restrict access to data and functionality protected by the API. An application that requires access to parts of this API can request that a user or admin consent to one or more of these scopes.	Define custom scopes to restrict access to data and functionality protected by the API. An application that requires access to parts of this API can request that admin consent to one or more of these scopes.
App roles	App roles are custom roles to assign permissions to users or apps. The application defines and publishes the app roles and interprets them as permissions during authorization.	Same as workforce. Learn more about using role-based access control for applications in an external tenant.
Owners	Application owners can view and edit the application registration. Additionally, any user (who might not be listed) with administrative privileges to manage any application (for example, Cloud Application Administrator) can view and edit the application registration.	Same as workforce.
Roles and administrators	Administrative roles are used for granting access for privileged actions in Microsoft Entra ID.	Only the Cloud Application Administrator role can be used for apps in external tenants. This role grants the ability to create and manage all aspects of application registrations and enterprise applications.
Assigning users and groups to an app	When user assignment is required, only those users you assign to the application (either through direct user assignment or based on group membership) are able to sign in. For more information, see manage users and groups assignment to an application	Not available

OpenID Connect and OAuth2 flows

The following table compares the features available for OAuth 2.0 and OpenID Connect authorization flows in each type of tenant.

Feature	Workforce tenant	External tenant
OpenID Connect	Yes	Yes
Authorization code	Yes	Yes
Authorization code with Code Exchange (PKCE)	Yes	Yes
Client credentials	Yes	v2.0 applications (preview)
Device authorization	Yes	Preview
On-Behalf-Of flow	Yes	Yes
Implicit grant	Yes	Yes
Resource Owner Password Credentials	Yes	No, for mobile applications, use native authentication.

Authority URL in OpenID Connect and OAuth2 flows

The authority URL is a URL that indicates a directory that MSAL can request tokens from. For apps in external tenants, always use the following format: <tenant-name>.ciamlogin.com

The following JSON shows an example of a .NET application appsettings.json file with an authority URL:

JSON

{
    "AzureAd": {
        "Authority": "https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/",
        "ClientId": "<Enter_the_Application_Id_Here>"
    }
}

Conditional Access

The following table compares the features available for Conditional Access in each type of tenant.

Feature	Workforce tenant	External tenant
Assignments	Users, groups, and workload identities	Include all users, and exclude users and groups. For more information, see Add multifactor authentication (MFA) to an app.
Target resources	Cloud apps User actions Global Secure Access Authentication context	All resources, selected apps, or filter applications. Authentication context
Conditions	Sign-in risk User risk Device platforms Locations Client apps Filter for devices	Sign-in risk User risk Device platforms Locations
Grant	Grant or block access to resources	Block access Require multifactor authentication Require password reset
Session	Session controls	Not available

Account management

The following table compares the features available for user management in each type of tenant. As noted in the table, certain account types are created through invitation or self-service sign-up. A user admin in the tenant can also create accounts via the admin center.

Feature	Workforce tenant	External tenant
Types of accounts	Internal members, for example employees and admins. External users who are invited or use self-service sign-up.	Internal users in your tenant, for example admins. External consumers and business customers who use self-service sign-up or who are created by admins. External users who are invited (preview).
Manage user profile info	Programmatically and by using the Microsoft Entra admin center.	Same as workforce.
Reset a user's password	Administrators can reset a user's password if the password is forgotten, if the user gets locked out of a device, or if the user never received a password.	Same as workforce.
Restore or remove a recently deleted user	After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties.	Same as workforce.
Disable accounts	Prevent the new user from being able to sign in.	Same as workforce.

Password protection

The following table compares the features available for password protection in each type of tenant.

Feature	Workforce tenant	External tenant
Smart lockout	Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in	Same as workforce.
Custom banned passwords	The Microsoft Entra custom banned password list lets you add specific strings to evaluate and block.	Not available.

Token customization

The following table compares the features available for token customization in each type of tenant.

Feature	Workforce tenant	External tenant
Claims mapping	Customize claims issued in the JSON web token (JWT) for enterprise applications.	Same as workforce. Optional claims must be configured through Attributes & Claims.
Claims transformation	Apply a transformation to a user attribute issued in the JSON web token (JWT) for enterprise applications.	Same as workforce.
Custom claims provider	Custom authentication extension that calls an external REST API, to fetch claims from external systems.	Same as workforce. Learn more
Security groups	Configure groups optional claims.	Configure groups optional claims are limited to the group object ID.
Token lifetimes	You can specify the lifetime of security tokens issued by the Microsoft Entra ID.	Same as workforce.

Microsoft Graph APIs

All features that are supported in external tenants are also supported for automation through Microsoft Graph APIs. Some features that are in preview in external tenants might be generally available through Microsoft Graph. For more information, see Manage Microsoft Entra identity and network access by using Microsoft Graph.

Next steps

• Planning for CIAM