Microsoft Entra External ID (Preview)

Or Azure AD for customers, yes, Azure AD for customers. That’s the name of the game. Microsoft released this excellent feature at Build yesterday and I wanted to elaborate on it a bit more.

Why use it?

Azure AD makes it simple for organizations and enterprises to integrate CIAM capabilities like self-service registration, customized sign-in experiences, and customer account management into their public-facing apps. Because these CIAM capabilities are embedded into Azure AD, you also gain platform benefits such as improved security, compliance, and scalability.

Sound familiar to all you B2C admins? Well, this will make your life easier, and the documentation is extensive; please see it on Learn.

What do you get with the free trial?

Feature | Azure AD for customers trial (without credit card) | Azure Active Directory account, includes Partners (needs credit card)
--- | --- | ---
Self-service account experiences (sign-up, sign-in, and password recovery) | ✔️ | ✔️
MFA (with email OTP) | ✔️ | ✔️
Custom token augmentation (from external sources) | ✔️ | ✔️
Social identity providers | ✔️ | ✔️
Identity Protection (Conditional Access for adaptive risk-based policies) | | ✔️
Default, least-access privileges for CIAM end users | ✔️ | ✔️
Rich authorization (including group and role management) | ✔️ | ✔️
Customizable sign-in/sign-up experiences (background, logo, strings) | ✔️ | ✔️
Group and user management | ✔️ | ✔️
Cloud-agnostic solution with multi-language auth SDK support | ✔️ | ✔️

Identity Protection is the only one you cannot try out for free, as it needs an Azure AD P2 license to work.

Customer and Workforce

Microsoft Entra now allows you to provision and manage two kinds of tenants.

  • A workforce tenant contains your employees as well as your organization’s internal apps and resources. If you’ve dealt with Azure AD, you’re already familiar with this kind of tenant. You might already have a workforce tenant for your firm.
  • A customer tenant represents your client-facing app, resources, and customer account directory. A customer tenant is distinct from your workforce tenant.

See Learn for the differences.

How to try it out?

Open https://aka.ms/ciam-free-trial and, once there, choose your region and the name of the tenant; it will suggest one for you, but you can change it if needed.

Then wait about 3-5 minutes until it’s done.

And once done, you can choose the default method for users to sign in with.

Once you enable social identity providers, customers can choose from the social identity providers you’ve made available on the sign-up page. To set up a social identity provider in your customer tenant, create an application at the identity provider and configure credentials there. You will be given a client or app ID as well as a client or app secret, which you then add to your customer tenant.

You can customize the experience with your own logo, background color, and alignment of the login screen.

Notice that once you start to customize the tenant, you will see the new name in the address bar.

And done!

And the final product! How cool is that!

Creating an account

Choose Create one.

And type in your email address.

And you will get a prompt for the OTP.

Type it in and hit next.

Then you have to give additional information.

Using Google as IdP

This is also possible: customers just log in to your tenant directly with a Google account, using Google’s authentication services.

And the configured identity providers (IdPs) are also here.

You add Google with the following. Once all done, you can hit “Save and Continue”.

Then go to Credentials and Create credentials.

Choose OAuth Client ID.

And give the following URIs; please note that you need your Tenant ID in the first one and the Tenant Prefix in the second.

When you are shown the ID and the Secret, copy them accordingly.

And we have Google as an IdP.

See more on Microsoft Learn.

User flows

You can find the created user flows at https://entra.microsoft.com/?feature.msaljs=false#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/UserFlows/menuId/UserFlows

Under the flow you can see the settings we specified during the initial setup.

Under Identity providers you can change the IdP that is to be used.

And Microsoft attached jwt.ms as an application in the wizard, so you can easily try it out.

Testing the User flow

If you want to try it out, you can use this URL.

When creating users with Google, we now notice a new sign-in option.

Enter your credentials and log in.

And you will be presented with an additional information prompt.

Seems familiar, right?
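What jwt.ms shows you is the decoded header and claims, which is handy for inspecting a token but is not validation. As an added example that is not part of this post or Microsoft’s own code, the stdlib-only Python below mirrors the two steps: decode_unverified() does what jwt.ms does, and validate_id_token() performs the checks an application must pass before trusting an ID token from a customer tenant: RS256 signature against the keys in the tenant’s JWKS, then issuer, audience and validity window with a little clock leeway. Because it has to run offline, it generates a throwaway RSA key and mints a test token with it; a real app never does that but fetches the public keys from the jwks_uri named in the tenant’s OpenID Connect discovery document, and reads the expected issuer from the same document. The kid, key names and claim values are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url_encode(data: bytes) -> str:   # JWTs use unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Throwaway RSA key for the offline demo only. An app never generates signing keys:
# it fetches the tenant's public keys from the jwks_uri in the OpenID discovery document.
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(c):
            return c

def generate_rsa_key(bits: int = 2048) -> dict:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return {"kid": "demo-key-1", "n": n, "e": e, "d": pow(e, -1, phi)}

def to_jwks(key: dict) -> dict:
    """Public half only, in the shape a tenant's JWKS endpoint publishes."""
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": key["kid"], "n": enc(key["n"]), "e": enc(key["e"])}]}

# RSASSA-PKCS1-v1_5 with SHA-256, i.e. JWS alg RS256
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))   # constant-time compare

def mint_id_token(key: dict, claims: dict) -> str:
    dump = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = f'{dump({"typ": "JWT", "alg": "RS256", "kid": key["kid"]})}.{dump(claims)}'
    return f"{signing_input}.{b64url_encode(rs256_sign(key, signing_input.encode()))}"

def decode_unverified(token: str) -> tuple:
    """What jwt.ms does: decode header and claims without trusting either."""
    h, c, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))

def validate_id_token(token, jwks, issuer, client_id, now=None, leeway=60):
    """Checks an app must pass before trusting an ID token. Returns (ok, reason, claims)."""
    try:
        header, claims = decode_unverified(token)
        signing_input, sig = token.rsplit(".", 1)
    except ValueError:                       # bad base64, bad JSON or wrong part count
        return False, "malformed token", None
    if header.get("alg") != "RS256":         # the token never gets to choose the algorithm
        return False, "unexpected alg", None
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "unknown kid", None
    n, e = (int.from_bytes(b64url_decode(jwk[p]), "big") for p in ("n", "e"))
    if not rs256_verify(n, e, signing_input.encode(), b64url_decode(sig)):
        return False, "bad signature", None
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    for ok, reason in ((claims.get("iss") == issuer, "wrong issuer"),
                       (client_id in aud, "wrong audience"),
                       (claims.get("exp", 0) + leeway >= now, "expired"),
                       (claims.get("nbf", 0) - leeway <= now, "not yet valid")):
        if not ok:
            return False, reason, None
    return True, "ok", claims
```

Usage is key = generate_rsa_key(); jwks = to_jwks(key); token = mint_id_token(key, {...}); then validate_id_token(token, jwks, issuer, client_id). The ordering inside validate_id_token is deliberate: the signature is checked before any claim is looked at, so a token whose payload was edited after signing (which jwt.ms would still happily display) is rejected as "bad signature" rather than leaking which claim check it would have failed, and the algorithm is pinned to RS256 rather than read from the untrusted header.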

API

For management you can use the Azure REST API.

Branding, user flow and extension management you can do with the Microsoft Graph API.

Closure

Beautiful, this is a major improvement to the already huge feature pack of Azure AD. And Azure AD for customers isn’t a rebranded B2C; see the FAQ for similar questions and answers.

Author: Harri Jaakkonen
