
Introduction
Microsoft Entra External ID represents a strategic evolution in how external identities—whether customers, partners, or collaborators—are handled within the Microsoft ecosystem. Based on the architecture guidance provided by Microsoft, this blog post aims to give a comprehensive and technically detailed overview of Entra External ID, how it compares to legacy systems such as Azure AD B2C, and what you need to consider when deploying it.
Key Architecture Concepts and Planning Recommendations
1. Deployment Planning
Organizations should plan their Entra External ID environments just as carefully as internal identity infrastructures. The recommendation is to create separate tenants for different environments (Production, Development, Test, QA) to maintain clear boundaries between stages.
Environment | Tenant Name | Billing Subscription |
---|---|---|
Production | contoso-ext-prod | Azure Subscription A |
Development | contoso-ext-dev | Azure Subscription B |
Test | contoso-ext-test | Azure Subscription B |
Quality Assurance | contoso-ext-qa | Azure Subscription C |
2. Perimeter Security and Custom Domains
Using custom domains (e.g., login.contoso.com) is recommended to abstract the Entra ID domain. This also enables you to place perimeter security services such as Web Application Firewalls (WAFs) in front of the authentication flow.
Security Enhancements Include:
- Protection from DDoS and bot attacks
- Rate limiting for API requests
- Real-time logging and threat intelligence
3. Protecting Sign-Up Experiences from IRSF Fraud
International Revenue Share Fraud (IRSF) is a real risk in sign-up flows involving phone verification. Microsoft recommends:
- Using email or TOTP over SMS
- CAPTCHA or invisible CAPTCHA
- Rate limiting OTP requests
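The last recommendation, rate limiting OTP requests, is the one an application team usually has to implement on its own sign-up API. The following is an added example (not code from the original post or from Entra External ID) of a sliding-window limiter that caps OTP deliveries per phone number, per client address, and per destination prefix, so that a sign-up form cannot be driven to pump SMS traffic at premium-rate numbers. All thresholds and the three-digit prefix bucketing are assumptions.

```python
"""Sliding-window rate limiting of one-time-passcode (OTP) deliveries.

Added example, not code from the original post or from Entra External ID.
It models the control recommended above: cap how many SMS/voice OTPs a
single phone number, a single client address and a single destination
prefix may trigger per window. All thresholds are assumed values."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Tuple


def destination_prefix(phone: str) -> str:
    """Coarse bucket for a destination: the first three digits after '+' of
    an E.164 number. A real deployment would map to a country/carrier table
    (assumption: three digits is good enough to illustrate the budget)."""
    if not phone.startswith("+") or not phone[1:].isdigit():
        raise ValueError("phone must be E.164, e.g. +15551234567")
    return phone[1:4]


@dataclass
class OtpRateLimiter:
    window_seconds: int = 3600
    max_per_phone: int = 3        # assumed: 3 OTPs per number per hour
    max_per_ip: int = 10          # assumed: 10 OTPs per client address per hour
    max_per_prefix: int = 50      # assumed: 50 OTPs per destination prefix per hour
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def _count(self, key, now: float) -> int:
        """Drop timestamps that fell out of the window and return what remains."""
        q = self._events[key]
        while q and q[0] <= now - self.window_seconds:
            q.popleft()
        return len(q)

    def check(self, phone: str, client_ip: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Only allowed requests consume budget, so a
        caller that is already blocked cannot burn the shared prefix budget."""
        limits = [
            (("phone", phone), self.max_per_phone, "phone limit"),
            (("ip", client_ip), self.max_per_ip, "ip limit"),
            (("prefix", destination_prefix(phone)), self.max_per_prefix, "prefix budget"),
        ]
        for key, limit, reason in limits:
            if self._count(key, now) >= limit:
                return False, reason
        for key, _, _ in limits:
            self._events[key].append(now)
        return True, "ok"


if __name__ == "__main__":
    limiter = OtpRateLimiter()
    for i in range(5):
        # Same number five times in a row: the fourth request is refused.
        print(i, limiter.check("+15551234567", "203.0.113.5", 1_000_000.0 + i))
```

The per-prefix budget is the piece that specifically targets IRSF: an attacker rotating through many fresh numbers and source addresses still shares one destination budget, which trips well before the per-number limits would. In production the counters would live in a shared store (for example Redis) rather than in process memory.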
4. Account Takeover Mitigation
To reduce the risk of account takeovers:
- Enforce MFA on sensitive actions
- Prevent password reuse
- Monitor user sign-in risk via Conditional Access
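Of the three mitigations, "prevent password reuse" is the one whose mechanism is easy to get wrong when an application keeps its own credential store alongside the identity platform. The following added example (not from the original post, and not how Entra External ID implements its own password policy) shows the standard approach: keep a salted PBKDF2 hash of the last N passwords and refuse any new password that matches one of them. The history depth and iteration count are assumed values.

```python
"""Password-history check that blocks password reuse.

Added example, not code from the original post or from Entra External ID.
Keeps a salted PBKDF2 digest of the last HISTORY_DEPTH passwords; a new
password is rejected if it re-derives to any stored digest. N and the
iteration count are assumed values."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HISTORY_DEPTH = 5            # assumed policy: the last 5 passwords may not be reused
PBKDF2_ITERATIONS = 100_000  # assumed; raise to current OWASP guidance in production

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_reused(candidate: str, history: List[HistoryEntry]) -> bool:
    """True if candidate equals any password in history. Each entry carries
    its own salt, so the candidate is re-derived per entry. Every entry is
    checked (no early exit) and compared with compare_digest so timing does
    not reveal which entry matched."""
    found = False
    for salt, digest in history:
        found |= hmac.compare_digest(hash_password(candidate, salt)[1], digest)
    return found


def rotate_password(history: List[HistoryEntry], new_password: str) -> List[HistoryEntry]:
    """Accept new_password and return the updated history (newest first,
    trimmed to HISTORY_DEPTH). Raises ValueError when the password is reused."""
    if is_reused(new_password, history):
        raise ValueError("new password matches one of the last %d passwords" % HISTORY_DEPTH)
    return ([hash_password(new_password)] + list(history))[:HISTORY_DEPTH]


if __name__ == "__main__":
    history = rotate_password([], "Winter-2025!")
    print("reuse detected:", is_reused("Winter-2025!", history))
```

The current password is simply the newest history entry, so the same list serves both the sign-in check and the reuse check; storing it once avoids the common bug where the active password is excluded from the history and can therefore be "changed" to itself.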
5. Monitoring and Alerting
Microsoft Entra External ID integrates with Azure Monitor for rich insights:
Recommended Monitors:
- Availability: Health endpoints
- Functionality: Synthetic transactions
- Performance: Baseline metrics
- Usage: MAU trends, authentication failures
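Sign-in logs forwarded to Azure Monitor are the raw material for the "authentication failures" monitor. The following is an added example (not code from the original post) of the detection logic behind such an alert: it groups sign-in records into 5-minute windows, compares each window's failure rate with an assumed baseline, and flags any single account that accumulates a burst of failures. The sample records are constructed here using field names of the shape Entra sign-in logs use (TimeGenerated, UserPrincipalName, IPAddress, ResultType, with 0 meaning success); the baseline, window size and thresholds are assumed values.

```python
"""Failure-rate and per-user burst detection over sign-in log records.

Added example, not from the original post. The sample log below is
constructed; field names follow the shape of Entra sign-in logs in Azure
Monitor (ResultType 0 = success, 50126 = invalid credentials). Baseline,
window size and thresholds are assumed values."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one 5-minute window with a credential-guessing burst
# against bob, then a quiet window of normal sign-ins an hour later.
SAMPLE_LOG = "\n".join(
    json.dumps(r) for r in
    [{"TimeGenerated": "2025-05-01T10:00:%02dZ" % s, "UserPrincipalName": "bob@contoso.com",
      "IPAddress": "203.0.113.7", "ResultType": 50126} for s in range(0, 60, 10)]
    + [{"TimeGenerated": "2025-05-01T10:02:%02dZ" % s, "UserPrincipalName": "user%d@contoso.com" % s,
        "IPAddress": "198.51.100.1", "ResultType": 0} for s in range(0, 40, 10)]
    + [{"TimeGenerated": "2025-05-01T11:00:%02dZ" % s, "UserPrincipalName": "user%d@contoso.com" % s,
        "IPAddress": "198.51.100.2", "ResultType": 0} for s in range(0, 60, 6)]
)


def parse_records(text: str):
    """Parse newline-delimited JSON records and attach a UTC datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(r)
    return records


def window_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its fixed window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def failure_alerts(records, baseline_rate=0.05, factor=3.0, window_minutes=5,
                   min_events=10, user_burst=5):
    """Return alerts for windows whose failure rate exceeds factor x baseline
    (only when the window has enough events to be meaningful) and for any
    account with user_burst or more failures inside one window."""
    windows = defaultdict(list)
    for r in records:
        windows[window_start(r["ts"], window_minutes)].append(r)
    alerts = []
    for start, recs in sorted(windows.items()):
        failures = [r for r in recs if r["ResultType"] != 0]
        if len(recs) >= min_events:
            rate = len(failures) / len(recs)
            if rate > baseline_rate * factor:
                alerts.append({"type": "failure_rate", "window": start.isoformat(),
                               "rate": round(rate, 2), "events": len(recs)})
        per_user = defaultdict(int)
        for r in failures:
            per_user[r["UserPrincipalName"]] += 1
        for upn, n in sorted(per_user.items()):
            if n >= user_burst:
                alerts.append({"type": "user_failure_burst", "window": start.isoformat(),
                               "user": upn, "failures": n})
    return alerts


if __name__ == "__main__":
    for alert in failure_alerts(parse_records(SAMPLE_LOG)):
        print(alert)
```

The minimum-events guard matters in practice: a window with two sign-ins, one of which failed, is a 50% failure rate and would page someone at 3 a.m. for nothing. The same logic maps directly onto a scheduled Log Analytics query once the baseline has been measured from real traffic.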
Technical controls table
Category | Measure | Purpose |
---|---|---|
Environment Planning | Tenant Segmentation: Establish separate tenants for production, development, testing, and quality assurance environments. | Ensures configuration changes can be validated without impacting production, and allows for isolated billing and management. |
Security Measures | Custom Domains with WAF: Implement custom domains (e.g., login.contoso.com) and place Web Application Firewalls (WAFs) in front of authentication flows. | Protects against DDoS attacks, bot traffic, and other threats by adding a security layer to authentication endpoints. |
Security Measures | CAPTCHA and Rate Limiting: Use CAPTCHA during sign-up and implement rate limiting for OTP requests. | Mitigates automated attacks and reduces the risk of fraudulent sign-ups, such as International Revenue Share Fraud (IRSF). |
Security Measures | Multi-Factor Authentication (MFA): Enforce MFA for sensitive operations and sign-ins. | Adds an additional layer of security to prevent unauthorized access and account takeovers. |
Monitoring & Auditing | Azure Monitor Integration: Configure Azure Monitor to collect and analyze logs from Entra External ID. | Enables real-time monitoring, alerting, and analysis of authentication activities and system health. |
Monitoring & Auditing | Log Export: Export sign-in and audit logs to external storage for long-term retention and compliance. | Facilitates compliance with regulatory requirements and supports forensic investigations. |
Performance Management | Throttling Awareness: Understand and plan for service throttling limits, especially when performing bulk operations via Microsoft Graph API. | Prevents service disruptions by ensuring operations stay within defined limits, maintaining system stability. |
Compliance | Data Governance: Define and document compliance requirements related to data storage, log retention, encryption, and attribute management. | Ensures that the deployment adheres to industry regulations and organizational policies, maintaining data integrity and privacy. |
Authentication Protocols | Protocol Support: Utilize supported authentication protocols such as OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0 for integrating applications. | Provides flexibility in integrating various applications and services with Entra External ID, catering to diverse authentication needs. |
User Experience | Native Authentication: Implement native authentication flows within mobile and desktop applications using Microsoft Authentication Libraries (MSAL). | Enhances user experience by allowing seamless sign-in within applications without redirecting to external browsers. |
Provisioning | SCIM Provisioning: Use the System for Cross-domain Identity Management (SCIM) protocol for automating user provisioning and deprovisioning. | Streamlines identity lifecycle management, ensuring that user accounts are accurately and efficiently maintained across systems. |
Entra External ID and Azure AD B2C: A Comparison
While Microsoft is not deprecating Azure AD B2C immediately, it is positioning Entra External ID as the future. According to CloudPartner.fi, B2C remains a separate SKU but new capabilities are directed at Entra External ID. The platforms differ in several ways:
Feature/Capability | Microsoft Entra External ID | Azure AD B2C |
---|---|---|
Target Audience | External users (B2C/B2B) | B2C customers only |
Social Identity Integration | Yes | Yes |
Conditional Access | Yes | Limited |
Custom Branding | Moderate | Extensive |
Native Mobile Auth Experience | Yes | No |
Graph API Integration | Yes | Yes |
WAF and Security Integration | Supported | Manual effort |
Monitoring and Logging | Azure Monitor | Limited |
Licensing Model | MAU-based | MAU-based |
Long-Term Support | Actively Developed | Supported until ~2030 |
Getting Started with Microsoft Entra External ID
Step 1: Create a Tenant
- Sign into Microsoft Entra admin center.
- Navigate to Identity > Overview > Manage tenants.
- Click Create, choose External, and follow the setup process.
Step 2: Customize the Sign-In Experience
- Choose between email/password, one-time passcodes, or federated IdPs
- Add your logo and branding
- Configure Google, Apple, Facebook, or custom OIDC providers
Step 3: Test and Monitor
- Run sample apps to test sign-in flows
- Monitor traffic and authentication success/failure
Migrating from Azure AD B2C
User Data Migration
Use the Microsoft Graph API to import essential user attributes (username, email, phone). Avoid migrating sensitive PII or financial data.
Best Practice:
- Migrate only essential data
- Consider using staging environments for validation
Password Strategy
If passwords cannot be migrated:
- Assign temporary passwords with mandatory resets
- Encourage users to reset their password during first login
- Consider email notifications or staged rollouts
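The three migration points above (import only essential attributes via Microsoft Graph, issue temporary passwords with a mandatory reset, and stay within Graph throttling limits during bulk operations) fit naturally into one script. The following is an added example, not Microsoft's or the original post's code: it maps a legacy record to a Graph user body through an attribute allowlist so sensitive fields are dropped rather than copied, generates a random temporary password flagged for change at next sign-in, and retries `POST /users` honouring the `Retry-After` header on HTTP 429. The HTTP transport is injected so the module runs offline. Assumptions: the allowlist, the tenant issuer placeholder, and that the `identities`/`passwordProfile` payload shape matches what your External ID tenant accepts (verify against the Graph user documentation before running it for real).

```python
"""Migrating essential user attributes into an Entra External ID tenant via
Microsoft Graph, with attribute minimisation, temporary passwords that must
be reset at first sign-in, and handling of Graph throttling (HTTP 429 with
Retry-After).

Added example, not Microsoft's or the original post's code. The HTTP
transport is injected so the module runs offline. Assumptions: the
allowlist, the issuer placeholder, and the payload shape."""
import secrets
import string
import time
from typing import Callable, Dict, List, Tuple

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
TENANT_ISSUER = "contoso-ext-prod.onmicrosoft.com"        # placeholder, set to your tenant
ESSENTIAL_ATTRIBUTES = {"displayName", "email", "phone"}  # assumed allowlist


def temporary_password(length: int = 20) -> str:
    """Random temporary password with at least one character of each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_user(legacy: Dict) -> Tuple[Dict, List[str]]:
    """Map a legacy B2C record to a Graph user body, keeping only allowlisted
    attributes. Returns (body, names of attributes that were dropped)."""
    dropped = sorted(set(legacy) - ESSENTIAL_ATTRIBUTES)
    body = {
        "accountEnabled": True,
        "displayName": legacy["displayName"],
        "identities": [{
            "signInType": "emailAddress",
            "issuer": TENANT_ISSUER,
            "issuerAssignedId": legacy["email"],
        }],
        # Mandatory reset: the temporary password never becomes a long-term credential.
        "passwordProfile": {
            "password": temporary_password(),
            "forceChangePasswordNextSignIn": True,
        },
    }
    if legacy.get("phone"):
        body["mobilePhone"] = legacy["phone"]
    return body, dropped


def post_with_backoff(send: Callable[[str, Dict], Tuple[int, Dict]], body: Dict,
                      max_attempts: int = 5, sleep=time.sleep) -> Tuple[int, int]:
    """POST via send(url, body) -> (status, response_headers), honouring
    Retry-After on 429/503 and falling back to exponential backoff.
    Returns (final_status, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        status, headers = send(GRAPH_USERS_URL, body)
        if status in (429, 503):
            delay = float(headers.get("Retry-After", 2 ** attempt))
            sleep(delay)
            continue
        return status, attempt
    raise RuntimeError("Graph kept throttling after %d attempts" % max_attempts)


def throttling_transport(throttle_first: int) -> Callable[[str, Dict], Tuple[int, Dict]]:
    """Offline stand-in for Graph: answer 429 + Retry-After for the first
    `throttle_first` calls, then 201 Created."""
    calls = {"n": 0}

    def send(url: str, body: Dict) -> Tuple[int, Dict]:
        calls["n"] += 1
        if calls["n"] <= throttle_first:
            return 429, {"Retry-After": "1"}
        return 201, {}
    return send


if __name__ == "__main__":
    # Constructed legacy record; ssn and cardNumber must not reach the new tenant.
    legacy_record = {"displayName": "Alice Example", "email": "alice@example.com",
                     "phone": "+15550000001", "ssn": "redacted", "cardNumber": "redacted"}
    body, dropped = build_user(legacy_record)
    print("dropped attributes:", dropped)
    print(post_with_backoff(throttling_transport(2), body, sleep=lambda d: print("waiting", d)))
```

For a real run, `send` would wrap an HTTP client that adds the bearer token for a service principal with `User.ReadWrite.All`, and the temporary password would be delivered to the user out of band together with the reset prompt the text recommends.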
Roadmap and Lifecycle Notes
- May 1, 2025: End of sale for Azure AD External Identities P1/P2
- 2030+: Azure AD B2C will be supported at least until this date
- Now: Microsoft Entra External ID is GA and recommended for new solutions
Conclusion
Microsoft Entra External ID brings security, scalability, and manageability to the forefront of customer and partner identity management. By integrating the insights from Microsoft’s architectural guidelines and the practical recommendations from CloudPartner.fi, organizations can confidently deploy and migrate their external identity solutions.
If you’re building or modernizing your external identity management, now is the time to prioritize Microsoft Entra External ID.