What is Microsoft Entra External ID? The Basics

Brace yourselves for a game-changer. As the digital world constantly evolves, so does the technology that manages our digital identities. Enter Microsoft Entra External ID, the latest innovation from Microsoft's technological treasure trove. This next-generation Customer Identity and Access Management (CIAM) platform is becoming the talk of the town, and if you're feeling left out, worry not, we've got you covered.

In the latest Microsoft Build event, Microsoft offered a sneak peek into the new Microsoft Entra External ID solution. Whether your IAM system is designed to accommodate customers, partners, or citizens, this promising system takes a leap forward in unifying secure user experiences for all external identities under one comprehensive platform. So, buckle up, and let's delve deeper into what this exciting new platform has to offer.

Understanding identity management

The shift toward a digitally powered world has amplified the need for robust, reliable, and secure identity management systems. This becomes even more critical when it comes to managing external identities - such as those of customers, partners, and the broader public.

In an era where data breaches and identity theft are common, organizations need to ensure that their systems can reliably authenticate and authorize individuals. The need for a secure yet seamless user experience cannot be understated. 

Whether a user is:

• Signing up for a service,
• Accessing resources,
• Interacting with different digital platforms, the identity management system is the silent force that facilitates this access, all while ensuring that the right individuals have access to the appropriate resources.

Customer Identity and Access Management (CIAM) systems, like Microsoft's Entra External ID, are particularly important in managing external identities. They need to be able to:

• Scale to accommodate large volumes of identities
• Be flexible enough to cater to diverse use cases
• Be secure enough to protect sensitive user data. 

Moreover, in a world that is increasingly privacy-focused, these systems must also respect and protect user privacy rights.

In essence, the evolution and refinement of identity management systems are vital to ensuring the security, privacy, and overall user experience of the digital services we all use daily. Microsoft Entra External ID represents a leap forward in this domain, aiming to offer a streamlined, secure, and integrated platform for managing all external identities.

What is Microsoft Entra External ID?

Microsoft Entra External ID is a new platform that enables developers to create secure and engaging experiences for external users, such as customers, partners, or citizens. It is part of the Microsoft Entra family of identity and access products, along with Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.

Microsoft Entra External ID allows external users to sign in to your applications using their own identities, whether they are corporate, government, or social identities. You can manage access to your applications with Azure AD or Azure AD B2C, depending on your needs and scenarios. For example, you can use Azure AD B2C to publish consumer-facing apps, or use Azure AD to collaborate with external users on Office 365 apps or other enterprise apps.

Microsoft Entra External ID is designed to be developer-centric and easy to use. It provides a unified platform that supports various protocols, such as OpenID Connect, OAuth 2.0, SAML 2.0, and SCIM. It also offers a rich set of features, such as custom policies, user flows, identity providers, user attributes, consent management, and more.

Microsoft Entra External ID is currently in public preview, and you can try it out for free. You can learn more about it from the official documentation or watch the Microsoft Build 2023 session introducing the platform and its capabilities.

What are the capabilities of Microsoft Entra External ID?

For customers

Microsoft Entra External ID, also recognized as Azure Active Directory (Azure AD) for customers, marks a new chapter in Microsoft's provision of customer identity and access management (CIAM) solutions. This development is a boon for organizations and businesses aiming to offer their public-facing applications to a broad consumer base. 

Azure AD simplifies the incorporation of key CIAM features, such as self-service registration, tailored sign-in experiences, and comprehensive customer account management. An added advantage is that these capabilities are natively integrated into Azure AD. This means that users will gain from the platform's superior features, which include enhanced security measures, strict compliance protocols, and the ability to scale efficiently and effectively.

Protect customer and partner identities

In addition to providing comprehensive access management, Microsoft Entra External ID bolsters the protection of all identities through robust authentication mechanisms. It employs stringent conditional access policies and multifactor authentication (MFA) techniques to avert risky access attempts and ensure the security of user credentials. 

• Create a conditional access policy
• Enable email one-time passcode as an MFA method
• Test the sign-in

Azure AD Identity Protection offers continuous risk monitoring for your customer tenant, enabling organizations to identify, scrutinize, and address identity-based risks. It features risk reports that serve as valuable tools for probing into identity risks within customer tenants. Throughout this piece, we will guide you on how to delve into and alleviate these potential risks.

• Get identity protection reports
• Investigate risky users
• Get risky users' report

Control access rights for external users

The platform empowers organizations to accurately define access levels, manage identity lifecycles, and implement effective access controls for customers and partners. This powerful CIAM solution ensures individuals can seamlessly perform their roles without security being compromised. 

Azure Active Directory (Azure AD) for customers offers a flexible, scalable solution for incorporating customer identity and access management (CIAM) into your application. Since it's based on the Azure AD platform, it offers the advantage of uniformity in application integration, tenant management, and operations across your employee and customer use cases. As you devise your configuration, it's critical to comprehend the elements of a customer tenant and the array of Azure AD features at your disposal for various customer situations.

Design self-service sign-up flows

You can design a straightforward registration and login experience for your customers by incorporating a user flow into your application. This user flow outlines the progression of registration steps your customers undergo and the authentication methods available to them (like email and password, single-use codes, or social accounts via Google or Facebook). 

Additionally, you have the option to gather customer data during the registration process by choosing from a range of predefined user attributes or introducing your own custom attributes.

There are various user flow settings available that enable you to manage the customer's application registration process, which include:

• Selection of authentication methods and social identity providers (like Google or Facebook).
• Determining the information to be collected from the customer during sign-up, such as their first name, zip code, or country/region of residence.
• Tailoring company branding and language preferences to create a customized user experience.

For partners

Secure B2B collaboration

Azure Active Directory (Azure AD) B2B collaboration is a functionality incorporated within External Identities, enabling the invitation of guest users for cooperation with your organization. B2B collaboration allows your business applications and services to be securely accessible to external users, all while retaining control over your corporate data. This ensures safe and secure interaction with external partners of any size, regardless of whether they possess Azure AD or an IT department.

Utilize preferred identities

Azure AD B2B allows partners to employ their own identity management systems, thus eliminating any external administrative burden for your organization. Guest users access your applications and services using their own work, academic, or social identities.

• The partner utilizes their unique identities and credentials, irrespective of whether they possess an Azure AD account.
• Your organization is free from the responsibility of managing external accounts or passwords.
• There is no necessity to synchronize accounts or handle account lifecycle management.

Provide self-service sign-up flows

In instances where an application is being shared with external users, it might not always be clear beforehand who will require access to the application. Rather than directly sending invitations to specific individuals, a feasible alternative is to permit external users to register for particular applications autonomously by activating a self-service sign-up user flow. 

This enables the creation of a bespoke sign-up experience tailored to the needs of your users. For instance, you can offer sign-up options via Azure AD or social identity providers and gather user-specific information during the registration process.

How do self-service sign-up flows work on Microsoft Entra External ID?

A self-service sign-up user flow constructs a registration experience for your external users via the application you aim to share. This user flow can be linked with one or multiple applications. The process involves several steps:

1. Enable self-service sign-up for your tenant.
2. Federate with the desired identity providers for external user sign-ins.
3. Create and personalize the sign-up user flow.
4. Assign your applications to the user flow.

You can also control the sign-up process by configuring user flow settings:

• Define the types of accounts used for sign-in, such as social accounts like Facebook or Azure AD accounts.
• Determine the information to be gathered during sign-up, such as the user's first name, postal code, or country/region of residence.

Upon setting up the user flow, users can access your application. This could be via the web, mobile, desktop, or a single-page application (SPA).

• The application sends an authorization request to the endpoint provided by the user flow, which then guides and controls the user's experience.
• After the user completes the sign-up process, Azure AD generates a token and redirects the user back to your application.
• Upon completion of sign-up, a guest account is created for the user in the directory.

One crucial point to note is that the same user flow can be utilized across multiple applications.

Is Microsoft Entra External ID currently available?

Microsoft Entra External ID is paving the way as a groundbreaking customer identity and access management (CIAM) solution. This system centralizes the management of all external identities - customers, citizens, patients, partners, suppliers, and contractors alike - within a single, cohesive platform.

The preview showcases a platform tailored for developers, designed to support various customer scenarios seamlessly within the Azure AD experience. Leveraging familiar development tools such as the Microsoft Authentication Library (MSAL) and established governance and authorization mechanisms, the unified platform simplifies and strengthens the development of customer applications. Try the preview.

Microsoft encourages developers to provide feedback to the product team to inform the development of this customer solution, which is set to reach general availability in early 2024.

In the meantime, Microsoft's current partner solution, B2B Collaboration, remains fully available through Azure AD. B2B Collaboration can be accessed via the Microsoft Entra admin portal within the Workforce tenet. Developers are invited to explore and trial the preview.

What about customers using Azure Active Directory B2C service?

Azure AD B2C is Microsoft's current generation of customer identity and access management products. It will continue to be a fully backed customer solution, and Microsoft ensures its ongoing support. Presently, there are no mandates for customers to transition to other solutions, and there are no intentions to phase out the existing B2C product. Microsoft is dedicated to maintaining its investments in the Azure AD B2C product to guarantee its sustainability and evolution.

What are External Identities in Azure Active Directory?

Azure AD External Identities encapsulates the diverse methods that enable secure interactions with users beyond your organizational boundaries. This capacity is beneficial whether you intend to team up with partners, distributors, suppliers, or vendors, allowing the sharing of resources and the delineation of access levels for your internal users to these external entities. Developers crafting consumer-oriented applications can use this feature to adeptly manage their customers' identity experiences.

External Identities grant external users the opportunity to "carry their own identities." Regardless of whether users have a corporate or government-backed digital identity or an unregulated social identity like Google or Facebook, they can utilize their unique credentials for sign-in. The external user’s identity provider oversees their identity, while access to your applications is managed via Azure AD or Azure AD B2C, ensuring the safeguarding of your resources.

Here are the key features encompassed by External Identities:

• B2B Collaboration - Facilitates interaction with external users by allowing them to use their chosen identity for signing into your Microsoft applications or any other enterprise applications (SaaS apps, custom-developed apps, etc.). These B2B collaboration users are represented in your directory, typically as guest users.

• B2B Direct Connect - Forms a reciprocal, bi-directional trust with another Azure AD organization for smooth collaboration. B2B Direct Connect presently supports Teams shared channels, permitting external users to access your resources directly from their home Teams environments. While these users aren't represented in your directory, they are visible within the Teams shared channel and can be tracked in Teams admin center reports.

• Azure AD B2C - Empowers the publication of contemporary SaaS apps or custom-built apps (excluding Microsoft apps) to consumers and customers, with Azure AD B2C handling identity and access management.

• Azure AD Multi-tenant Organization - Enables collaboration with multiple tenants within a single Azure AD organization through cross-tenant synchronization.