External-ID

No more Custom Policies & Identity Experience Framework With the new Entra External ID and Entra ID, we can use the built-in policies for authentication. Entra External ID technical details and requirements: authentication method must be supported by the tenant; no custom authentication methods via user flow, we can select a password or OTP (one-time password) method. no custom methods like magic link or passwordless (yet!) no ADMIN API to authenticate users; no API connector to use external API for authentication; Compare User with password and OTP ...

Changelog 2025-04-09 - initial version 2025-04-11 - updated with AADInternals OSINT tool Tenant public information Your tenant-id With the page https://www.whatismytenantid.com/, you can find your TenantID How does it work? We can check the Network tab of the browser and find a query to the OpenID Configuration endpoint based on the domain: https://login.microsoftonline.com/{{YOUR-DOMAIN-HERE}}/.well-known/openid-configuration ^ We can also find a tenant location with the tenant_region_scope field. ^ Whatismytenantid doesn’t work? You can get the same from the website https://gettenantpartitionweb.azurewebsites.net/! ...

Identity Provider Story Basic assumptions: in-browser authentication, with OAuth2/OpenID Connect (but also applicable for SAML), for Web, SPA and Mobile applications. Let’s start with a story: The user enters the address ‘https://portal.my-company.com’ to check company news; without an active session in the application (cookie or token), the application will be redirected to the Identity Provider (IdP) - authentication is required. After the identity verification and authorization, an IdP session will be created and the user redirected to the application. ...

What is Token Enrichment? Entra External ID token enrichment is a process where additional claims, attributes, or context are added to authentication tokens (ID Token, Access Token or both) during the authentication flow. This enrichment enhances the security token with supplementary information that can be useful for authorization decisions and user context. Common examples include: Customer ID from your CRM system User ID from an external profile store Authorization context from your application Role information from Fine-Grained Authorization systems like OpenFGA The enrichment happens through a REST API call with a fixed contract defined by the Entra ID team. At the end of this post, you’ll find the complete API contract specification. ...

Make life easier with Entra ID as Code TL;DR It is the end of 2024; daily, we use the following: CI/CD pipelines for infrastructure as code (IaC) deployment to create Services, Applications, Storages, etc, permissions (RBAC) from resources to resources (App Service WebApp1 should read Blob Storage WebApp1Storage), secrets, we hate them, but we found a solution to avoid secrets with Managed Identity and Workload Identity solutions, What is the plan for us? We will use Azure Portal and Entra ID blade to manage our applications, permissions, and secrets. We can create and update our app registrations via the browser. Can we improve our Entra ID and Entra External ID with IaC, as shown in the screenshot (Picture 1) below? ...

Tl;dr I will show you typical CIAM challenges, scenarios, diagrams, and links to the repositories with the implementation of the new Azure Service—Entra External ID for Customers (CIAM). Big Picture Link to bigger picture. Introduction Entra External ID for Customers is a new Azure Tenant type that allows you to create digital identities for your customers. It is a separate tenant type, not connected with your organisation’s tenant. I want to show you typical CIAM challenges with the diagram (big picture). We will go through the diagram step by step, and I will show you possible solutions. ...

History 2024-06-02 - Initial version 2025-03-03 - Updated Summary TL;DR With Azure AD B2C we can authenticate users via a browser-based feature - we run the OpenID Connect flow in the browser, authenticate the user via the Authorization Code flow, and get the token. But what if we want to stay with the mobile application? On the Desktop application? With Entra External ID we can use the native authentication flow. ...

Microsoft Entra ID External Identities vs Azure AD B2C. TL;DR A summary of differences between Entra ID and Azure AD B2C. Entra ID in this article is used to build a product. Differences between Entra ID and Azure AD B2C To share resources from your organization (Entra ID) like PowerBi, OneDrive, and SharePoint - use B2B collaboration. Please remember: in many cases, you must assign the expected licenses - PowerBI*, for example, and you will be able to use PowerBI Portal. ...