Thank you for bringing some light to my headaches with Microsoft entra 💓
Thank you!
Thanks for sharing the link and putting together these videos.
Thank you for watching!
Thank You for this video!
Thank you for watching!
Super useful and insightful video. We are looking to use Azure as a CIAM. One requirement is to allow existing internal users from our existing AD account to have access to the 'Customer' tenant application.
It looks like these users will have to be invited into the Customer tenant, using the B2B flow if I'm not mistaken? It would be nice to have more control over that but it seems currently there is less configurability around the "Active Directory Identity Provider".
Thank you for watching!
Yes, currently federations with external identity providers are limited.
In the future the ideal scenario will be where, as you mentioned, there will be an OIDC configuration section so we can integrate more external identity providers. This is on the horizon.
Thank you for this. It is definitely one of the best information sources for this product that I've found. My company has been using Azure AD B2C for all of our CIAM needs but it's looking like External ID is the way to go. Could you explain how we'd go about migrating from one to the other as information on this topic is quite limited? I understand that External ID is a new product and migrating away from B2C is not required at this time. That said, we have all agreed that it would be better for us to migrate sooner rather than later.
Any information on this topic would be greatly appreciated.
Thank you for watching and the kind words.
When it comes to your question about the new product and migration:
Microsoft Entra External ID is the future when it comes to the CIAM solution provided by Microsoft. However, the current product is in preview (at the moment of writing this comment). For simple authentication and branding scenarios it can be a good fit, but please remember that it is still not as mature as Azure AD B2C.
Having said that, I would strongly recommend assessing your current requirements for the login/registration scenarios and then checking whether these can be implemented with the new platform (Entra External ID).
Recently I faced issues when testing my tenant where suddenly I could not sign in (you can read more here: learn.microsoft.com/answers/questions/1353634/aadsts500208-the-domain-is-not-a-valid-login-domai).
I would wait with the migration decision at least until the product is GA, not in preview. One more point - migration paths are not yet defined between Azure AD B2C and Entra External ID - the team at Microsoft is working on this topic but no official information has been provided yet.
Strategies for user migration are still undefined. We need a seamless way of migrating users but custom extensions are, in their current state, not enough because the password is not sent in the request. It looks like native authentication would work but that feature is still private.
Hi! Great insight, thanks for the video! I am currently trying to set up a rather complex setup and can't find out how: sign up a user using their own Microsoft pro account (Entra External ID), then from the app make Graph calls on their original tenant, after getting their acceptance for authorizations. It seems Entra External tokens are not usable to make Graph calls, and I did not succeed (yet?) in swapping the Entra token for an Azure AD one that would fit Graph requests. Any idea on a good architecture to perform such? I would also be very interested in getting in touch with an expert that could help on this ;-)
Hi, thank you for the kind words!
When it comes to your question: access tokens issued by Microsoft Entra External ID cannot be used to access the Microsoft Graph API. When you say "make Graph call to the user's original tenant" - I assume you are talking about the scenario where the user used a corporate account to access your application secured with Microsoft Entra External ID and you would like to somehow access the user's original tenant to get some authorization? I would definitely need more details here.
Hi, in your Blazor WebAssembly app, how do you connect the login button to this Entra External ID? Many thanks for the video, really useful!
Thanks for the video tutorial. One question: how to remove "Have an account? Sign In instead" from the Sign-Up-Sign-In user flow?
Thank you! You can hide it using CSS styles:
learn.microsoft.com/en-us/azure/active-directory/fundamentals/reference-company-branding-css-template
You should set visibility for the hyperlink to hidden.
You can download the CSS template from there (or from the page above):
download.microsoft.com/download/7/2/7/727f287a-125d-4368-a673-a785907ac5ab/custom-styles-template-013023.css
Here you can read more about branding customization:
learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-customize-branding-customers#to-customize-the-sign-in-page-background-and-layout
To test hiding, you can open the console in the browser and type:
document.getElementById("backToLogin").style.visibility = "hidden";
@TechMindFactory Thanks mate.
You say "you don't have to worry about CustomPolicies...". Well, there are two things to consider: even if CustomPolicies are hard to build, it's a necessary feature since user flows do not nearly provide all the features that one might need. Also, External ID still provides different userFlows for signIn, profile, etc. So, how do you call them in your auth request?
Yes, these are good points you mention. First of all - custom policies are removed in the new solution due to bad feedback from developers and people who tried it. I also agree that even if the experience was not very good, custom policies are essential to build more complex auth flows. In the new platform Azure AD Event Listeners are used - it means that you will be able to attach custom logic to different parts of the user journey, like "onAttributeCollection", "afterConditionalAccessCheck" etc. This is a new architecture. Soon there will be more details available for public preview. I am doing my best to create the next video where I will dive into the details. The External ID Team is aware that there is a strong need for advanced flows like we can build now with Azure AD B2C custom policies.
When it comes to flows and calling them - sign in and password reset are already there. In the app config you do not have to provide the name of the flow. For the profile edit - it is still under consideration and more details will be known soon. Please also remember that there will also be a native auth API available so you will be able to natively integrate your app with the platform without any redirections (it means that you will be able to display the profile edit page directly in your app without using pages from External ID). Again - more details will be available soon. I am under NDA so cannot provide too many details now but I can promise that once I have the green light to share more details I will do it immediately.
Please let me know if you have any questions.
PS: Thank you for watching!
@TechMindFactory Thanks for the info. I hope they will combine the best of both worlds:
AAD: e.g. OBO flow, securityGroups, full Graph API
B2C: well, we had to implement a whole bunch of advanced features, e.g. homeRealmDiscovery, custom logging, test automation capabilities, impersonation, custom refresh token and access token journeys, different flows for different apps (e.g. restrict some apps to distinct federated IdPs), etc, etc
@michaelpropster8076 Thank you too for the great feedback! Yes, the points you mentioned above were already discussed (many times, believe me) with the Product Group. OBO flow will be available (this is strong feedback from many people as we need it for the backend side integration).
When it comes to the Graph API - the new platform has strong foundations in an API-first approach. You can already read more about the Management APIs:
learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-management-apis-overview
One more thing - because the new platform is fully based on Azure AD there will be no exceptions for some queries in the Graph API - as we have now with Azure AD B2C, for instance to query the user's mobile phone used for MFA.
There will be more in the future - custom domains will be available too! I will share more info when I can. Let's be in touch.
@TechMindFactory Thanks a lot. Can't wait to hear more news from you!
Thank you for the information. How will the home realm discovery be supported on the Entra platform?
Thank you for watching. It is still under development; however, it is one of the key features in the backlog for this new product. The experience will be similar to the current one in Azure AD B2C, where we can type the username and, based on the domain, the user is redirected to a specific tenant. There will also be restrictions for HRD for specific domains. Once I have more details, I will definitely share this information.
What does the road map look like for more advanced authentication mechanisms like FIDO2-based MFA or passkeys etc? Also, will this finally support back-channel logout of clients too? Also, if we wanted to do a true global deployment to support a user base across multiple continents, is this something now natively supported?
I do not have exact information about the road map but I can confirm that FIDO2 is considered and discussed. I do not have any info about passkeys yet.
Same for the back-channel logout.
When it comes to global deployment - the service will be global but you still have to select the datacenter for user profiles during the configuration:
learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/quickstart-tenant-setup#create-a-new-tenant-with-customer-configurations
From the global availability perspective you will probably need to support tenants in multiple locations - the mechanism underneath is the same as in standard AD. I will try to get more details about it and get back to you.
6:45 Looking at this slide, it looks the same as the feature set that Azure B2C already provides. What is the difference? I don't see it.
Thank you for watching. The difference is in the configuration approach. There will be no custom policies anymore. User flows will be defined either in the portal or using the REST API. When it comes to extensions, for instance - these will also be configured in a different way (currently in Azure AD B2C you use technical profiles when you use custom policies); here you can read about the new approach:
learn.microsoft.com/en-us/azure/active-directory/develop/custom-extension-overview?context=%2Fazure%2Factive-directory%2Fexternal-identities%2Fcustomers%2Fcontext%2Fcustomers-context
The important thing is that the new MS Entra External ID aims to provide the same level of features as AD B2C does; however, the way you will configure them will be much easier and more aligned with the DevOps philosophy (storing configuration in Git, ability to configure the tenant using APIs).
I hope this clarifies a bit.
@TechMindFactory Thank you. That makes more sense. So some configuration that used to be configured with IdentityExperience XML can now be written in C# by using external APIs? Would it be possible to detect which tenant the user is coming from, in case the user decides to use his work account? If so, is it possible to tell Microsoft to use MFA for certain tenants? That is one scenario we would like to develop for our internally developed product, but so far, we could not see how.
@btastic2 The scenario you are talking about combines HRD (Home Realm Discovery, where we discover that the user is using an account from another tenant) with Conditional Access. HRD is not yet fully supported in the new platform. Please also note that in the typical scenario where the user decides to use a work account, the user is redirected to the home tenant for authentication. The decision whether to apply MFA or not is on the home tenant side. Now you could of course require MFA also on your tenant side (something similar to what Azure AD B2C has for social accounts, where you can apply MFA also for Facebook or Google accounts). Such a scenario is not supported yet but I know that HRD functionality is on the priority list owned by the Product Group. For now you cannot configure granular options for HRD.
@TechMindFactory Thank you so much for your thorough explanation! Helps a lot!
@btastic2 Great to know, always happy to help, good luck!
Is there any customization to login with userid instead of email?
No, this is not supported currently.
customer tenant called now External
The funny thing about MS products' roadmap and release stages is that they never learn. I can't add Azure AD as an IdP in any flow, no matter what. Followed all docs, researched, tried logical stuff, non-logical stuff too (pretty much the MS line) and nothing. But I can't request support unless it's for billing or subscription management. Well, it's in preview. If it doesn't work I should just shut up and wait. Why would they provide any customer support for a product in preview, right?
I understand your frustration as I also faced some issues recently. I am not sure if you know, but here is the place where you can describe your issue:
learn.microsoft.com/en-us/answers/tags/438/entra-external-id
Microsoft engineers are reviewing it and you can get help. Here is one of my recent issues reported (as you can see, I got a response from the MS engineer):
learn.microsoft.com/en-us/answers/questions/1353634/aadsts500208-the-domain-is-not-a-valid-login-domai
I encourage you to try.
Thanks very much @TechMindFactory, will give it a go. Cheers