Identity providers for external tenants

Applies to: White circle with a gray X symbol. Workforce tenants Green circle with a white check mark symbol. External tenants (learn more)

Tip

This article applies to External ID in external tenants. For information about workforce tenants, see Identity providers for External ID in workforce tenants.

With Microsoft Entra External ID, you can create secure, customized sign-in experiences for your consumer- and business customer-facing apps. In an external tenant, there are several ways for users to sign up for your app. They can create an account using their email and either a password or a one-time passcode. Or, if you enable sign-in with Facebook, Google or a custom OIDC identity provider, they can sign in with their own account.

This article describes the identity providers that are available for primary authentication when signing up and signing in to apps in external tenants. You can also enhance security by enforcing a multifactor authentication (MFA) policy that requires a second form of verification each time a user signs in (learn more).

Email and password sign-in

Email sign-up is enabled by default in your local account identity provider settings. With the email option, customers can sign up and sign in with their email address and a password.

  • Sign-up: Customers are prompted for an email address, which is verified at sign-up with a one-time passcode. The customer then enters any other information requested on the sign-up page, for example, display name, given name, and surname. Then they select Continue to create an account.

  • Sign-in: After the customer signs up and creates an account, they can sign in by entering their email address and password.

  • Password reset: If you enable email and password sign-in, a password reset link appears on the password page. If the customer forgets their password, selecting this link sends a one-time passcode to their email address. After verification, the customer can choose a new password.

    Screenshots of the email with password sign-in screens.

When you create a sign-up and sign-in user flow, Email with password is the default option.

Email with one-time passcode sign-in

Email with one-time passcode is an option in your local account identity provider settings. With this option, the customer signs in with a temporary passcode instead of a stored password each time they sign in.

  • Sign-up: Customers can sign up with their email address and request a temporary code, which is sent to their email address. Then they enter this code to continue signing in.

  • Sign-in: After the customer signs up and creates an account, each time they sign in they'll enter their email address and receive a temporary passcode.

    Screenshots of the email with one-time passcode sign-in screens.

You can also configure options for showing, hiding, or customizing the self-service password reset link on the sign-in page (learn more).

When you create a sign-up and sign-in user flow, Email one-time passcode is one of the local account options.

Social identity providers: Facebook and Google

For an optimal sign-in experience, federate with social identity providers whenever possible so you can give your customers a seamless sign-up and sign-in experience. In an external tenant, you can allow a customer to sign up and sign in using their own Facebook or Google account. When a customer signs up for your app using their social account, the social identity provider creates, maintains, and manages identity information while providing authentication services to applications.

When you enable social identity providers, customers can select from the social identity providers options you make available on the sign-up page. To set up social identity providers in your external tenant, you create an application at the identity provider and configure credentials. You obtain a client or app ID and a client or app secret, which you can then add to your external tenant.

Google sign-in (preview)

By setting up federation with Google, you can allow customers to sign in to your applications with their own Gmail accounts. After you add Google as one of your application's sign-in options, on the sign-in page, users can sign in to Microsoft Entra External ID with a Google account.

The following screenshots show the sign-in with Google experience. In the sign-in page, users select Sign-in with Google. At that point, the user is redirected to the Google identity provider to complete the sign-in.

Screenshots of google sign-in screens.

Learn how to add Google as an identity provider.

Facebook sign-in (preview)

By setting up federation with Facebook, you can allow invited users to sign in to your applications with their own Facebook accounts. After you add Facebook as one of your application's sign-in options, on the sign-in page, users can sign-in to Microsoft Entra External ID with a Facebook account.

The following screenshots show the sign-in with Facebook experience. In the sign-in page, users select Sign-in with Facebook. Then the user is redirected to the Facebook identity provider to complete the sign-in.

Screenshots of Facebook sign-in screens.

Learn how to add Facebook as an identity provider.

Custom OIDC identity provider (preview)

You can set up a custom OpenID Connect (OIDC) identity provider to enable customers to sign up and sign in to your applications with their own accounts. When a customer signs up for your app using their custom OIDC identity provider, the identity provider creates, maintains, and manages identity information while providing authentication services to applications.

You can also federate your sign-in and sign-up flows with an Azure AD B2C tenant using the OIDC protocol.

Learn how to set up a custom OIDC identity provider.

Updating sign-in methods

At any time, you can update the sign-in options for an app. For example, you can add social identity providers or change the local account sign-in method.

When you change sign-in methods, the change affects only new users. Existing users continue to sign in using their original method. For example, suppose you start out with the email and password sign-in method, and then change to email with one-time passcode. New users sign in using a one-time passcode, but any users who already signed up with an email and password continue to be prompted for their email and password.

Microsoft Graph APIs

The following Microsoft Graph API operations are supported for managing identity providers and authentication methods in Microsoft Entra External ID:

  • To identify what identity providers and authentication methods are supported, you call the List availableProviderTypes API.
  • To identify the identity providers and authentication methods that are already configured and enabled in the tenant, you call the List identityProviders API.
  • To enable a supported identity provider or authentication method, you call the Create identityProvider API.

Next steps