Online retail use case
Microsoft Entra ID for customers offers solutions that let you quickly add
intuitive, user-friendly sign-up and sign-in experiences to your customer apps. The
Woodgrove Groceries demo environment illustrates several of the most common
authentication experiences that can be configured for your customer-facing apps. This
example illustrates the most common use case, including the following features:
Sign-up or sign-in with email address and password
Create a new Woodgrove account
- Select the start the use case button at the bottom of this page.
- From the sign-in page select No account? Create one.
- Enter your email address, which will be verified and becomes your login ID.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page enter the verification code and select next.
- After the email is verified, enter a password, re-enter it, and enter your
account details.
- Select next to complete the registration.
Sign-in with your email and password
- Select the start the use case button at the bottom of this page.
- On the sign-in page, enter your email, and select next.
- Enter your password and select sign in.
Forgot your password?
- On the sign-in page, enter your email, and select next.
- Select the Forgot password? link.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page enter the verification code and select next.
- After the email is verified, enter a new password, re-enter it, and select next to
update your password.
Self-service password reset
Self-service password reset (SSPR) gives users the ability to change or reset their
password, with no administrator or help desk involvement. If a user's account is locked
or they forget their password, they can follow prompts to unblock themselves and get
back to work.
Before you start, make sure you've run one of the sign-up use cases to create an account
with Woodgrove Groceries.
- On the sign-in page, enter your email, and select next.
- Select the Forgot password? link.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page enter the verification code and select next.
- After the email is verified, enter a new password, re-enter it, and select next to
update your password.
Sign-in with social account
Users can sign in with their existing social accounts, without having to create a
new account.
- Select the start the use case button at the bottom of this page.
- From the sign-in page, select one of the identity providers, such as Google or
Facebook. You are redirected to the selected provider's sign-in page.
- Upon first sign-in, enter your account details. Then, select next to complete
the registration.
Sign-up with email one-time passcode
Email with one-time passcode is an option in your local account identity provider
settings.
With this option, the customer signs in with a temporary passcode instead of a stored
password each time they sign in.
Create a new Woodgrove account
- Select the start the use case button at the bottom of this page.
- From the sign-in page select No account? Create one.
- Enter your email address, which will be verified and becomes your login ID.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page enter the verification code and select next.
- After the email is verified, enter your account details.
- Select next to complete the registration.
Sign-in with your email
- Select the start the use case button at the bottom of this page.
- On the sign-in page, enter your email, and select next.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page enter the verification code and select next.
Sign-in with multi-factor authentication (email)
Multifactor authentication (MFA) adds a layer of security to your customer-facing
applications. With MFA, customers are prompted for a one-time passcode in addition to
their username and password when they sign up or sign in to your app.
This demo shows how to enforce MFA for your customers during sign-up and sign-in with
email and password.
After you have authenticated successfully, complete the MFA step.
Token augmentation custom auth extension
When users authenticate to your application with Microsoft Entra ID for customers, a security
token is returned to your application. The security token contains claims, which are
statements about the user, such as name, unique identifier, or application roles.
Beyond the default set of claims contained in the security token, you can define
your own custom claims, sourced from external systems through a REST API you develop.
- Select the start the use case button at the bottom of this page.
- Sign-up or sign-in with your email, or a social account.
- From the Woodgrove header, select your name, which will take you to the security
token page.
- The security token page shows the claims returned by Microsoft Entra ID for customers.
Locate the loyaltyNumber claim and check its value. This claim was returned by a custom
authentication extension REST API with a random value.
Post attribute collection custom auth extension
Custom authentication extensions (OnAttributeCollectionSubmit event) allow you to
perform validation on attributes collected from the user during sign-up, along with
showing the user a blocked or validation error page if needed.
Show validation error response
This input validation is done using a custom authentication extension that validates the
city name against a list of cities and countries we compiled.
- Select the start the use case button at the bottom of this page.
- Sign-up with your email, or a social account. Important: this flow
requires that you register a new account. If you already have an account, you should
first delete it.
- After you validate your email, or sign-in with your social account, complete the
registration by providing your details.
For the country, select Australia, and then for the city type an incorrect one
(for example, Berlin, which is in Germany).
- Select next to create a Woodgrove online identity. You should get an
error message that Woodgrove doesn't operate in this city.
- Correct the city name. For example, enter Sydney and try to complete the
registration again. This time you should be able to complete the registration.
Show block page response
This demo uses the same custom authentication extension as described above.
If you enter block as the city name and select next, instead of returning a validation
error for the city, the user is denied and isn't allowed to request approval again.
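The two OnAttributeCollectionSubmit responses described above (validation error and block page), together with the loyaltyNumber claim from the token augmentation section, as an added Python example that is not the demo's own code: the logic a custom authentication extension REST API would run before answering the callout. The @odata.type strings follow the documented custom authentication extension request/response schema; the city list, the blocked city value, the loyalty lookup table and the request builder are constructed for this example.

```python
import secrets

# Constructed sample data: cities Woodgrove "operates in", the city value the demo
# treats as a hard block, and a stand-in for the external loyalty system.
CITIES_BY_COUNTRY = {"Australia": {"Sydney", "Melbourne"}, "Germany": {"Berlin", "Munich"}}
BLOCKED_CITY = "block"
LOYALTY_DB = {"00000000-0000-0000-0000-000000000001": "WG-00001234"}
SUBMIT_ACTION = "microsoft.graph.attributeCollectionSubmit."


def _attr(attributes, name):
    """Plain string value of a collected attribute; '' when it is absent."""
    return str((attributes.get(name) or {}).get("value") or "").strip()


def on_attribute_collection_submit(request):
    """OnAttributeCollectionSubmit: validate the country/city pair the user typed."""
    attrs = request["data"]["userSignUpInfo"]["attributes"]
    country, city = _attr(attrs, "country"), _attr(attrs, "city")
    if city.lower() == BLOCKED_CITY:
        # Block page: sign-up stops here; the user cannot retry from this screen.
        action = {"@odata.type": SUBMIT_ACTION + "showBlockPage",
                  "message": "Woodgrove cannot open an account for this location."}
    elif city not in CITIES_BY_COUNTRY.get(country, set()):
        # Validation error: the form is shown again with a per-attribute message.
        action = {"@odata.type": SUBMIT_ACTION + "showValidationError",
                  "message": "Please fix the errors below to proceed.",
                  "attributeErrors": {"city": f"Woodgrove doesn't operate in {city or 'this city'}."}}
    else:
        action = {"@odata.type": SUBMIT_ACTION + "continueWithDefaultBehavior"}
    return {"data": {"@odata.type": "microsoft.graph.onAttributeCollectionSubmitResponseData",
                     "actions": [action]}}


def on_token_issuance_start(request):
    """OnTokenIssuanceStart: add a loyaltyNumber claim looked up by the user's object id."""
    user_id = request["data"]["authenticationContext"]["user"]["id"]
    loyalty = LOYALTY_DB.get(user_id) or f"WG-{secrets.randbelow(10**8):08d}"  # random, as in the demo
    action = {"@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
              "claims": {"loyaltyNumber": loyalty}}
    return {"data": {"@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
                     "actions": [action]}}


def submit_request(country, city):
    """Constructed sample callout body for a sign-up that collected country and city."""
    def attr(value):
        return {"@odata.type": "microsoft.graph.stringDirectoryAttributeValue",
                "value": value, "attributeType": "builtIn"}
    return {"data": {"@odata.type": "microsoft.graph.onAttributeCollectionSubmitCalloutData",
                     "userSignUpInfo": {"attributes": {"country": attr(country), "city": attr(city)}}}}
```

The endpoint that serves these responses must still authenticate the caller (the Entra extension) and must treat every attribute as untrusted user input, which is why the handler defaults to a validation error rather than to continuing.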
Role-based access control
Role-based access control is a popular mechanism to enforce authorization in
applications. It helps you manage who has access to your application and what they can
do in the application.
When an organization uses role-based access control, an application developer defines
the roles in the application. An administrator can then assign these roles to different
users, which controls who has access to the application and what they can do with it.
Microsoft Entra ID for customers issues an access token for an authenticated user,
which includes the names of the roles they have assigned to the application. Developers
have the flexibility to decide how role assignments are to be used within the
application. For example, show or hide some of the elements on the screen, or block
access to certain functionalities based on the user’s role or security groups.
Usually, an administrator needs to approve your request. But for this demo, your request
is automatically approved. To start the demo:
- Select the start the use case button at the bottom of this page.
- Sign-up or sign-in with your email, or a social account.
- From the Woodgrove header, select the profile, which will take you to the edit
profile page.
- On the profile page you can update your profile data, but you can also assign yourself
the Products.Contributor and Orders.Manager roles. The Orders.Manager role grants you
access to manage the customer's online orders, and the Products.Contributor role grants
you access to manage the Woodgrove products. Select both roles and save the changes.
- To reflect the changes in the security token returned to the Woodgrove application,
sign-out and sign-in again with the same account.
- Now that you have the Orders.Manager role, the Orders button appears in
the header. You can select Orders to manage the online orders.
- Since you also have the Products.Contributor role, in the home page, you should find
the Manage products button.
- If you select your name from the header, it shows the content of the access token
issued by Microsoft Entra ID for customers that was returned to the application.
It should contain the role claims you assigned.
This demo application checks the claim’s value and gives access to manage products
and online orders.
Group-based access control
- Select the start the use case button at the bottom of this page.
- Sign-up or sign-in with your email, or a social account.
- From the Woodgrove header, select the profile, which will take you to the edit
profile page.
- On the profile page you can update your profile data, but you can also add yourself to
the Commercial Accounts security group. By doing so, you get discounts on some of the
products. Select the Commercial Accounts security group and update your account.
- To reflect the changes in the security token returned to the Woodgrove application,
sign-out and sign-in again with the same account.
- Now that you are a member of the Commercial Accounts security group, some of the
items have a discount.
- If you select your name from the header, it shows the content of the access token
issued by Microsoft Entra ID for customers that was returned to the application.
It should contain the groups claim.
This demo application checks the claim’s value and gives you the discounts.
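How an application can turn the roles and groups claims described in the two sections above into authorization decisions, as an added Python example that is not the demo's own code. It assumes the token's signature, issuer and audience were already validated by the sign-in middleware, so only the decoded claims are handled here; the group object id and the discount rate are constructed placeholders, because the groups claim carries object ids rather than display names.

```python
# Constructed configuration for this added example (not the demo's own settings):
# app role values as defined in the app registration, and the object id of the
# "Commercial Accounts" group, because the groups claim carries ids, not names.
ROLE_PERMISSIONS = {
    "Orders.Manager": {"orders:manage"},
    "Products.Contributor": {"products:manage"},
}
COMMERCIAL_ACCOUNTS_GROUP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder id
DISCOUNT_BY_GROUP = {COMMERCIAL_ACCOUNTS_GROUP_ID: 0.10}


def _string_list(claims, name):
    """Read a claim as a list of strings: missing -> [], scalar -> [scalar]."""
    value = claims.get(name)
    if value is None:
        return []
    return [value] if isinstance(value, str) else [str(v) for v in value]


def permissions_for(claims):
    """Permissions granted by the roles claim; role values not in the map grant nothing."""
    granted = set()
    for role in _string_list(claims, "roles"):
        granted |= ROLE_PERMISSIONS.get(role, set())  # exact, case-sensitive match
    return granted


def can(claims, permission):
    """Deny by default: only an explicitly mapped role value unlocks a feature."""
    return permission in permissions_for(claims)


def discount_for(claims):
    """Discount from group membership. Returns None when the token has no groups claim
    at all, so callers can tell 'member of no group' from 'claim not emitted' instead
    of silently treating the two the same way."""
    if "groups" not in claims:
        return None
    return max((DISCOUNT_BY_GROUP.get(g, 0.0) for g in _string_list(claims, "groups")), default=0.0)


def visible_buttons(claims):
    """The header/home-page buttons the demo shows, derived only from the token claims."""
    buttons = []
    if can(claims, "orders:manage"):
        buttons.append("Orders")
    if can(claims, "products:manage"):
        buttons.append("Manage products")
    return buttons
```

Hiding a button is a UI convenience; the same permissions_for check has to guard the server-side order and product endpoints, since the token, not the page, is what the application trusts.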
Collect user attributes during sign-up
User attributes are values collected from the user during self-service sign-up.
In the user flow settings, you can select from a set of built-in user attributes you
want to collect from customers.
The customer enters the information on the sign-up page, and it's stored with their
profile in your directory.
If you want to collect information beyond the built-in attributes, you can create custom
user attributes and add them to your sign-up user flow.
This demo shows the use of built-in attributes and a custom attribute called special
diet. To start the demo:
- Select the start the use case button at the bottom of this page.
- Sign-up with your email, or a social account. Important: this flow
requires that you register a new account. If you already have an account, you should
first delete it.
- After you validate your email, or sign-in with your social account, complete the
registration by providing your details.
The special diet is a custom attribute you can provide. For the demo, enter
Egg allergy. This attribute will be included in the security token returned
to the Woodgrove application.
- Select next to create a Woodgrove online identity.
- After you successfully sign-in, in the home page, the Eggs product shows the
allergy warning.
Input constrained devices (Kiosk)
Input-constrained devices are devices whose screen or monitor is limited to text only
and that don't have a web browser, for example smart TVs, IoT devices, robots, gaming
consoles, and printers, or applications with a limited user interface, such as a
command-line application.
These devices are connected to the internet, but because of the input constraints, the
authentication should be done on another device. The input-constrained device gets a
device code from Microsoft Entra ID for customers and asks the user to visit a webpage in a browser on a second,
rich device, such as a smartphone, tablet, or PC.
In this use case, from the Kiosk page select sign-in. Use the second device, such as a
smartphone, to scan the QR code. On the sign-in page, enter the device code and
complete the sign-in. Once you have signed in, the Kiosk (input-constrained device) is able
to get security tokens and authenticate you. Your name should be presented in the
top-right corner of the page.
Finance
The Woodgrove Bank demo application illustrates the sign-up and sign-in authentication
experiences for financial scenarios. It also demonstrates SAML protocol federation with
Microsoft Entra External ID for customers.
Edit your account
The profile editing policy lets you manage your profile attributes, such as display name,
surname, given name, city, and others. After you update your profile, sign-out and
sign-in again.
Delete your account
If you would like to delete your account and personal information, visit the delete my
account page. You won't be able to reactivate your account. In a couple of minutes you
will be able to sign-up again with the same credentials.