Online retail use case

Microsoft Entra ID for customers offers solutions that let you quickly add intuitive, user-friendly sign-up and sign-up experiences for your customer apps. The Woodgrove Groceries demo environment illustrates several of the most common authentication experiences that can be configured for your customer-facing apps. This example illustrates the most common use case, including the following features:

• Sign-up or sign-in with email address and password
• Self-service password reset
• Sign-in with Facebook and Google social accounts
• Collect user attributes during sign-up
• Custom claims provider invokes a REST API to return the user's loyalty number
• The sign-in page is fully customized with the Woodgrove brand.

Start the use case

More applications

•   Woodgrove banking
•   Woodgrove restaurants (private access)

Sign-up or sign-in with email address and password

Create a new Woodgrove account

1. Select the start the use case button at the bottom of this page.
2. From the sign-in page select No account? Create one.
3. Enter your email address, which will be verified and becomes your login ID.
4. Open your mailbox and copy the verification code sent to you. Then, on the sign-in page enter the verification code and select next.
5. After the email was verified, enter a password, and re-enter the password, and enter your account details.
6. Select next to complete the registration.

Sign-in with your email and password

1. Select the start the use case button at the bottom of this page.
2. On the sign-in page, enter your email, and select next.
3. Enter your password and select sign in.

Forgot your password?

1. On the sign-in page, enter your email, and select next.
2. Select the Forgot password? link.
3. Open your mailbox and copy the verification code sent to you. Then, on the sign-in page enter the verification code and select next.
4. After the email was verified, enter a password, and re-enter the password and select next to update your password.

Start the use case

Self-service password reset

Self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.
 
Before you start, make sure you've run one of the sign-up use cases to create an account with Woodgrove Groceries.

1. On the sign-in page, enter your email, and select next.
2. Select the Forgot password? link.
3. Open your mailbox and copy the verification code sent to you. Then, on the sign-in page enter the verification code and select next.
4. After the email was verified, enter a password, and re-enter the password and select next to update your password.

Start the use case

Sign-in with social account

Users can sign in with their existing social accounts, without having to create a new account.

1. Select the start the use case button at the bottom of this page.
2. From the sign-in page, select one of the identity providers, such as Google or Facebook. Then you will be redirected to the selected provider's to sign-in.
3. Upon first sign-in, enter your account details. Then, select next to complete the registration.

Start the use case

Sign-up with email one-time passcode

Email with one-time passcode is an option in your local account identity provider settings. With this option, the customer signs in with a temporary passcode instead of a stored password each time they sign in.

Create a new Woodgrove account

1. Select the start the use case button at the bottom of this page.
2. From the sign-in page select No account? Create one.
3. Enter your email address, which will be verified and becomes your login ID.
4. Open your mailbox and copy the verification code sent to you. Then, on the sign-in page enter the verification code and select next.
5. After the email was verified, enter your account details.
6. Select next to complete the registration.

Sign-in with your email

1. Select the start the use case button at the bottom of this page.
2. On the sign-in page, enter your email, and select next.
3. Open your mailbox and copy the verification code sent to you. Then, on the sign-in page enter the verification code and select next.

Start the use case

Sign-in with multi-factor authentication (email)

Multifactor authentication (MFA) adds a layer of security to your customer-facing applications. With MFA, customers are prompted for a one-time passcode in addition to their username and password when they sign up or sign in to your app. This demo shows to enforce MFA for your customers to the sign-up and sign-in using email and password.
 
After you successfully authenticated, complete the MFA step.

Start the use case

Token augmentation custom auth extension

When users authenticate to your application with Microsoft Entra ID for customers, a security token is return to your application. The security token contains claims that are statements about the user, such as name, unique identifier, or application roles.
 
Beyond the default set of claims that are contained in the security token you can define your own custom claims from external systems using a REST API you develop.

1. Select the start the use case button at the bottom of this page.
2. Sign-up or sign-in with your email, or a social account.
3. From the Woodgrove header, select your name, which will take you to the security token page.
4. The security token page contains the claims that return by Microsoft Entra ID for customers. Locate the loyaltyNumber claim and check its value. This claim was return by a custom authentication extension REST API with a random value.

Start the use case

Post attribute collection custom auth extension

Custom authentication extensions (OnAttributeCollectionSubmit event) allow you to perform validation on attributes collected from the user during sign-up, along with showing the user a blocked or validation error page if needed.

Show validation error response

This input validation is done using a custom authentication extension that validates the city name, against a list of cities and countries we compiled.

1. Select the start the use case button at the bottom of this page.
2. Sign-up with your email, or a social account. Important: this flow requires that you register a new account. If you already have an account, you should first a delete it.
3. After you validate your email, or sign-in with your social account, complete the registration by providing your details. For the country, select Australia, and then for the city type an incorrect on (Berlin in Germany).
4. Select next to create a Woodgrove online identity. And you should get an error message that Woodgrove doesn’t operate in this city.
5. Corrects the city name. For example, enter Sydney and try to complete the registration again. This time you should be able to complete the registration.

Show block page response

This demo uses the same custom authentication extensions as described above. If you enter a city name block and select next, instead of returning an error message for the city, the user is denied and shouldn't be allowed to request approval again.

Start the use case

Role-based and access control

Role-based access control is a popular mechanism to enforce authorization in applications. It helps you manage who has access to your application and what they can do in the application. When an organization uses role-based access control, an application developer defines the roles in the application. An administrator can then assign these roles to different users, which controls who has access to the application and what they can do with it.
Microsoft Entra ID for customers issues an access token for an authenticated user, which includes the names of the roles they have assigned to the application. Developers have the flexibility to decide how role assignments are to be used within the application. For example, show or hide some of the elements on the screen, or block access to certain functionalities based on the user’s role or security groups.
Usually, an administrator needs to approve your request. But for this demo, your request is automatically approved. To start the demo:

1. Select the start the use case button at the bottom of this page.
2. Sign-up or sign-in with your email, or a social account.
3. From the Woodgrove header, select the profile, which will take you to the edit profile page.
4. In profile page you can update your profile data, but you can also assign yourself the Products.Contributor and Orders.Manager roles. The Orders.Managergrant role grants you access to manage the customer’s online orders. And the Products.Contributor role grants you access to manage the Woodgrove products. Select both roles and save the changes.
5. To reflect the changes in the security token return to the Woodgrove application, sign-out and sign-in again with the same account.
6. Now that you have the Orders.Managergrant role the Orders button appears in the header. You can select the Orders to manage the online orders.
7. Since you also have the Products.Contributor role, in the home page, you should find the Manage products button.
8. If you select your name from the header, it shows the content of the access token issued by Microsoft Entra ID for customers that was returned to the application. It should contain the role claims you assigned. This demo application checks the claim’s value and gives access to manage products and online orders.

Group-base access control

1. Select the start the use case button at the bottom of this page.
2. Sign-up or sign-in with your email, or a social account.
3. From the Woodgrove header, select the profile, which will take you to the edit profile page.
4. In profile page you can update your profile data, but you can also add yourself to the Commercial Accounts security group. By doing so, you will get discounts off some of the products. Select the Commercial Accounts security group and update your account.
5. To reflect the changes in the security token return to the Woodgrove application, sign-out and sign-in again with the same account.
6. Now that you are a member of the Commercial Accounts security group, some of the items have a discount.
7. If you select your name from the header, it shows the content of the access token issued by Microsoft Entra ID for customers that was returned to the application. It should contain the groups claims. This demo application checks the claim’s value and gives you the discounts.

Start the use case

Collect user attributes during sign-up

User attributes are values collected from the user during self-service sign-up. In the user flow settings, you can select from a set of built-in user attributes you want to collect from customers. The customer enters the information on the sign-up page, and it's stored with their profile in your directory. If you want to collect information beyond the built-in attributes, you can create custom user attributes and add them to your sign-up user flow. This demo shows the use of built-in attribute and custom attribute called special diet. To start the demo:

1. Select the start the use case button at the bottom of this page.
2. Sign-up with your email, or a social account. Important: this flow requires that you register a new account. If you already have an account, you should first delete it.
3. After you validate your email, or sign-in with your social account, complete the registration by providing your details. The special diet is a custom attribute you can provide. For the demo enter, Egg allergy This attribute will be included in the security token that return to the Woodgrove application.
4. Select next to create a Woodgrove online identity.
5. After you successfully sign-in, in the home page, the Eggs product shows the allergy warning.

Show block page response

This demo uses the same custom authentication extensions as described above. If you enter a city name block and select next, instead of returning an error message for the city, the user is denied and shouldn't be allowed to request approval again.

Start the use case

Input constrained devices (Kiosk)

Input-constrained devices are devices that their screen or monitor is limited to text-only and they don't have a web browser. For example, smart TV, IoT device, robot, gaming console, printers. Or applications with limited user interface, such as a command line application.
 
These devices are connected to the internet, but due to the input constrains, the authentication should be done on another device. The input constrained device gets a device code from Microsoft Entra ID for customers and asks the user to visit a webpage in a browser on a second (rich device), such as smartphone, tablets, or PCs.
 
In this use case, from the Kiosk page select sign-in. Use the second device, such as smartphone and scan the QR code. On the sign-in page enters the device code, and completes the sign-in. Once you signed in, the Kiosk (input-constrained device) is able to get security tokens and authenticate you. Your name should be presented on the top-right corner of the page.

Start the use case

Finance

The Woodgrove Bank demo application illustrates the sign-up and sign-in authentication experiences for financial scenarios. It also demonstrates the SAML protocol federation with Microsoft Entra External ID for customers.

Start the use case

Edit your account

Profile editing policy lets you manage you profile attributes, like display name, su r name, given name, city, and others. After you update your profile, sign-out and sign-in again.

Edit your account

Delete your account

If you would like to delete your account and personal information, visit the delete my account page. You won't be able to reactivate your account. In a couple of minutes you will be able to sign-up again with the same credentials.

Delete your account