Online retail use case
Microsoft Entra ID for customers offers solutions that let you quickly add
intuitive, user-friendly sign-up and sign-in experiences to your customer apps. The
Woodgrove Groceries demo environment illustrates several of the most common
authentication experiences that can be configured for your customer-facing apps. This
example illustrates the most common use case, including the following features:
Sign-up or sign-in with email and password
Create a new Woodgrove account
- Select the start the use case button at the bottom of this page.
- From the sign-in page select No account? Create one.
- Enter your email address, which will be verified and become your login ID.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page, enter the verification code and select next.
- After the email is verified, enter a password, re-enter the password,
and enter your account details.
- Select next to complete the registration.
Sign-in with your email and password
- Select the start the use case button at the bottom of this page.
- On the sign-in page, enter your email, and select next.
- Enter your password and select sign in.
Forgot your password?
- On the sign-in page, enter your email, and select next.
- Select the Forgot password? link.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page, enter the verification code and select next.
- After the email is verified, enter a password, re-enter the password, and
select next to update your password.
Company branding
You can create a custom look and feel for users signing in to your apps.
With these settings, you can add your own background images, colors, company logos, and text to
customize the sign-in experiences across your apps, so that the sign-in page blends seamlessly
into the Woodgrove applications' look and feel.
For more information, learn how
to customize the neutral branding in your customer tenant.
- Select the start the use case button at the bottom of this page.
- On the sign-in page, look at the header, the header logo, the banner logo, the title,
the buttons, and the background image, which are all customized.
- The sign-in text appears with some guidance for the users.
- The footer contains links to the terms of use and privacy policies. Both the links and the text
can be customized.
- All text on the screen can be localized.
Self-service password reset
Self-service password reset (SSPR) gives users the ability to change or reset their
password, with no administrator or help desk involvement. If a user's account is locked
or they forget their password, they can follow prompts to unblock themselves and get
back to work. For more information, learn
how to enable self-service password reset.
Before you start, make sure you've created an account
with Woodgrove Groceries using the Sign-up or sign-in with email
and password flow.
- Select the start the use case button at the bottom of this page.
- On the sign-in page, enter your email, and select next.
- Select the Forgot password? link.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page, enter the verification code and select next.
- After your email is verified, enter a password, re-enter the password, and
select next to update your password.
Sign-in with social accounts
Users can sign in with their existing social accounts, without having to create a
new account. For more information, learn how to add Google
and Facebook
identity providers.
- Select the start the use case button at the bottom of this page.
- From the sign-in page, select Google. You will be redirected to the Google
sign-in page.
- If asked, consent to grant the permissions that Microsoft Entra External ID is requesting.
- Upon first sign-in, complete the registration by entering your account details.
- Select next to create the Woodgrove account.
Sign-up with email one-time passcode
Email with one-time passcode is an option in your local account identity provider settings.
With this option, the customer signs in with a temporary passcode instead of a stored password
each time they sign in.
Create a new Woodgrove account
- Select the start the use case button at the bottom of this page.
- From the sign-in page select No account? Create one.
- Enter your email address, which will be verified and become your login ID.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page, enter the verification code and select next.
- After the email is verified, enter your account details.
- Select next to complete the registration.
Sign-in with your email
- Select the start the use case button at the bottom of this page.
- On the sign-in page, enter your email, and select next.
- Open your mailbox and copy the verification code sent to you. Then, on the sign-in
page, enter the verification code and select next.
Sign-in with multi-factor authentication (email)
Multifactor authentication (MFA) adds a layer of security to your customer-facing
applications.
With MFA, customers are prompted for a one-time passcode in addition to their username
and password when they sign up or sign in to your app.
This demo shows how to enforce MFA for your customers when they sign up or sign in with email
and password.
After you successfully authenticate, complete the MFA step.
Add claims to security tokens from a REST API
When users authenticate to your application with Microsoft Entra ID for customers, a security
token is returned to your application. The security token contains claims, which are
statements about the user, such as name, unique identifier, or application roles.
Beyond the default set of claims contained in the security token, you can add custom claims
from external systems using a REST API you develop.
For more information, learn
how to configure a custom claim provider token issuance event.
- Select the start the use case button at the bottom of this page.
- Sign up or sign in with your email or a social account.
- From the Woodgrove header, select your name, which will take you to the security
token page.
- The security token page contains the claims returned by Microsoft Entra ID for customers.
Locate the loyaltyNumber, loyaltySince, and loyaltyTier
claims and check their values. These claims were returned by a custom authentication
extension REST API with some random values.
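As an added example (not the Woodgrove demo's own REST API), a handler for the token issuance start event that supplies the three loyalty claims from a lookup keyed by the user's object id. The request and response shapes and the @odata.type strings are my recollection of the Graph schema for custom authentication extensions, not taken from this page, and the loyalty records are constructed:

```python
# Constructed sample data standing in for the demo's "random values", keyed by
# the user's object id (immutable), never by email (re-verifiable, changeable).
LOYALTY_RECORDS = {
    "00000000-0000-0000-0000-000000000001": {
        "loyaltyNumber": "WG-000123",
        "loyaltySince": "2019-04-02",
        "loyaltyTier": "Gold",
    },
}

# @odata.type strings as I recall them from the Graph schema (assumption).
TOKEN_ISSUANCE_RESPONSE = "microsoft.graph.onTokenIssuanceStartResponseData"
PROVIDE_CLAIMS = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"


def handle_token_issuance_start(event: dict) -> dict:
    """Return the action that adds loyalty claims to the token being issued.

    Entra has already authenticated the user; this API only enriches the token.
    Whatever it returns becomes a signed statement about the user, so it must
    not be reachable anonymously and must only echo data from its own records.
    """
    user = event["data"]["authenticationContext"]["user"]  # assumed request shape
    record = LOYALTY_RECORDS.get(user["id"])
    if record is None:
        # Unknown users get no loyalty claims; the token still issues and the
        # consuming app should treat a missing claim as "no tier".
        claims = {}
    else:
        claims = {k: str(v) for k, v in record.items()}  # claim values are strings
    return {
        "data": {
            "@odata.type": TOKEN_ISSUANCE_RESPONSE,
            "actions": [{"@odata.type": PROVIDE_CLAIMS, "claims": claims}],
        }
    }


def claims_for(user_id: str) -> dict:
    """Convenience wrapper: the claims the handler would add for one user id."""
    event = {"data": {"authenticationContext": {"user": {"id": user_id}}}}
    return handle_token_issuance_start(event)["data"]["actions"][0]["claims"]
```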
Prepopulate sign-up attributes
The custom authentication extension supports the on attribute collection start event. This
event occurs at the beginning of the attribute collection step, before the attribute collection page
renders.
You can add actions such as prefilling values and displaying a blocking error.
For more information, learn how to create
custom authentication extensions for the attribute collection start and submit events.
This demo shows how to prepopulate some of the values, including preselecting Spain for the
country attribute and generating and setting the value of the promo code attribute.
To start the demo:
- Select the start the use case button at the bottom of this page.
- Sign up with your email or a social account. For more information, see Sign-up or sign-in with email
and password. If you already have an account,
delete it.
- After you validate your email, or sign in for the first time with your social account, you will be taken
to the sign-up page.
- On the sign-up page, notice that Spain was selected for you as the country. Also, at the
bottom of the page, you can see that the promo code was generated and entered for you. Both values
were provided by a custom authentication extension.
Validate sign-up attributes
The custom authentication extension supports the on attribute collection submit event. This
event allows you to perform validation on attributes collected from the user during sign-up.
For more information, learn how to create
custom authentication extensions for the attribute collection start and submit events.
This demo validates the city name against a list of cities and countries compiled in the
Woodgrove custom authentication extension REST API.
- Select the start the use case button at the bottom of this page.
- Sign up with your email or a social account. For more information, see Sign-up or sign-in with email
and password. If you already have an account,
delete it.
- After you validate your email, or sign in with your social account, complete the
registration by providing your details.
For the country, leave Spain selected, and for the city enter Berlin (Berlin is
not a city in Spain).
- Select next to create a Woodgrove online identity. You should get an
error message that Woodgrove doesn't operate in this city, because Berlin is a city in Germany,
not in Spain.
- Correct the city name. For example, enter Madrid and try to complete the
registration again. This time you should be able to complete the registration.
Block a user from continuing the sign-up process
The custom authentication extension supports the on attribute collection start and
submit events. These events allow you to
block the user from continuing the sign-up process.
For example, you could use an identity verification service or external identity data source to
verify the user's email address. For more information, learn how to create
custom authentication extensions for the attribute collection start and submit events.
This demo uses the on attribute collection submit event to check the value
of the city attribute and block the process.
- Select the start the use case button at the bottom of this page.
- Sign up with your email or a social account. For more information, see Sign-up or sign-in with email
and password. If you already have an account,
delete it.
- After you validate your email, or sign in with your social account, complete the
registration by providing your details.
- For the city attribute, enter block.
- Select next to try to create a Woodgrove online identity. This time the sign-up
process is canceled altogether.
This is because the custom authentication extension checks the city value. If it contains
block, it returns the show block page action.
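An added example serving the three attribute-collection demos above (prepopulate, validate, block), not the demo's own code: one handler for the start event that prefills Spain and a promo code, and one for the submit event that validates the city against the country list and returns the block page when the city contains "block". The event shapes, the @odata.type strings and the extension_<app-id>_promoCode attribute name are assumptions from the Graph schema as I recall it, and the city list is constructed:

```python
import secrets

# Constructed: cities Woodgrove "operates in", keyed by ISO country code.
SERVICED_CITIES = {"ES": {"madrid", "barcelona", "valencia"}, "DE": {"berlin", "munich"}}
# Response type names as I recall them from the Graph schema (assumption).
START_RESPONSE = "microsoft.graph.onAttributeCollectionStartResponseData"
SUBMIT_RESPONSE = "microsoft.graph.onAttributeCollectionSubmitResponseData"
PROMO_CODE_ATTR = "extension_<app-id>_promoCode"  # placeholder custom-attribute name


def _respond(response_type: str, action_type: str, **fields) -> dict:
    """Wrap a single action in the response envelope Entra expects."""
    action = {"@odata.type": action_type, **fields}
    return {"data": {"@odata.type": response_type, "actions": [action]}}


def handle_attribute_collection_start(event: dict) -> dict:
    """Preselect Spain and generate a promo code before the sign-up page renders."""
    promo = "WG-" + secrets.token_hex(4).upper()  # unguessable, not sequential
    return _respond(START_RESPONSE, "microsoft.graph.attributeCollectionStart.setPrefillValues",
                    inputs={"country": "ES", PROMO_CODE_ATTR: promo})


def handle_attribute_collection_submit(event: dict) -> dict:
    """Server-side validation: the page's own checks can be bypassed by the client."""
    attrs = event["data"]["userSignUpInfo"]["attributes"]  # assumed request shape
    city = attrs.get("city", {}).get("value", "").strip()
    country = attrs.get("country", {}).get("value", "")
    if "block" in city.lower():
        # The demo's sentinel; a real check would call an identity verification service.
        return _respond(SUBMIT_RESPONSE, "microsoft.graph.attributeCollectionSubmit.showBlockPage",
                        title="Sign-up blocked", message="Woodgrove can't create this account.")
    if city.lower() not in SERVICED_CITIES.get(country, set()):
        return _respond(SUBMIT_RESPONSE, "microsoft.graph.attributeCollectionSubmit.showValidationError",
                        message="Please check the details you entered.",
                        attributeErrors={"city": f"Woodgrove doesn't operate in {city}."})
    return _respond(SUBMIT_RESPONSE, "microsoft.graph.attributeCollectionSubmit.continueWithDefaultBehavior")


def submit_event(city: str, country: str) -> dict:
    """Build a constructed submit event carrying the two attributes this example reads."""
    def attr(value):
        return {"@odata.type": "microsoft.graph.stringDirectoryAttributeValue",
                "attributeType": "builtIn", "value": value}
    return {"data": {"userSignUpInfo": {"attributes": {"city": attr(city), "country": attr(country)}}}}


def action_type(response: dict) -> str:
    """The @odata.type of the single action a handler returned."""
    return response["data"]["actions"][0]["@odata.type"]
```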
Role-based access control
Role-based access control is a popular mechanism to enforce authorization in
applications. It helps you manage who has access to your application and what they can
do in the application.
An application developer defines
the roles for the application. Then these roles can be assigned to
users. In this demo, you assign yourself application roles, and the assignment is approved automatically. For
more information, learn how to use
role-based access control for applications.
To start the demo:
- Select the start the use case button at the bottom of this page.
- Sign up or sign in with your email or a social account.
- From the Woodgrove header, select the profile, which will take you to the edit
profile page.
- On the profile page, add yourself to
the Products.Contributor and Orders.Manager roles.
- To reflect the changes in the security token returned to the Woodgrove application, sign in again
with the same account. You will not be asked to enter your credentials, since you are already signed in
and the SSO feature reuses that session.
- Back in the application, since you have the Orders.Manager role, the Orders button appears in
the header.
- And since you also have the Products.Contributor role,
the Manage products button appears in the header.
Note: if you select your name from the header, it shows the content of the access token
issued by Microsoft Entra ID for customers that was returned to the application.
It should contain the role claims you assigned.
This demo application checks the claims' values and grants access to manage products
and online orders.
Group-based access control
Group-based access control is a popular mechanism to enforce authorization in
applications. It helps you manage who has access to your application and what they can
do in the application. You can also alter the UI based on the user's membership.
For more information, learn how to use
role-based access control for applications.
In this demo, you add yourself to the Commercial Accounts security group and get
discounts on some of the products.
To start the demo:
- Select the start the use case button at the bottom of this page.
- Sign up or sign in with your email or a social account.
- From the Woodgrove header, select the profile, which will take you to the edit
profile page.
- On the profile page you can update your profile data, but you can also add yourself to
the Commercial Accounts security group. By doing so, you will get discounts
on some of the products. Select the Commercial Accounts security group and
update your account.
- To reflect the changes in the security token returned to the Woodgrove application, sign in again
with the same account. You will not be asked to enter your credentials, since you are already signed in
and the SSO feature reuses that session.
- Now that you are a member of the Commercial Accounts security group, some of the
items have a discount.
Note: if you select your name from the header, it shows the content of the access token
issued by Microsoft Entra ID for customers that was returned to the application.
It should contain the groups claim.
This demo application checks the claim's value and gives you the discounts.
Collect user attributes during sign-up
User attributes are values collected from the user during self-service sign-up.
In the user flow settings, you can select from a set of built-in user attributes you
want to collect from customers. You can also create custom
user attributes and add them to your sign-up user flow. For more information, learn
how to collect user attributes during sign-up.
On the sign-up page the user enters the information, and it's stored with their
profile in your directory.
This demo shows the use of built-in attributes and a custom attribute called special
diet. To start the demo:
- Select the start the use case button at the bottom of this page.
- Sign up with your email or a social account. For more information, see Sign-up or sign-in with email
and password. If you already have an account,
delete it.
- After you validate your email, or sign in with your social account, complete the
registration by providing your details.
Special diet is a custom attribute you can provide. For the demo, enter
Egg allergy. This attribute will be included in the security token returned
to the Woodgrove application.
- Select next to create a Woodgrove online identity.
- After you successfully sign in, on the home page the Eggs product will show an
allergy warning.
Single sign-on (SSO)
Single sign-on (SSO) adds security and convenience when users sign in across multiple applications
in Microsoft Entra ID.
With single sign-on, users sign in once with a single account and get access to multiple
applications.
When the user initially signs in to an application, Microsoft Entra ID initiates a single sign-on
session.
Upon subsequent authentication requests, Microsoft Entra ID validates the session and issues a
security token without prompting the user to sign in again.
Follow these steps to check out the SSO feature:
- Start by signing in to this application. You may need to use InPrivate
mode in Microsoft Edge.
- Select the start the use case button at the bottom of this page.
- After you sign in, come back to this dialog page and follow the instructions.
Force sign-in
Single sign-on (SSO) adds security and convenience when users sign in across multiple applications
in Microsoft Entra ID.
With single sign-on, users sign in once with a single account and get access to multiple
applications.
When the user initially signs in to an application, Microsoft Entra ID initiates a single sign-on
session.
Upon subsequent authentication requests, Microsoft Entra ID validates the session and issues a
security token without prompting the user to sign in again.
You can force the user to enter their credentials on a sign-in request, bypassing the single sign-on
session.
To do so, select the start the use case button at the bottom of this page.
Input constrained devices (Kiosk)
Input-constrained devices are devices whose screen or monitor is limited to
text only and that don't have a web browser, for example smart TVs, IoT devices, robots,
gaming consoles, and printers, or applications with a limited user interface, such as a command
line application.
These devices are connected to the internet, but due to the input constraints, the
authentication should be done on another device. The input-constrained device gets a
device code from Microsoft Entra ID for customers and asks the user to visit a webpage in a browser
on a second (rich) device, such as a smartphone, tablet, or PC.
In this use case, from the Kiosk page select sign-in. Use the second device, such as a
smartphone, to scan the QR code. On the sign-in page, enter the device code and
complete the sign-in. Once you have signed in, the Kiosk (input-constrained device) is able
to get security tokens and authenticate you. Your name should be presented in the
top-right corner of the page.
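The device code exchange described above, as an added example that is not part of the demo: a toy in-memory authorization server modelling the RFC 8628 state machine (Entra ID for customers is the real server; the verification URI is a placeholder), with the kiosk's polling and the second device's approval as separate calls so each poll response can be seen:

```python
import secrets

VERIFICATION_URI = "https://<verification-uri-placeholder>"  # real Entra endpoint not shown


class DeviceAuthServer:
    """Constructed in-memory model of the device authorization grant (RFC 8628)."""

    def __init__(self, lifetime: int = 600, interval: int = 5):
        self.lifetime, self.interval, self.pending = lifetime, interval, {}

    def device_authorization(self, client_id: str, now: float) -> dict:
        """Step 1 (kiosk): get a device_code to poll with and a user_code to show or QR-encode."""
        device_code = secrets.token_urlsafe(32)  # high entropy: only the kiosk ever holds it
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # typed by a human
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "expires": now + self.lifetime, "approved_by": None,
                                     "last_poll": float("-inf")}
        return {"device_code": device_code, "user_code": user_code, "expires_in": self.lifetime,
                "interval": self.interval, "verification_uri": VERIFICATION_URI,
                "verification_uri_complete": f"{VERIFICATION_URI}?user_code={user_code}"}

    def approve(self, user_code: str, user_id: str) -> bool:
        """Step 2 (phone): an already signed-in user enters the user_code on the rich device."""
        for entry in self.pending.values():
            if entry["user_code"] == user_code and entry["approved_by"] is None:
                entry["approved_by"] = user_id  # bind the pending grant to this user
                return True
        return False  # short codes are guessable: a real server rate-limits and expires them

    def token(self, device_code: str, now: float) -> dict:
        """Step 3 (kiosk): poll the token endpoint; RFC 8628 error codes until approval."""
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "invalid_grant"}
        if now >= entry["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - entry["last_poll"] < self.interval:
            return {"error": "slow_down"}  # kiosk must back off before polling again
        entry["last_poll"] = now
        if entry["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use: a replayed device_code gets invalid_grant
        return {"token_type": "Bearer", "access_token": f"constructed-token-for-{entry['approved_by']}"}
```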
Finance
The Woodgrove Bank demo
application illustrates the sign-up and sign-in authentication experiences for financial scenarios.
It also demonstrates the SAML protocol federation with Microsoft Entra External ID for customers.
Edit your account
Profile editing lets you manage your profile attributes, like display name, surname, given
name, city, and others. After you update your profile, sign out and
sign in again.
Delete your account
If you would like to delete your account and personal information, visit the delete my
account page. You won't be able to reactivate your account. In a couple of minutes you
will be able to sign up again with the same credentials.
Application user activity insights
User insights provides data analytics into user activity and engagement for your registered
applications within your customer tenant.
Use Microsoft Graph and the Microsoft Entra admin center to view, query, and analyze user activity data.