Microsoft Entra External ID offers solutions that let you quickly add intuitive, user-friendly sign-up and sign-in experiences to your customer apps.
The Woodgrove Groceries live demo illustrates several of the most common authentication experiences that can be configured for your consumer-facing apps.
The online retail use case is an end-to-end demonstration that illustrates several of the most common authentication experiences that can be configured for your customer-facing apps. To run the use case, follow these steps:
You can create a custom look and feel for users signing in to your apps. With these settings, you can add your own background images, colors, company logos, and text to customize the sign-in experiences across your apps, so that the sign-in page blends seamlessly into the Woodgrove applications' look and feel. For more information, learn how to customize the neutral branding in your customer tenant.
The custom URL domain provides a more seamless user experience. From the user's perspective, they remain in your domain during the sign-in process rather than being redirected to the Microsoft Entra External ID default domain {tenant-name}.ciamlogin.com. Note that this feature is currently in private preview and is limited to sign-in with local accounts. Social accounts such as Google or Facebook are not yet supported.
The custom email allows you to send customized emails to users who sign up, reset their password, sign in with email and one-time passcode, or use email multifactor authentication (MFA).
You can create a personalized sign-in experience for users who sign in using a specific browser language by customizing the branding elements for that browser language. This customization overrides any configurations made to the default branding. For more information, learn how to customize the language of the authentication experience.
During the sign-up or sign-in flow, the user's language is dictated by their browser's settings. Applications can pass the ui_locales and mkt parameters to request a specific language.
Self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. For more information, learn how to enable self-service password reset.
Before you start, make sure you've created an account with Woodgrove Groceries using the "Sign-up or sign-in with email and password" flow.
Users can sign in with their existing social accounts, without having to create a new account. For more information, learn how to add Google and Facebook identity providers.
During sign-in, an application may target a specific user. When targeting a user, an application can specify the 'login_hint' query parameter with the user's sign-in name in the authorization request. Microsoft Entra External ID automatically populates the sign-in name, and the user only needs to provide the password.
In an "act as" or "delegation" scenario, a signed-in user (the agent, also called the delegate) acts on behalf of another user (the principal). For instance, in a corporate context, an executive assistant (the agent) may need to approve expenses on behalf of the chief financial officer (the principal). Another example is helpdesk personnel (the agent) performing actions on behalf of a customer (the principal).
In these cases, the agent is provided with a security token that permits them to act as the principal. To obtain this token, the principal must first approve it. Upon receiving approval, the agent may request a new security token that includes the act_as claim with the value specifying the name or ID of the principal (the chief financial officer or customer).
The application uses the act_as claim to operate on behalf of the principal. To start the demo:
Email with one-time passcode is an option in your local account identity provider settings. With this option, the customer signs in with a temporary passcode instead of a stored password each time they sign in.
Microsoft Entra Conditional Access brings signals together to make decisions and enforce security policies. Multifactor authentication (MFA) protects customers' identities by prompting them for a second verification method. For more information, learn how to add MFA.
In this demo, a Conditional Access policy targeted at all users prompts for MFA when the sign-in risk level is medium or high.
Applications registered in a Microsoft Entra tenant are, by default, available to all users of the tenant who authenticate successfully. You can configure your application to be restricted to a certain set of users or apps.
In this demo, only selected users (Woodgrove partners) can sign in to the Woodgrove partners portal. Other users are not allowed to sign in.
Note that in this demo you can't assign yourself to the Woodgrove partners portal app. If you are interested in app assignment, check out the role-based access control demo.
Use the Microsoft Entra Conditional Access engine's authentication context to trigger a demand for step-up authentication from within your application.
This demo allows customers to access the app and purchase items. However, a risky action requires step-up: for example, when a Woodgrove customer finishes shopping and proceeds to the checkout, and the sum of the items in the shopping cart is higher than usual, the customer is required to sign in with a strong authentication factor.
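The checkout rule described above, written out as an added example (not Woodgrove's own code). The cart threshold, the authentication context id "c1" and the token claim shape are assumptions; Conditional Access authentication contexts appear in the access token as the "acrs" claim, and an API asks for one by returning a claims challenge.

```python
# Added example (not Woodgrove's code): server-side step-up check for checkout.
# Threshold and context id are assumptions; a real API reads them from config.
import base64
import json

HIGH_VALUE_THRESHOLD = 100.0   # assumed "higher than usual" cart total
STEP_UP_CONTEXT_ID = "c1"      # assumed auth context id created in the Entra admin center


def claims_challenge(context_id: str) -> str:
    """JSON the client sends back in the 'claims' parameter of a new
    authorization request so Conditional Access applies the auth context."""
    return json.dumps({"access_token": {"acrs": {"essential": True, "value": context_id}}})


def www_authenticate(challenge: str) -> str:
    """Header value returned with HTTP 401 (claims-challenge convention)."""
    encoded = base64.b64encode(challenge.encode()).decode()
    return f'Bearer error="insufficient_claims", claims="{encoded}"'


def checkout_decision(cart_total: float, token_claims: dict):
    """Return ("ok", None) when the purchase may proceed, or
    ("step_up", header) when the caller must re-authenticate strongly.
    token_claims must come from an already validated access token."""
    if cart_total <= HIGH_VALUE_THRESHOLD:
        return "ok", None
    # acrs lists the authentication contexts satisfied during this sign-in.
    if STEP_UP_CONTEXT_ID in token_claims.get("acrs", []):
        return "ok", None
    return "step_up", www_authenticate(claims_challenge(STEP_UP_CONTEXT_ID))
```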
Application filters for Conditional Access allow you to tag your application with custom attributes. These custom attributes are then referenced in your Conditional Access policies. Filters for applications are evaluated at token issuance time.
In this demo, a Conditional Access policy blocks access to all applications tagged as BlockGuestsUsers.
When users authenticate to your application with Microsoft Entra External ID, a security token is returned to your application. The security token contains claims that are statements about the user, such as name, unique identifier, or application roles. Beyond the default set of claims contained in the security token, you can add more claims.
This demo shows how to add additional attributes to the access and ID tokens.
When users authenticate to your application with Microsoft Entra External ID, a security token is returned to your application. The security token contains claims that are statements about the user, such as name, unique identifier, or application roles. Beyond the default set of claims contained in the security token, you can add custom claims from external systems using a REST API you develop. For more information, learn how to configure a custom claim provider token issuance event.
The on-behalf-of (OBO) flow describes the scenario of a web API using an identity other than its own to call another downstream web API. For the middle-tier web API to make authenticated requests to the downstream web API, it needs a token with a different audience and another set of scopes (permissions). For more information, see Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.
This demo shows how the Account web API makes authenticated requests to a downstream Payment web API. To call the Payment web API, the Account web API acquires an access token for the Payment web API (audience, or aud claim) with the set of scopes (permissions) required by the Payment web API.
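The exchange the middle-tier Account API performs, as an added example that is not the Woodgrove Account or Payment API code. The client id, secret, scope and the sample token are constructed placeholders; decode_claims reads the payload without checking a signature, which a real API must do (through its auth library) before exchanging any token.

```python
# Added example (not Woodgrove code): on-behalf-of token request built by the
# middle-tier Account API. All ids, secrets and scopes are placeholders.
import base64
import json
from urllib.parse import urlencode, parse_qs

ACCOUNT_API_APP_ID = "11111111-1111-1111-1111-111111111111"   # placeholder
ACCOUNT_API_SECRET = "placeholder-client-secret"
PAYMENT_API_SCOPE = "api://22222222-2222-2222-2222-222222222222/Payment.Write"  # placeholder
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped token used only to drive this example."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Payload only; no signature validation (that belongs to the auth library)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def obo_request_body(incoming_token: str) -> str:
    """Form body for the /oauth2/v2.0/token endpoint. The token the Account API
    received becomes the assertion; the scope names the downstream Payment API,
    so the new token carries the Payment API's aud and its scopes."""
    claims = decode_claims(incoming_token)
    if claims.get("aud") != ACCOUNT_API_APP_ID:
        # Never exchange a token that was not issued to this API: it could be a
        # token for another resource replayed against the middle tier.
        raise ValueError("token audience is not the Account API")
    return urlencode({
        "grant_type": OBO_GRANT,
        "client_id": ACCOUNT_API_APP_ID,
        "client_secret": ACCOUNT_API_SECRET,
        "assertion": incoming_token,
        "scope": PAYMENT_API_SCOPE,
        "requested_token_use": "on_behalf_of",
    })
```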
The custom authentication extension supports the on attribute collection start event. This event occurs at the beginning of the attribute collection step, before the attribute collection page renders. You can add actions such as prefilling values and displaying a blocking error. This demo shows how to prepopulate some of the values, including preselecting the country attribute as Spain and generating and setting the value of the promo code attribute.
To start the demo:
The custom authentication extension supports the on attribute collection submit event. This event allows you to perform validation on attributes collected from the user during sign-up. This demo validates the city name against a list of cities and countries compiled in the Woodgrove custom authentication extension REST API.
The custom authentication extension supports the on attribute collection submit event. This event allows you to modify and override attributes provided by the user. This example shows how to modify the display name and the name of the city.
The custom authentication extension supports the on attribute collection submit event. This event allows you to block the user from continuing the sign-up process. For example, you could use an identity verification service or external identity data source to verify the user's email address. This demo uses the on attribute collection submit event to check the value of the city attribute and block the process.
Role-based access control is a popular mechanism to enforce authorization in applications. It helps you manage who has access to your application and what they can do in the application. In this demo, you assign yourself to application roles, which are automatically approved.
To start the demo:
Group-based access control is a popular mechanism to enforce authorization in applications. It helps you manage who has access to your application and what they can do in the application. You can also alter the UI based on the user's membership.
In this demo, you add yourself to the Commercial Accounts security group and you will get a discount on some of the products.
User attributes are values collected from the user during self-service sign-up. In the user flow settings, you can select from a set of built-in user attributes you want to collect from customers. You can also create custom user attributes and add them to your sign-up user flow. For more information, learn how to collect user attributes during sign-up.
On the sign-up page the user enters the information, and it's stored with their profile in your directory.
This demo shows the use of built-in attributes and a custom attribute called special diet. To start the demo:
Microsoft Entra External ID allows applications to start the authorization request with the sign-up flow (using the 'prompt=create' query parameter). You can also provide an email address (using the 'login_hint' query parameter). If provided, Microsoft Entra External ID automatically populates the sign-up email address, and the user only needs to validate their email address and enter their profile attributes. Make sure there is no such account in the directory.
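The login_hint sign-in request described earlier and the prompt=create sign-up request described here, built as an added example (not the Woodgrove demo's code). The tenant name, client id and redirect URI are constructed placeholders, and the authority format is an assumption.

```python
# Added example (not Woodgrove code): authorization requests with login_hint
# and prompt=create for an External ID tenant. All ids and URLs are placeholders.
from urllib.parse import urlencode, urlparse, parse_qs

TENANT = "woodgrove-placeholder"        # your customer tenant name (placeholder)
AUTHORITY = f"https://{TENANT}.ciamlogin.com/{TENANT}.onmicrosoft.com"  # assumed format
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) id
REDIRECT_URI = "https://localhost:5001/signin-oidc"  # placeholder


def build_authorize_url(login_hint=None, sign_up=False, scope="openid profile"):
    """Authorization-code request. login_hint pre-populates the user's sign-in
    (or sign-up) name; prompt=create starts the sign-up flow instead of sign-in."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "response_mode": "query",
    }
    if sign_up:
        params["prompt"] = "create"
    if login_hint:
        params["login_hint"] = login_hint
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def request_params(url):
    """Decode the query string back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def identity_from_token(login_hint, token_claims):
    """login_hint is only a convenience for the user; the identity the app acts
    on must come from the validated token. Returns the token's user name and
    whether it matches the hint the app sent (a mismatch is worth logging)."""
    name = token_claims.get("preferred_username") or token_claims.get("email")
    return name, (name is not None and name.lower() == (login_hint or "").lower())
```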
Terms of use, also known as terms and conditions or terms of service, are rules, specifications, and requirements for the use of your app. Microsoft Entra External ID allows you to add a custom attribute (of type Boolean) to the sign-up page. Before completing the sign-up, users should read and accept your policies. For more information, learn how to collect user attributes during sign-up and configure a single-select checkbox.
This demo shows how to add links to terms of use and privacy policies. To start the demo:
Single sign-on (SSO) adds security and convenience when users sign-in across multiple applications in Microsoft Entra ID. With single sign-on, users sign-in once with a single account and get access to multiple applications. When the user initially signs-in to an application, Microsoft Entra ID initiates a single sign-on session. Upon subsequent authentication requests, Microsoft Entra ID validates the session, and issues a security token without prompting the user to sign in again.
For tests only! You can specify the lifetime of an access token, ID token, or SAML token issued by Microsoft Entra ID. You can set token lifetimes for all apps in your tenant, or for service principals. You cannot set token lifetime policies for refresh tokens and session tokens.
You can force the user to enter their credentials on a sign-in request, negating the single sign-on session. To do so, select the start the use case button at the bottom of this page.
Input-constrained devices are devices whose screen or monitor is limited to text only and that don't have a web browser, for example smart TVs, IoT devices, robots, gaming consoles, and printers, or applications with a limited user interface, such as a command line application.
These devices are connected to the internet, but because of their input constraints, authentication should be done on another device. The input-constrained device gets a device code from Microsoft Entra External ID and asks the user to visit a webpage in a browser on a second (rich) device, such as a smartphone, tablet, or PC.
In this use case, from the Kiosk page select sign-in. Use a second device, such as a smartphone, and scan the QR code. On the sign-in page, enter the device code and complete the sign-in. Once you have signed in, the Kiosk (input-constrained device) is able to get security tokens and authenticate you. Your name should be presented in the top-right corner of the page.
The Woodgrove Bank demo application illustrates the sign-up and sign-in authentication experiences for financial scenarios. It also demonstrates the SAML protocol federation with Microsoft Entra External ID.
Profile editing lets you manage your profile attributes, like display name, surname, given name, city, and others.
If you would like to delete your account and personal information, visit the delete my account page. You won't be able to reactivate your account. In a couple of minutes you will be able to sign up again with the same credentials.
Disabling an account can be a critical step for businesses in managing their security and operational efficiency. When an account is disabled, it prevents unauthorized access to your application. This demo allows you to disable your account. Keep in mind that you will not be able to sign in and enable your account again. Therefore, use a temporary email for this use case.
Find information about your last activity, including when your account was created, the last time you signed in, and the last time you reset your password.
User insights provides data analytics into user activity and engagement for your registered applications within your customer tenant. Use Microsoft Graph and the Microsoft Entra Admin Center to view, query and analyze user activity data. For more information, learn how to gain insights into your app users' activity.
This demo uses the Microsoft Graph API to query the usage and insights (daily and monthly) to uncover valuable insights that can aid strategic decisions and drive business growth.
Microsoft Entra ID emits sign-in logs containing activity information. Each sign-in attempt contains details associated with three main components: Who, the identity (User) doing the sign-in; How, the client (Application) used for the access; and What, the target (Resource) accessed by the identity.
You can use the sign-in logs to answer questions such as: How many users signed in to a particular application this week? How many failed sign-in attempts occurred in the last 24 hours? Are users signing in from specific browsers or operating systems?
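The three questions above answered over sign-in records, as an added example (not Woodgrove's code). The records follow the field names of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, createdDateTime, status.errorCode, deviceDetail), and the records and the reference time are constructed sample data.

```python
# Added example (not Woodgrove code): answer the Who/How/What questions over
# sign-in records shaped like the Graph signIn resource. Sample data is constructed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)   # constructed "current" time


def signin(user, app, when, error_code, browser, os_name):
    return {"userPrincipalName": user, "appDisplayName": app, "createdDateTime": when,
            "status": {"errorCode": error_code},
            "deviceDetail": {"browser": browser, "operatingSystem": os_name}}


SIGN_INS = [  # constructed sample; errorCode 0 means the sign-in succeeded
    signin("alice@example.com", "Woodgrove Groceries", "2024-05-09T08:15:00Z", 0, "Edge 124", "Windows 11"),
    signin("bob@example.com", "Woodgrove Groceries", "2024-05-08T19:02:00Z", 0, "Safari 17", "iOS 17"),
    signin("alice@example.com", "Woodgrove Groceries", "2024-05-10T09:40:00Z", 0, "Edge 124", "Windows 11"),
    signin("carol@example.com", "Woodgrove Bank", "2024-05-10T10:05:00Z", 50126, "Chrome 124", "Android 14"),
    signin("carol@example.com", "Woodgrove Bank", "2024-05-10T10:06:00Z", 0, "Chrome 124", "Android 14"),
    signin("dave@example.com", "Woodgrove Groceries", "2024-05-01T07:00:00Z", 50126, "Chrome 124", "Windows 10"),
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def users_per_app(signins, since):
    """Who + What: distinct users who successfully signed in to each app since `since`."""
    per_app = defaultdict(set)
    for s in signins:
        if parse_time(s["createdDateTime"]) >= since and s["status"]["errorCode"] == 0:
            per_app[s["appDisplayName"]].add(s["userPrincipalName"])
    return {app: len(users) for app, users in per_app.items()}


def failed_count(signins, since):
    """Failed attempts (non-zero errorCode) since `since`."""
    return sum(1 for s in signins
               if parse_time(s["createdDateTime"]) >= since and s["status"]["errorCode"] != 0)


def client_breakdown(signins):
    """How: attempts per (browser, operating system) pair."""
    return Counter((s["deviceDetail"]["browser"], s["deviceDetail"]["operatingSystem"])
                   for s in signins)
```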
Microsoft Graph PowerShell is a robust solution for automating tasks, executing batch operations, and maintaining and ensuring consistency across different stages such as test, preproduction, and production environments. With GitHub workflows you can automate a process that runs one or more jobs.
Both accelerate and stabilize the deployment process to Microsoft Entra External ID. This leads to a significant reduction in integration issues, faster release cycles, enhanced change management, and the consistency that is crucial for maintaining data integrity and smooth, seamless deployment during updates and modifications.