
In Azure AD B2C we had the following setup:

  • We configured Entra ID as an identity provider using a multi-tenant app.

  • This allowed any Entra ID user (from any tenant) to log in.

  • After login, we had a technical profile that called an Azure Function. The function would check if the user’s tenant ID was in a list of allowed tenants, and either continue or block the sign-in.

This gave us a nice pattern: users didn’t need an invitation or pre-registration. They just logged in with their Entra ID account, and we handled tenant allow/deny logic ourselves.

Now we are migrating to Azure External ID (customers). What I see is:

  • Users must either be invited first or go through sign-up to create a customer account.

  • There doesn’t seem to be a way to reproduce the “just-in-time” federation flow we had in B2C with Entra ID as IdP.

  • I thought about bypassing this by adding Entra ID as a custom OIDC provider pointing to https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration, but it looks like External ID doesn’t allow Microsoft Entra as a custom OIDC IdP (issuer URI validation blocks it).

Question: Is there any way in Azure External ID (customers) to reproduce the old B2C pattern where any Entra ID user can sign in without invitation or self-service sign-up, and I implement my own logic to restrict tenants (e.g., via API call/claims validation)? Or is this simply not supported in External ID?
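The tenant allow-list check the question describes (a REST API technical profile calling an Azure Function after the Entra ID login) looks roughly like the following. This is an added example, not the asker's code; it assumes the Azure Functions v4 Node programming model, that B2C posts the IdP-issued `tid` claim as JSON in the request body, and that a `409` response with a `userMessage` is how a B2C REST technical profile surfaces a blocking error to the user. The tenant IDs are constructed sample values.

```javascript
// Added example: tenant allow-list check for a B2C REST API technical profile.
// Assumptions: B2C sends the claims it obtained from Entra ID as a JSON body
// (here the "tid" claim), and a 409 with a userMessage blocks the journey.

// Constructed sample allow list of Entra tenant IDs (GUIDs). In a real
// deployment this comes from configuration or a store, never from the request.
const ALLOWED_TENANTS = new Set(
  [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
  ].map((t) => t.toLowerCase())
);

// Strict GUID shape so a malformed or missing tid is rejected before lookup.
const GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Pure decision function: returns the HTTP status and the B2C response body.
// Only the tid that B2C validated from the federated token is trusted; any
// other field in the body is ignored.
function evaluateTenant(claims, allowedTenants = ALLOWED_TENANTS) {
  const tid = typeof claims?.tid === "string" ? claims.tid.trim() : "";

  if (!GUID_RE.test(tid)) {
    return {
      status: 400,
      body: {
        version: "1.0.0",
        status: 400,
        userMessage: "Sign-in request is missing a valid tenant identifier.",
      },
    };
  }

  const normalized = tid.toLowerCase();
  if (!allowedTenants.has(normalized)) {
    // 409 + userMessage: B2C shows the message and stops the user journey.
    return {
      status: 409,
      body: {
        version: "1.0.0",
        status: 409,
        userMessage: "Your organization is not authorized to use this application.",
      },
    };
  }

  // 200: top-level keys become output claims for the technical profile.
  return {
    status: 200,
    body: { version: "1.0.0", tenantId: normalized, tenantAllowed: true },
  };
}

// Azure Functions v4 (Node) HTTP handler. Register it with
// app.http("tenantCheck", { methods: ["POST"], handler: tenantCheckHandler })
// from @azure/functions; the import is omitted so the module runs stand-alone.
async function tenantCheckHandler(request, context) {
  let claims;
  try {
    claims = await request.json();
  } catch {
    claims = {};
  }
  const result = evaluateTenant(claims);
  // Log the decision (not the full body) so denied tenants are auditable.
  context.log(`tenant check tid=${claims?.tid ?? "<none>"} -> ${result.status}`);
  return { status: result.status, jsonBody: result.body };
}
```

The comparison is case-insensitive and exact-match on the GUID; prefix or substring matching would let an unrelated tenant through. Logging the denied `tid` gives a detection signal for repeated sign-in attempts from tenants that were never allowed.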

1 Answer

2

Unfortunately, at this point there is no possibility for such a customization level as you had with Azure AD B2C. I can confirm that currently there is no possibility to add workforce Microsoft Entra ID as a federated provider using OIDC in Microsoft Entra External ID. When I contacted the Microsoft team I was told that this feature should land by the end of this year, but no hard promises. For now you could probably configure federation with SAML, but I haven't tested it.

There is also no possibility at this moment to block the sign-in operation as in the case of Azure AD B2C. Microsoft Entra External ID provides "custom authentication extensions", and one of them is "Token issuance start", but it does not provide an option to block the authentication operation.

Having said all of this, we have to wait for more features to be added to Microsoft Entra External ID to make it more flexible for custom scenarios.
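To make the answer's point concrete, here is the shape of a "Token issuance start" custom authentication extension handler. This is an added example, not the answerer's code: the response contract's only action type is `microsoft.graph.tokenIssuanceStart.provideClaimsForToken`, which adds claims to the token, so the handler can mark a tenant as allowed or not but cannot stop the token from being issued. The `homeTenantId` input attribute and the allow list are assumptions made for illustration; the real event payload does not carry the home tenant under that name.

```javascript
// Added example: onTokenIssuanceStart handler for Entra External ID.
// The response can only supply claims (provideClaimsForToken); there is no
// action that rejects the sign-in, which is the limitation the answer notes.
// Assumption: a hypothetical `homeTenantId` attribute on the user object.

// Constructed sample allow list of home tenant IDs.
const ALLOWED_HOME_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111",
]);

// Builds the response body the custom extension returns to Entra External ID.
function buildTokenIssuanceResponse(event) {
  const homeTenantId = String(
    event?.data?.authenticationContext?.user?.homeTenantId ?? ""
  ).toLowerCase();
  const allowed = ALLOWED_HOME_TENANTS.has(homeTenantId);

  return {
    data: {
      "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
      actions: [
        {
          "@odata.type":
            "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
          // Claim values are strings; the token is issued either way.
          claims: { tenantAllowed: allowed ? "true" : "false", homeTenantId },
        },
      ],
    },
  };
}

// Because issuance cannot be blocked, the check B2C performed before the token
// existed has to move into the relying party: reject any token that does not
// carry tenantAllowed === "true". Treat a missing claim as a denial.
function relyingPartyAccepts(tokenClaims) {
  return tokenClaims?.tenantAllowed === "true";
}
```

The practical consequence is that the trust boundary shifts: with this design the application, not the identity service, is the last line that enforces the tenant restriction, so every protected endpoint must apply `relyingPartyAccepts` (or an equivalent policy) rather than assuming a valid token implies an allowed tenant.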
