01 Course Overview

Entra External ID is Microsoft’s next-generation Customer Identity and Access Management (CIAM) solution, giving external users secure access to applications and resources. It supersedes Azure AD B2C by providing a unified platform for CIAM and B2B collaboration. This two-day course covers the fundamentals of Entra External ID that developers and administrators need in order to get started with the latest Microsoft CIAM technology.

02 Key Learning Areas

Attendees will learn the best practices and patterns for architecting identity management solutions with Entra External ID.

  • Core Authentication Concepts
  • What is Entra External ID?
  • The difference between workforce and external tenants
  • How to create and provision an Entra External ID tenant
  • How to use the Get started guide to create a Quickstart application, user flow and client application
  • How to create a sign-up/sign-in user flow from scratch
  • How to add attributes to the sign-up flow and ID token
  • Available local account sign-in options
    • Email with password
    • Email one-time passcode
  • How to allow users to authenticate with social accounts and external identity providers
  • How to configure and use conditional access for Multi-Factor Authentication (MFA)
  • Available MFA options
    • Email with one-time passcode
    • SMS
  • How to extend user flows with custom authentication extensions
  • How to create REST endpoints that can be invoked from Entra External ID user flows
  • How to use Graph API to programmatically access Entra External ID user attributes
  • When and how to use native authentication

03 Course Outline

Entra External ID Introduction
This module covers the fundamentals of getting started with Entra External ID. It discusses the important aspects of an external tenant: how it differs from a workforce tenant, how it is billed to an Azure subscription, how it is created, and how to use the Quickstart guide to create and test a sign-up/sign-in user flow.

  • Core Authentication Concepts
  • What is Entra External ID?
  • External tenant
    • Workforce tenant
    • Pricing
    • Creation
    • App registration
  • Quickstart user flow
    • Creation
    • Adding an application
    • Testing
    • Downloading and running a sample client application

User flows
This module covers in detail the artifacts created by the Quickstart guide introduced in the previous module. It discusses how the App Registration settings are configured, and how user flows can be viewed, associated with an application, and ultimately run. It concludes by showing how to add user attributes to the sign-up flow and the JSON Web Token (JWT), and how to enable self-service password reset (SSPR).

  • Quickstart artifacts
    • App registrations
      • Authentication
      • Redirect URLs
      • Web and SPA settings
    • User flows
      • Viewing
      • Associating with an application
      • Running
      • Adding user attributes
      • Sign-up flow
      • JWT
      • Enabling Self-Service Password Reset (SSPR)

Identity Providers and Multi-Factor Authentication (MFA)
Entra External ID provides a number of different options for authenticating users. This module covers the full range of currently available local account, social account and custom identity provider alternatives provided by Entra External ID. It also covers the details of how to configure conditional access settings to enable MFA as part of the sign-in process.

  • Identity providers
    • Built-in
      • Local accounts
        • Email with password
        • Email one-time passcode
      • Social accounts
        • Google
        • Facebook
        • Apple
    • Custom
      • OIDC
      • SAML/WS-Fed
  • Conditional Access/MFA
    • Email one-time passcode
    • SMS-based authentication

Custom Authentication Extensions
Entra External ID user flows can be extended with custom business logic by providing a REST endpoint that is invoked when one of the built-in authentication events fires. This module discusses the four currently available events, which fire (1) at the beginning of attribute collection, (2) when the attributes have been entered and submitted, (3) when a one-time passcode is sent, and (4) right before the token is issued to the application. It concludes by demonstrating how to create REST endpoints that respond to these events.

  • Built-in authentication events
    • AttributeCollectionStart
    • AttributeCollectionSubmit
    • EmailOtpSend
    • TokenIssuanceStart
  • Creating a REST endpoint for authentication events
    • Azure Function App
      • HTTP trigger function
    • Customizing OTP email messages
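As an added illustration of the TokenIssuanceStart and AttributeCollectionSubmit events above (example code, not from the course or from Microsoft, and written in Python rather than the .NET used elsewhere in the course), the handler below parses a callout body and returns the response document the service expects; the loyalty-tier store, the claim name and the city validation rule are constructed assumptions.

```python
import json
import re

# "type" values Entra External ID sends in a custom authentication extension callout
# for two of the four events the module lists; the other two follow the same pattern.
TOKEN_ISSUANCE_START = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
ATTRIBUTE_COLLECTION_SUBMIT = "microsoft.graph.authenticationEvent.attributeCollectionSubmit"


def lookup_loyalty_tier(user_id: str) -> str:
    """Hypothetical backing store keyed by the user's object id (constructed data)."""
    tiers = {"8b1e0f3c-0000-4000-8000-000000000001": "gold"}
    return tiers.get(user_id, "standard")


def handle_event(body: str) -> dict:
    """Turn one callout body into the response document Entra expects.

    A deployed endpoint must first validate the bearer token Entra sends with the
    callout before trusting the payload; that step is left out so this runs offline.
    """
    event = json.loads(body)
    event_type = event.get("type")
    data = event.get("data", {})

    if event_type == TOKEN_ISSUANCE_START:
        user = data.get("authenticationContext", {}).get("user", {})
        # Enrich the token with a claim sourced from our own store.
        action = {"@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                  "claims": {"loyaltyTier": lookup_loyalty_tier(user.get("id", ""))}}
        return {"data": {"@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
                         "actions": [action]}}

    if event_type == ATTRIBUTE_COLLECTION_SUBMIT:
        attributes = data.get("userSignUpInfo", {}).get("attributes", {})
        errors = {}
        city = attributes.get("city", {}).get("value", "")
        if re.search(r"\d", city):  # server-side check; never rely on the page alone
            errors["city"] = "City cannot contain numbers."
        if errors:
            action = {"@odata.type": "microsoft.graph.attributeCollectionSubmit.showValidationError",
                      "message": "Please fix the errors below to continue.",
                      "attributeErrors": errors}
        else:
            action = {"@odata.type": "microsoft.graph.attributeCollectionSubmit.continueWithDefaultBehavior"}
        return {"data": {"@odata.type": "microsoft.graph.onAttributeCollectionSubmitResponseData",
                         "actions": [action]}}

    # Unknown or malformed event: refuse rather than silently continuing the flow.
    raise ValueError(f"unsupported event type: {event_type!r}")
```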

Graph API
The Graph API allows developers to programmatically manage Entra External ID resources and represents an essential tool for building a real-world Entra External ID application. Since many Entra External ID user attributes cannot be viewed and modified in the Azure portal, one of the most common use cases for the Graph API is to manage extension attributes defined in custom policies. This module demonstrates how to register and write a .NET application that uses the Graph API to perform CRUD operations on the resources in the Entra External ID directory.

  • What is the Graph API?
  • Registering a Graph API management application
  • Writing .NET code that uses the Graph API to perform operations on Entra External ID resources
    • Read
    • Select
    • Page
    • Index
    • Filter
    • Delete
    • Create
    • Update
  • Using the Graph API to manage user attributes

Native authentication
User flows delegate authentication to the browser and redirect back to the application once the user has been authenticated. This approach is the simplest and most secure option but offers limited support for UI customization. In contrast, with native authentication the app maintains full control, allowing for much greater flexibility and a much richer sign-up and sign-in user experience. This module discusses when to use native authentication, the risks of using it, how to enable it, and how to use the native authentication SDKs and APIs to customize the user sign-up and sign-in experience.

  • Native authentication
  • When to use
  • Available features
  • How to enable
  • Risks of enabling
  • How to use the SDKs and APIs

04 Who Benefits

  • Azure administrators and architects responsible for identity and access management.
  • Developers building applications that integrate with Entra External ID for customer or partner authentication.
  • Security engineers configuring conditional access, MFA, and identity provider integrations.
  • IT professionals managing external user directories and sign-up/sign-in experiences.
  • Technical consultants implementing authentication flows and custom extensions in client solutions.
  • DevOps or cloud engineers supporting Azure-based identity solutions at scale.

05 Prerequisites

  • General knowledge of security fundamentals (e.g., authentication and authorization).
  • Prior experience with other CIAM technologies (e.g., Azure AD B2C) is helpful but not required.

Want this course for your team?

Atmosera can provide this course virtually or on-site. Please reach out to discuss your requirements.