Entra External ID
Service 33

Identity

Microsoft Entra External ID is Microsoft's customer identity and access management (CIAM) service: sign-up, sign-in, and federation for the people outside your organization who use your applications. It is the successor to Azure AD B2C, which is being retired, and it also carries forward Azure AD B2B collaboration (guest access for partners) under the same product name. For consumer and partner-facing apps it provides a dedicated external tenant with social logins, custom-branded flows, and self-service account management, kept separate from your workforce directory.

The point of a dedicated customer-identity service is that boundary. Customer accounts have different lifecycles, scale, and trust from employees, and mixing millions of consumer identities into the corporate tenant blurs the security model. External ID keeps customer identity where it belongs — outside the perimeter that governs your staff.

Customer Identity

External ID manages the identities of people outside your organization — the users of a consumer app, a partner portal, or a B2B SaaS product. They self-register, manage their own profiles and passwords, and authenticate through flows you control. This is customer identity and access management (CIAM), a distinct discipline from workforce identity.

Sign-Up and Sign-In Flows

You define the user journeys (in an external tenant these are configured as user flows): what a sign-up collects, how sign-in works, what consent is shown, and you brand them to look like your application rather than a Microsoft page. The flows are configured rather than coded, so the application delegates the security-sensitive parts of identity, credential storage, password reset, MFA, and federation, to the platform. What the application keeps is the relying-party job: validating the tokens External ID issues and authorizing on their claims.

Identity Providers

External ID federates with social and external identity providers — Google, Facebook, Apple, and others — and with partner organizations' directories, so customers sign in with an account they already have. Supporting the identity providers your users prefer reduces sign-up friction while still centralizing the resulting identity in your tenant.

Separation from Workforce

For customer-facing apps, External ID uses an external tenant, a tenant type distinct from the workforce Entra ID tenant, so customer accounts never appear alongside employees and the two have independent policy, scale, and administration. This separation is the security advantage: a compromised customer account or a permissive customer sign-up policy has no path into the workforce tenant, and each directory is governed on its own terms. B2B collaboration guests are the exception to keep in mind: they are invited into the workforce tenant, so partner users who need access to internal resources still land inside that boundary and must be governed by the workforce tenant's Conditional Access and lifecycle controls.
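Configurable flows hand the hard parts to the platform, but the application is still the relying party: unless it pins the tokens it accepts to the one external tenant it trusts, the tenant boundary described above exists only on Microsoft's side. The following is an added example, not code from the page or from Microsoft, of the claim checks a customer-facing service should make after verifying a token's signature against the external tenant's JWKS. The tenant and client IDs are placeholders; the issuer and OIDC metadata URL formats are assumptions about current external-tenant tokens, so confirm them against the `issuer` value in your own tenant's metadata document.

```python
"""Issuer and audience pinning for tokens from an Entra External ID external tenant.

Added example (not from the page or from Microsoft). It checks the claims of a
token whose signature the caller has ALREADY verified against the external
tenant's JWKS, and rejects anything not issued by the one external tenant the
application trusts. Signature verification itself is not shown.
"""
import time
from typing import Optional, Tuple

# Placeholder identifiers (assumptions, not a real tenant or app).
EXTERNAL_TENANT_ID = "11111111-1111-1111-1111-111111111111"
EXTERNAL_TENANT_SUBDOMAIN = "contoso-customers"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
CLOCK_SKEW_SECONDS = 60


def external_tenant_issuer(tenant_id: str) -> str:
    """Issuer string external-tenant tokens carry (assumed format; confirm it
    against the `issuer` value of your tenant's OIDC metadata document)."""
    return f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0"


def oidc_metadata_url(subdomain: str, tenant_id: str) -> str:
    """Where the relying party reads `issuer` and `jwks_uri` for the external
    tenant (assumed URL shape; check it against your tenant)."""
    return (f"https://{subdomain}.ciamlogin.com/{tenant_id}/v2.0/"
            ".well-known/openid-configuration")


def check_claims(claims: dict, tenant_id: str = EXTERNAL_TENANT_ID,
                 client_id: str = CLIENT_ID,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a signature-verified token's claims."""
    now = time.time() if now is None else now

    # Pin the issuer to the one external tenant. A workforce-tenant token
    # (login.microsoftonline.com issuer), a token from some other external
    # tenant, or anything minted under a "common" authority fails here.
    if claims.get("iss") != external_tenant_issuer(tenant_id):
        return False, "issuer is not the trusted external tenant"
    if claims.get("tid") != tenant_id:
        return False, "tid does not match the trusted external tenant"

    # The token must be addressed to this application; aud may be a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "token was not issued for this application"

    # Time window with a small skew allowance; a missing exp counts as expired.
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        return False, "token expired"
    if claims.get("nbf", 0) - CLOCK_SKEW_SECONDS > now:
        return False, "token not yet valid"
    return True, "ok"


# Constructed sample claim sets for demonstration (not real tokens).
NOW = 1_700_000_000
GOOD_CLAIMS = {
    "iss": external_tenant_issuer(EXTERNAL_TENANT_ID),
    "tid": EXTERNAL_TENANT_ID,
    "aud": CLIENT_ID,
    "sub": "customer-0001",
    "exp": NOW + 3600,
    "nbf": NOW - 60,
}
WORKFORCE_TENANT_ID = "33333333-3333-3333-3333-333333333333"
WORKFORCE_CLAIMS = {
    # Token from the corporate (workforce) tenant; must not be accepted here.
    "iss": f"https://login.microsoftonline.com/{WORKFORCE_TENANT_ID}/v2.0",
    "tid": WORKFORCE_TENANT_ID,
    "aud": CLIENT_ID,
    "sub": "employee-0001",
    "exp": NOW + 3600,
    "nbf": NOW - 60,
}

if __name__ == "__main__":
    for name, claims in (("external", GOOD_CLAIMS), ("workforce", WORKFORCE_CLAIMS)):
        print(name, check_claims(claims, now=NOW))
```

Pinning `iss` and `tid` to an explicit tenant, rather than accepting any Microsoft issuer, is what makes the customer/workforce boundary real on the application side. A product that serves several external tenants should keep an allowlist of tenant IDs and run the same check against each, never a wildcard.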

Entra External ID vs Microsoft Entra ID

Entra External ID — Customer and partner identity — self-service sign-up, social logins, custom branding, in a dedicated external tenant. For the external users of your apps.

Microsoft Entra ID — Workforce identity — employees and internal apps, with Conditional Access and PIM. For the people inside your organization.

Common Mistakes

  • Putting customer identities in the workforce tenant instead of an External ID external tenant, mixing two populations with different trust and lifecycles.
  • Building custom authentication code instead of using External ID's configurable flows, taking on the security burden of identity yourself.
  • Ignoring the social and external identity providers customers already use, adding sign-up friction that costs conversions.
  • Leaving sign-up flows unbranded so users land on a generic page that looks unrelated to the application.
  • Failing to apply MFA and risk controls to customer accounts, treating consumer identity as lower-stakes than it is.
  • Treating External ID as identical to the retiring Azure AD B2C without checking the current capabilities and migration path.

Best Practices

  • Use Entra External ID for customer and partner identity, keeping it in an external tenant separate from the workforce directory.
  • Configure sign-up and sign-in flows rather than writing authentication code, and validate the issued tokens against that one external tenant.
  • Offer the social and external identity providers your users already have to cut sign-up friction.
  • Brand the flows so they look like the application, not a generic provider page.
  • Apply MFA and risk-based controls to customer accounts, not just employee ones.
  • Plan migrations from Azure AD B2C against the current External ID capabilities.

Comparable services: AWS Cognito, GCP Identity Platform

Knowledge Check

Why use Entra External ID instead of the workforce Entra ID tenant for customers?

  • It keeps customer identities in a separate tenant with independent policy, scale, and administration from employees
  • It is the only Azure tenant type anywhere that supports enabling multi-factor authentication for its enrolled users
  • Workforce Entra ID cannot host more than a few thousand customer accounts before hitting a hard ceiling
  • It is strictly required in order to register and publish internal line-of-business applications for employee use

What is the advantage of federating with social identity providers in a customer app?

  • Customers sign in with accounts they already have, cutting sign-up friction
  • It removes the need for any MFA or risk-based controls on customer accounts entirely
  • It permanently moves the federated customer identities into the workforce employee tenant
  • It disables all custom company branding on the hosted sign-in pages

What is Entra External ID the successor to?

  • Azure AD B2C
  • Azure Active Directory Domain Services
  • Active Directory Federation Services
  • Microsoft Entra Permissions Management
