Entra External ID for customer access
How Microsoft Entra External ID provides customer-grade identity for Power Pages portals and external Dynamics 365 access — sign-up flows, branding, social identity, and the migration from Azure AD B2C.
For customer-facing portals built on Power Pages — or any scenario where external users need to authenticate to access Dynamics 365 resources — the identity provider is Microsoft Entra External ID. Successor to Azure AD B2C, External ID provides customer-grade identity: branded sign-up flows, social identity, MFA, and the scale to handle millions of consumer users without overloading the workforce-focused Microsoft Entra ID directory.
The model.
External ID is a separate tenant from your workforce Entra ID:
- Workforce tenant — employees, contractors, internal users. The standard Microsoft 365 / Entra ID directory.
- External tenant — customers, partners, citizens. Separated for isolation, scale, and customer-grade flows.
Users in the external tenant don't have Microsoft 365 licenses, internal access, or workforce identity overhead. They exist purely as external identities for accessing customer-facing resources.
Identity providers. External ID accepts identity from multiple sources:
- Email / password — locally-managed accounts.
- Microsoft account — using a personal Microsoft account.
- Google, Facebook, Apple, LinkedIn, Twitter — social identity providers.
- Any OpenID Connect / SAML 2.0 provider — for federated identity from a partner organisation.
Customers sign up with whichever identity works for them; External ID maintains a unified user record.
User flows. A user flow is a configured authentication / registration experience:
- Sign-up and sign-in flow — the most common; users register or sign in.
- Sign-up only — for registration-only scenarios.
- Password reset — self-service password reset.
- Profile editing — let users update their own data.
Each flow has configurable steps — attributes to collect, MFA requirements, consent screens, branding.
Branding. External ID supports per-application branding:
- Custom logo and colours.
- Custom HTML pages for sign-in / sign-up.
- Multi-language support.
- Custom domain (e.g. auth.contoso.com) instead of the Microsoft-default URL.
Customers see a branded experience that feels like part of your product, not a Microsoft service.
MFA. Configurable per user flow:
- Always required — high-security scenarios.
- Conditional — based on risk signals, location, sensitive operations.
- Optional — user can enable.
MFA methods include SMS, email OTP, authenticator apps.
Custom attributes. Beyond standard attributes (email, name), define custom attributes for capture at sign-up:
- Company name.
- Customer reference number.
- Region / language.
- Communication preferences.
- Custom JSON for complex data.
These attributes are stored on the External ID user and flow back to the integrated systems (Power Pages, Dataverse) on authentication.
Custom policies. For advanced scenarios beyond user-flow capability, External ID supports custom policies — XML-based identity orchestration that can include:
- Multi-step verification (email + phone + ID document).
- Integration with external identity verification services.
- Complex conditional logic.
- Custom claims transformation.
Custom policies are powerful but complex; reserve them for genuine business needs.
Integration with Power Pages. Power Pages portals can use External ID as their identity provider:
- In the Power Pages site settings, configure External ID as an authentication provider.
- Map the External ID flow to portal sign-in / sign-up paths.
- Map External ID attributes to Power Pages contact records (Dataverse).
- Portal authenticated sessions get Dataverse-side identity automatically.
The pattern: a customer signs up through External ID; their record creates or matches a Contact in Dataverse; they get portal access scoped to their data.
Migration from Azure AD B2C.
External ID is the modern successor to Azure AD B2C. Microsoft has signaled long-term migration paths:
- B2C tenants continue running.
- New external-identity scenarios should target External ID.
- Migration tools assist moving B2C user populations to External ID.
For existing B2C-based Power Pages or custom-app deployments, gradual migration over months is the typical path.
Pricing. External ID is billed by monthly active user (MAU) — the number of unique external users authenticating in the month. Tiers offer different feature levels and are sized to the expected user scale.
Security and compliance.
- GDPR compliance — External ID handles customer PII with appropriate controls.
- Audit logs — sign-in events, profile changes, MFA events.
- Conditional Access — apply policies based on risk signals.
- Identity Protection — Microsoft detects unusual sign-in patterns.
Common pitfalls.
- B2C used where External ID would suit — older docs still reference B2C; for new builds, prefer External ID.
- Branding skipped — users see "Sign in with Microsoft" branding, which is jarring.
- No MFA on customer access — increases account-takeover risk.
- Attribute structure not thought through — adding attributes after launch is more friction than getting them right upfront.
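An added example (not from the original guide or from Microsoft): one way to combine the sign-in audit events listed under Security and compliance with the "No MFA on customer access" pitfall, flagging accounts that sign in without MFA and those whose single-factor success follows a run of failures. The record shape, field names and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, one JSON object per line. The field names
# (ts, user, result, mfa) are a simplified assumption, not the Entra log schema.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00", "user": "ana@example.com", "result": "success", "mfa": true}
{"ts": "2024-05-01T09:01:00", "user": "ben@example.com", "result": "failure", "mfa": false}
{"ts": "2024-05-01T09:02:00", "user": "ben@example.com", "result": "failure", "mfa": false}
{"ts": "2024-05-01T09:03:00", "user": "ben@example.com", "result": "failure", "mfa": false}
{"ts": "2024-05-01T09:04:00", "user": "Ben@example.com", "result": "success", "mfa": false}
{"ts": "2024-05-01T09:10:00", "user": "cho@example.com", "result": "success", "mfa": false}
{"ts": "2024-05-01T09:20:00", "user": "dev@example.com", "result": "failure", "mfa": false}
{"ts": "2024-05-01T09:21:00", "user": "dev@example.com", "result": "failure", "mfa": false}
{"ts": "2024-05-01T09:22:00", "user": "dev@example.com", "result": "failure", "mfa": false}
{"ts": "2024-05-01T09:23:00", "user": "dev@example.com", "result": "success", "mfa": true}
"""


def review_signins(log_text, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (users_without_mfa, suspected_takeovers) as sorted lists.
    users_without_mfa: accounts with at least one successful sign-in lacking MFA.
    suspected_takeovers: the subset whose single-factor success followed
    `fail_threshold` or more failures inside `window` (guessing, then success).
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["user"] = e["user"].lower()  # treat sign-in names as case-insensitive
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # user -> failure timestamps since last success
    no_mfa, suspected = set(), set()
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            failures[user].append(ts)
            continue
        if not e["mfa"]:
            no_mfa.add(user)
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= fail_threshold:
                suspected.add(user)
        failures[user].clear()  # a success resets the failure streak
    return sorted(no_mfa), sorted(suspected)


if __name__ == "__main__":
    print(review_signins(SAMPLE_LOG))
```

Accounts in the first list are candidates for a user flow with MFA always required; accounts in the second warrant a session review and credential reset.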
Operational reality. External ID is the canonical answer for customer-facing identity in the Microsoft cloud. Plan for it deliberately; treat it as production infrastructure; tune branding and flows based on user feedback.