External Identity in Azure AD and B2X user flows

External identities are a new feature in Azure AD. As per that link:

“External Identities is a set of capabilities that enables organizations to secure and manage any external user, including customers and partners. Building on B2B collaboration, External Identities gives you more ways to interact and connect with users outside your organization.”

In the classic case for guest provisioning in Azure AD, you send the person you want to onboard an invite.

External identities achieve the same result but allow the user to self-register. This allows you to capture extra information that you may require about that user.

In Azure AD, under “User settings”, click the external users link.

Enable “Guest self-service sign up”.

Then select “External Identities” in Azure AD.

Then select “Create a user flow”.

I’ve already created one:

Notice that the application name is not “B2B” or “B2C”, it’s “B2X”. More on that later.

Here you can select the identity provider. I’ve used Azure AD but you could add social ones.

I’ve also added some extra user attributes that I want the user to enter:

You can configure page layouts and the languages allowed as well.

Under “Applications”:

I have configured two applications. When the user navigates to either one of these, they will have the option to self-register.

I used the “AppModelv2-WebApp-OpenIDConnect-DotNet” sample from the Microsoft Identity Platform and this is configured in “App registrations” as “UG Demo”.

Running this:

Clicking “Sign in”:

Click “Create one!” to sign up.

Enter a user from another tenant and then the password.

Now the user can enter the attributes we selected in “User attributes” above. Notice that Azure AD has pre-populated the attributes it knows about i.e. given name (UG) and surname (Demos).

The user then fills in the other details.

The user then gets to the application.

When a user gets added via the invite you see:

But when they self-register:

If you’ve ever used Azure AD B2C, you’ll see the similarity of the above screens with the B2C sign up / sign in screens.

That’s why when you see these in a B2B flow, Microsoft has decided to call this B2X i.e. a combination of B2B and B2C.

Exactly how far this “merging” will go, we’ll have to wait and see!
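To review the two onboarding paths contrasted above (invite versus self-registration), here is an added example, not code from the original post, that groups guest accounts by how they were created. It assumes user objects exported from Microsoft Graph with the `userType`, `creationType`, `mail` and `userPrincipalName` properties; the sample response, names and domains are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Microsoft Graph
# GET /users?$select=userPrincipalName,userType,creationType,mail response.
# All names and domains are made up for this example.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member",
     "creationType": None, "mail": "alice@contoso.example"},
    {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example",
     "userType": "Guest", "creationType": "Invitation",
     "mail": "bob@fabrikam.example"},
    {"userPrincipalName": "ug_fabrikam.example#EXT#@contoso.example",
     "userType": "Guest", "creationType": "SelfServiceSignUp",
     "mail": "ug@fabrikam.example"},
    {"userPrincipalName": "eve_unknown.example#EXT#@contoso.example",
     "userType": "Guest", "creationType": "SelfServiceSignUp", "mail": None},
    {"userPrincipalName": "old_partner.example#EXT#@contoso.example",
     "userType": "Guest", "mail": "old@partner.example"},
]})

def home_domain(user):
    """Best-effort home domain: prefer mail, fall back to the #EXT# UPN prefix."""
    mail = user.get("mail")
    if mail and "@" in mail:
        return mail.rsplit("@", 1)[1].lower()
    prefix = user.get("userPrincipalName", "").split("#EXT#", 1)[0]
    # Guest UPN prefixes conventionally replace the "@" of the home address with "_".
    return prefix.rsplit("_", 1)[1].lower() if "_" in prefix else "unknown"

def guests_by_onboarding(response_text):
    """Group guest accounts by creation path, then by home domain."""
    report = defaultdict(lambda: defaultdict(list))
    for user in json.loads(response_text).get("value", []):
        if user.get("userType") != "Guest":
            continue  # members are out of scope for this review
        # creationType may be absent or null; keep those visible, not dropped
        path = user.get("creationType") or "Unspecified"
        report[path][home_domain(user)].append(user["userPrincipalName"])
    return {path: dict(domains) for path, domains in report.items()}

if __name__ == "__main__":
    for path, domains in guests_by_onboarding(SAMPLE_RESPONSE).items():
        for domain, upns in sorted(domains.items()):
            print(f"{path:18} {domain:20} {len(upns)} account(s)")
```

Accounts under `SelfServiceSignUp` were created by the user through a user flow rather than by an invite, so that group is the one to compare against the applications the flow is attached to.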

The pricing for this feature is here.

All good!




Rory Braybrook
