Some gotchas with configuring Entra External ID

Rory Braybrook
The new control plane
4 min readSep 12, 2024
Image of “gotcha”
The Gotcha Group, LLC, Public domain, via Wikimedia Commons

Entra External ID is the “successor” to Azure AD B2C, and there are many similarities, but there are slight differences in how things are done that may catch you out.

Hopefully, this post will save you some time 😃

The portal URL is entra.microsoft.com, not portal.azure.com.

Image showing app. registration

Let’s register an application. We can save time by not using a client-side app. so configure the URL for jwt.io.

Image showing user flow with email / password and sign-up attributes display name, given name, surname

Now let’s create a user flow. We’ll use “email with password” to log in.

Note that you can only configure the attributes you want to collect at sign-up, not the ones you want in the JWT.

Image showing create new external user

Now, let’s create a new external user.

Image showing edit user / add first and last name

Now, let’s edit the properties.

Note that first and last names are not populated, so let’s fill in those fields.

Back to user flows and “Run user flow”.

Image showing error “Please link an application”

We have to link an application to the user flow.

Many applications can use the same user flow, but many user flows cannot use the same application.

Link the application.

The fact that the application is linked to the user flow (policy) means that the URL no longer has to contain the policy name.

Rerun the user flow.

After logging in:

Image showing “Need admin. approval”
in:

You need admin approval.

Back to the application.

Image showing “API permissions” / “Grant admin consent”

Grant admin consent.

Rerun the user flow.

{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}

We get this JWT???

Back to enterprise applications and SSO:

Image showing enterprise application / SSO / attrinutes and cliams

Edit the attributes.

Image showing addoing display name, given name, last name

You have to do them one at a time.

Rerun the user flow.

We get the same three incorrect attributes in the JWT.

Back to application registrations.

Image showing authentication / tick ID token

In Authentication, select “ID tokens”.

This is specifically required for jwt.io.

Rerun the user flow.

And we get:

error_description=AADSTS50146 This application is required to be configured
with an application-specific signing key. It is either not configured with
one or the key has expired or is not yet valid.

The fix for this bizarre error message is to edit the manifest in the app. registration.

Image showing “acceptMappedClaims”: true

Set “acceptMappedClaims”: true.

Rerun the user flow.

The JWT now looks like:

{
...
"sub": "qVT...g68",
"tid": "7fb...3bb",
"uti": "gnp...BAA",
"ver": "2.0",
"Display name": "Medium Post",
"Given name": "Medium",
"Surname": "Post"
}

Bingo!

One other gotcha is that you have to use conditional access to set up MFA.

Currently, the only available MFA methods are OTP and SMS.

If you use “email with password” in “email accounts” in the user flow, you can use either method.

If, however, you use “email one-time password”, you can only use SMS.

The docs. are here.

Also note that “Reset password” sends a code to the email address, unlike B2C, where the app had to handle the message.

Image of send code in order to reset the password

All good!

--

--

The new control plane
The new control plane

Published in The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook
Rory Braybrook

Written by Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5

No responses yet