Using native authentication in Entra External ID aka bring your own login screen and login with email and password😃

Rory Braybrook
The new control plane
Apr 2, 2024
Image of native auth. (generated by Copilot)

Back in the day when ADFS came out, the first question I was asked was, “Can I customise and use my own login screen?” — sorry, no.

And then, when Azure AD came out, the first question I was asked was, “Can I customise and use my own login screen?” — sorry, no.

And then, when Azure AD B2C came out, the first question I was asked was, “Can I customise and use my own login screen?” — sorry, no.

And then, when Entra External ID came out, the first question I was asked was, “Can I customise and use my own login screen?” — yes, you can!

The overview is in the Microsoft Learn documentation for native authentication in Entra External ID.

There is a table in the overview that contrasts the Microsoft-hosted login screen with bring-your-own, including:

Image from the overview showing the first two rows.

Native authentication is particularly suited to native mobile apps, where you can now provide the whole journey inside the app with full customisation.

To that end, an SDK is provided for iOS and Android.

But there is no reason you can't do this in a web app since it is simply an API. Bear in mind what that means: your own code collects the user's password and forwards it to the service, and the app registration is a public client (no client secret), so the security of the login screen is now entirely your responsibility.

I’m ignoring the UI here but you can design anything you like as long as the user is asked to enter an email and password.

I’ve used Postman to generate the flow and have concentrated on the sign in API with email and password. Other flows to follow.

Note: the endpoints in the documentation are currently wrong, i.e. not:

{tenant_subdomain}.onmicrosoft.com/oauth2/v2.0/initiate

but rather:

{tenant_subdomain}.ciamlogin.com/{tenant_subdomain}.onmicrosoft.com/oauth2/v2.0/initiate

In terms of the app registration, use the "Mobile and desktop applications" platform and ensure these settings are on:

Image showing the mobile and desktop (public client) flows and native authentication flows enabled.

Step 1

Image showing step 1 in Postman with details as below.

where the URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/initiate

and the form parameters are:

client_id=11...11
&challenge_type=password redirect
&username=nativeauth@company.co.nz

where the username is the email address of the person who is logging in. challenge_type is a space-separated list of the challenge types the client can handle; "redirect" should always be included so that, if the service needs something the client can't do natively (MFA, for example), it can answer with a redirect rather than failing.

The response will be:

{
  "continuation_token": "AQA...iAA"
}

Step 2

Image showing step 2 in Postman with details as below.

where the URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/challenge

and the form parameters are:

client_id=11...11
&challenge_type=password redirect
&continuation_token=AQA...iAA

where the continuation token is what was returned in step 1. If the response comes back with challenge_type "redirect" instead of "password", the client must fall back to browser-based authentication for this user.

The response will be:

{
  "continuation_token": "AQA...gAA",
  "challenge_type": "password"
}

Step 3

Image showing step 3 in Postman with details as below.

where the URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token

and the form parameters are:

continuation_token=AQA...gAA
&client_id=11...11
&grant_type=password
&password=user password
&scope=openid offline_access

where the continuation token is what was returned in step 2. The password is sent only in this final call, and the response is a standard OAuth 2.0 token response.

The response will be:

{
  "token_type": "Bearer",
  "scope": "openid profile email 00000003-0000-0000-c000-000000000000/User.Read",
  "expires_in": 4349,
  "ext_expires_in": 4349,
  "access_token": "eyJ...zag",
  "refresh_token": "0.A...qSg",
  "id_token": "eyJ...LsA"
}
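The three calls above, as an added example that is not part of the original post: a minimal Python client that runs initiate, challenge and token in order, treats a "redirect" answer as a distinct failure the app must handle, and refuses an unexpected challenge type. The HTTP transport is injectable, so the flow can be run offline against FakeTenant, a constructed stand-in that mimics the response shapes shown above (its error codes are assumptions, not copied from the service); the tenant name, client_id, user and password are constructed sample values.

```python
# Added example (not from the original post): client for the three-call
# native auth sign-in (initiate -> challenge -> token) with an injectable
# transport and a constructed FakeTenant so it runs offline.
import json
import urllib.error
import urllib.parse
import urllib.request

class NativeAuthError(Exception):
    """Service returned an error document or an unexpected response shape."""

class RedirectRequired(NativeAuthError):
    """Service answered challenge_type=redirect: fall back to browser-based sign-in."""

def urllib_post(url, form):
    """Default transport: form-encoded POST, returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

def _check(status, body):
    if status != 200 or "error" in body:
        raise NativeAuthError(f"HTTP {status}: {body.get('error')} {body.get('suberror', '')} "
                              f"{body.get('error_description', '')}".strip())

def native_auth_signin(tenant, client_id, username, password,
                       scope="openid offline_access", post=urllib_post):
    """Sign in with email + password; returns the token response as a dict."""
    base = f"https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0"
    # Step 1: initiate. "redirect" is listed so the service can hand us off to the
    # browser instead of failing when it cannot satisfy the flow natively.
    status, body = post(f"{base}/initiate", {"client_id": client_id,
                        "challenge_type": "password redirect", "username": username})
    _check(status, body)
    if body.get("challenge_type") == "redirect":
        raise RedirectRequired("initiate")
    # Step 2: challenge. The service picks the challenge; we only accept "password".
    status, body = post(f"{base}/challenge", {"client_id": client_id,
                        "challenge_type": "password redirect",
                        "continuation_token": body["continuation_token"]})
    _check(status, body)
    if body.get("challenge_type") == "redirect":
        raise RedirectRequired("challenge")
    if body.get("challenge_type") != "password":
        raise NativeAuthError(f"unexpected challenge_type {body.get('challenge_type')!r}")
    # Step 3: token. The password is sent exactly once, here, in the form body.
    status, body = post(f"{base}/token", {"continuation_token": body["continuation_token"],
                        "client_id": client_id, "grant_type": "password",
                        "password": password, "scope": scope})
    _check(status, body)
    missing = [k for k in ("token_type", "access_token", "id_token") if k not in body]
    if missing:
        raise NativeAuthError(f"token response missing {missing}")
    return body

class FakeTenant:
    """Constructed offline stand-in for the service: enforces call order, consumes
    continuation tokens, and can be told to demand a browser redirect."""
    def __init__(self, users, force_redirect=False):
        self.users, self.force_redirect, self.pending, self.n = users, force_redirect, {}, 0

    def _issue(self, stage, user):
        self.n += 1
        self.pending[f"ct-{self.n}"] = (stage, user)
        return f"ct-{self.n}"

    def __call__(self, url, form):
        path = url.rsplit("/", 1)[-1]
        if path == "initiate":
            if form.get("username") not in self.users:
                return 400, {"error": "user_not_found"}        # assumed error code
            return 200, {"continuation_token": self._issue("initiated", form["username"])}
        stage, user = self.pending.pop(form.get("continuation_token"), (None, None))
        if path == "challenge" and stage == "initiated":
            if self.force_redirect:
                return 200, {"challenge_type": "redirect"}
            return 200, {"continuation_token": self._issue("challenged", user),
                         "challenge_type": "password"}
        if path == "token" and stage == "challenged":
            if form.get("grant_type") != "password" or form.get("password") != self.users[user]:
                return 400, {"error": "invalid_grant", "suberror": "password_incorrect"}
            return 200, {"token_type": "Bearer", "scope": "openid", "expires_in": 3600,
                         "access_token": "eyJ.fake.at", "id_token": "eyJ.fake.id",
                         "refresh_token": "0.fake.rt"}
        return 400, {"error": "invalid_grant", "suberror": "invalid_continuation_token"}
```

Usage: `native_auth_signin("tenant", "11...11", "nativeauth@company.co.nz", "<password>")` runs against the real endpoints; pass `post=FakeTenant({"nativeauth@company.co.nz": "<password>"})` to exercise the same code path offline. The fake pops each continuation token as it is used, so replaying a step with an old token fails, which is the ordering property a real client should also assume.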

Looking at the id_token we see:

{
  "aud": "c74...218",
  "iss": "https://7f...bb.ciamlogin.com/7f...bb/v2.0",
  "iat": 1712090678,
  "nbf": 1712090678,
  "exp": 1712094578,
  "rh": "0.A...AMQ.",
  "sub": "-FX...OI",
  "tid": "7fb...3bb",
  "uti": "8m6...JAA",
  "ver": "2.0"
}
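Since your own code is now receiving this token, it also has to validate it. Added example, not from the original post: the claim checks the claims above allow, with the expected issuer following the shape shown, https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0, aud equal to the client_id and tid equal to the tenant ID. Signature verification against the tenant's JWKS is required as well and is not shown here; the GUIDs and the inline-built token are constructed fixtures, and the fixture is deliberately unsigned so it must never be used anywhere but a test.

```python
# Added example (not from the original post): header and claim checks on the
# id_token from step 3. Signature verification is still required on top of this.
import base64
import json
import time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def split_jwt(token):
    """Return (header, claims) of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_id_token_claims(claims, client_id, tenant_id, now=None, leeway=60):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    expected_iss = f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:                 # token from some other tenant/issuer
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("aud") != client_id:                    # token minted for a different app
        problems.append(f"aud {claims.get('aud')!r} != {client_id!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} != {tenant_id!r}")
    if claims.get("ver") != "2.0":
        problems.append("ver is not 2.0")
    if not claims.get("sub"):
        problems.append("sub missing")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("token expired or exp missing")
    if isinstance(nbf, int) and now + leeway < nbf:
        problems.append("token not yet valid")
    return problems

def validate_id_token(token, client_id, tenant_id, now=None, leeway=60):
    """Header sanity plus claim checks. Signature verification is NOT done here."""
    header, claims = split_jwt(token)
    problems = []
    if header.get("alg") != "RS256":                      # Entra issues RS256; never accept "none"
        problems.append(f"unexpected alg {header.get('alg')!r}")
    return problems + check_id_token_claims(claims, client_id, tenant_id, now, leeway)

def make_sample_id_token(claims, alg="RS256"):
    """Constructed fixture: header.claims.<fake signature>. Test use only."""
    seg = lambda obj: b64url_encode(json.dumps(obj).encode())
    return f"{seg({'typ': 'JWT', 'alg': alg})}.{seg(claims)}.{b64url_encode(b'not-a-real-signature')}"
```

The `now` parameter exists so expiry can be tested against the timestamps shown in the post rather than the wall clock; in production leave it at the default. A token whose header says `alg: none` fails the header check before any claim is looked at.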

This feature is going to make a lot of people very happy!!!

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5