Identity Providers for External Identities

In this tutorial, we will learn about the identity providers for external identities.

An identity provider creates, maintains, and manages identity information while providing authentication services to applications. When you share your apps and resources with external users, Azure AD is the default identity provider: external users you invite who already have an Azure AD or Microsoft account can sign in automatically, without further configuration on your part.

Types of Identity Providers

In addition to Azure AD accounts, External Identities offers a variety of identity providers.

  • Firstly, Microsoft accounts (Preview). Guest users can use their own personal Microsoft account (MSA) to redeem B2B collaboration invitations. When setting up a self-service sign-up user flow, you can add Microsoft Account (Preview) as one of the allowed identity providers. No additional configuration is necessary to make this identity provider available for user flows.
  • Secondly, Email one-time passcode (Preview). When redeeming an invitation or accessing a shared resource, a guest user can request a temporary code, which is sent to their email address. They then enter this code to continue signing in. The email one-time passcode feature authenticates B2B guest users when they can’t be authenticated through other means. When setting up a self-service sign-up user flow, you can add Email One-Time Passcode (Preview) as one of the allowed identity providers.
  • Thirdly, Google. This allows external users to redeem invitations from you by signing in to your apps with their own Gmail accounts. You can also use Google federation in your self-service sign-up user flows.
  • Then, Facebook. When building an app, you can configure self-service sign-up and enable Facebook federation so that users can sign up for your app using their own Facebook accounts. Note that Facebook can only be used for self-service sign-up user flows and isn’t available as a sign-in option.
  • Lastly, SAML/WS-Fed identity provider federation. You can also set up federation with any external IdP that supports the SAML or WS-Fed protocols. SAML/WS-Fed IdP federation allows external users to redeem invitations from you by signing in to your apps with their existing social or enterprise accounts.

Adding social identity providers

Azure AD is enabled by default for self-service sign-up, so users always have the option of signing up using an Azure AD account. You can also enable other identity providers, including social identity providers like Google or Facebook. To set up a social identity provider in your Azure AD tenant, you first create an application at the identity provider and configure its credentials. From that application you obtain a client or app ID and a client or app secret, which you then add to your Azure AD tenant.
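As an added example (not part of this tutorial and not Microsoft's own code), the following Python script shows the last step of that procedure against the Microsoft Graph identityProviders endpoint: it builds the socialIdentityProvider request body, reads the client secret from an environment variable rather than pasting it into the script, masks the secret before anything is logged, and includes a helper that summarizes the providers already configured so you can review which external accounts may sign in. The Graph URL and the socialIdentityProvider resource shape follow the Microsoft Graph documentation; the token acquisition, the environment variable names and the sample listing are assumptions made for this example.

```python
"""Register a social identity provider in an Azure AD tenant via Microsoft Graph.

Added example, not the tutorial's own code. Assumes the Microsoft Graph v1.0
endpoint /identity/identityProviders and the socialIdentityProvider resource
type; an access token with IdentityProvider.ReadWrite.All is assumed to be
supplied by the caller (here via the GRAPH_TOKEN environment variable).
"""
import json
import os
import urllib.request

GRAPH_IDP_URL = "https://graph.microsoft.com/v1.0/identity/identityProviders"

# Social providers covered by the tutorial, mapped to whether they can be used
# as a sign-in option. Facebook federation is limited to self-service sign-up.
SOCIAL_PROVIDERS = {"Google": True, "Facebook": False}


def build_social_idp(provider_type, display_name, client_id, client_secret):
    """Return the request body for a socialIdentityProvider.

    Refuses unsupported types and empty credentials so a typo or a missing
    secret cannot silently register a broken provider in the tenant.
    """
    if provider_type not in SOCIAL_PROVIDERS:
        raise ValueError(f"unsupported social provider type: {provider_type!r}")
    if not client_id or not client_secret:
        raise ValueError("client id and client secret are both required")
    return {
        "@odata.type": "#microsoft.graph.socialIdentityProvider",
        "displayName": display_name,
        "identityProviderType": provider_type,
        "clientId": client_id,
        "clientSecret": client_secret,
    }


def redacted(body):
    """Copy of a provider body that is safe to log: the client secret is masked."""
    safe = dict(body)
    if "clientSecret" in safe:
        safe["clientSecret"] = "***"
    return safe


def summarize_providers(listing):
    """Summarize a GET .../identityProviders response for an access review.

    Returns a sorted list of (provider type, display name, usable for sign-in)
    so reviewers can see which external accounts can reach invited resources.
    """
    rows = []
    for idp in listing.get("value", []):
        ptype = idp.get("identityProviderType", idp.get("@odata.type", "unknown"))
        # Non-social providers (Azure AD, SAML/WS-Fed) sign in normally.
        sign_in = SOCIAL_PROVIDERS.get(ptype, True)
        rows.append((ptype, idp.get("displayName", ""), sign_in))
    return sorted(rows)


def add_identity_provider(token, body):
    """POST the provider to Graph. Network call; not exercised offline."""
    req = urllib.request.Request(
        GRAPH_IDP_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample listing shaped like a Graph response, for offline use.
SAMPLE_LISTING = {
    "value": [
        {"@odata.type": "#microsoft.graph.socialIdentityProvider",
         "id": "sample-google-idp", "displayName": "Login with Google",
         "identityProviderType": "Google", "clientId": "example-google-client-id"},
        {"@odata.type": "#microsoft.graph.socialIdentityProvider",
         "id": "sample-facebook-idp", "displayName": "Sign up with Facebook",
         "identityProviderType": "Facebook", "clientId": "example-facebook-app-id"},
    ]
}

if __name__ == "__main__":
    client_id = os.environ.get("GOOGLE_CLIENT_ID")
    client_secret = os.environ.get("GOOGLE_CLIENT_SECRET")
    if client_id and client_secret:
        body = build_social_idp("Google", "Login with Google", client_id, client_secret)
        print("registering:", json.dumps(redacted(body)))  # secret never printed
        if "GRAPH_TOKEN" in os.environ:
            print(add_identity_provider(os.environ["GRAPH_TOKEN"], body))
    else:
        print("GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET not set; skipping registration")
    for row in summarize_providers(SAMPLE_LISTING):
        print(row)
```

The credentials obtained at the identity provider are tenant-wide secrets: keep them in a secret store or environment, never in source control, and rotate them at the identity provider and in Azure AD together. The summary helper is the kind of check worth running after any change, since each provider you add widens the set of accounts that can redeem invitations to your resources.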

And, once you’ve added an identity provider to your Azure AD tenant:

  • Firstly, when you invite an external user to apps or resources in your organization, the external user can sign in using their own account with that identity provider.
  • Secondly, when you enable self-service sign-up for your apps, external users can sign up for your apps using their own accounts with the identity providers you’ve added. They’ll be able to select from the social identity provider options you’ve made available on the sign-up page.

Reference: Microsoft Documentation