What is Entra External ID?

Microsoft Entra External ID is Microsoft's managed identity service for everyone who is not an employee of your organization - the consumers using your app, the business customers buying your SaaS, the partner staff who need temporary access to your internal tools. It is one product that covers both halves of "external identity" on the modern Entra platform.

It speaks the protocols your stack already knows - OpenID Connect and OAuth 2.0 - so integrating with it looks like integrating with any other identity provider. Behind the contract, Microsoft runs the directory, the hosted sign-up pages, the threat protection, the MFA, and the Conditional Access engine.

"Microsoft Entra External ID combines powerful solutions for working with people outside your organization." - Microsoft Learn

It is the successor to Azure AD B2C for new customer-facing apps - and at the same time, the umbrella the older B2B guest-collaboration features now live under. Two audiences, one product.

The problem it solves

"External users" used to mean two unrelated things at Microsoft, with two unrelated products. Customers signing into your consumer app went through Azure AD B2C - a separate service, separate directory, separate portal. Partners and guests collaborating with your employees went through Azure AD B2B - a feature of your workforce tenant. Different teams, different docs, different integration patterns, all to solve the same underlying problem: "let people who do not work here sign in."

External ID rolls both into a single product on the modern Entra platform. You get the same protocols, the same Conditional Access engine, the same Microsoft Graph automation surface, and the same admin experience across both scenarios. The split is no longer in which product you use; it is in how you configure the tenant you create.

External vs workforce tenants

A tenant is a dedicated instance of Microsoft Entra ID - a directory of users plus the configuration around them. External ID introduces a second flavor of tenant alongside the workforce tenant you may already have, and the choice between them is the single most important decision in the product.

Configuration · External

External tenant

For your customers and consumers. The CIAM half of External ID.

  • Separate directory of customer accounts
  • Custom-branded sign-up and sign-in pages
  • Self-service registration flows
  • Email + password, OTP, Google, Facebook
  • App registrations for your consumer apps

Configuration · Workforce

Workforce tenant

For your employees plus B2B guests. The collaboration half.

  • Same directory as your Microsoft 365 employees
  • Guests invited or self-signed-up as users
  • Microsoft branding by default, customizable
  • Guests authenticate with their home org
  • SSO into Microsoft 365 + SaaS + custom apps

Running both tenant types side by side is common: a workforce tenant for your staff (where partners come in as guests), and one or more external tenants for the consumer-facing apps you publish. They are separate directories with separate tenant IDs, and the same person can exist in both as different, unrelated accounts.

Inside an external tenant

The external tenant is where the CIAM story lives - the part that replaces what teams used to build on Azure AD B2C. The pieces you spend most of your time on:

  • App registrations. One per application or API that uses the tenant, holding the client ID, redirect URIs, and the scopes the app can request.
  • User flows. Configurable sign-up and sign-in journeys - which identity providers to allow, which user attributes to collect, what the pages look like.
  • Identity providers. The built-in email + password and one-time passcode options, plus federation to Google, Facebook, and other social providers.
  • Branding and page layouts. Background images, colors, logos, and text - configured per tenant or per application.
  • User attributes. Built-in attributes (display name, email, etc.) plus custom attributes you define to capture business-specific data at sign-up.
  • Conditional Access and MFA. Policies that require MFA or block sign-in under the conditions you choose (all users, specific apps, sign-in risk), with email OTP or SMS as the second factor.

The external tenant is its own directory - separate from your workforce tenant and from any other external tenant. SSO works across apps registered in that tenant; it does not extend to Microsoft 365 or to your employees' apps, which is exactly the isolation a consumer-facing scenario calls for.
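The Conditional Access and MFA bullet above is the one piece that does not enforce itself: the tenant ships with the engine, but you have to write the policy. The following is an added example (not code from the original page or from Microsoft's documentation) that creates a tenant-wide "require MFA" policy in an external tenant through Microsoft Graph, using the Microsoft Graph PowerShell SDK. The tenant ID, the excluded admin account ID, and the policy name are placeholders you replace; the request shape and endpoint are the standard Conditional Access policy resource.

```powershell
# Added example, not from the original page or from Microsoft's docs.
# Assumes: Microsoft Graph PowerShell SDK installed, the signed-in admin holds the
# Conditional Access Administrator role in the EXTERNAL tenant, and the two IDs
# below are placeholders replaced with real values.
$externalTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: your external tenant ID
$breakGlassUserId = "11111111-1111-1111-1111-111111111111"   # placeholder: admin account to exclude

# Sign in to the external tenant explicitly; without -TenantId Connect-MgGraph
# picks the admin's home (workforce) tenant and the policy lands in the wrong directory.
Connect-MgGraph -TenantId $externalTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# Require MFA for every user of every app registered in this tenant.
# Start in report-only mode: you get sign-in log entries showing what WOULD happen
# without locking anyone out while you check the authentication methods policy.
$policy = @{
    displayName   = "CIAM: require MFA for all customer sign-ins"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing report-only results
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)   # never lock the tenant admin out of the tenant
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # in an external tenant this is satisfied by email OTP or SMS
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy
"Created policy $($created.id) in state $($created.state)"

# Sanity check: read the policy back and confirm it is still report-only.
$all = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
foreach ($p in $all.value) {
    if ($p.id -eq $created.id) { "$($p.displayName): $($p.state)" }
}
```

Two caveats before switching the state to "enabled": the second factor must actually be available, meaning email OTP or SMS is enabled as an MFA method in the external tenant's authentication methods policy, otherwise every customer sign-in fails the grant control; and the excluded account should be a real administrator of this tenant, since an external tenant has no employee directory to fall back on.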

B2B collaboration in workforce tenants

The other half of External ID is B2B collaboration - the way you let people from other organizations access apps in your workforce tenant. There are no new credentials for the guest; they authenticate with their home identity provider, and your tenant decides what they are allowed to see.

The common shapes:

  • Invitation flow. An admin (or any user with permission) sends an email invite. The guest redeems it with a Microsoft Entra account, a personal Microsoft account, an email one-time passcode, or - if you allow it - a social account like Google. A guest user object lands in your directory.
  • Self-service sign-up. Configure a user flow that lets guests sign themselves up for an app, customizing the journey and collecting attributes as they go.
  • Entitlement management. For when access requests need workflow - approvals, time-boxed assignments, periodic reviews. Guests request access; policy decides who gets in and for how long.
  • Cross-tenant access settings. Inbound and outbound rules that say which other Entra organizations you trust, and how MFA / device-compliance claims pass between them.

Once a guest is in your directory, you manage them like any other user - groups, app assignments, Conditional Access, the lot. The difference is the credential: they keep using their home account, and your tenant trusts their home org's authentication.
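The invitation flow and cross-tenant access settings described above, and the Graph automation surface the page returns to later, fit together in one script. The following is an added example (not code from the original page or from Microsoft's documentation) run against the workforce tenant with the Microsoft Graph PowerShell SDK: it sets partner-specific inbound trust, invites a guest, puts them in a group that carries the app assignment, and reads the guest object back. The partner tenant ID, guest address, redirect URL, and group ID are placeholders.

```powershell
# Added example, not from the original page or from Microsoft's docs.
# Assumes: Microsoft Graph PowerShell SDK installed; the signed-in admin of the
# WORKFORCE tenant can invite guests and edit cross-tenant access policy; the
# four values below are placeholders replaced with real ones.
$partnerTenantId = "22222222-2222-2222-2222-222222222222"          # placeholder: partner's Entra tenant ID
$guestEmail      = "alex@partner.example"                          # placeholder: partner staff member
$appUrl          = "https://intranet.contoso.example/vendor-portal" # placeholder: where the guest lands
$projectGroupId  = "33333333-3333-3333-3333-333333333333"          # placeholder: group that grants app access

Connect-MgGraph -Scopes "User.Invite.All","GroupMember.ReadWrite.All","Policy.ReadWrite.CrossTenantAccess"

# 1. Partner-specific inbound trust. Accepting the partner's MFA means our own
#    Conditional Access MFA requirement is satisfied by a factor we do not control,
#    so do this per partner (never in the default policy) and only for tenants
#    whose MFA and device posture you have actually reviewed.
$partner = @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true    # honour Intune compliance claims from their tenant
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners" `
    -Body $partner | Out-Null

# 2. Invite the guest. No credential is created here: the guest keeps signing in
#    with their home tenant, and only a guest user object appears in our directory.
$invitation = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/invitations" `
    -Body @{
        invitedUserEmailAddress = $guestEmail
        inviteRedirectUrl       = $appUrl
        sendInvitationMessage   = $true
        invitedUserType         = "Guest"   # the default, stated explicitly; partners are never "Member"
    }
$guestId = $invitation.invitedUser.id
"Invited $guestEmail as guest object $guestId (status: $($invitation.status))"

# 3. Grant access through a group rather than a direct app assignment, so the same
#    group can later drive an access review, entitlement policy, or clean removal.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/groups/$projectGroupId/members/`$ref" `
    -Body @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$guestId" } | Out-Null

# 4. Verify: the object is a Guest with a pending external identity, not a local member.
$guest = Invoke-MgGraphRequest -Method GET `
    -Uri ("https://graph.microsoft.com/v1.0/users/" + $guestId + '?$select=userType,userPrincipalName,externalUserState')
"userType=$($guest.userType) upn=$($guest.userPrincipalName) state=$($guest.externalUserState)"
```

The guest's externalUserState stays PendingAcceptance until they redeem the invite. The trust settings are the security-relevant half: they are per partner, the default cross-tenant policy keeps trusting nothing, and removing access later is a matter of removing the group membership or deleting the guest object, never of touching a credential you do not hold.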

What you get for free

The reason a managed identity service is worth choosing is not any one feature - it is the pile of things you do not have to build. Out of the box, every External ID tenant gives you:

PROTOCOLS

OIDC and OAuth

Standards-based endpoints for authorization and tokens. Same protocols, same SDKs, and same Microsoft Graph automation surface as the rest of Entra.

BRANDING

Per-tenant or per-app

Custom logos, colors, backgrounds, and text on sign-up and sign-in pages. External tenants start neutral - no Microsoft branding bleeding through.

MFA

Built in

Email OTP and SMS as second factors for external tenants, gated by Conditional Access policy you set as an administrator. No separate IdP to wire up.

CONDITIONAL ACCESS

The Entra engine

The same risk-based access engine that protects your workforce, applied to consumers and guests - block, require MFA, or, for B2B guests whose home tenant you trust through cross-tenant access settings, honor the device-compliance claims that tenant sends.

GRAPH

Automation everywhere

Almost every External ID feature has a Microsoft Graph API behind it. User management, invitations, cross-tenant policies, user flows - all scriptable.

ANALYTICS

Sign-in insights

Built-in analytics on user activity and engagement in external tenants - sign-up funnels, conversion, which providers users actually pick.

None of these require a separate product or a separate integration - they come with the tenant. What remains is configuration: the Conditional Access policies that actually enforce MFA, the branding, and the identity providers you choose to enable.

How it differs from Azure AD B2C

Built on the modern Entra platform - and the successor to Azure AD B2C for new builds.

If you have read the Azure AD B2C article, the elevator pitch is: same problem space, modern platform. The same teams at Microsoft built both, and the lineage shows. The differences that matter at a 101 level:

Dimension        | Azure AD B2C                                                        | Entra External ID
-----------------|---------------------------------------------------------------------|------------------------------------------------------------------------
Platform         | Separate service, separate Azure portal experience                  | Built on the modern Entra platform, alongside Entra ID
Tenant model     | Distinct B2C directory, separate from Entra tenants                 | An Entra tenant in external configuration
Custom journeys  | User flows + Identity Experience Framework (XML custom policies)    | User flows (Graph-managed) extended with custom authentication extensions; no IEF XML
Scope            | Consumer-facing CIAM only                                           | CIAM plus B2B collaboration under one umbrella
Sales status     | Not available to new customers since May 2025                       | Generally available; the path for new builds

If you are an existing B2C customer, you do not need to migrate today - B2C is supported through at least 2030. If you are starting a new application, External ID is where the documentation, the SDKs, and the product roadmap live.

When to reach for it

External ID earns its place when the people signing in are not on your payroll:

  • Consumer or B2B SaaS app. You are building something users sign up for - mobile, web, or both - and you want hosted pages, MFA, and standard OIDC tokens without operating an identity stack.
  • SSO across multiple consumer apps. Several apps you own, one external tenant, one sign-in surface, one directory of customers behind all of them.
  • Federation with other companies. You want partner staff (with their own Entra tenant, or Okta, or any SAML/WS-Fed IdP through direct federation) to access internal apps as B2B guests without you holding their credentials.
  • Time-boxed partner access. Request-and-approve workflows, periodic reviews, automatic expiration - everything entitlement management was built for.
  • Migrating off Azure AD B2C. New tenants, new application registrations, and ongoing development happen on External ID; existing B2C tenants keep running on the published support timeline.

External ID is not the right shape when the audience is your own employees - that is what plain Microsoft Entra ID (in a workforce tenant) is for. For everyone else who needs to sign in to something you own, External ID is the modern answer.

UNIFIED

CIAM + B2B

Consumer sign-up and partner collaboration under one product, on one platform, with one admin experience and one set of APIs.

MODERN

On the Entra platform

Same Conditional Access engine, same Microsoft Graph, same protocols, same SDKs as the rest of Microsoft Entra ID.

TWO MODES

External or workforce

External tenant for customer-facing apps. Workforce tenant with B2B for partner guests. Pick by audience, not by product.

SUCCESSOR

To Azure AD B2C

The path for new customer-facing apps. B2C remains supported through at least 2030 for existing tenants.