.net web application with internal and external users using Entra External ID

Cory Strickland 0 Reputation points
2025-02-14T00:54:57.62+00:00

I'm trying to build a single application that will be used by my organization's users as well as customers. I've been exploring Entra External ID as a method for customers to sign in/register, but it looks like I can't use cross tenant synchronization rules to bring my workforce users in so they can use the same sign in flow.

Am I using the wrong product for this app scenario or would Azure AD B2C be better? Is there a way to configure the app to have one login screen for employees and forward to Entra External's ciam portal for customers?

Developer technologies | ASP.NET | ASP.NET Core
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Shweta Mathur 30,411 Reputation points Microsoft Employee Moderator
    2025-02-26T08:32:35.6333333+00:00

    Hi Cory Strickland ,

    Thanks for reaching out and apologies for the delayed response.

    Let me clarify the differences between Entra External ID and Azure AD B2C:

    • Azure AD B2C is Microsoft's legacy solution for customer identity and access management (CIAM).
    • Microsoft Entra External ID is a solution that supports both consumer authentication and B2B collaboration, making it suitable for a wide range of applications.

    Since you want to create a single application for both internal users (Microsoft Entra accounts) and external customers, Microsoft Entra External ID would be the recommended approach. It enables you to build sign-in experiences for both consumer- and business-facing applications.

    By default, Microsoft Entra ID and Microsoft accounts are the primary identity providers. This means that when you share your app or resources with external users, Entra ID serves as the default authentication provider. If an external user already has a Microsoft Entra account or a Microsoft account, they can sign in seamlessly without requiring additional configuration on your end.

    Reference - https://learn.microsoft.com/en-us/entra/external-id/identity-providers

    https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview

    Hope this will help.

    Please let me know if you have further questions.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you


  2. Danny Nguyen (WICLOUD CORPORATION) 1,030 Reputation points Microsoft External Staff
    2025-08-21T05:01:36.0766667+00:00

    Hi,

    Thanks for raising this question — I can see how the scenario can be a little confusing given the overlap between Entra External ID and Azure AD B2C. Let me break this down:


    Understanding the products

    • Azure AD B2C was Microsoft’s legacy Customer Identity and Access Management (CIAM) platform. It’s still supported, but Microsoft has announced that Microsoft Entra External ID for customers is the strategic replacement going forward.
    • Microsoft Entra External ID (customers + partners) now provides the ability to support both B2B collaboration and consumer (CIAM) scenarios, which means it can handle your customers while also integrating with your organization’s Entra ID tenant for employees.

    Your scenario: One application for both employees & customers

    You’re correct that cross-tenant synchronization isn’t what you need here. Instead, you can achieve this through a unified authentication experience:

    1. Employees (workforce users):
      • They can continue authenticating via your organization’s home Entra ID tenant.
      • You don’t need to bring them into the CIAM tenant — instead, configure your app to accept tokens from your home tenant directly.
    2. Customers (external users):
      • These are best handled in an Entra External ID (CIAM) tenant, where you configure social or local account providers.
      • You then federate your application with this CIAM tenant so customers can sign in.
    3. Single entry point (one login screen):
      • This is done by implementing an application gateway pattern using something like App registrations + custom policies or by using a central login page that routes users to the right authority (home tenant vs CIAM tenant).
      • For employees → direct them to your Entra tenant.
      • For customers → forward them to the CIAM tenant login.

    Microsoft has some architectural guidance here:


    Recommendation

    Since you want a single application for both workforce and customers, the best approach today is:

    • Use Microsoft Entra External ID (for customers) for external sign-ins.
    • Keep workforce users in your existing Entra tenant.
    • Design the app login flow so that both identity sources are supported — either via tenant federation or by implementing a custom landing page that routes users accordingly.

    This way, you don’t need to sync workforce users into the CIAM tenant, and your customers still get the right onboarding and identity management experience.


    Hope this helps
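The "single entry point, two authorities" pattern described in the answer above, as an added example for this thread (it is not code from the question, from either answer, or from Microsoft). It registers two OpenID Connect schemes in one ASP.NET Core 8 app, one for the organisation's home Entra ID tenant and one for the Entra External ID (CIAM) tenant, behind a single session cookie, and a `/login` endpoint that routes each user to the right authority by mail domain. Every tenant id, client id, configuration key, callback path and the `contoso-customers` / `contoso.com` names are placeholders or constructed values; the NuGet package assumed is `Microsoft.AspNetCore.Authentication.OpenIdConnect` (Microsoft.Identity.Web can register the same two schemes, but the raw middleware makes the moving parts visible).

```csharp
// Program.cs: one app serving employees (home tenant) and customers (External ID tenant).
// Added example for this thread, not code from the question, the answers or Microsoft.
// Package: Microsoft.AspNetCore.Authentication.OpenIdConnect. All ids, keys and host
// names are placeholders to replace with your own tenants' values.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

const string WorkforceScheme = "Workforce"; // employees: home Entra ID tenant
const string CustomerScheme  = "Customer";  // customers: Entra External ID (CIAM) tenant

// Placeholders; in a real deployment these come from configuration or Key Vault.
const string WorkforceTenantId = "00000000-0000-0000-0000-000000000001";
const string CiamTenantId      = "00000000-0000-0000-0000-000000000002";
const string CiamSubdomain     = "contoso-customers"; // your <subdomain>.ciamlogin.com
string[] employeeMailDomains   = { "contoso.com" };  // constructed: domains routed to the workforce tenant

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // One session cookie for everyone. No default challenge scheme: /login below
    // picks the authority explicitly, so an unauthenticated request is never
    // silently bounced to the wrong tenant.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(WorkforceScheme, options =>
{
    // Separate app registration in the workforce tenant. Using the tenant-specific
    // authority (not "common"/"organizations") means the discovery document's
    // issuer is that tenant only, and tokens from any other issuer are rejected.
    options.Authority = $"https://login.microsoftonline.com/{WorkforceTenantId}/v2.0";
    options.ClientId = builder.Configuration["Workforce:ClientId"];
    options.ClientSecret = builder.Configuration["Workforce:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.CallbackPath = "/signin-workforce";
    options.MapInboundClaims = false; // keep the raw "tid" claim name for the policies below
    options.TokenValidationParameters.NameClaimType = "name";
})
.AddOpenIdConnect(CustomerScheme, options =>
{
    // Separate app registration in the External ID tenant, where social/local
    // account providers are configured. Workforce users are never synced here.
    options.Authority = $"https://{CiamSubdomain}.ciamlogin.com/{CiamTenantId}/v2.0";
    options.ClientId = builder.Configuration["Customer:ClientId"];
    options.ClientSecret = builder.Configuration["Customer:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.CallbackPath = "/signin-customer";
    options.MapInboundClaims = false;
    options.TokenValidationParameters.NameClaimType = "name";
});

// Authorization keys off the tenant id in the validated token, never off the
// route the user chose on the login screen.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("EmployeeOnly", p => p.RequireClaim("tid", WorkforceTenantId));
    options.AddPolicy("CustomerOnly", p => p.RequireClaim("tid", CiamTenantId));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Only allow same-site relative return URLs, so /login cannot be used as an open redirect.
static string SafeReturnUrl(string? url) =>
    !string.IsNullOrEmpty(url) && url.StartsWith('/') && !url.StartsWith("//") ? url : "/";

// Single entry point: home-realm discovery by mail domain. This is a UX routing
// hint only; anyone typing an employee address is simply sent to the workforce
// sign-in, where the home tenant decides whether they can authenticate.
app.MapGet("/login", (string? email, string? returnUrl) =>
{
    var domain = email?.Split('@').LastOrDefault()?.Trim().ToLowerInvariant();
    var scheme = domain is not null && employeeMailDomains.Contains(domain)
        ? WorkforceScheme
        : CustomerScheme;
    var props = new AuthenticationProperties { RedirectUri = SafeReturnUrl(returnUrl) };
    return Results.Challenge(props, new[] { scheme });
});

app.MapGet("/logout", (HttpContext ctx) =>
{
    // Sign out of the local cookie and of whichever authority issued the session.
    var tid = ctx.User.FindFirst("tid")?.Value;
    var scheme = tid == WorkforceTenantId ? WorkforceScheme : CustomerScheme;
    var props = new AuthenticationProperties { RedirectUri = "/" };
    return Results.SignOut(props, new[] { CookieAuthenticationDefaults.AuthenticationScheme, scheme });
});

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? $"Signed in as {ctx.User.Identity.Name} from tenant {ctx.User.FindFirst("tid")?.Value}"
        : "Not signed in. Use /login?email=you@example.com");

app.MapGet("/employees", () => "Workforce-only area").RequireAuthorization("EmployeeOnly");
app.MapGet("/customers", () => "Customer-only area").RequireAuthorization("CustomerOnly");

app.Run();
```

Two points worth checking when adapting this: each scheme needs its own app registration (one in each tenant) with its own redirect URI, because the two tenants issue tokens for different client ids; and the `tid`-based policies are what separate employee and customer areas after sign-in, so a customer who happens to reach the workforce authority still cannot obtain a token that passes `EmployeeOnly`.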

