Microsoft Entra External ID - The Identity Perimeter Moved
In this article
Summary
In 2024, third-party involvement in data breaches doubled, from 15% to 30%, according to Verizon's 2025 Data Breach Investigations Report. In the same year, 22% of all breaches began with stolen credentials. Eighty-eight percent of attacks against basic web applications used them.
Read those num bers carefully. The people most likely to get your organization breached today don't work for you. They are your partners, your vendors, and your customers, and they are authenticating against systems you probably didn't design with them in mind.
That single shift, from secure the employees to secure everyone who touches your data, is rewriting how enterprises think about identity. Microsoft Entra External ID is the company's bet on what comes next.
Fragmentation Is No Longer Defensible
For two decades, identity strategy ran on a clean dividing line. Employees inside. Partners and customers outside. Different teams, different tools. That model is breaking.
Modern enterprises run hybrid workforces, multi-tenant SaaS platforms, partner ecosystems, and customer portals, often on the same infrastructure. The result is a fragmented CIAM stack: Active Directory B2B handles vendors, Auth0 or a homegrown system handles customers, an IAM team tries to enforce consistent policy across both. Each component has its own threat model, its own login UI, its own compliance posture. Each is a potential point of failure.
Microsoft's wager with External ID is that maintaining separate identity stacks for employees, partners, and customers is no longer architecturally defensible. The pitch is simple: one platform, two tenant patterns, one security engine underneath. The remainder of this brief documents how that works.
The Two-Tenant Model
Microsoft Entra External ID resolves the workforce-versus-customer split through a deliberate architectural choice. Two tenant patterns sit on the same underlying Entra ID engine but operate as distinct security domains, different user types, different authentication defaults, different customization surfaces.
| Aspect | Workforce tenant | External tenant |
|---|---|---|
| Architecture | Extends the existing employee Entra ID tenant | Dedicated separate tenant; new model |
| Primary use | B2B partner and vendor access to internal apps | Customer-facing applications (CIAM) |
| User identity | Guest invitations (cross-tenant federation with partner Entra orgs) | Local accounts plus social / federated identity providers |
| Authentication | OIDC, OAuth 2.0, SAML 2.0, WS-Fed | OIDC, OAuth 2.0 with PKCE, SAML 2.0 |
| Customization | Sign-in page branding | Full HTML/CSS, custom domains, custom auth extensions |
| Replaces | (no predecessor, coexists with the workforce tenant) | Azure AD B2C, end of life May 1, 2030 |
Shared engine: Conditional Access · ID Protection · Microsoft Graph · unified audit logs | ||
Table 1 - Describes the difference between both tenants under different aspects
Two implications matter for architects. First, the shared engine means policy is portable: a Conditional Access rule that requires phishing-resistant MFA for high-risk employees works the same way for high-risk external users in either tenant pattern. Second, the dividing line is no longer organizational but architectural, the workforce tenant collaborates with partner organizations as peer Entra tenants, while the external tenant treats every user as a directly-managed identity, regardless of where they came from.
The Flow of Authentication
Microsoft Entra External ID speaks the modern identity protocols natively. OpenID Connect handles user authentication. OAuth 2.0 governs delegated authorization. SAML 2.0 remains supported for legacy enterprise apps. The relying-party developer experience is the same as any OIDC-compliant platform, discover endpoints from the well-known configuration, redirect the user, validate the returned token.
| Flow | Use case | Notes |
|---|---|---|
| Authorization Code + PKCE | SPAs, native, and mobile apps | Modern default, no client secret required; refresh tokens issued alongside access tokens |
| Client Credentials | Service-to-service workload identity | App authenticates as itself with a certificate or client secret; no user in the loop |
| On-Behalf-Of (OBO) | Middle-tier APIs calling downstream APIs | Preserves the user identity through a service chain; same OAuth 2.0 token exchange spec |
| Federation (OIDC / SAML) | External IdPs as sign-in alternative | Google, Apple, Facebook, partner enterprises, custom OIDC providers, configured per user flow |
Table 2 - Describes the flow of different types of authentication
Tokens are issued as JWTs by default (or SAML assertions where the relying party requires them). Claims are configurable per application: the developer specifies what claims they need, External ID returns them, and Microsoft Graph attribute extensions add tenant-specific custom data. For high-assurance scenarios, Conditional Access can require an authentication strength, phishing-resistant MFA, certificate-based authentication, or a specific verified credential, as a grant condition.
Customization and Extensibility
Workforce identity assumes Microsoft's defaults are acceptable. Customer identity does not. Microsoft Entra External ID provides four extensibility surfaces that let a customer-facing application present a fully branded experience and apply business-specific logic during the sign-in and sign-up flows.
Branding and UI customization
Logo, color palette, fonts, and full HTML/CSS templates for sign-in and sign-up pages. Customizations are scoped per user flow, so a consumer app and a partner portal can present different brands from the same external tenant.
Custom URL domains
Authentication endpoints can run on a tenant-owned domain, login.contoso.com instead of contoso.ciamlogin.com. Trust anchor is the customer's TLS certificate; the cosmetic and trust benefit is significant for consumer-facing apps where the auth domain is part of the brand experience.
Custom authentication extensions
REST API callouts at two extension points during a user flow. TokenIssuanceStart fires just before a token is issued, used to enrich the token with claims fetched from an external system, such as a loyalty API or an entitlement service. AttributeCollectionStart fires during sign-up, used to apply business-specific validation or augment the collected attributes. Both extensions are authenticated calls to a developer-controlled HTTPS endpoint, with payload and response schemas documented in Microsoft Graph.
Identity provider federation
External tenants can federate with Google, Apple, Facebook, or any custom OIDC-compliant identity provider. SAML 2.0 federation supports enterprise IdPs. User flows present federated options alongside or instead of local accounts, with per-flow configuration.
The Integration Surface
Microsoft Entra External ID is a node in the broader Entra platform, not an island. Seven integration touchpoints determine how it operates alongside the rest of the identity stack.
| Integration | How it connects |
|---|---|
| Microsoft Graph | User, group, and application management across both tenant types; same /users, /groups, /applications endpoints as workforce identity. |
| Conditional Access | Same policy engine; risk-based controls now apply to external users in either tenant pattern. Authentication strength controls work identically. |
| ID Protection | Risk detection for external users, newly generally available for external tenants. Sign-in risk and user risk feed Conditional Access the same way. |
| Custom auth extensions | REST callouts at TokenIssuanceStart and AttributeCollectionStart, the primary mechanism for business-logic integration during user flows. |
| Cross-tenant access settings | Workforce tenant only: governs B2B trust with partner Entra organizations at the directory level. Inbound and outbound rules per partner. |
| Custom domains | Branded authentication endpoints on a tenant-owned domain; supported in both tenant patterns with the customer's TLS certificate as the trust anchor. |
| Microsoft Sentinel | SIEM ingestion via the Entra data connector, sign-in logs and audit logs from both tenant types become correlatable events. |
Table 3 - Describes how External ID integrates with the Identity stack of Microsoft Entra
Real-World Examples
B2B Collaboration
A manufacturer onboards three logistics partners. Instead of provisioning new accounts, each partner's employees sign in using their existing corporate credentials. They land in a shared Teams workspace and a custom shipping dashboard. The manufacturer's IT team applies the same Conditional Access policies, MFA, device compliance, location rules, that govern full-time employees. When a partnership ends, access is revoked centrally. No password sprawl. No orphaned accounts.
Consumer CIAM
A retail brand launches a loyalty app. Customers sign up with Google or email; the sign-in page carries the retailer's branding, not Microsoft's. Registration captures a rewards number and a zip code. All of it lives in a dedicated external tenant, walled off from employee systems.
The development team uses the Microsoft Authentication Library (MSAL), the same library used for internal apps:
That code portability is the architectural payoff. Workforce auth and customer auth become the same problem, solved with the same library, governed by the same policy engine.
Upcoming Shifts
The Azure AD B2C clock is ticking
Microsoft's previous CIAM product stopped accepting new customers on 1 May 2025. Support runs until May 2030. Every existing B2C customer is on a migration timer, long, but real.
What changes in the move
The user store moves to a new tenant model. The Identity Experience Framework (IEF), the XML-based custom policy engine that made Azure AD B2C extraordinarily flexible, does not exist in External ID. Custom policies migrate to the simpler "user flows plus custom extensions" model. Federation configuration, branding, and application registrations migrate. The exact mapping depends on how customized the B2C deployment was: a vanilla B2C tenant with stock user flows ports more readily than one running heavily customized IEF policies.
The practical risk
Five years is not a long timeline for a CIAM platform migration in a regulated industry. The teams that have been running heavily customized IEF policies face the largest delta and the highest re-architecture cost. Microsoft provides migration tooling and a phased coexistence path, but custom policies require manual redesign in the new extensions model. Teams that defer planning into 2028 or 2029 will be working under deadline pressure.
Moving Forward
Microsoft Entra External ID is not a single decision, it is several decisions about tenant model, identity providers, customization depth, and migration sequencing. The right starting move depends on where you are today.
| If your starting point is… | The first move is |
|---|---|
| Sprawling B2B partner access with weak governance | Workforce tenant + cross-tenant access settings |
| Customer-facing app on Azure AD B2C today | External tenant migration plan; pilot before 2028 |
| New consumer or customer-facing application | External tenant from the start |
| Risk-based controls needed for external users | Conditional Access + ID Protection for the relevant tenant |
| Token enrichment from your own business systems | Custom authentication extensions |
Table 4 -Describes a decision framework to help get started
What Good Looks Like
The technical capabilities of Microsoft Entra External ID are the visible half. The operational shift is the half that determines whether the consolidation actually consolidates.
For two decades, the IAM team has been responsible for one population, employees. The application teams and partner managers handle external identity informally, usually badly. Microsoft Entra External ID moves all of that under the same operational owner: the same Conditional Access policies, the same ID Protection signals, the same Microsoft Graph audit surface, the same SOC. That is the consolidation. It is also a meaningful change in scope for whoever now owns identity end to end.
Programs that succeed treat the tenant model decision and the operating-model decision as one. Programs that don't end up with External ID deployed on paper and the old fragmentation still running in production.
Conclusion
Workforce identity was the perimeter for two decades. It isn't anymore. Partner, vendor, and customer identities now outnumber employee identities in most enterprises, and they are the dominant attack surface in the breach data. Microsoft Entra External ID is one credible answer; Okta CIC, Auth0, Ping CIAM, and ForgeRock have similar platforms, and the right choice depends on existing platform commitments. Two stacks for one identity problem is no longer architecturally defensible, and the Azure AD B2C deadline in 2030 means the architecture decision is on the table now whether the program is ready or not.