Power Platform Community Forum Thread Details

[Help] Synchronous Web Role Assignment in Power Pages Based on Identity Provider (Entra SSO vs B2C)

Hi all,

I need a synchronous way to assign web roles in Power Pages at sign-in based on identity provider:

Microsoft Entra (SSO) → Employee web role
Microsoft Entra B2C → External web role

This is required to immediately show/hide content and enforce Table Permissions / Web Page Access Control Rules. I cannot use asynchronous options (e.g., Power Automate) because they force a log out/in before roles take effect, which is unacceptable UX.

What I've tried:

Liquid checks to detect provider
- (Good for UI only, not security and also not sustainable since the check would need to be done on every page new & old)
Background jobs/flows
- (Too slow; roles apply only after re-login)
Default role assignment at registration
- (Doesn't handle provider-based logic)

Questions:

Is there a supported way to assign/resolve web roles synchronously at authentication based on the identity provider?
Can Power Pages map claims (e.g., identityprovider, iss, or a custom B2C claim like external=true) to web roles so they’re active immediately?
Are there authentication event hooks or custom handlers that run synchronously to set roles before the first page renders?

Pseudocode - Desired Behavior:

OnAuthenticationSuccess(user):
    idp = claims['http://schemas.microsoft.com/identity/claims/identityprovider']
    if idp == 'entra-id':
        principal.AddRole('Employee')
    else if idp == 'entra-b2c':
        principal.AddRole('External')
    // role should be active in the current session immediately

If you’ve achieved this, could you share:

Exact configuration (claim types, site settings, mapping steps)
Whether it worked synchronously without re-login
Any gotchas (caching, timing, first-request behavior)

Thanks Power Pages Community!

Categories:

Customize & extend

Design & build

Hi @ZK-11041953-0

Just to clarify something in general, having the person log in / out is pretty standard across any auth/auth scenario because Roles and Permissions do not always take effect without logging in or out but it's not a Power Automate thing, especially as Claims versus Roles, being different things, don't map today.

The other issue is there are not many ways to "block" setting aside why you want to block (which I do understand).

Essentially nothing we give you will guarantee immediately assignment (meaning no logging in or out), whether you call Azure Functions, or Plugins I am unaware of any way to force a guarantee immediately affect.

Maybe one of the others has a way, I am just not aware of one.

Quick Links