Is it possible to have external users SSO authenticate using their own AAD credentials?


We want to have clients authenticate using their own AAD credentials, so they don't have to remember yet another password just to use our product.

 

I came across this article which seems to indicate it is indeed possible, while searching on this forum hints at the opposite.

 

So is it possible?

 

EDIT: To make this first post seem less vague, here is some more information:

 

  • This is regarding AAD B2C, since that is recommended over using simply AAD
  • I am using Recommended user flows, since the Standard ones are deprecated in August
  • The B2C tenant as well as the portal environment are completely fresh (created in January)

Finally, I don't HAVE to use B2C nor Recommended user flows. I am only doing so because the documentation keeps recommending that.

The single business need we have is that any user with a Microsoft school or work account should be able to register without entering any credentials, and with as few clicks as possible. So far, any user we haven't invited to our B2C tenant beforehand will get an AADSTS50020 error upon using the user flow.

  • ragavanrajan
    7,044 Most Valuable Professional

    Hi @pmarnason , 

     

    Yes, it is possible through Azure B2B if you want to allow them to use their own credentials. I am adding the official docs for you to check how to enable Azure Active Directory login. Keep in mind that once you have enabled this option, the external users will sit in the main "Azure Active Directory tenant".

     

    https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/use-simplified-authentication-configuration

    Adding our community champion @OliverRodrigues's recent good video for your reference:

    https://www.youtube.com/watch?v=SngdBdEVGBc&ab_channel=PowerCommunity 

     

    and another one from EngineeredCode to understand more: 

     

    https://www.youtube.com/watch?v=_Gf142b9Aq4&t=54s&ab_channel=EngineeredCode 

     

     

    PS: The recommended approach is to enable Azure B2C but you can try the above method also. 

     

    Hope it helps. 

    ------------

    If you like this post, give a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.

  • pmarnason
    43

    Thank you for the links, but I went with the B2C instead.

     

    I set up Azure B2C and managed to add an SSO button to the login flow on my portal.

     

    Unfortunately, the registration of a user is a very lengthy process:

    1. Invite guest user to B2C tenant
    2. User opens invite link in their email
    3. User is redirected to myapplications.microsoft.com after accepting registration (I am certain this redirect URL could/should be changed)
    4. User logs in to portal through SSO button
    5. User has to enter email to get a verification code sent, and after entering the code the user is allowed to register

    After this, the SSO button functions as expected.

     

    Preferably, we would not have to invite guest users at all, but rather allow anyone to register without any action on our part. It would be even better if it simply happened as the user presses the SSO button, as if they were an invited and registered guest user and portal contact already to begin with.

     

    If this is not possible, is there at least a way to avoid the verification code on portal sign up?

     

     

    Thank you again for your help.

  • ragavanrajan
    7,044 Most Valuable Professional

    Hi @pmarnason ,

     

     You can automate the "Guest user invitation part" if you have sufficient privileges to Azure. 

    Please see the blog from Arpit  https://arpitmscrmhunt.blogspot.com/2020/05/add-guest-users-in-azure-active.html. 

     

    Regarding the verification code, it is a security thing:

     

    "A user can choose to remember the browser that successfully passed the verification, so that the security code won't be required the next time the user signs in from the same browser." 

     

    You can turn off the security code verification if needed by going into site settings:

    Authentication/Registration/TwoFactorEnabled - If you don't see one, you can create it.

    Set the value to "false". In portal studio, do the sync configuration and browse the website to have the changes reflected.

     


    Hope it helps. 


     

  • pmarnason
    43

    Thank you, I guess I could let users invite themselves through a link or something then.

     

    Is there a way to completely avoid the registering process, so to a new registrant it would simply appear as if they are logging in without having to be invited in the first place? I want the steps/clicks involved to be as few as possible.

  • ragavanrajan
    7,044 Most Valuable Professional

    Hi @pmarnason

     

    I am a little bit confused. Are you trying local registration or Azure B2C logon? If it is local registration, then can you please raise it as a separate topic. Maybe I am wrong in understanding your full issue; I will hand over to our peer community champions to help here. FYI: @OliverRodrigues & @OOlashyn

  • pmarnason
    43

    I do not blame you one bit, as I have been confusing myself a lot too trying to solve this one.

     

    In regards to local registration vs Azure B2C logon, I wished to follow best practices and so I believe I have successfully implemented B2C now.

     

    The issue lies in how I phrased my original question, I should have asked: Is it possible to have external users register themselves by simply authenticating through Azure B2C using their own credentials.

    And as such completely skipping the whole invite process.

     

    As an example of the user flow we want to accomplish, I refer to how signing up to reddit.com works. 

    Screenshot 2021-01-26 110619.png

    When I click "continue with Google" on the sign up prompt, I am sent to Google OAuth and after selecting my account, my user is immediately created on Reddit. We want the same user experience for our end users, except with the external provider allowing them to use their own Azure credentials.

     

    Exactly how this is accomplished with local registration or B2C, or something else entirely, really does not matter. 

  • OOlashyn
    3,496 Most Valuable Professional

    Hi @pmarnason ,

    You can configure your Azure B2C and portal to support the registration process without invites etc. In the configuration process of Azure B2C (https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-azure-ad-b2c-provider-manual), at step 6 you should configure Registration Claims mapping and Login Claims mapping with the proper fields (email, firstname and lastname) and toggle Contact mapping with email to make sure that if the contact already exists in the system it will map it properly by the email. Keep in mind that in your user flow in Azure B2C you need to configure additional claims (like firstname and lastname from the external provider), because by default the system only provides the email claim. If for some reason you cannot configure the Portal part in the new UI, you can do it with site settings. For that you can check my article about Open ID Connect configuration (https://www.dancingwithcrm.com/claims-mapping-for-openidconnect-for-portal/) - it is applicable for Azure B2C with the proper Site Settings names.
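
Added example (not part of the original thread, and not the poster's or Microsoft's code): a small Python check of whether every claim named in a Registration Claims mapping is actually present in the ID token the user flow returns, which is the mismatch the reply above describes. The `contact_field=token_claim` mapping format, the claim names (`given_name`, `family_name`, `emails`) and both sample tokens are constructed assumptions; the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

def parse_claims_mapping(setting):
    """Parse 'contact_field=token_claim,...' (assumed format) into a dict."""
    mapping = {}
    for pair in (p.strip() for p in setting.split(",")):
        if not pair:
            continue
        field, sep, claim = (s.strip() for s in pair.partition("="))
        if not (sep and field and claim):
            raise ValueError(f"malformed mapping entry: {pair!r}")
        mapping[field] = claim
    return mapping

def decode_payload(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def unmapped_fields(setting, id_token):
    """Contact fields whose mapped claim is absent or empty in the token."""
    claims = decode_payload(id_token)
    return [f for f, c in parse_claims_mapping(setting).items() if not claims.get(c)]

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(payload):
    """Build a constructed, unsigned sample token (placeholder signature part)."""
    return ".".join([_b64({"alg": "none", "typ": "JWT"}), _b64(payload), "sig"])

# Constructed inputs: an assumed mapping value and two assumed token payloads.
MAPPING = "firstname=given_name,lastname=family_name"
EMAIL_ONLY = make_sample_token({"emails": ["user@example.com"]})
WITH_NAMES = make_sample_token({"emails": ["user@example.com"],
                                "given_name": "Test", "family_name": "User"})

if __name__ == "__main__":
    print("email-only flow leaves unmapped:", unmapped_fields(MAPPING, EMAIL_ONLY))
    print("flow with name claims leaves unmapped:", unmapped_fields(MAPPING, WITH_NAMES))
```

A non-empty result means the user flow is not emitting a claim the portal mapping expects, so the corresponding contact fields stay blank at registration.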

  • pmarnason
    43

    I configured Registration Claims mapping and Login Claims mapping, toggled Contact mapping with email and also followed the instructions from your article.

     

    Unfortunately, I am still at a complete loss.

     

    First and foremost, users (both from our org and external) still get error AADSTS50020 when trying to register without having been invited beforehand in B2C:

    [Screenshot: Test user from our organization is unable to register without an invitation]

     

    If I do invite the user in B2C, it still appears as if I set up claims mapping wrong somehow, as you can see in this screenshot:

    Screenshot 2021-01-26 212527.png

    You might also note the form is asking for a verification code, despite Authentication/Registration/TwoFactorEnabled being set to false.

     

    I will try to gather all necessary configurations here:

    [Seven screenshots: Screenshot 2021-01-26 213147.png through Screenshot 2021-01-26 214137.png]

     

    Thank you in advance.

  • OOlashyn
    3,496 Most Valuable Professional

    Hi @pmarnason,

    Sorry for the long reply. Well, everything looks correct. I will try to set up a similar configuration and see if it will work. Meanwhile, maybe you could think about a workaround like allowing the user to register on the portal and automatically creating them in your Azure via a Power Automate flow (like in this article - https://powerapps.microsoft.com/en-us/blog/on-boarding-user-external-user-to-tenant-through-powerapps-portal/).

  • pmarnason
    43

    Thank you for your persistence. I really hope we can solve this one.

     

    Also a big thank you for this link, I was well aware of something like this being a good second best choice, but I had yet to find such a 1:1 applicable article to my particular issue.
