Thank you!

Thank you for watching!

Thank you for watching! Yes, currently federations with external identity providers are limited. In the future the ideal scenario will be where as you mentioned there will be OIDC configuration section so we can integrate more external identity providers. This is on the horizon.

Thank you for watching!

Thank you for watching and kind words. When it comes to your question about new product and migration. Microsoft Entra External ID is the future when it comes to CIAM solution provided by Microsoft. However, current product is in the preview (at the moment of writing this comment). For simple authentication and branding scenarios it can be a good fit but please remember that it is still not so mature like Azure AD B2C. Having said that I would strongly recommend assessing your current requirements for the login/registration scenarios and then check if these will be possible to be implemented with the new platform (Entra External ID). Recently I faced issues when testing my tenant where suddenly I could not sign in (you can read more here: learn.microsoft.com/answers/questions/1353634/aadsts500208-the-domain-is-not-a-valid-login-domai). I would wait with migration decision at least to the moment when the product is GA, not in the preview. One more point - migration paths are not yet defined between Azure AD B2C and Entra External ID - the team at Microsoft is working on this topic but there is no official information provided yet.

Strategies for user migration are still undefined. We need a seamless way of migrating users but custom extensions are, in its current state, not enough because the password is not sent in the request. I looks like native authentication would work but that feature is still private.

Thank you for watching. The difference is in the configuration approach. There will be no custom policies anymore. User flows will be defined either in the portal or using REST API. When it comes to extensions for instance - these will be also configured in the different way (currently in the Azure AD B2C you use technical profiles when you use custom policies), here you can read about new approach: learn.microsoft.com/en-us/azure/active-directory/develop/custom-extension-overview?context=%2Fazure%2Factive-directory%2Fexternal-identities%2Fcustomers%2Fcontext%2Fcustomers-context The important thing is that new MS Entra External ID aims to provide the same level of features as AD B2C does, however the way you will configure them will be much easier and more aligned with DevOps philosophy (storing configuration in GIT, ability to configure tenant using APIs). I hope this clarifies a bit.

@@TechMindFactory Thank you. That makes more sense. So some configuration that used to be configured with IdentityExperience XML can now be written in C# by using external API's? Would it be possible to detect which tenant the user is coming from, in case the user decides to use his work account? If so, is it possible to tell Microsoft to use MFA for certain tenants? That is one scenario we would like to develop for our internally developed product, but so far, we could not see how..

@@btastic2 The scenario you are talking about combines HRD (Home Realm Discovery, where we discover that user is using account from another tenant) with Conditional Access. HRD is not yet fully supported in the new platform. Please also note that in the typical scenario where user decides to use work account, user is redirected to home tenant for authentication. The decision whether to apply MFA or not is on the home tenant side. Now you could of course require MFA also on your tenant side (something similar to what Azure AD B2C has for social accounts, where you can apply MFA also for the Facebook or Google accounts). Such scenario is not supported yet but I know that HRD functionality is on the priority list owned by the Product Group. For now you cannot configure granular options for HRD.

@@TechMindFactory Thank you so much for your thorough explanation! Helps a lot!

@@btastic2 Great to know, always happy to help, good luck!

Hi, thank you for kind words! When it comes to your question. Access tokens issued by Microsoft Entra External ID cannot be used to access Microsoft Graph API. When you say "make Graph call to the user's original tenant" - I assume you talk about the scenario where user used corporate account to access your application secured with Microsoft Entra External ID and you would like to somehow access user's original tenant to get some authorization? I would definitely need more details here.

Thank you! You can hide it using CSS styles: learn.microsoft.com/en-us/azure/active-directory/fundamentals/reference-company-branding-css-template You should set visibility for the hyperlink to hidden. You can download CSS template from there (or from the page above): download.microsoft.com/download/7/2/7/727f287a-125d-4368-a673-a785907ac5ab/custom-styles-template-013023.css Here you can read more about branding customization: learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-customize-branding-customers#to-customize-the-sign-in-page-background-and-layout To test hiding, you can open the console in the browser and type: document.getElementById("backToLogin").style.visibility = "hidden";

@@TechMindFactory Thanks mate.

Thank you for watching. It is still under development, however it is one of the key features in the backlog for this new product. The experience will be similar to the current one in the Azure AD B2C, where we can type the username, and basing on the domain, user is redirected to specific tenant. There will be also restrictions for HRD for specific domains. Once I have more details, I will definitely share this information.

No, this is not supported currently.

Yes, these are good points you mention. First of all - custom policies are removed in the new solution due to bad feedback from developers and people who tried it. I also agree that even if experience was not very good, custom policies are essential to build more complex auth flows. In the new platform there are Azure AD Event Listeners used - it means that you will be able to attach custom logic to different parts of the user journey, like "onAttributeCollection", "afterConditionalAccessCheck" etc. This is new architecture. Soon there will be more details available for public preview. I am doing my best to create next video where I will dive into the details. External ID Team is aware that there is a strong need for advanced flows like we can build now with Azure AD B2C custom policies. When it comes to flows and calling them - sing in and password reset are already there. In the app config you do not have to provide the name of the flow. For the profile edit - it is still under consideration and more details will be known soon. Please also remember that there will be also native auth API available so you will be able to natively integrate your app with the platform without any redirections (it means that you will be able to display profile edit page directly in your app without using pages from External ID). Again - more details will be available soon. I am under NDA so cannot provide too much details now but I can promise that once I have green light to share more details I will do it immediately. Please let me know once you have any questions. PS: Thank you for watching!

@@TechMindFactory Thanks for the info. I hope they will combine the best of both worlds: AAD: e.g. obo-flow, securityGroups, full graph api B2C: well, we had to implement a whole bunch of advanced features, e.g. homeRealmDiscovery, custom logging, testautomation capabilities, impersonation, custom refresh token and access token journeys, different flows for different apps (e.g. restrict some apps to distinct federated idps), etc, etc

@@michaelpropster8076 Thank you to for a great feedback! Yes, the points you mentioned above were already discussed (many times, believe me) with the Product Group. OBO flow will be available (this is the strong feedback from many people as we need it on the backend side integration). When it comes to Graph API - new platform has strong fundaments on API-first approach. You can already read more about Management APIs: learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-management-apis-overview One more thing - because new platform is fully based on the Azure AD there will be no exceptions for some queries in the Graph API - as we have it now with Azure AD B2C, for instance to query user's mobile phone used for MFA. There will be more in the future - custom domains will be available too! I will share more info when I can. Let's be in touch.

@@TechMindFactory Thanks a lot. Can't wait hear more news from you!

I do not have exact information about the road map but I can confirm that FIDO2 is considered and discussed. I do not have any info about passkeys yet. Same for the back channel logout. When it comes to global deployment - service will be global but still you have to select datacenter for users profiles during the configuration: learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/quickstart-tenant-setup#create-a-new-tenant-with-customer-configurations From the global availability perspective you will probably need to support tenants in multiple locations - the mechanism underneath is the same like in standard AD. I will try to get more details about it and get back to you.

I understand your frustration as I also faced some issues recently. I am not sure if you know but here is the place where you can describe your issue: learn.microsoft.com/en-us/answers/tags/438/entra-external-id Microsoft engineers are reviewing it and you can get help. Here is one of my recent issues reported (as you can see I got response from the MS Engineer): learn.microsoft.com/en-us/answers/questions/1353634/aadsts500208-the-domain-is-not-a-valid-login-domai I encourage you to try.

Thanks very much@@TechMindFactory will give it a go. cheers