When building a Power Pages website where you will have external stakeholders signing in, it is highly recommended to use an external authentication provider and not the out-of-the-box forms based login and password.
There are different external providers available, provided by Microsoft (Azure AD B2C) and other 3rd party providers (like OKTA).
Currently in preview, Microsoft has enabled Entra External ID as a provider for Power Pages.
Entra External ID (part of the broader Microsoft Entra suite) introduces a modernized and more integrated approach compared to the older Azure AD B2C.
I found the documentation missing a few key steps, especially around the configuration of the Entra External ID side, as well as how to migrate existing Entra External ID users to Power Pages contacts. So mostly for my future self, but sharing with others, here are the steps to configure the Entra External ID.
The 2025 release plan states that the team will be releasing a wizard experience to easily configure the Entra External ID provider, so these steps may soon be obsolete. However, if you need to go in and configure something different or extra, or even just to understand the process, these steps may still help.
The first step is to create the external tenant. There are a lot of steps and navigation, so I have included a lot of screenshots to step through the process.
First navigate to the Microsoft Entra admin center found at this URL: https://entra.microsoft.com/#home. Note that you will need to sign in as an Entra administrator for your tenant.
From the home screen, select Manage tenants.
In the Manage tenants page, choose + Create to create a new tenant.
You will be prompted to select either Workforce or External. Power Pages allows for external users, so we will select External.
Select whether you will use a subscription or a trial. I used my existing Azure subscription.
Give the tenant a name and a unique domain name. Select a Country/region ideally in the same region as your Power Pages website. Select Next: Add a subscription.
Select the subscription and select or create a new resource group. Also specify the resource group location. Then select Next: Review and Create.
After a few minutes, the tenant should be created. You can select the link to navigate to the new tenant.
With the new tenant created, we can now configure the Power Pages authentication provider.
In the Power Pages design studio, select the Security workspace and select Identity providers.
Choose to configure the Microsoft Entra External ID (preview) provider.
You can specify a provider name or leave the default. Select Next.
Copy the Reply URL that is generated.
Return to the Microsoft Entra admin center. In the Entra External ID tenant, select + Add and App registration.
Provide a user friendly name for the app registration and choose supported account types based on your requirements.
Enter the Redirect URI (the Reply URL that you copied from the Power Pages external identity configuration). Select Register.
The App registration will be created.
Select the Authentication tab and check the Access tokens and ID tokens values. Select Save.
Select API permissions tab and choose the Grant admin consent option.
Under the External Identities section, select User flows. Select + New user flow.
NOTE: If user flows are disabled, under External Identities, select External collaboration settings and ensure that Enable guest self-service sign up via user flows is set to YES.
Give the user flow a name, and choose either Email with password or one-time passcode. You can also specify user attributes to collect during sign-up and pass these back to the Power Pages site. Select Create.
Once the user flow is created, select Applications and then select +Add application.
Choose the application registration that was created earlier in the process and choose Select.
The application will appear on the list. Select the newly created App registration.
Copy the Application (client) ID; we will need this to configure Power Pages. Select Endpoints.
In the Endpoints, copy the Authority URL, and the OpenID Connect metadata document.
Return to the Power Pages configuration, and paste in Client ID, Authority, and Metadata address values. These will create site settings specific to the external identity configuration. Select Next.
Select Confirm.
Finish off the process and select Close.
In the Power Pages design studio, navigate to the Set up workspace, and in the Site details section, select Open the admin center.
This will open the Power Platform admin center to the Power Pages site configuration. Choose Site Actions -> Restart site in order for the Entra external ID to appear.
Launch the Power Pages site. Select the Sign in button. You should see the Microsoft Entra External ID available.
You will need to create a new Entra External ID account (or use an existing one if you have used this tenant for other applications).
The first time you will be shown the profile page. Fill in the details and choose update.
The Entra External ID provider is now set up. There will be a new contact in the Power Pages Management app where you can assign custom web roles and perform other admin activities.
I wrote a post on how to migrate existing users in Azure AD B2C and OKTA in Power Pages by creating External Identity records and mapping the usernames.
However, using the default setup for Entra External ID, you will notice that the user name is set to a random string of characters that has no correlation to the user set up in the Entra External ID tenant.
I checked with the team at Microsoft and got the explanation that the user string came from a sub claim when the authentication handshake happens between Power Pages and Entra External ID, and with Entra External ID, that string from the sub claim becomes the user name. Translation: stuff happens in the background.
To get around this, it was suggested to add the following site setting that would instead begin to use the Entra External ID as the user name.
Authentication/OpenIdConnect/<PROVIDER_NAME>/ObjectIdentifierAsNameIdentifierClaimEnabled
This way you can follow the same steps as Azure AD B2C and OKTA to import/link existing users into Power Pages.
I tried this out and had to restart the site, but afterwards any new users had their Entra External ID object id as the username.
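To see why the setting matters when linking existing users, here is an added example (not code from the original post or from Microsoft) that decodes a constructed ID token and compares the sub and oid claims against a constructed directory export. The function names, sample claim values and the export shape (id and mail fields) are assumptions made for illustration.

```python
import base64
import json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def name_identifier(claims: dict, oid_as_name_identifier: bool) -> str:
    """Model of the behaviour described above: sub by default, oid with the setting."""
    key = "oid" if oid_as_name_identifier else "sub"
    if not claims.get(key):
        raise KeyError(f"token has no '{key}' claim")
    return claims[key]

def match_directory_user(username: str, directory_export: list) -> Optional[str]:
    """Return the mail of the exported user whose object id equals the username."""
    for user in directory_export:
        if user["id"].lower() == username.lower():
            return user["mail"]
    return None

# Constructed sample data (not from a real tenant).
SAMPLE_CLAIMS = {
    "iss": "https://login.example/tenant/v2.0",
    "aud": "00000000-0000-0000-0000-0000000000aa",
    "sub": "Xk3p0QvTn7c1ZrLw9dYbE2uHsAfG5mJ8oIqVtN4yR6M",
    "oid": "11111111-2222-3333-4444-555555555555",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-signature"),
])
SAMPLE_EXPORT = [{"id": "11111111-2222-3333-4444-555555555555", "mail": "pat@example.com"}]

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    for flag in (False, True):
        user = name_identifier(claims, flag)
        print(flag, user, match_directory_user(user, SAMPLE_EXPORT))
```

With the default behaviour the username is the opaque sub value and matches nothing in the export; with the object identifier as the username, it lines up with the directory record.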
Setting up the Entra External ID provider is a lot of steps, but once configured, provides an elegant way for external users to be able to sign in and use your Power Pages website and will provide additional security options.
Nick Doelman is a Microsoft MVP, podcaster, trainer, public speaker, and competitive Powerlifter. Follow Nick on X at @readyxrm or LinkedIn, and now Bluesky. Listen to or watch the Power Platform Boost podcast with Nick and co-host Ulrikke Akerbæk every second week for news and updates from the Power Platform community.
Original Post https://readyxrm.blog/2025/02/26/power-pages-configure-entra-external-id/