Power Pages: Onboarding external identity users

Nick Doelman, Dyn365CE, 6 months ago

Using local authentication in Power Pages is not recommended. There are a number of alternate external providers available (such as Azure AD B2C), or you can configure other providers such as OKTA (as I outlined in Power Pages: Set up OKTA as an identity provider).

Note that Azure AD B2C is NOT being renamed to Entra AD B2C, but there is a new provider called Microsoft Entra External ID which will soon be supported by Power Pages.

Are you more of a video person? Check out the video version, where I walk through the steps outlined in this post.

Once you’ve configured your external provider, how do you onboard your users to your Power Pages site?

In this post, I will talk about the following methods:

  • Allowing users to register on your website
  • Inviting existing users (contacts)
  • Allowing users to request access
  • Creating/updating user identity information in Power Pages to provide automatic access!

Registration

If a user already has an account in Azure AD B2C, OKTA, or other identity provider, they have the ability to link that external identity user to a new user in the Power Pages website.

The user would select the sign-in button and, on the registration tab, choose the specific identity provider; or, if that provider has been set as the default, the identity provider login screen will appear directly.

If your user already has a user account set up in that identity provider, they can sign in to continue the registration process.

If your identity provider is configured to allow new user registrations, they can create a new user in that identity provider as part of the process. (The screenshot shows Azure AD B2C, but the process is similar for other providers like OKTA.)

Following a default configuration, you will need to specify your email address to complete the process:

Once this is provided, the user will be created as a contact and a corresponding external identity record will be created for that user. The user will be able to browse the website and automatically have access to any page or resource available to the authenticated user web role.

Some issues with this method are that the user will need to enter their email address and the process seems a bit disjointed. If they already have a contact in the system, they will get an error that the email is already in use.

The other issue is that it's unclear to these users whether they need to create a new external identity user or whether they already have one.

All Power Pages users are created as contacts in Microsoft Dataverse.

Invitation to an existing user

If you already have your users stored as contacts in Dataverse (via custom Power Apps or Dynamics 365 apps), then you don’t want them registering as new users, which would create duplicates.

Power Pages provides an invite function that will generate an invite code that you can send to the contact, either using the provided workflows or by setting up a Power Automate flow to send the invites.

Once the user receives the invite (usually via an embedded link in an email) they can redeem the invitation.

They can then select the external identity provider, or if the identity provider is set as default the login screen will appear. They are given the option to log in using an existing identity provider account or, potentially, to create a new one. (The screenshot shows the OKTA login, but Azure AD B2C is a similar process.)

Once redeemed and linked, the user has access to the Power Pages website and any assets available to the authenticated user web role or any other web roles assigned as part of the invitation process. The user doesn’t need to supply an email address as they have already provided the invitation code.

Like registration, it again may be unclear to these users whether they need to create a new external identity user or whether they already have one.

Getting existing users to request access to the website

One pattern that I have used a few times is to create a form where existing users can request access to the new website. My blog post from 2017 describes a method for existing users to request access.

How to Give 6 million Contacts Access to your Portal

The post is a bit dated; if I were to do that today, I would likely use the Power Pages Web API, Power Automate or plug-ins (or low-code plug-ins).

Allowing existing external identity users automatic access

The following steps outline the process to automatically create and connect your external identity users as users in your Power Pages site.

This is convenient if your new website users are already using an external identity provider to access other applications in your tenant, or if you want to create the users in the external identity service as part of a broader onboarding process and give them access to Power Pages automatically.

Get user information from the External identity provider

Depending on your configuration, users may be able to create their own accounts in the external identity provider manually, or users could be created via an API or a bulk upload. That process goes beyond the scope of this post. Let’s assume that you already have users set up in the external identity provider.

Using Azure AD B2C

In your Azure AD B2C portal, navigate to the users and locate the user that you want to provide access to the Power Pages website. Copy the user’s Object ID.

Note that you could also download a list of users and use them in a script or automation to update your users in bulk. Choose Download users from the command bar to get a list of users in a CSV format.

Using OKTA

In your OKTA portal, navigate to the users and locate the user that you want to provide access to the Power Pages website. Copy that user’s user_id.

Note that you could also download a list of users and use them in a script or automation to update your users in bulk. OKTA has a User Import/Export extension.

Update Dataverse contacts

You can now import, manually create or update existing Dataverse contacts. I will walk through the process of configuring a single contact to provide access to the Power Pages site, but note this whole process can be automated for your own purposes.

Note that this part of the process is the same for both Azure AD B2C and OKTA providers.

Once the contact is created (you should be able to find lots of info on how to do this), go into the Power Pages management app, locate the contact and choose the Contact – Portal Contact (Enhanced) form.

Select the Web Authentication tab and fill in the following fields (schema names provided if you are using a script or building an import) for the particular contact.

If migrating or updating existing data, you may have to go through a data matching exercise (potentially using something like the email address as the key) to match the external identity user data to existing Dataverse contacts.

Column name (schema name): value

  • Username (adx_identity_username): auth0|66bd0e8c1934a09a32c68f70 (example). This is the Object ID value from Azure AD B2C or the user_id from OKTA.
  • Login Enabled (adx_identity_logonenabled): Yes
  • Email Confirmed (adx_identity_emailaddress1confirmed): Yes
  • Lockout Enabled (adx_identity_lockoutenabled): Yes
  • Security Stamp (adx_identity_securitystamp): a generated GUID value, like 538748be-9f8a-4b40-86e8-01bb93ed7691 (example)*

*The Security Stamp field is locked on the form, but a value can be generated with the guid() expression in a Power Automate flow, or by running the Reset Security Stamp workflow from the flow menu.

Create a new External Identity record (adx_externalidentity) with the following values (schema names provided if you are using a script or building an import):

Column name (schema name): value

  • Contact (adx_contactid): a lookup to the contact record.
  • Username (adx_username): auth0|66bd0e8c1934a09a32c68f70 (example, the same value as updated in the contact record). This is the Object ID value from Azure AD B2C or the user_id from OKTA.
  • Identity Provider (adx_identityprovidername): the URL of the identity provider, which is the same as the Authority value in the identity provider configuration, or the value of the Authentication/OpenIdConnect/OpenId_x/Authority site setting.

Once these values are in place, the user should be able to log in to the Power Pages website without needing to register or go through the invitation process. If the identity provider is set as the default, the user can go right to being signed into the portal if they have already authenticated in the same browser to another app (single sign-on).
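To show the data-matching exercise and the two record updates above as a bulk operation rather than a single form edit, here is an added Python example; it is not code from the original post, and the post itself does this in the Power Pages management app or Power Automate. It reads a constructed CSV shaped like the provider's user export, matches rows to existing Dataverse contacts by normalised email, and returns the Dataverse Web API operations for each match: a PATCH on the contact with the adx_identity_* columns and a POST creating the adx_externalidentity row. The CSV column names, the sample contacts, the Authority placeholder and the OData bind name adx_ContactId are assumptions to check against your own export and environment metadata; nothing is sent to a server.

```python
"""Added example: build the Dataverse Web API payloads that link existing
external-identity users (Azure AD B2C / OKTA) to Power Pages contacts in bulk.
Constructed data throughout; not the original post's code."""
import csv
import io
import uuid

# Constructed sample export. The header names (objectId, mail) are an assumption
# about the B2C "Download users" CSV; check your own export's header row.
EXPORTED_USERS_CSV = """objectId,displayName,mail
11111111-aaaa-4bbb-8ccc-000000000001,Alex Example,alex@example.com
22222222-aaaa-4bbb-8ccc-000000000002,Bobbi Example,bobbi@example.com
33333333-aaaa-4bbb-8ccc-000000000003,No Contact,nobody@example.com
"""

# Constructed stand-in for contacts already in Dataverse (contactid, emailaddress1).
EXISTING_CONTACTS = [
    {"contactid": "c0000000-0000-4000-8000-000000000001", "emailaddress1": "Alex@Example.com"},
    {"contactid": "c0000000-0000-4000-8000-000000000002", "emailaddress1": "bobbi@example.com"},
]

# Value of the Authentication/OpenIdConnect/OpenId_x/Authority site setting.
# Placeholder tenant/policy names; copy the real value from your site settings.
IDENTITY_PROVIDER_AUTHORITY = "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/v2.0/"


def parse_export(csv_text, id_column="objectId", email_column="mail"):
    """Return {normalised_email: provider_user_id} from an exported user list.
    For an OKTA export pass id_column="user_id" and the email column it uses."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        users[row[email_column].strip().lower()] = row[id_column].strip()
    return users


def index_contacts_by_email(contacts):
    """Match key is the normalised emailaddress1, as the post suggests."""
    return {c["emailaddress1"].strip().lower(): c["contactid"] for c in contacts}


def contact_patch_payload(provider_user_id, security_stamp=None):
    """Web Authentication tab columns from the post, keyed by schema name.
    uuid4() here plays the role of the guid() expression in Power Automate."""
    return {
        "adx_identity_username": provider_user_id,
        "adx_identity_logonenabled": True,
        "adx_identity_emailaddress1confirmed": True,
        "adx_identity_lockoutenabled": True,
        "adx_identity_securitystamp": security_stamp or str(uuid.uuid4()),
    }


def external_identity_payload(contact_id, provider_user_id, authority=IDENTITY_PROVIDER_AUTHORITY):
    """adx_externalidentity row. The bind name 'adx_ContactId' for the contact
    lookup is an assumption; confirm the navigation property in $metadata."""
    return {
        "adx_ContactId@odata.bind": f"/contacts({contact_id})",
        "adx_username": provider_user_id,
        "adx_identityprovidername": authority,
    }


def build_link_operations(csv_text, contacts, **parse_kwargs):
    """Match exported users to contacts and return the Web API operations.
    Unmatched users are reported separately rather than silently creating contacts."""
    users = parse_export(csv_text, **parse_kwargs)
    by_email = index_contacts_by_email(contacts)
    ops, unmatched = [], []
    for email, provider_user_id in users.items():
        contact_id = by_email.get(email)
        if contact_id is None:
            unmatched.append(email)
            continue
        ops.append({
            "contact_patch": {
                "method": "PATCH",
                "path": f"/api/data/v9.2/contacts({contact_id})",
                "body": contact_patch_payload(provider_user_id),
            },
            "external_identity_post": {
                "method": "POST",
                "path": "/api/data/v9.2/adx_externalidentities",
                "body": external_identity_payload(contact_id, provider_user_id),
            },
        })
    return ops, unmatched


if __name__ == "__main__":
    ops, unmatched = build_link_operations(EXPORTED_USERS_CSV, EXISTING_CONTACTS)
    for op in ops:
        print(op["contact_patch"]["method"], op["contact_patch"]["path"])
        print(op["external_identity_post"]["method"], op["external_identity_post"]["path"],
              "->", op["external_identity_post"]["body"]["adx_username"])
    print("unmatched, review before creating contacts:", unmatched)
```

Two design points worth keeping when you adapt this: the same provider user id is written to both adx_identity_username and adx_username, since a mismatch between the two records is the usual reason a linked user still lands on the registration page; and Email Confirmed is only safe to set to Yes when the identity provider actually verified that address, because the email is the key the matching step trusts to pick the right contact. Unmatched exports are returned for review rather than turned into new contacts, which is the duplicate problem the invitation section describes.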

Automation

The whole onboarding process can be automated, whether for onboarding new users or for migrating from existing systems. There are APIs to create Azure AD B2C and OKTA users, and there are different ways to create Dataverse contacts. Hopefully the information provided in this post gives you what you need for your own projects.

Summary

Using an external identity provider is highly recommended over using local authentication. There are a number of ways to onboard your users and properly link the Power Pages user and the external identity provider user.

Nick Doelman is a Microsoft MVP, podcaster, trainer, public speaker, competitive Powerlifter and is speaking at a whole bunch of events this fall/winter! Follow Nick on X at @readyxrm or LinkedIn. Listen to or watch the Power Platform Boost podcast with Nick and co-host Ulrikke Akerbæk every second week for news and updates from the Power Platform community.

Original Post https://readyxrm.blog/2024/08/16/power-pages-onboarding-external-identity-users/
