Microsoft Entra Blog
Customize External Identities self-service sign-up with web API integrations

Alex Simons (AZURE)
Jun 24, 2020

Howdy folks,

 

Last month at Microsoft Build, we announced the public preview of Azure Active Directory (Azure AD) External Identities, introducing self-service sign-up for external users. Since then, we’ve been excited to see so many customers trying out user flows to create customized sign-up experiences, including bring-your-own-identity options for their external users.

 

As a follow-up to that announcement, the team has released the public preview of the API connectors feature mentioned in Principal Group PM Manager Robin Goldstein’s blog post. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows.

 

Here are three examples to get started with API connectors today:

 

Integrate with your existing approval workflows: Enable external users to bring their own identities and self-register without sacrificing control. With API connectors, you can integrate with your own approval system to apply onboarding logic that fits your needs. Trigger manual review processes, implement allow-and-block lists, or send out special invite codes to manage which external user accounts are created in the directory. Read the documentation to learn more.

 

 

Perform identity verification: Verifying a user’s identity can be critical to securing an application from fraudulent and malicious actors. API connectors make it possible to connect with identity verification solutions from IDology, Experian, and other providers to automatically verify identities based on user attributes collected at sign-up. See our samples to learn more.

 

 

Validate or overwrite user information: As part of Azure AD External Identities, we enabled custom attributes, which allow you to customize the data gathered from external users during sign-up. Now, you can use your own web APIs to validate or overwrite that information. For example, you can validate if the user information is in a particular format, and ask a user to re-enter their information or overwrite the user-provided value.
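
The allow-list and validate-or-overwrite scenarios above, sketched as the decision logic of a web API behind an API connector. This is an added example, not code from the original post or from Microsoft's samples. The response shapes (`Continue`, `ShowBlockPage`, `ValidationError`) follow the API connectors documentation; the allowed domain, the credentials, the postal-code rule and the helper names are assumptions made for illustration.

```python
import base64
import hmac
import re

# Assumed values for this sketch (not from the original post).
ALLOWED_DOMAINS = {"partner.example"}
API_USER, API_PASS = "connector", "constructed-secret"
POSTAL_RE = re.compile(r"\d{5}")


def basic_header(user, password):
    """Build the HTTP Basic Authorization header value for a credential pair."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorized(auth_header):
    """Compare the caller's header to the expected one in constant time."""
    expected = basic_header(API_USER, API_PASS).encode()
    return hmac.compare_digest((auth_header or "").encode(), expected)


def handle_signup(auth_header, claims):
    """Return (http_status, json_body) for one API connector call."""
    if not authorized(auth_header):
        return 401, {}
    email = str(claims.get("email", "")).strip().lower()
    if email.rpartition("@")[2] not in ALLOWED_DOMAINS:
        # Allow-list miss: end the sign-up, no account is created.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Sign-up is limited to approved partners."}
    postal = str(claims.get("postalCode", "")).strip()
    if not POSTAL_RE.fullmatch(postal):
        # Format check failed: the user is asked to re-enter the value.
        return 400, {"version": "1.0.0", "status": 400,
                     "action": "ValidationError",
                     "userMessage": "Enter a 5-digit postal code."}
    # Continue, overwriting user-provided values with normalized ones.
    display = " ".join(str(claims.get("displayName", "")).split())
    return 200, {"version": "1.0.0", "action": "Continue",
                 "postalCode": postal, "displayName": display}
```

Wire `handle_signup` into any HTTPS framework by passing the `Authorization` header and the parsed JSON body, and keep the credentials in a secret store rather than in source.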

 

Azure AD External Identities API connectors offer powerful customizations well beyond these examples. Check out our API connectors overview documentation to get started today and let us know what you think at @AzureAD on Twitter or in the comments below.

 

Best regards,
Alex Simons (@Alex_A_Simons)
Corporate Vice President of Program Management
Microsoft Identity Division

 

 

 

Updated Jul 24, 2020
Version 7.0
  • Clarifying one point made by Kelvin Xia - this user experience, and the rest of the user flows for external identities, may have the Microsoft icon replaced by using the Company Branding feature right now. Thanks!

  • Dean_Gross we currently support limited branding with Azure AD's Company Branding feature. We don't have a date right now, but we do have more plans to allow additional UI elements to be replaced - such as the browser favicon, and terms of use and privacy links - so that all references to Microsoft can be removed from the experience.

  • Dean_Gross
    Silver Contributor

    It seems to me that if an external user is registering to use an app, then the app creator's branding should show instead of Microsoft's. I realize that MS is doing the ultimate management of the ID, but that should be hidden from the user; they are not registering an MS app, they are registering an app from my client.

  • Jason-Ra I see a few questions - 1.  Is it going to work with Identity governance and Lifecycle management. Looking ahead, we do plan to integrate the External Identities flow with the Identity Governance features of Azure AD including lifecycle management for guests.  2. Is this going to work when the other org isn't Azure AD? We currently have functionality that supports direct federation with non Azure AD orgs (via SAML, WS-Fed) in public preview. We are working to make sure future extensibility is available to all types of users. 3. Is this going to replace lifecycle management? No, it won't replace lifecycle management. The API connectors function can be used for a variety of scenarios including ID verification and if desired, connecting with an internal process such as a company's bespoke lifecycle management system (UI strings in this post are representative of how the system can be configured by a customer). 

  • Jason-Ra
    Copper Contributor

    Thanks for the update and rapid-fire enhancements of this feature. For E5 customers, is this expected to come for Azure AD Entitlement Management? That is, support for Connected Organisations where the other IdP is not Azure AD? Or are these new API features for external IDs expected to replace the external ID lifecycle capabilities of EM?

  • belaie Thanks for bringing that up! We don't have a date yet for when this will work for Members, but we've got it as part of our vision to make the user flows work across all use cases. Thanks for your feedback here!

  • belaie
    Brass Contributor

    Alex Simons (AZURE) that's great! When is this experience coming to Azure AD non-external users (Members)? Another example: in our case we have custom enterprise Azure AD apps (SAML 2.0 based) where we wish to carry on sign-up (self-service) with an approval flow for non-external (member) users.