Native authentication empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect brand-aligned authentication user flows (including design elements, logo placement, and layout) that are seamlessly integrated into your mobile apps, rather than relying on browser-based solutions. While at the same time, ensuring that sign-in and sign-up processes remain secure and frictionless. This balance of customization and security drives better onboarding, retention, and, ultimately, user trust.
Authentication on Mobile: Native authentication vs Browser-delegated
When it comes to implementing authentication for mobile apps on External ID, you have two options:
- Fully custom SDK based native authentication.
- Microsoft-hosted browser-delegated authentication.
In the browser-delegated mobile app sign-in process, users often experience a disruptive jump during authentication. They’re taken to a browser for authentication and then redirected back to the app when the sign-in is complete. This leads to a diluted experience and branding can be compromised. While browser-delegated methods can reduce attack vectors and support single sign-on (SSO), they suffer from limited UI customization and poor user experience.
Whether you choose native authentication or browser-delegated authentication, Microsoft Entra External ID supports both of them. Refer to this documentation to understand when to use native authentication and when to use browser-delegated authentication.
Native authentication gives you full control over the user interface and experience.
Available authentication methods
Native authentication currently supports local identity provider for two sign-in methods:
- Email with one-time passcode (OTP) sign-in.
- Email and password sign-in with support for self-service password reset (SSPR).
How to enable native authentication
1. Register application in the external tenant
To enable your application to sign in users with Microsoft Entra, Microsoft Entra External ID must be made aware of the application you create. The app registration establishes a trust relationship between the app and Microsoft Entra. When you register an application, External ID generates a unique identifier known as an Application (client) ID, a value used to identify your app when creating authentication requests.
For Native Authentication, we use external tenant, not workforce tenant. You need to have an external tenant. If you don’t already have one, sign up for a free trial.
The following steps show you how to register your app in the Microsoft Entra admin center:
- Sign In Microsoft Entra admin center as at least an Application Developer.
- If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
- Browse to Identity >Applications > App registrations.
- Select + New registration.
- In the Register an application page that appears;
- Enter a meaningful application Name that is displayed to users of the app, for example ciam-client-app.
- Under Supported account types, select Accounts in this organizational directory only.
- Select Register.
- The application's Overview pane displays upon successful registration. Record the Application (client) ID to be used in your application source code.
2. Enable public client and native authentication flows.
Enable native authentication in the Microsoft Entra admin center:
- In Microsoft Entra admin center, browse to Applications> App registrations and select your app.
- Navigate to Authentication and select the Settings tab.
- Select the Allow native authentication and the Allow public client flow field.
3. Grant admin consent
Once you register your application, it gets assigned the User.Read permission. However, since the tenant is an external tenant, the customer users themselves can't consent to this permission. You as the admin must consent to this permission on behalf of all the users in the tenant:
- From the App registrations page, select the application that you created (such as ciam-client-app) to open its Overview page.
- Under Manage, select API permissions.
- a) Select Grant admin consent for <your tenant name>, then select Yes.
- b) Select Refresh, then verify that Granted for <your tenant name>appears under Status for the permission.
4. Create user flow in the external tenant.
Follow these steps to create a user flow.
- Sign in to the Microsoft Entra admin center as at least an Application Developer.
- If you have access to multiple tenants, make sure you use the directory that contains your external tenant:
a) Select the Directories + subscriptions icon in the toolbar.
b) On the Portal settings | Directories + subscriptions page, find your external tenant directory in the Directory name list, and then select Switch.
3. On the sidebar menu, select Identity.
4. Select External Identities > User flows.
5. Select + New user flow.
6. On the Create page:
a) Enter a Name for the user flow, such as SignInSignUpSample.
b) In the Identity providers list, select Email Accounts. This identity provider allows users to sign-in or sign-up using their email address.
c) Under Email accounts, you can select one of the two options. For this tutorial, select Email one-time passcode.
-
-
- Email with password: Allows new users to sign up and sign in using an email address as the sign-in name and a password as their first factor credential.
- Email one-time passcode: Allows new users to sign up and sign in using an email address as the sign-in name and email one-time passcode as their first factor credential. For this option to be available at the user flow level, make sure you enable email one-time passcode (OTP) at the tenant level (select All Identity Providers, and then for Email One-time passcode select Configured, select the Yes option, and then select Save).
-
d) Under User attributes, you can choose the attributes you want to collect from the user upon sign-up. For this guide, select Country/Region and City.
7. Select Create. The new user flow appears in the User flows list.
5. Associate the application with the user flow
For the customer users to see the sign-up or sign-in experience when they use your app, you need to associate your app with a user flow. Although many applications can be associated with your user flow, a single application can only be associated with one user flow.
- On the sidebar menu, select Identity.
- Select External Identities, then User flows.
- In the User flows page, select the User flow name you created earlier, for example, SignInSignUpSample.
- Under Use, select Applications.
- Select Add application.
- Select the application from the list such as ciam-client-app or use the search box to find the application, and then select it.
- Choose Select.
6. Update your configuration code
You can build apps that use native authentication by using our native authentication APIs or the Microsoft Authentication Library (MSAL) SDK for Android and iOS/macOS.
Below are the supported languages and frameworks:
- Android (Kotlin, Java)
- iOS/macOS (Swift, Objective-C)
For other languages and platforms, you can use our native authentication API. Whenever possible, we recommend using MSAL to add native authentication to your apps.
The next step is to update your application’s configuration code to support native authentication flows for Android or iOS/macOS. To do so, you need to add the challenge type field to your configuration. Challenge types are a list of values that the app uses to notify Microsoft Entra about the authentication method it supports.
We have the below code samples for Android and iOS/macOS. Clone the code sample for the language or platform of your choice. Find the place holders Enter_the_Application_Id_Here and Enter_the_Tenant_Subdomain in the configuration file highlighted in the table below and replace with the Application (client) ID and Directory (tenant) subdomain. These details can be found from Microsoft Entra admin center > Applications > App registrations then select your app.
| Language/ Platform |
Clone Code sample |
Code sample configuration file to be edited |
| Android (Kotlin) | https://github.com/Azure-Samples/ms-identity-ciam-native-auth-android-sample |
app/src/main/res/raw/native_auth_sample_app_config.json (Open on Android Studio) |
| iOS (Swift) |
https://github.com/Azure-Samples/ms-identity-ciam-native-auth-ios-sample.git |
NativeAuthSampleApp/Configuration.swift (Open on Xcode) |
| macOS (Swift) |
https://github.com/Azure-Samples/ms-identity-ciam-native-auth-macos-sample.git |
NativeAuthSampleAppMacOS/Configuration.swift (Open on Xcode) |
7. Run and test the sample
Android mobile application - To build and run your app, follow these steps:
- In Android Studio toolbar, select your app from the run configurations menu.
- In the target device menu, select the device that you want to run your app on.
If you don't have any devices configured, you need to either create an Android Virtual Device to use the Android Emulator or connect a physical Android device.
3. Select the Run button. The app opens the Email & OTP screen.
iOS/macOS application - To build and run your code, select Run from the Product menu in Xcode. After a successful build, Xcode will launch the sample app in the Simulator.
Kudos, you’ve successfully configured Microsoft Entra External ID native authentication on an android or iOS/macOS app.
Next steps
Continue exploring Microsoft Entra External ID Native Authentication by checking out the documentation.
You can also explore other features in the Microsoft Entra portfolio by visiting our
- Developer center
- Identity blog
- YouTube for tutorials, deep dives, and the latest news.
Microsoft
