🔐 Administration

Entra External ID for Power Pages:
Administrator Handbook

Complete handbook for Setup, Maintenance, Best Practices and Troubleshooting

By Tino Rabe, Microsoft Power Pages MVP • October 15, 2025 • 25 min Reading time

1. Introduction and Objectives

Objective

This document describes the administrative tasks involved in running Microsoft Entra External ID, the successor to Azure AD B2C[1], as the identity provider for Microsoft Power Pages. It clearly distinguishes between one-time setup tasks and ongoing maintenance work. Note that Azure AD B2C tenants (b2clogin.com) and External ID external tenants (ciamlogin.com) are separate tenant types; some of the names used below (the B2C_1_ user flow prefix, AADB2C error codes, custom policies) come from the Azure AD B2C side and do not apply verbatim to an external tenant.

Target Audience

IT administrators and identity professionals with basic knowledge of Azure/Entra ID. Technical understanding of OAuth2/OpenID Connect[2] is beneficial but not mandatory.

Initial Setup: required once
Setup Duration: 2-4 h, depending on complexity[3]
Maintenance Effort: ~2 h per month[3]
Monitoring: daily, 5-10 minutes

Prerequisites

Category | Requirement | Required
Azure Access | Active Azure subscription | Yes
Permissions | Global Administrator or Identity Administrator[4] | Yes
Licensing | Entra External ID license (MAU-based)[5] | Yes
Power Pages | Power Pages environment with admin access[6] | Yes
Domain | Custom domain for custom branding | No (optional)

2. Overview: One-Time vs. Regular Tasks

One-Time Setup Tasks

These tasks are performed once during initial setup:

  • ✓ Create Entra External ID Tenant[7]
  • ✓ Configure App Registration[8]
  • ✓ Set up User Flows (Sign-up/Sign-in)[9]
  • ✓ Configure Custom Branding[10]
  • ✓ Define MFA Policies[11]
  • ✓ Integration with Power Pages[12]
  • ✓ Create test users and perform tests

Regular Maintenance Tasks

These tasks occur during ongoing operations:

  • ✓ Monitor Sign-in Logs[13]
  • ✓ Review failed authentications
  • ✓ Deactivate inactive users
  • ✓ Rotate Client Secrets (every 6-12 months)[14]
  • ✓ Test User Flow updates
  • ✓ Monitor capacity and costs[5]
  • ✓ Apply security updates

Important

After successful setup, the administrative effort is minimal. Most activities are limited to monitoring and occasional updates. Portal users manage their accounts independently (password reset, profile updates).

3. One-Time Setup Tasks

3.1 Create Entra External ID Tenant
One-time

Create a dedicated External ID Tenant for portal authentication.[7]

Procedure:
  1. In Azure Portal navigate to: Microsoft Entra ID > External Identities
  2. Click on "Create a new tenant"
  3. Select Tenant type: "External"
  4. Assign Tenant name (e.g. portalauth)
  5. Select region (recommended: EU region for GDPR compliance)[15]
  6. Assign subscription and create
Important Settings:
  • Tenant Name: Should reflect the purpose (e.g. "PortalAuth")
  • Initial Domain: [name].onmicrosoft.com is created automatically
  • Pricing Tier: MAU-based (Monthly Active Users)[5]

Important:

The initial domain name ([name].onmicrosoft.com) is derived from the tenant name and cannot be changed after creation; only the display name can be edited later. Choose a meaningful name.

3.2 Configure App Registration
One-time

Register an application for OAuth2/OIDC integration with Power Pages.[8]

Procedure:
  1. In Entra External ID Tenant navigate to: App registrations > New registration
  2. Assign name: PowerPages-Portal
  3. Supported account types: "Accounts in this organizational directory only"
  4. Add Redirect URI (platform "Web"): the reply URL that Power Pages displays for the provider, of the form
    https://[portalname].powerappsportals.com/signin-[provider]
    It must match the value in Power Pages character for character (scheme, host, path, case, trailing slash).
  5. Complete registration
Create Client Secret:
  1. In App Registration: Certificates & secrets > New client secret
  2. Assign description: PowerPages-Integration
  3. Validity period: 12 months (recommended)[14]
  4. Note Secret Value immediately! (only displayed once)
Configure API Permissions:
  1. Navigate to: API permissions > Add a permission
  2. Select Microsoft Graph
  3. Add delegated permissions:[16]
    • openid
    • profile
    • email
    • User.Read
  4. Grant Admin Consent

Security:

Never store the client secret in code, configuration files or repositories. Keep it in Azure Key Vault[17] or only in the Power Pages identity provider configuration (where it is held as a site setting), restrict who can read it, and record its expiry date so that rotation (see 4.3) is planned before it lapses.

3.3 Set up User Flows
One-time

Configure the user flows for registration, login and profile management.[9]

Create Sign up and sign in Flow:
  1. Navigate to: User flows > New user flow
  2. Flow type: "Sign up and sign in"
  3. Version: Recommended
  4. Assign name: B2C_1_signupsignin
  5. Enable identity providers:
    • ✓ Email signup (recommended)
    • Optional: Social Identity Providers (Google, Microsoft, etc.)[18]
Configure User Attributes:

Define which data is collected during registration:[19]

Attribute | Required
Email Address | Yes
Given Name | Yes
Surname | Yes
Display Name | No
Object ID | Not collected; returned as a claim
Create Password Reset Flow:
  1. Navigate to: User flows > New user flow
  2. Flow type: "Password reset"
  3. Name: B2C_1_passwordreset
  4. Enable email verification
  5. Configure return claims (email, objectId)

Tip:

Test each User Flow immediately after creation using the "Run user flow" button in Azure Portal.

3.4 Configure Custom Branding
One-time

Customize the appearance of authentication pages to match your corporate design.[10]

Branding Options:
  1. In User Flow navigate to: Page layouts > Customize
  2. Select template or upload Custom HTML
  3. Corporate Branding Elements:
    • Logo (recommended: 280x60 px, PNG/SVG)
    • Background Image (optional)
    • Brand Colors (Primary, Secondary)
    • Custom CSS for advanced customizations
  4. Configure languages (German, English, etc.)[20]
  5. Save and test changes

Accessibility:

Ensure sufficient contrasts and WCAG compliance[21] for accessible access when using Custom Branding.

3.5 Multi-Factor Authentication (MFA)
One-time

Configure MFA policies for enhanced security.[11]

Enable MFA:
  1. In User Flow navigate to: Properties > Multifactor authentication
  2. Select MFA Type:
    • Email OTP: Simplest method
    • SMS: Requires Phone Number Attribute
    • Authenticator App: TOTP-based (highest security)
  3. MFA Enforcement:
    • Off: MFA disabled
    • Always on: MFA for all users (recommended)
    • Conditional: MFA based on risk (requires Premium)[22]

Recommendation:

Enable MFA at least for administrative accounts. For standard portal users, MFA can remain optional, but should be considered.

3.6 Integration with Power Pages
One-time

Link Entra External ID as Identity Provider with your Power Pages Portal.[12]

Required information from Entra External ID:
  • Application (client) ID: from the App Registration
  • Client Secret: noted during creation
  • Authority: https://[tenant].ciamlogin.com/
  • Metadata URL: https://[tenant].ciamlogin.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration
    (For an Azure AD B2C tenant the host is b2clogin.com and the user flow name is part of the path: https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration)
Configuration in Power Pages:
  1. In Power Pages Admin Center: Security > Identity providers
  2. Click on "Add provider"
  3. Provider Type: "OpenID Connect"
  4. Enter configuration:
    • Name: Entra External ID
    • Authority and Metadata URL: [see above]
    • Client ID: [see above]
    • Client Secret: [see above]
    • Redirect URI: the reply URL shown by Power Pages, https://[portal].powerappsportals.com/signin-[provider]; register exactly this value in the App Registration (see 3.2)
  5. Configure claim mapping (email → Email, name → Full Name)
  6. Save and activate

Tip:

After successful integration, disable other Identity Providers (Local Login, Microsoft) to exclusively use Entra External ID.

3.7 Perform Testing
One-time

Perform comprehensive tests before putting the system into production.

Test Scenarios:
  1. Registration: Create new user and verify email verification
  2. Login: Sign in with newly created account
  3. Password Reset: Complete password reset flow
  4. MFA: Test Multi-Factor Authentication (if enabled)
  5. Token Claims: Verify all required claims are included in token[23]
  6. Logout: Test sign-out (Single Sign-Out)
  7. Error Handling: Test incorrect credentials, expired tokens, etc.
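For test scenario 5 (token claims), the following script is an added example and is not code from the original article or from Microsoft. It decodes an ID token and checks its claim set against the provider's discovery document, i.e. the JSON served at the metadata URL from 3.6. Everything in it is constructed for offline use: the host portalauth.ciamlogin.com, the tenant and client GUIDs and the claim values are placeholder assumptions, and make_test_token() fabricates a token with a dummy signature. Signature verification against jwks_uri is deliberately left to the OIDC middleware in Power Pages; this script covers only the claim checks an administrator would make during the test step.

```python
"""Claim checks for an ID token issued by an Entra External ID tenant.

Added example for the 'Token Claims' test step; not code from the original
article or from Microsoft. The discovery document, GUIDs, host name and claim
values are CONSTRUCTED placeholders (assumptions), and make_test_token()
builds a token with a dummy signature. Signature verification is NOT done here.
"""
import base64
import json
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder tenant ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder app (client) ID
HOST = "portalauth.ciamlogin.com"                    # placeholder tenant host

# Constructed discovery document (field names follow OpenID Connect Discovery 1.0).
DISCOVERY = {
    "issuer": f"https://{HOST}/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://{HOST}/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{HOST}/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://{HOST}/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Claims the Power Pages mapping in 3.6 relies on (email, names) plus the
# standard OIDC validation claims.
REQUIRED_CLAIMS = ("iss", "aud", "exp", "iat", "sub", "oid", "email",
                   "given_name", "family_name")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, discovery: dict, client_id: str, now=None) -> list:
    """Return a list of problems; an empty list means the claim set passed."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    problems = []
    # Reject 'none' and any algorithm the provider does not advertise.
    if header.get("alg") not in discovery["id_token_signing_alg_values_supported"]:
        problems.append(f"unexpected alg {header.get('alg')!r}")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        problems.append("missing claims: " + ", ".join(missing))
    if claims.get("iss") != discovery["issuer"]:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        problems.append(f"audience mismatch: {claims.get('aud')!r}")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token expired")
    return problems


def make_test_token(claims: dict, alg: str = "RS256") -> str:
    """CONSTRUCTED token for offline testing: the signature is a dummy, so it
    must never be accepted by anything that verifies signatures."""
    header = {"alg": alg, "typ": "JWT", "kid": "test-key"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"\x00" * 32)])


NOW = 1_800_000_000  # fixed clock so results are reproducible
GOOD_CLAIMS = {
    "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "iat": NOW - 60, "exp": NOW + 3600,
    "sub": "user-subject-1", "oid": "99999999-8888-7777-6666-555555555555",
    "email": "test.user@example.com", "given_name": "Test", "family_name": "User",
}

if __name__ == "__main__":
    print(check_id_token(make_test_token(GOOD_CLAIMS), DISCOVERY, CLIENT_ID, now=NOW))
    print(check_id_token(make_test_token(dict(GOOD_CLAIMS, aud="wrong")), DISCOVERY, CLIENT_ID, now=NOW))
```

To run this against a real token, paste the ID token captured during a test sign-in into make_test_token's place and load DISCOVERY from the metadata URL of your tenant; a non-empty problem list means the Power Pages claim mapping will fail even if the signature is valid.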

Go-Live Checklist:

The system should only be released for productive users after successful tests in all scenarios.

4. Regular Maintenance Tasks

4.1 Monitor Sign-in Logs
Daily

Monitor authentication activities for anomalies and errors.[13]

Access to Logs:
  1. In Entra Portal: Monitoring > Sign-in logs
  2. Set filter:
    • Time range: Last 24 hours
    • Status: Failed
    • Application: PowerPages-Portal
  3. Check for anomalies (e.g. multiple Failed Logins from same IP)
Important Metrics:
  • Failed Sign-ins: Should be < 5%
  • MAU (Monthly Active Users): For cost tracking[5]
  • Sign-in Duration: Performance indicator
  • MFA Success Rate: If MFA is enabled
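The daily check above can be scripted against an export of the sign-in logs. The following is an added example, not code from the original article or from Microsoft: it computes the failed sign-in share for the portal application, maps it onto the thresholds of the dashboard table in 5.1, and flags IPs with repeated failures, distinguishing one user hammered from one address from many users tried from one address (password spraying). The log lines are constructed in the shape of the Microsoft Graph signIn resource; the per-IP burst threshold of three failures and the error codes in the sample are assumptions.

```python
"""Screen exported sign-in logs for the anomalies the daily check asks for.

Added example; not code from the original article or from Microsoft. SIGNIN_LOG
is CONSTRUCTED in the shape of the Microsoft Graph 'signIn' resource
(createdDateTime, userPrincipalName, ipAddress, appDisplayName, status.errorCode).
Real records come from Monitoring > Sign-in logs (export) or from
GET https://graph.microsoft.com/v1.0/auditLogs/signIns. The failure-rate
thresholds follow the 5.1 dashboard table; the burst threshold is an assumption.
"""
import json
from collections import Counter

SIGNIN_LOG = """
{"createdDateTime":"2025-10-14T08:01:10Z","userPrincipalName":"anna@example.com","ipAddress":"192.0.2.10","appDisplayName":"PowerPages-Portal","status":{"errorCode":0}}
{"createdDateTime":"2025-10-14T08:03:42Z","userPrincipalName":"ben@example.com","ipAddress":"192.0.2.11","appDisplayName":"PowerPages-Portal","status":{"errorCode":0}}
{"createdDateTime":"2025-10-14T08:05:00Z","userPrincipalName":"anna@example.com","ipAddress":"203.0.113.7","appDisplayName":"PowerPages-Portal","status":{"errorCode":50126}}
{"createdDateTime":"2025-10-14T08:05:04Z","userPrincipalName":"ben@example.com","ipAddress":"203.0.113.7","appDisplayName":"PowerPages-Portal","status":{"errorCode":50126}}
{"createdDateTime":"2025-10-14T08:05:09Z","userPrincipalName":"carla@example.com","ipAddress":"203.0.113.7","appDisplayName":"PowerPages-Portal","status":{"errorCode":50126}}
{"createdDateTime":"2025-10-14T09:12:31Z","userPrincipalName":"carla@example.com","ipAddress":"192.0.2.12","appDisplayName":"PowerPages-Portal","status":{"errorCode":0}}
{"createdDateTime":"2025-10-14T10:40:05Z","userPrincipalName":"dan@example.com","ipAddress":"198.51.100.20","appDisplayName":"PowerPages-Portal","status":{"errorCode":50126}}
{"createdDateTime":"2025-10-14T11:02:55Z","userPrincipalName":"dan@example.com","ipAddress":"198.51.100.20","appDisplayName":"PowerPages-Portal","status":{"errorCode":0}}
{"createdDateTime":"2025-10-14T12:00:00Z","userPrincipalName":"eva@example.com","ipAddress":"192.0.2.13","appDisplayName":"PowerPages-Portal","status":{"errorCode":0}}
{"createdDateTime":"2025-10-14T12:30:00Z","userPrincipalName":"admin@example.com","ipAddress":"192.0.2.2","appDisplayName":"Graph Explorer","status":{"errorCode":0}}
"""


def load_signins(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def for_app(records: list, app: str) -> list:
    return [r for r in records if r.get("appDisplayName") == app]


def is_failed(record: dict) -> bool:
    # Graph reports errorCode 0 for a successful sign-in.
    return record.get("status", {}).get("errorCode", 0) != 0


def failure_rate(records: list) -> float:
    if not records:
        return 0.0
    return sum(1 for r in records if is_failed(r)) / len(records)


def classify_failure_rate(rate: float) -> str:
    """Map the rate onto the 5.1 thresholds: < 5% normal, > 10% alert."""
    if rate < 0.05:
        return "normal"
    if rate <= 0.10:
        return "warning"
    return "alert"


def failed_bursts_by_ip(records: list, min_failures: int = 3) -> dict:
    """IPs with at least min_failures failed attempts. distinct_users tells a
    spray (many users, one IP) from brute force against one account."""
    per_ip = Counter(r["ipAddress"] for r in records if is_failed(r))
    users = {}
    for r in records:
        if is_failed(r):
            users.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])
    return {ip: {"failures": n, "distinct_users": len(users[ip])}
            for ip, n in per_ip.items() if n >= min_failures}


def report(text: str, app: str = "PowerPages-Portal") -> dict:
    records = for_app(load_signins(text), app)
    rate = failure_rate(records)
    return {"app": app, "total": len(records), "failure_rate": rate,
            "level": classify_failure_rate(rate),
            "bursts": failed_bursts_by_ip(records)}


if __name__ == "__main__":
    print(json.dumps(report(SIGNIN_LOG), indent=2))
```

On the constructed sample the portal has nine sign-ins, four of them failed (44%, well above the 10% alert line), and 203.0.113.7 produced three failures against three different accounts within ten seconds, which is the spray pattern worth a block or an Azure Monitor alert.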

Set up Alert:

Configure Azure Monitor Alerts[24] for unusually high error rates or sign-in activities.

4.2 Deactivate Inactive Users
Monthly

Identify and deactivate user accounts that haven't been used for an extended period.

Procedure:
  1. In Entra Portal: Users > All users
  2. Filter: Last sign-in > 90 days[25]
  3. Export list and coordinate with business department
  4. Deactivate accounts (do not delete!):
    • Select user
    • Properties > Account enabled: No
  5. Update documentation
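The portal filter in step 2 only covers accounts that have a recorded last sign-in; accounts that were created and never used need a separate rule. The following added example, not code from the original article or from Microsoft, applies the 90-day rule to a constructed list of Microsoft Graph user objects with the signInActivity property, treats never-used accounts as inactive once they are older than the window, skips accounts that are already disabled, and shows the Graph request behind "Account enabled: No" without sending it. The user records and the review date are assumptions.

```python
"""Identify inactive portal accounts for the monthly review.

Added example; not code from the original article or from Microsoft. USERS is
CONSTRUCTED in the shape of Microsoft Graph 'user' objects with signInActivity
(GET /users?$select=id,userPrincipalName,accountEnabled,createdDateTime,signInActivity
requires the AuditLog.Read.All permission). Accounts without any sign-in are
judged by their creation date; disabled accounts are skipped.
"""
from datetime import datetime, timedelta, timezone

USERS = [
    {"id": "u-1", "userPrincipalName": "alice@example.com", "accountEnabled": True,
     "createdDateTime": "2024-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-10-10T07:45:00Z"}},
    {"id": "u-2", "userPrincipalName": "bob@example.com", "accountEnabled": True,
     "createdDateTime": "2024-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-06-01T12:00:00Z"}},
    {"id": "u-3", "userPrincipalName": "carol@example.com", "accountEnabled": True,
     "createdDateTime": "2025-01-15T10:00:00Z"},          # never signed in
    {"id": "u-4", "userPrincipalName": "dave@example.com", "accountEnabled": True,
     "createdDateTime": "2025-09-30T10:00:00Z"},          # new, never signed in
    {"id": "u-5", "userPrincipalName": "erin@example.com", "accountEnabled": False,
     "createdDateTime": "2024-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-01-01T00:00:00Z"}},
]
REVIEW_DATE = datetime(2025, 10, 15, tzinfo=timezone.utc)  # fixed 'now' (assumption)


def parse_graph_time(value: str) -> datetime:
    # Graph uses ISO 8601 with a trailing 'Z'; older fromisoformat() needs +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user: dict) -> datetime:
    """Last sign-in, or creation time if the account has never signed in."""
    activity = user.get("signInActivity") or {}
    stamp = activity.get("lastSignInDateTime") or user["createdDateTime"]
    return parse_graph_time(stamp)


def inactive_users(users: list, now: datetime, days: int = 90) -> list:
    """Enabled accounts whose last activity is older than the window."""
    cutoff = now - timedelta(days=days)
    hits = [u for u in users if u.get("accountEnabled", True) and last_activity(u) < cutoff]
    return sorted(hits, key=lambda u: u["userPrincipalName"])


def disable_request(user: dict) -> dict:
    """The Graph call that sets 'Account enabled: No' (deactivate, do not delete)."""
    return {"method": "PATCH",
            "url": f"https://graph.microsoft.com/v1.0/users/{user['id']}",
            "body": {"accountEnabled": False}}


if __name__ == "__main__":
    for user in inactive_users(USERS, REVIEW_DATE):
        print(user["userPrincipalName"], last_activity(user).date(), disable_request(user))
```

Export the result (UPN and last activity date) for the business department before issuing the PATCH calls; the request body only flips accountEnabled, so reactivation is the same call with true.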

Note:

Deactivated accounts can be reactivated at any time. Permanent deletion should only occur after explicit approval (GDPR requests)[15].

4.3 Rotate Client Secrets
Semi-annual

Renew Client Secrets regularly to comply with security best practices.[14]

Rotation Process:
  1. Create new Client Secret (see 3.2)
  2. Keep both secrets active in parallel
  3. Switch Power Pages configuration to new secret
  4. Test (Sign-in, Sign-up)
  5. Delete old secret after 48 hours
  6. Document the process

Important:

Coordinate secret rotation with the Power Pages team. Unplanned secret changes lead to authentication failures.
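The secret created in 3.2 and the rotation steps above can be tracked from the App Registration's credential list. The following added example, not code from the original article or from Microsoft, reads a constructed Microsoft Graph application object, buckets each client secret as expired, expiring within the 30-day warning window from the monthly checklist, or fine, and decides which superseded secrets may be deleted once the newest one has been live for the 48-hour overlap. It also returns the addPassword and removePassword requests for steps 1 and 5 without sending them. The credential list, the object ID and the review date are assumptions.

```python
"""Client secret expiry and rotation check for an App Registration.

Added example; not code from the original article or from Microsoft. APP is a
CONSTRUCTED Microsoft Graph 'application' object (GET /applications/{id}; the
passwordCredentials entries carry keyId, displayName, startDateTime,
endDateTime and hint). The 30-day warning and the 48-hour overlap come from
the handbook's checklist and rotation process.
"""
from datetime import datetime, timedelta, timezone

APP = {
    "id": "obj-1234",  # placeholder application OBJECT id (not the client ID)
    "displayName": "PowerPages-Portal",
    "passwordCredentials": [
        {"keyId": "k-old", "displayName": "PowerPages-Integration",
         "startDateTime": "2024-10-10T00:00:00Z", "endDateTime": "2025-10-25T00:00:00Z", "hint": "Ab1"},
        {"keyId": "k-new", "displayName": "PowerPages-Integration-2025-10",
         "startDateTime": "2025-10-10T00:00:00Z", "endDateTime": "2026-10-10T00:00:00Z", "hint": "Zq9"},
        {"keyId": "k-exp", "displayName": "PowerPages-Integration-2024",
         "startDateTime": "2023-09-01T00:00:00Z", "endDateTime": "2025-09-01T00:00:00Z", "hint": "Mm2"},
    ],
}
REVIEW_DATE = datetime(2025, 10, 15, tzinfo=timezone.utc)  # fixed 'now' (assumption)


def parse_graph_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def days_until_expiry(cred: dict, now: datetime) -> int:
    return (parse_graph_time(cred["endDateTime"]) - now).days


def secret_status(app: dict, now: datetime, warn_days: int = 30) -> dict:
    """Bucket credentials by keyId: expired / expiring within warn_days / ok."""
    status = {"expired": [], "expiring": [], "ok": []}
    for cred in app["passwordCredentials"]:
        left = days_until_expiry(cred, now)
        bucket = "expired" if left < 0 else "expiring" if left <= warn_days else "ok"
        status[bucket].append(cred["keyId"])
    return status


def removable_after_rotation(app: dict, now: datetime, overlap_hours: int = 48) -> list:
    """Every credential except the newest, once the newest has been live for
    overlap_hours (the window in which Power Pages is switched and tested)."""
    creds = sorted(app["passwordCredentials"], key=lambda c: parse_graph_time(c["startDateTime"]))
    newest = creds[-1]
    if now - parse_graph_time(newest["startDateTime"]) < timedelta(hours=overlap_hours):
        return []   # still inside the parallel window: keep both secrets
    return [c["keyId"] for c in creds[:-1]]


def graph_calls(app: dict, now: datetime) -> list:
    """Step 1 (add a secret) and step 5 (remove the old ones) as Graph requests."""
    base = f"https://graph.microsoft.com/v1.0/applications/{app['id']}"
    calls = [{"method": "POST", "url": f"{base}/addPassword",
              "body": {"passwordCredential": {"displayName": f"PowerPages-Integration-{now:%Y-%m}"}}}]
    calls += [{"method": "POST", "url": f"{base}/removePassword", "body": {"keyId": key_id}}
              for key_id in removable_after_rotation(app, now)]
    return calls


if __name__ == "__main__":
    print(secret_status(APP, REVIEW_DATE))
    print(removable_after_rotation(APP, REVIEW_DATE))
    for call in graph_calls(APP, REVIEW_DATE):
        print(call["method"], call["url"], call["body"])
```

The secret value returned by addPassword is shown only in that response, exactly as in the portal, so the script that creates it must hand it straight to Key Vault or to the Power Pages configuration rather than logging it.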

4.4 Monitor Capacity and Costs
Monthly

Monitor monthly active users (MAU) and associated costs.[5]

Cost Tracking:
  • Pricing Model: Entra External ID is billed based on MAU
  • Free Tier: First 50,000 MAU/month free[5]
  • Paid Tier: Approx. €0.00325 per MAU beyond that[5]
  1. In Azure Portal: Cost Management > Cost analysis[26]
  2. Filter on Entra External ID Resource
  3. Trend analysis: MAU development over the last 3 months
  4. Configure budget alerts (optional)
4.5 Security Updates and Patches
Quarterly

Regularly check for available updates and security patches.

Update Sources:
  1. Azure Portal: Service Health > Planned maintenance[27]
  2. Subscribe to Microsoft 365 Message Center[28]
  3. Follow Entra ID Release Notes[29]
  4. Check Security Advisories[30]

Automatic Updates:

Most updates are performed automatically by Microsoft. Manual adjustments are only required for breaking changes.

5. Monitoring and Troubleshooting

5.1 Dashboard Metrics

Metric | Normal Value | Alert Value | Action
Failed Sign-ins | < 5% | > 10% | Check sign-in logs, test user flow
Sign-in Duration | < 3 s | > 10 s | Performance analysis, Azure Support
Token Errors | < 1% | > 5% | Check token configuration, validate claims
MAU Growth | Steady | Sudden spike | Check for bot activity, cost alert

5.2 Common Errors and Solutions

AADB2C90118: User forgot password[31]

Cause: User clicked "Forgot password?"

Solution: This is normal behavior. Ensure that the Password Reset Flow is correctly configured.

AADB2C90091: User cancelled flow[31]

Cause: User cancelled the registration or login process

Solution: Check the User Flow design for usability issues. High cancellation rates may indicate UX problems.

Invalid Client Secret

Cause: Client Secret has expired or is incorrectly configured

Solution: Create a new Client Secret and update it in Power Pages (see 4.3).

Redirect URI mismatch

Cause: Redirect URI in App Registration does not match Power Pages

Solution: Make both values match character for character: scheme (https), host, path, case and any trailing slash. Power Pages shows the exact reply URL in the provider configuration; copy it into the App Registration rather than retyping it.

6. Best Practices and Security

6.1 Security Best Practices

1. Principle of Least Privilege[32]

Grant only the minimum necessary permissions for service accounts and administrators. Use dedicated admin accounts, not personal accounts.

2. Conditional Access Policies[22]

Use Conditional Access (Premium feature) for risk-based MFA and location-based access control. Block sign-ins from high-risk countries.

3. Client Secret Management[14]

Never save secrets in code or configuration files. Use Azure Key Vault.[17] Rotate secrets every 6-12 months. Document all secret changes.

4. Audit Logging[13]

Enable comprehensive audit logging and retain logs for at least 90 days.[33] Regularly export logs to SIEM systems for long-term retention.

5. Regular Security Reviews

Conduct quarterly security reviews. Check: Active permissions, MFA adoption rate, failed sign-in patterns, inactive accounts.

6.2 Performance Optimization

Enable Token Caching

Configure token caching in Power Pages for reduced latency and fewer roundtrips to Entra ID.[34]

Minimize Claims

Reduce token size by minimizing claims. Request only actually needed user attributes.[23]

CDN for Custom Pages

Host custom branding assets (logo, CSS) on a CDN for faster loading times globally.

6.3 Compliance and Data Protection

GDPR Compliance[15]

Ensure that Entra External ID tenant is hosted in an EU region. Implement processes for GDPR requests (access, deletion, correction). Document all data processing activities.

Data Residency[35]

Select Azure region based on compliance requirements. EU data should remain in EU regions (West Europe, North Europe).

User Consent Management

Implement clear consent flows for data collection. Document all collected data and their purpose. Enable easy opt-out.

7. Frequently Asked Questions (FAQ)

How often must client secrets be rotated?
Best practice: Every 6-12 months.[14] Microsoft recommends a maximum validity of 12 months. Document every secret change and coordinate with the Power Pages team.
Can users delete their accounts themselves?
By default, no. Self-service account deletion must be implemented via Custom Policies (Identity Experience Framework).[36] Alternative: Establish a support process for deletion requests.
What does Entra External ID cost?
Pricing model: MAU-based (Monthly Active Users). First 50,000 MAU/month free. Beyond that approx. €0.00325 per MAU.[5] Premium features (Conditional Access) cost extra.
How long are sign-in logs retained?
By default 30 days in Entra Portal.[33] For longer retention: Export logs to Azure Log Analytics or external SIEM. Recommendation: at least 90 days retention.
Can social logins (Google, Facebook) be used?
Yes. Entra External ID supports federation with social identity providers.[18] Configuration via Identity Providers in User Flows. Consider privacy implications with social logins.
What happens if Entra External ID fails?
Microsoft offers 99.9% SLA for Entra External ID.[37] In case of outages: Check Azure Service Health for status updates. Implement graceful degradation in Power Pages (e.g., maintenance page).
How many parallel sessions are allowed?
No technical limitation for concurrent sessions per user. Token lifetime and refresh token policies control session duration. Default: 1 hour access token, 90 days refresh token.[38]

8. Checklists

8.1 Initial Setup Checklist

Entra External ID Tenant created (EU region)
App Registration configured (Client ID & Secret noted)
Sign-up/Sign-in User Flow created and tested
Password Reset User Flow created and tested
Custom Branding configured (logo, colors)
MFA policy enabled (at least for admins)
Integration with Power Pages tested (sign-up, sign-in, password reset)
Sign-in logs monitoring set up
Documentation created (configuration, secrets, processes)
Go-live tests performed (all scenarios)

8.2 Monthly Maintenance Checklist

Sign-in logs checked for anomalies
Failed sign-ins analyzed (< 5%)
Inactive users identified (> 90 days)
MAU and costs reviewed
Client Secret expiration date checked (< 30 days → plan rotation)
Azure Service Health checked for planned maintenance
Configuration backup created (App Registrations, User Flows)

8.3 Quarterly Security Review Checklist

Admin permissions reviewed (Principle of Least Privilege)
MFA adoption rate checked (target: > 90%)
Audit logs checked for suspicious activities
Password policies reviewed (complexity, expiry)
User Flow policies checked for currency
Custom Policies checked for breaking changes (if used)
Compliance documentation updated (GDPR, etc.)
Disaster Recovery Plan tested

Summary

After successful initial setup, the administrative effort for Entra External ID is minimal. Most maintenance tasks can be completed in a few hours per month. Automation (alerts, monitoring) further reduces manual effort.


Tino Rabe

Microsoft Power Pages MVP

I help medium-sized companies build secure and GDPR-compliant customer portals with Microsoft Power Pages. My focus: Enterprise Security, Identity Management, and measurable ROI.