Entra External ID Administration

Administrator Guide for Power Pages Integration

1. Introduction and Objective

Objective

This document describes the administrative tasks involved in managing Entra External ID (formerly Azure AD B2C)[1] for integration with Microsoft Power Pages. It clearly distinguishes between one-time setup tasks and ongoing maintenance work.

Target Audience

IT administrators and identity managers with basic knowledge of Azure/Entra ID. Technical understanding of OAuth2/OpenID Connect[2] is beneficial but not strictly required.

Initial Setup: required once
Setup Duration: 2-4h, depending on complexity[3]
Maintenance Effort: ~2h per month[3]
Monitoring: daily, 5–10 minutes

Prerequisites

Category     | Prerequisite                                      | Required
Azure Access | Active Azure subscription                         | Yes
Permissions  | Global Administrator or Identity Administrator[4] | Yes
Licensing    | Entra External ID license (MAU-based)[5]          | Yes
Power Pages  | Power Pages environment with admin access[6]      | Yes
Domain       | Custom domain for custom branding (optional)      | No

2. Overview: One-Time vs. Recurring Tasks

One-Time Setup Tasks

These tasks are performed once during initial setup:

  • Create Entra External ID tenant[7]
  • Configure app registration[8]
  • Set up user flows (Sign-up/Sign-in)[9]
  • Configure custom branding[10]
  • Define MFA policies[11]
  • Integration with Power Pages[12]
  • Create test users and perform tests

Recurring Maintenance Tasks

These tasks arise during ongoing operations:

  • Monitor sign-in logs[13]
  • Review failed authentications
  • Deactivate inactive users
  • Rotate client secrets (every 6–12 months)[14]
  • Test user flow updates
  • Monitor capacity and costs[5]
  • Apply security updates
Important: After a successful setup, the administrative overhead is minimal. Most activities are limited to monitoring and occasional updates. Portal users manage their own accounts independently (password reset, profile updates).

3. One-Time Setup Tasks

3.1 Create Entra External ID Tenant (One-Time)

Create a dedicated External ID tenant for portal authentication.[7]

Procedure:
  1. In the Azure Portal, navigate to: Microsoft Entra ID > External Identities
  2. Click "Create a new tenant"
  3. Select tenant type: "External"
  4. Assign a tenant name (e.g., portalauth)
  5. Select a region (recommended: EU region for GDPR compliance)[15]
  6. Assign a subscription and create
Important Settings:
  • Tenant Name: Should reflect the purpose (e.g., "PortalAuth")
  • Initial Domain: [name].onmicrosoft.com is created automatically
  • Pricing Tier: MAU-based (Monthly Active Users)[5]
Important: The tenant name cannot be changed after creation. Choose a meaningful name.

3.2 Configure App Registration (One-Time)

Register an application for OAuth2/OIDC integration with Power Pages.[8]

Procedure:
  1. In the Entra External ID tenant, navigate to: App registrations > New registration
  2. Enter a name: PowerPages-Portal
  3. Supported account types: "Accounts in this organizational directory only"
  4. Add redirect URI:
    https://[portalname].powerappsportals.com/signin-[provider]
  5. Complete registration
Create Client Secret:
  1. In the app registration: Certificates & secrets > New client secret
  2. Enter a description: PowerPages-Integration
  3. Validity: 12 months (recommended)[14]
  4. Note the Secret Value immediately! (shown only once)
Configure API Permissions:
  1. Navigate to: API permissions > Add a permission
  2. Select Microsoft Graph
  3. Add delegated permissions:[16]
    • openid
    • profile
    • email
    • User.Read
  4. Grant admin consent
Security: Never store the client secret in code or public repositories. Use Azure Key Vault[17] or Power Pages Secure Settings.

3.3 Set Up User Flows (One-Time)

Configure the user flows for registration, sign-in, and profile management.[9]

Create Sign up and Sign in Flow:
  1. Navigate to: User flows > New user flow
  2. Flow type: "Sign up and sign in"
  3. Version: Recommended
  4. Enter a name: B2C_1_signupsignin
  5. Enable identity providers:
    • ✓ Email signup (recommended)
    • Optional: Social Identity Providers (Google, Microsoft, etc.)[18]
Configure User Attributes:

Define which data is collected during registration:[19]

Attribute     | Collect | Return | Required
Email Address |         |        | Yes
Given Name    |         |        | Yes
Surname       |         |        | Yes
Display Name  |         |        | No
Object ID     | -       |        | -

Create Password Reset Flow:
  1. Navigate to: User flows > New user flow
  2. Flow type: "Password reset"
  3. Name: B2C_1_passwordreset
  4. Enable email verification
  5. Configure return claims (email, objectId)
Tip: Test each user flow immediately after creation using the "Run user flow" button in the Azure Portal.

3.4 Configure Custom Branding (One-Time)

Customize the appearance of authentication pages to match your corporate design.[10]

Branding Options:
  1. In the user flow, navigate to: Page layouts > Customize
  2. Select a template or upload custom HTML
  3. Corporate branding elements:
    • Logo (recommended: 280x60 px, PNG/SVG)
    • Background Image (optional)
    • Brand colors (primary, secondary)
    • Custom CSS for advanced customization
  4. Configure languages (German, English, etc.)[20]
  5. Save and test changes
Accessibility: When customizing branding, ensure sufficient contrast and WCAG compliance[21] for accessible access.

3.5 Multi-Factor Authentication (MFA) (One-Time)

Configure MFA policies for enhanced security.[11]

Enable MFA:
  1. In the user flow, navigate to: Properties > Multifactor authentication
  2. Select MFA type:
    • Email OTP: Simplest method
    • SMS: Requires phone number attribute
    • Authenticator App: TOTP-based (highest security)
  3. MFA enforcement:
    • Off: MFA disabled
    • Always on: MFA for all users (recommended)
    • Conditional: MFA based on risk (requires Premium)[22]
Recommendation: Enable MFA at minimum for administrative accounts. For standard portal users, MFA can remain optional, but should be considered.

3.6 Integration with Power Pages (One-Time)

Link Entra External ID as an identity provider to your Power Pages portal.[12]

Required Information from Entra External ID:
  • Application (client) ID: [from App Registration]
  • Client Secret: [noted at creation]
  • Authority: https://[tenant].ciamlogin.com/
  • Metadata URL: https://[tenant].ciamlogin.com/[tenant].onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration
Configuration in Power Pages:
  1. In the Power Pages Admin Center: Security > Identity providers
  2. Click "Add provider"
  3. Provider Type: "OpenID Connect"
  4. Enter configuration:
    • Name: Entra External ID
    • Authority: [see above]
    • Client ID: [see above]
    • Client Secret: [see above]
    • Redirect URI: https://[portal].powerappsportals.com/signin-oidc
  5. Configure mapping (Email → Email, Name → Full Name)
  6. Save and activate
Tip: After successful integration, disable the other identity providers (Local Login, Microsoft) so that Entra External ID is used exclusively.

3.7 Perform Testing (One-Time)

Perform comprehensive testing before going live.

Test Scenarios:
  1. Registration: Create a new user and verify email verification
  2. Login: Sign in with the newly created account
  3. Password Reset: Complete the password reset flow
  4. MFA: Test multi-factor authentication (if enabled)
  5. Token Claims: Verify that all required claims are included in the token[23]
  6. Logout: Test sign-out (single sign-out)
  7. Error Handling: Test incorrect credentials, expired tokens, etc.
Go-Live Checklist: The system should only be released to production users after successful testing across all scenarios.
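As an added example (not part of this guide), a Python check for test scenario 5 that validates the decoded ID token claims against the values noted in section 3.6: an issuer under the tenant's ciamlogin.com authority, an audience equal to the client ID, the token lifetime, and the claims the Power Pages mapping needs. The tenant name, client ID and sample claims are constructed placeholders, and the token signature is assumed to have been verified already by the OIDC library.

```python
"""Validate decoded ID token claims for the Power Pages integration
(test scenario 5). Added example; the OIDC library is assumed to have
verified the signature already, so only the claims are checked here.
Tenant, client id and sample claims are constructed placeholders."""
import time

# Values noted in section 3.6 (placeholders, not real identifiers)
TENANT = "portalauth"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
# Claims the Power Pages mapping (Email -> Email, Name -> Full Name) relies on
REQUIRED_CLAIMS = ("sub", "oid", "email", "given_name", "family_name", "name")


def check_id_token_claims(claims, tenant=TENANT, client_id=CLIENT_ID, now=None):
    """Return a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    # Issuer must belong to this tenant's ciamlogin.com authority
    iss = claims.get("iss", "")
    if not iss.startswith(f"https://{tenant}.ciamlogin.com/"):
        problems.append(f"unexpected issuer: {iss!r}")
    # Audience must be the app registration's client id
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience {aud!r} is not client id {client_id}")
    # Lifetime checks with a 5 minute clock skew allowance
    skew = 300
    if claims.get("exp", 0) + skew < now:
        problems.append("token expired")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid")
    # Every claim the mapping depends on must be present and non-empty
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        problems.append("missing claims: " + ", ".join(missing))
    return problems


# Constructed sample, as a correctly configured user flow would return it
SAMPLE_CLAIMS = {
    "iss": f"https://{TENANT}.ciamlogin.com/11111111-1111-1111-1111-111111111111/v2.0",
    "aud": CLIENT_ID,
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
    "sub": "AAAAAAAAAAAAAAAAAAAAAP", "oid": "22222222-2222-2222-2222-222222222222",
    "email": "user@example.com", "given_name": "Erika",
    "family_name": "Mustermann", "name": "Erika Mustermann",
}

if __name__ == "__main__":
    print(check_id_token_claims(SAMPLE_CLAIMS, now=1700000100))  # prints []
```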

4. Recurring Maintenance Tasks

4.1 Monitor Sign-in Logs (Daily)

Monitor authentication activity for anomalies and errors.[13]

Access Logs:
  1. In the Entra Portal: Monitoring > Sign-in logs
  2. Set filters:
    • Time range: Last 24 hours
    • Status: Failed
    • Application: PowerPages-Portal
  3. Review anomalies (e.g., multiple failed logins from the same IP)
Key Metrics:
  • Failed Sign-ins: Should be < 5%
  • MAU (Monthly Active Users): For cost tracking[5]
  • Sign-in Duration: Performance indicator
  • MFA Success Rate: If MFA is enabled
Set Up Alerts: Configure Azure Monitor Alerts[24] for unusually high error rates or sign-in activity.
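An added example, not from the guide: a Python review of constructed sign-in log records for the PowerPages-Portal app that applies the 5% / 10% thresholds from section 5.1, lists source addresses with repeated failures, and computes the MFA success rate. Field names follow the Entra sign-in log export (userPrincipalName, ipAddress, appDisplayName, status.errorCode, authenticationRequirement); the records and their error codes are constructed.

```python
"""Review Entra sign-in log entries for the portal app (section 4.1) using
the thresholds of the dashboard table in 5.1: failed sign-ins under 5% is
normal, over 10% is an alert. Added example; records are constructed and
reduced to the fields used here."""
from collections import Counter

APP_NAME = "PowerPages-Portal"
IP_FAILURE_THRESHOLD = 3  # repeated failures from one address deserve a look


def review_sign_ins(records, app_name=APP_NAME, ip_threshold=IP_FAILURE_THRESHOLD):
    """Summarise one application's sign-ins; returns a report dict."""
    app = [r for r in records if r.get("appDisplayName") == app_name]
    # errorCode 0 is success in the sign-in log; anything else is a failure
    failed = [r for r in app if r.get("status", {}).get("errorCode", 0) != 0]
    total = len(app)
    failed_pct = 100.0 * len(failed) / total if total else 0.0
    level = "alert" if failed_pct > 10 else "warning" if failed_pct >= 5 else "normal"
    # Failures grouped by source address: many from one IP is the anomaly
    # the guide tells you to look for
    by_ip = Counter(r.get("ipAddress", "?") for r in failed)
    suspicious_ips = {ip: n for ip, n in by_ip.items() if n >= ip_threshold}
    # MFA success rate over sign-ins that required a second factor
    mfa = [r for r in app
           if r.get("authenticationRequirement") == "multiFactorAuthentication"]
    mfa_ok = sum(1 for r in mfa if r["status"]["errorCode"] == 0)
    mfa_pct = round(100.0 * mfa_ok / len(mfa), 1) if mfa else None
    return {"total": total, "failed": len(failed), "failed_pct": round(failed_pct, 1),
            "level": level, "suspicious_ips": suspicious_ips, "mfa_success_pct": mfa_pct}


def make_record(upn, ip, code, mfa=False):
    """Build a constructed log entry using the export's field names."""
    return {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": APP_NAME,
            "status": {"errorCode": code},
            "authenticationRequirement": "multiFactorAuthentication" if mfa
            else "singleFactorAuthentication"}


# Constructed sample: 10 successes, 3 failures from one address, 1 MFA failure,
# plus one record for another application that must be ignored (codes are samples)
SAMPLE_LOG = (
    [make_record(f"u{i}@example.com", "203.0.113.10", 0, mfa=i % 2 == 0) for i in range(10)]
    + [make_record("u7@example.com", "198.51.100.7", 50126) for _ in range(3)]
    + [make_record("u3@example.com", "203.0.113.10", 50074, mfa=True)]
    + [dict(make_record("x@example.com", "203.0.113.11", 0), appDisplayName="OtherApp")]
)

if __name__ == "__main__":
    print(review_sign_ins(SAMPLE_LOG))
```
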

4.2 Deactivate Inactive Users (Monthly)

Identify and deactivate user accounts that have not been used for an extended period.

Procedure:
  1. In the Entra Portal: Users > All users
  2. Filter: Last sign-in > 90 days[25]
  3. Export the list and align with the department
  4. Deactivate accounts (do not delete!):
    • Select user
    • Properties > Account enabled: No
  5. Update documentation
Note: Deactivated accounts can be reactivated at any time. Permanent deletion should only occur with explicit approval (GDPR requests)[15].

4.3 Rotate Client Secrets (Semi-annually)

Renew client secrets regularly to comply with security best practices.[14]

Rotation Process:
  1. Create a new client secret (see 3.2)
  2. Keep both secrets active in parallel
  3. Update Power Pages configuration to use the new secret
  4. Test (sign-in, sign-up)
  5. Delete old secret after 48h
  6. Document the action
Important: Coordinate secret rotation with the Power Pages team. Unplanned secret changes cause authentication outages.
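Added example, not part of the guide: a Python check of an app registration's client secrets against this rotation process and the 30-day item in checklist 8.2, using the field names of Microsoft Graph passwordCredential objects (keyId, displayName, startDateTime, endDateTime); the credentials are constructed and the current time is passed in explicitly.

```python
"""Check an app registration's client secrets against the rotation process
above and checklist 8.2 (expiry under 30 days -> plan rotation). Added
example; input follows the field names of Microsoft Graph passwordCredential
objects, and the sample credentials are constructed."""
from datetime import datetime, timedelta

WARN_DAYS = 30      # checklist 8.2: < 30 days -> plan rotation
OVERLAP_HOURS = 48  # section 4.3: delete the old secret after 48h


def parse_graph_time(ts):
    """Graph returns ISO 8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_client_secrets(credentials, now):
    """Return (keyId, action) findings for the given secrets at time `now`."""
    findings = []
    by_start = sorted(credentials, key=lambda c: parse_graph_time(c["startDateTime"]))
    active = []
    for c in by_start:
        end = parse_graph_time(c["endDateTime"])
        if end <= now:
            findings.append((c["keyId"], "expired: remove"))
            continue
        active.append(c)
        days_left = (end - now).days
        if days_left < WARN_DAYS:
            findings.append((c["keyId"], f"expires in {days_left} days: plan rotation"))
    # Rotation overlap: once the newest secret has existed for 48h (and Power
    # Pages has been switched to it), older active secrets should be gone
    if len(active) > 1:
        newest_age = now - parse_graph_time(active[-1]["startDateTime"])
        if newest_age >= timedelta(hours=OVERLAP_HOURS):
            for old in active[:-1]:
                findings.append((old["keyId"], "superseded for over 48h: delete"))
    return findings


# Constructed sample: one expired secret, one expiring soon, one fresh replacement
SAMPLE_CREDENTIALS = [
    {"keyId": "k-old", "displayName": "PowerPages-Integration",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
    {"keyId": "k-current", "displayName": "PowerPages-Integration",
     "startDateTime": "2025-01-15T00:00:00Z", "endDateTime": "2025-11-15T00:00:00Z"},
    {"keyId": "k-new", "displayName": "PowerPages-Integration",
     "startDateTime": "2025-10-25T00:00:00Z", "endDateTime": "2026-10-25T00:00:00Z"},
]

if __name__ == "__main__":
    for key_id, action in check_client_secrets(SAMPLE_CREDENTIALS,
                                               parse_graph_time("2025-11-01T00:00:00Z")):
        print(key_id, "->", action)
```
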

4.4 Monitor Capacity and Costs (Monthly)

Monitor monthly active users (MAU) and associated costs.[5]

Cost Tracking:
  • Pricing Model: Entra External ID is billed per MAU
  • Free Tier: First 50,000 MAU/month free[5]
  • Paid Tier: Approx. €0.00325 per MAU beyond that[5]
Procedure:
  1. In the Azure Portal: Cost Management > Cost analysis[26]
  2. Filter on Entra External ID resource
  3. Trend analysis: MAU development over the past 3 months
  4. Configure budget alerts (optional)

4.5 Security Updates and Patches (Quarterly)

Regularly check for available updates and security patches.

Update Sources:
  1. Azure Portal: Service Health > Planned maintenance[27]
  2. Subscribe to Microsoft 365 Message Center[28]
  3. Follow Entra ID release notes[29]
  4. Review security advisories[30]
Automatic Updates: Most updates are applied automatically by Microsoft. Manual adjustments are only required for breaking changes.

5. Monitoring and Troubleshooting

5.1 Dashboard Metrics

Metric           | Normal Value | Alert Value  | Action
Failed Sign-ins  | < 5%         | > 10%        | Review sign-in logs, test user flow
Sign-in Duration | < 3s         | > 10s        | Performance analysis, Azure support
Token Errors     | < 1%         | > 5%         | Check token configuration, validate claims
MAU Growth       | Steady       | Sudden spike | Check for bot activity, cost alert

5.2 Common Errors and Solutions

AADB2C90118: User forgot password[31]

Cause: User clicked "Forgot password?"

Solution: This is normal behavior. Ensure the password reset flow is correctly configured.

AADB2C90091: User cancelled flow[31]

Cause: User cancelled the registration or login process

Solution: Review the user flow design for usability issues. A high drop-off rate may indicate UX problems.

Invalid Client Secret

Cause: Client secret has expired or is incorrectly configured

Solution: Create a new client secret and update it in Power Pages (see 4.3).

Redirect URI mismatch

Cause: Redirect URI in the app registration does not match Power Pages

Solution: Align URIs and ensure they match exactly (including trailing slash).

6. Best Practices and Security

6.1 Security Best Practices

1. Principle of Least Privilege[32]

Grant only the minimum necessary permissions to service accounts and administrators. Use dedicated admin accounts, not personal ones.

2. Conditional Access Policies[22]

Use Conditional Access (premium feature) for risk-based MFA and location-based access control. Block sign-ins from high-risk countries.

3. Client Secret Management[14]

Never store secrets in code or configuration files. Use Azure Key Vault.[17] Rotate secrets every 6–12 months. Document all secret changes.

4. Audit Logging[13]

Enable comprehensive audit logging and retain logs for at least 90 days.[33] Regularly export logs to SIEM systems for long-term retention.

5. Regular Security Reviews

Conduct quarterly security reviews. Check: active permissions, MFA adoption rate, failed sign-in patterns, inactive accounts.

6.2 Performance Optimization

Enable Token Caching

Configure token caching in Power Pages to reduce latency and minimize round-trips to Entra ID.[34]

Minimize Claims

Reduce token size by minimizing claims. Only request user attributes that are actually needed.[23]

CDN for Custom Pages

Host custom branding assets (logo, CSS) on a CDN for faster load times globally.

6.3 Compliance and Data Protection

GDPR Compliance[15]

Ensure the Entra External ID tenant is hosted in an EU region. Implement processes for GDPR requests (access, deletion, correction). Document all data processing activities.

Data Residency[35]

Select an Azure region based on compliance requirements. EU data should remain in EU regions (West Europe, North Europe).

User Consent Management

Implement clear consent flows for data collection. Document all data collected and its purpose. Enable easy opt-out.

7. Frequently Asked Questions (FAQ)

How often must client secrets be rotated?
Best practice: Every 6–12 months.[14] Microsoft recommends a maximum validity of 12 months. Document every secret change and coordinate with the Power Pages team.
Can users delete their own accounts?
Not by default. Self-service account deletion must be implemented via Custom Policies (Identity Experience Framework).[36] Alternatively, establish a support process for deletion requests.
What does Entra External ID cost?
Pricing model: MAU-based (Monthly Active Users). First 50,000 MAU/month free. Beyond that, approx. €0.00325 per MAU.[5] Premium features (Conditional Access) cost extra.
How long are sign-in logs retained?
By default, 30 days in the Entra Portal.[33] For longer retention: export logs to Azure Log Analytics or an external SIEM. Recommendation: at least 90 days retention.
Can social logins (Google, Facebook) be used?
Yes. Entra External ID supports federation with social identity providers.[18] Configuration is done via identity providers in user flows. Be aware of data protection implications with social logins.
What happens if Entra External ID experiences an outage?
Microsoft offers a 99.9% SLA for Entra External ID.[37] During outages: check Azure Service Health for status updates. Implement graceful degradation in Power Pages (e.g., a maintenance page).
How many parallel sessions are allowed?
No technical limit for concurrent sessions per user. Token lifetime and refresh token policies govern session duration. Default: 1 hour access token, 90 days refresh token.[38]

8. Checklists

8.1 Initial Setup Checklist

Entra External ID tenant created (EU region)
App registration configured (Client ID & Secret noted)
Sign-up/Sign-in user flow created and tested
Password Reset user flow created and tested
Custom branding configured (logo, colors)
MFA policy activated (at minimum for admins)
Integration with Power Pages tested (sign-up, sign-in, password reset)
Sign-in logs monitoring configured
Documentation created (configuration, secrets, processes)
Go-live tests completed (all scenarios)

8.2 Monthly Maintenance Checklist

Sign-in logs reviewed for anomalies
Failed sign-ins analyzed (< 5%)
Inactive users identified (> 90 days)
MAU and costs reviewed
Client secret expiry date checked (< 30 days → plan rotation)
Azure Service Health checked for planned maintenance
Configuration backup created (App Registrations, User Flows)

8.3 Quarterly Security Review Checklist

Admin permissions reviewed (Principle of Least Privilege)
MFA adoption rate checked (target: > 90%)
Audit logs reviewed for suspicious activities
Password Policies reviewed (Complexity, Expiry)
User flow policies reviewed for currency
Custom policies reviewed for breaking changes (if used)
Compliance documentation updated (GDPR, etc.)
Disaster recovery plan tested

Summary: After a successful initial setup, the administrative overhead for Entra External ID is minimal. Most maintenance tasks can be completed in a few hours per month. Automation (alerts, monitoring) further reduces the manual effort.

Sources and References

[1] Microsoft Entra External ID Documentation: https://learn.microsoft.com/en-us/entra/external-id/
[3] Own estimate based on typical implementation times. Actual duration varies depending on the complexity of requirements and administrator experience.
[5] Entra External ID Pricing (as of October 2025): First 50,000 MAU/month free, then approx. €0.00325 per MAU. Current pricing: https://azure.microsoft.com/en-us/pricing/details/active-directory/external-identities/
[14] Best Practices for Client Secret Management: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal - Microsoft recommends a maximum validity of 12 months.
[16] Microsoft Graph Permissions Reference: https://learn.microsoft.com/en-us/graph/permissions-reference
[17] Azure Key Vault Documentation: https://learn.microsoft.com/en-us/azure/key-vault/
[21] Web Content Accessibility Guidelines (WCAG): https://www.w3.org/WAI/WCAG21/quickref/
[22] Conditional Access in Entra External ID: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview (Premium Feature)
[25] The 90-day rule is a best-practice recommendation. The actual threshold should be determined based on your security policy.
[30] Microsoft Security Response Center: https://msrc.microsoft.com/update-guide
[36] Identity Experience Framework (Custom Policies): https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview
[37] Azure Active Directory SLA: https://azure.microsoft.com/en-us/support/legal/sla/active-directory/v1_1/ - 99.9% Uptime Guarantee
[38] Token Lifetimes: Access Token default 1 hour, Refresh Token up to 90 days. Source: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes