Power Pages – External Identity Management

Process Documentation: Onboarding New Portal Users

Table of Contents

1. Introduction and Purpose

Purpose

This documentation describes the process for onboarding new portal users in Power Pages[1] with external identity management (Entra External ID[2]). The focus is on the division of tasks between the internal department and the external portal user.

Key Takeaway The internal department exclusively performs tasks in Dataverse[3]. The interaction with the external identity provider is carried out entirely by the portal user themselves.

Internal Effort

2
steps

Time Required

~1
minute per user[4]

Systems (internal)

Dataverse
+ Power Pages

Entra External ID

No
Interaction

2. Roles and Responsibilities

Internal Department (Dataverse)

Step Activity System
1 Create contact record[5] Dataverse
2 Initiate invitation[6] Power Pages

Note: No direct interaction with Entra External ID required.

External Portal User (Entra External ID)

Step Activity System
1 Open invitation link Email Client
2 Define password[7] Entra External ID
3 Activate account Entra External ID
4 Perform initial login[8] Power Pages

Note: Carried out entirely independently without internal support.

Important The internal department has no activities in the external identity provider.

3. Detailed Process: Internal Department

1
Create Contact Record
Required Data:
  • Email address (required, unique)
  • First name (required)
  • Last name (required)
  • Status: Active
System:

Microsoft Dataverse (Model-Driven App[9] or Power Pages Admin[10])

Time Required:

Approx. 30 seconds[4]

2
Initiate Invitation
Action:

The invitation function for the created contact is triggered via Power Pages Admin.[6] The system automatically generates a unique redemption code and sends an email to the stored email address.

System Action:

Power Pages creates an invitation record in Dataverse and sends a preconfigured email template.[11]

Time Required:

Approx. 5 seconds (button click)[4]

Internal Tasks Complete After completing these two steps, all tasks of the internal department are finished. Further process steps are carried out automatically or by the portal user.

4. Detailed Process: Portal User (Self-Service)

Important All subsequent steps are carried out independently by the portal user. The internal department has no tasks in this process section.
1
Receive Invitation Email

The portal user automatically receives an email with a unique invitation link. Validity: 7 days by default.[12]

2
Validate Redemption Code

By clicking the link, the portal user is redirected to Power Pages. The system validates the redemption code and, upon successful validation, redirects to Entra External ID.[13]

3
Registration in Entra External ID

The portal user is redirected to the signup page of the external identity provider.[14] There, they enter and confirm a self-chosen password and any additional profile data as required.

4
Account Activation

After successful registration, Entra External ID creates an active user account. The link to the Dataverse contact is established via the email address.[15]

5
Authentication and Portal Access

After completing registration, the portal user is automatically redirected to the Power Pages portal and authenticated.[8] From this point on, full portal access is available.

Result The portal user is now fully registered and can independently sign in to the portal at any time using their credentials (email + password). Password management is handled exclusively through Entra External ID.[16]

5. System Architecture and Data Flow

System Components Overview

Dataverse

  • Contact records[3]
  • Invitation records
  • Permission management[17]

Power Pages

  • Invitation management[6]
  • OAuth2/OIDC integration[18]
  • Portal frontend[1]

Entra External ID

  • Authentication[2]
  • User accounts
  • Password management[16]

Data Flow: User Onboarding

Department
Dataverse

Create contact + initiate invitation

Power Pages
Email
Portal User

Send invitation link

Portal User
Entra External ID

Registration + authentication (fully self-service)

Important Note The integration between Power Pages and Entra External ID uses standardized OAuth2/OpenID Connect protocols.[18] The internal department does not need knowledge of these technical details and has no activities in the external identity provider.

6. Frequently Asked Questions (FAQ)

Is interaction with Entra External ID required from the internal department?
No. The internal department exclusively performs tasks in Dataverse and Power Pages Admin. All interaction with the external identity provider is carried out independently by the portal user.
Does the internal department need to manage or reset passwords?
No. Password management is handled entirely through Entra External ID.[16] Portal users can independently perform password resets. The internal department has no access to passwords.
How long is an invitation valid?
Default validity: 7 days.[12] After expiry, the invitation can be resent (identical process to the initial send).
Is bulk creation of portal users possible?
Yes. Via Power Automate[19], contact records and invitations can be created automatically from lists (e.g., Excel, CSV). This significantly reduces the manual effort for larger user groups.
How is a portal user deactivated?
The contact record in Dataverse is set to status "Inactive".[20] Authentication via Entra External ID is then no longer possible. Reactivation is done by changing the status back to "Active".
What happens if the invitation email fails to deliver?
The invitation can be resent via the Power Pages Admin interface. Most common cause: spam filter at the recipient. The portal user should be instructed to check their spam folder.

7. Summary

Effort for the Internal Department

Number of Steps

2

Time Required

~1
minute[4]

Systems

Dataverse
+ Power Pages

Entra External ID

No
Interaction

Advantages of This Architecture

1
Minimal Internal Effort

Only two simple steps required per portal user

2
No Password Management

Fully delegated to Entra External ID[16]

3
Self-Service for Portal Users

Registration and login completely independent[7]

4
Scalability

Bulk import via Power Automate possible for larger user groups[19]

Key Takeaway Onboarding new portal users requires the internal department to perform only two tasks: creating a contact record and initiating an invitation. All further process steps — in particular, all interaction with the external identity provider — are carried out independently by the portal user. This results in minimal effort for the department while maintaining high scalability of the process.

Sources and References

[1] Microsoft Power Pages Dokumentation: https://learn.microsoft.com/en-us/power-pages/
[2] Microsoft Entra External ID Dokumentation: https://learn.microsoft.com/en-us/entra/external-id/
[4] Own estimate based on typical processing times. Actual duration may vary depending on system performance and user experience.
[11] Email Templates for Invitations: https://learn.microsoft.com/en-us/power-pages/security/invite-contacts (Power Pages uses invitation workflows to send customized emails)
[12] The 7-day validity is a configurable default setting. The actual duration can be adjusted in the Power Pages settings.
[15] Identity mapping between Power Pages and Entra ID: The link is established by default via the email address as the unique identifier.
[18] Configure OpenID Connect Provider for Power Pages: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider
[20] Deactivate Contacts in Power Pages: The contact status in Dataverse controls portal access. When status is "Inactive", authentication is no longer possible.

Created by

Tino Rabe

Microsoft MVP for Power Pages

tino@amingi.net | www.powerportals.de