
Getting started with Azure AD Self-Service Sign-Up via user flows

Published February 26, 2021 in Azure , Azure Active Directory , security - 0 Comments

Microsoft has added several great features to help with managing the identity and access of external users in B2B collaboration. One such feature is Azure AD Self-Service Sign-Up via user flows, which lets an external user sign up as a guest user in the host Azure AD tenant. I found the feature to be promising, but at the time of writing it is still in preview and has limitations.

What is Self-Service Sign-Up via user flows?

Self-service sign-up provides several configurations for capturing information about the user on sign-up, integrating with social identity providers (Facebook, Google and other SAML/WS-Fed IdPs), and integrating with custom REST APIs to manage an approval process and perform the necessary business logic.

Azure AD self-service sign-up

Before you can use self-service sign-up, you need to enable it. Under Azure Active Directory, go to User settings and click the link Manage external collaboration settings.

Enabling self-service sign-up via user flows

Once enabled, you can select the options for self-service sign-up under the External Identities blade.

Capturing user attributes

Within a self-service sign-up user flow, you can define the attributes you want the user to provide on sign-up. Besides the built-in attributes for capturing the user’s name and address, you can add custom attributes to tailor the flow to your needs. For example, I added the attribute “Business name” as shown in the image below.

Self-Service sign-up custom attributes

Unlike an Azure AD B2C user flow, which allows you to customize the look and feel using JavaScript and CSS, at the time of writing the only UI customizations to a self-service sign-up user flow I see are changing the ordering of the attributes and providing localized values for different languages.

Configuring identity providers

By default, an external user can sign up if he or she has an Azure AD account. Besides Azure AD, you can also enable sign-up using a Microsoft personal account or an email one-time passcode, as these providers are already preconfigured.

Self-service sign-up configured identity providers

In my testing, I was able to sign up using my personal Microsoft account, but Email One Time Passcode did not work for me. When I select Sign up with email and enter my personal Gmail address, I get the error shown in the screenshot below.

Self service signup using email error

Besides the preconfigured identity providers, you can also configure sign-up using Google, Facebook or another SAML/WS-Fed identity provider.

The process of adding Google as an identity provider is fairly straightforward. Basically, you need to register an application via the Google developer console, generate a client ID and secret, and add the correct authorized redirect URIs. For step-by-step instructions, check out the document. Some instructions in the document may no longer align with the actual steps you need to do on the Google side, but the ideas are still the same.

Registering app with Google

The process for adding Facebook as an identity provider is similar to that for adding Google. You can follow the document for step-by-step instructions. I also found that some screens from Facebook do not match the instructions exactly, but the overall ideas remain the same.

Register application in Facebook

After adding the social identity providers, you can go back to the user flow and enable them.

Enable sign-up using Facebook and Google

Integrating self-service sign-up to your app

Initially, I was confused about how to let a user use the self-service sign-up flow that I had configured, because the authorization and other endpoints do not contain any information that links to a user flow. In contrast, with Azure AD B2C the authorization URL includes the name of the policy or user flow, so you can redirect the user directly to your custom sign-up or sign-in page. For Azure AD self-service sign-up, none of the endpoints contain information about a user flow. In my Angular web app, which uses oidc-client-js to connect to Azure AD, I did not need any special configuration besides setting the client ID and the authority URL.

// Angular environment file; the oidcSettings object is passed to oidc-client-js.
export const environment = {
  production: false,

  oidcSettings: {
    // Application (client) ID from the app registration in Azure AD
    client_id: "9f75d3e0-e3f0-49d8-886f-aba387584a96",
    // Standard Azure AD v2.0 authority; nothing here names a user flow
    authority:
      "https://login.microsoftonline.com/{replaceWithTenantId}/v2.0/",
    response_type: "code",
    post_logout_redirect_uri: "http://localhost:4200/",
    loadUserInfo: false,
    redirect_uri: "http://localhost:4200/",
    silent_redirect_uri: "http://localhost:4200/",
    scope: "openid profile",
  },
};

As far as Azure AD is concerned, once you have registered your app in Azure AD and configured a user flow, all you have to do is add your application to the user flow, as shown in the screenshot below.
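To make the point about the endpoints concrete, here is an added example (not code from the original post, and not part of oidc-client-js) that builds the discovery URL and the authorization request that a relying party sends for the oidcSettings above. It assumes a single-tenant app, that the tenant ID is the directory GUID, and the standard Azure AD v2.0 endpoint shapes (the authority's .well-known/openid-configuration document and the /oauth2/v2.0/authorize endpoint). The tenant ID, state and nonce values are constructed for illustration; the redirect allow-list is a hypothetical local-development setting. The request carries the client ID, redirect URI, scope, state and nonce, and no parameter that names a user flow: the flow is attached to the app registration in the portal, not to the URL. The checks also catch two common relying-party mistakes, an unreplaced tenant placeholder and a redirect URI outside the allow-list.

```javascript
// Added example: compose the Azure AD v2.0 authorization request from the
// post's oidcSettings. Nothing in the request refers to a self-service
// sign-up user flow; that association is made on the app registration.

// Settings copied from the post's environment file.
const oidcSettings = {
  client_id: "9f75d3e0-e3f0-49d8-886f-aba387584a96",
  authority: "https://login.microsoftonline.com/{replaceWithTenantId}/v2.0/",
  response_type: "code",
  post_logout_redirect_uri: "http://localhost:4200/",
  loadUserInfo: false,
  redirect_uri: "http://localhost:4200/",
  silent_redirect_uri: "http://localhost:4200/",
  scope: "openid profile",
};

// Constructed sample tenant ID (not a real tenant).
const SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555";

// Hypothetical allow-list of redirect URIs registered for this app.
const ALLOWED_REDIRECT_URIS = ["http://localhost:4200/"];

const GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Replace the tenant placeholder and refuse to proceed if any placeholder
// survives; shipping "{replaceWithTenantId}" is an easy mistake to make.
function resolveAuthority(settings, tenantId) {
  if (!GUID_RE.test(tenantId)) {
    throw new Error("tenantId must be the directory (tenant) GUID");
  }
  const authority = settings.authority.replace("{replaceWithTenantId}", tenantId);
  if (authority.includes("{") || authority.includes("}")) {
    throw new Error("authority still contains an unreplaced placeholder");
  }
  return authority.endsWith("/") ? authority : authority + "/";
}

// oidc-client-js reads the endpoints from the authority's discovery document.
function discoveryUrl(settings, tenantId) {
  return resolveAuthority(settings, tenantId) + ".well-known/openid-configuration";
}

// A redirect URI must be on the allow-list and use HTTPS, except for the
// loopback host used in local development.
function assertRedirectUriAllowed(redirectUri) {
  if (!ALLOWED_REDIRECT_URIS.includes(redirectUri)) {
    throw new Error("redirect_uri is not on the allow-list: " + redirectUri);
  }
  const parsed = new URL(redirectUri);
  if (parsed.protocol !== "https:" && parsed.hostname !== "localhost") {
    throw new Error("redirect_uri must use https unless it targets localhost");
  }
}

// Build the v2.0 authorization request. state and nonce must be fresh,
// unguessable values generated by the caller for each request.
function buildAuthorizeUrl(settings, tenantId, state, nonce) {
  if (settings.response_type !== "code") {
    throw new Error("use the authorization code flow (response_type=code)");
  }
  if (!state || !nonce) {
    throw new Error("state and nonce are required");
  }
  resolveAuthority(settings, tenantId); // validates tenant and placeholder
  assertRedirectUriAllowed(settings.redirect_uri);

  const url = new URL(
    `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`
  );
  url.searchParams.set("client_id", settings.client_id);
  url.searchParams.set("response_type", settings.response_type);
  url.searchParams.set("redirect_uri", settings.redirect_uri);
  url.searchParams.set("scope", settings.scope);
  url.searchParams.set("response_mode", "query");
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  return url.toString();
}

// Sorted parameter names of a request; useful to confirm that nothing
// user-flow-specific rides on the URL.
function requestParameterNames(authorizeUrl) {
  return Array.from(new URL(authorizeUrl).searchParams.keys()).sort();
}

// Stand-alone usage with constructed state/nonce values.
console.log(discoveryUrl(oidcSettings, SAMPLE_TENANT_ID));
console.log(buildAuthorizeUrl(oidcSettings, SAMPLE_TENANT_ID, "state-123", "nonce-456"));
console.log(requestParameterNames(
  buildAuthorizeUrl(oidcSettings, SAMPLE_TENANT_ID, "state-123", "nonce-456")
));
```

The B2C contrast the post draws is visible here: an Azure AD B2C request names its policy (for example through the p query parameter or a policy segment in the path), while this request has only the standard OpenID Connect parameters, so the same URL serves every app in the tenant whether or not a user flow is attached to it.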

Adding application to self-service sign-up user flow

The user experience

When the user clicks the login button in your application, the user sees the login screen with any custom logo and background image associated with your tenant. The screenshot below shows an example of the login screen I configured in my test Azure AD account.

Azure AD login screen with custom branding applied

Notice the Create one! link in the screenshot above. When the user clicks on it, Microsoft displays the self-service sign-up flow. For example, the screenshot below shows the identity providers I configured in my user flow.

Self-service sign-up options

Clicking one of the available options allows the user to sign up using the user’s identity from that provider. For instance, I can sign up using Google, Facebook, or my personal Microsoft account. Again, in my testing, the only thing that did not work for me is the Sign up with Email option.

On the initial sign-up, the user may see the consent screen from the user’s identity provider. For example, the screenshot below shows the consent screen from Facebook.

User sees the consent screen from the identity provider on the initial sign-up

API connectors

Azure AD self-service sign-up provides API connectors, which you can use to integrate with your own APIs to implement approval workflows, update backend databases, validate user input, and so on.

In the next post, I am going to go over using API connectors.

References

Add a self-service sign-up user flow to an app

Add Google as an identity provider

Add Facebook as an identity provider for B2B guest users

Manage partner access with Azure AD B2B
