Microsoft Entra External ID – perfect authentication experience with Native Authentication

Accessing consumer applications begins with the authentication experience, which serves as the gateway. Any obstacles or difficulties during the sign-up or sign-in process can significantly affect user onboarding, retention rates and, ultimately, the revenue of a company. It is crucial to ensure these procedures are seamless and in harmony with the organization’s identity, fostering consumer confidence and trust. In Microsoft Entra External ID for Customers we can define authentication flows and adjust branding elements such as the background, logo or button colors. However, sometimes that is not enough.

This article explores Native Authentication in Microsoft Entra External ID, which enables developers to take complete control over the design of the login and registration experience. We are going to explore possible ways to craft stunning, pixel-perfect authentication screens that integrate seamlessly into mobile applications, eliminating the need to depend on browser-based solutions. If you would like to learn more about Microsoft Entra External ID and its features, please read my previous article.

Typical approach for authentication handling

The most typical way of handling authentication in modern applications is redirection to the authorization server’s login page. When the user taps the login button in a mobile application, the system browser opens and the user is redirected to the login page there. Once authentication completes successfully, the user is redirected back to the application.

This can result in a diminished user experience, and it may compromise the integrity of the brand. Developers of consumer mobile apps, and the organizations behind them, frequently seek solutions that give them more flexibility and control over both the user interface and the overall user experience.

Native Authentication support in Microsoft Entra External ID

Native Authentication gives developers full control over how login or registration pages look. It is possible to create beautiful, flawless login screens that smoothly fit into mobile applications, without needing to depend on browser-based solutions and disruptive redirection.

With the new platform, Microsoft Entra External ID, we can choose to use either the authentication API directly or the Microsoft Authentication Library (MSAL) for Android and iOS. Either way, we have the power to construct engaging sign-up and sign-in journeys. This API-centric approach not only grants flexibility in design but also enables the development of highly tailored interactions and flows. These capabilities are crucial for building exceptional and enjoyable consumer mobile applications.

Microsoft Entra External ID offers an SDK for Android and iOS developers so they can implement all required authentication flows within their applications. It provides easy-to-use interfaces for different scenarios, such as registration or code verification, removing the need for in-depth identity expertise. These interfaces handle the complexity of identity protocols and manage caching, sessions and tokens automatically, ensuring a secure and dependable way to implement authentication.

The above picture presents the Android Studio Integrated Development Environment. The SDK available in the MSAL library makes integration easy through IDE auto-completion, boosting developer productivity.
By using a state machine in the SDK, coding mistakes are minimized. This state machine mirrors the real user login process and, at each step, limits the actions developers can take. For instance, if the system is waiting for a one-time passcode (the CodeRequired state), developers can only call methods such as submitCode() and resendCode(). This prevents inappropriate method calls, reducing errors and simplifying protocol orchestration. A source code fragment for the sign-up flow implementation is presented below.

It is also very important to mention that the Native Authentication SDK and its underlying API are built on strong security considerations. The Microsoft Identity standards team, along with other industry experts in the Internet Engineering Task Force (IETF), is working on a new standard. This standard ensures that first-party clients (applications) can use secure interaction methods when authenticating users. The Native Authentication API and SDK follow this standard, ensuring that native applications can authenticate securely.

Let’s discuss the sign-up scenario and what happens underneath when Native Authentication is used. On the registration page the user provides the required details, including e-mail and password. Once the sign-up button is clicked, an API call is made to Microsoft Entra External ID. In the next step the user has to provide a verification code. Underneath, the Authentication API returns a flow token which must be attached to the next request, sent along with the verification code. This adds security to the follow-up requests that complete a specific flow, such as registration in this example, because each request is bound to the flow that started it. In the final response we receive the tokens required by our application.
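To make the two ideas above concrete (the state machine that limits what the developer can call at each step, and the flow token that binds each follow-up request to the flow that started it), here is a small model added to this article. It is not MSAL or Microsoft code: SimulatedAuthApi is a constructed stand-in for the authentication endpoint, the endpoint names and error strings are assumptions, and the "inbox" dictionary simulates e-mail delivery of the one-time code so the whole flow runs offline.

```python
# Added example (hypothetical model, not the MSAL SDK): a state-driven sign-up client
# talking to a simulated Native Authentication API that issues a flow token after the
# first request and requires it, single-use, on every follow-up request.
from __future__ import annotations

import hmac
import secrets


class AuthError(Exception):
    """Raised by the simulated API for a rejected request (message = error code)."""


class SimulatedAuthApi:
    """Stand-in for the authentication endpoint (constructed for this example)."""

    MAX_ATTEMPTS = 3

    def __init__(self) -> None:
        self._pending: dict[str, dict] = {}  # flow_token -> pending sign-up
        self.inbox: dict[str, str] = {}      # simulated e-mail delivery of codes

    def _issue_challenge(self, email: str) -> str:
        # Every challenge gets a fresh, unguessable flow token and a fresh code.
        code = f"{secrets.randbelow(10**6):06d}"
        flow_token = secrets.token_urlsafe(32)
        self._pending[flow_token] = {"email": email, "code": code, "attempts": 0}
        self.inbox[email] = code
        return flow_token

    def signup_start(self, email: str, password: str) -> str:
        if "@" not in email or len(password) < 8:
            raise AuthError("invalid_request")
        return self._issue_challenge(email)

    def signup_resend(self, flow_token: str) -> str:
        # Resending invalidates the previous token and code; a new pair is issued.
        pending = self._pending.pop(flow_token, None)
        if pending is None:
            raise AuthError("invalid_flow_token")
        return self._issue_challenge(pending["email"])

    def signup_continue(self, flow_token: str, code: str) -> dict[str, str]:
        pending = self._pending.get(flow_token)
        if pending is None:
            raise AuthError("invalid_flow_token")  # missing, replayed or already used
        if not hmac.compare_digest(pending["code"], code):
            pending["attempts"] += 1
            if pending["attempts"] >= self.MAX_ATTEMPTS:
                del self._pending[flow_token]      # lock the flow after repeated guesses
            raise AuthError("invalid_code")
        del self._pending[flow_token]              # the flow token is single-use
        return {"access_token": secrets.token_urlsafe(16),
                "id_token": secrets.token_urlsafe(16)}


class Completed:
    """Terminal state: the app receives its tokens."""

    def __init__(self, tokens: dict[str, str]) -> None:
        self.tokens = tokens


class CodeRequired:
    """Only submit_code() and resend_code() exist here; the flow token stays private."""

    def __init__(self, api: SimulatedAuthApi, flow_token: str) -> None:
        self._api = api
        self._flow_token = flow_token

    def submit_code(self, code: str) -> Completed:
        return Completed(self._api.signup_continue(self._flow_token, code))

    def resend_code(self) -> CodeRequired:
        return CodeRequired(self._api, self._api.signup_resend(self._flow_token))


class SignUpClient:
    """Initial state: the only available action is sign_up()."""

    def __init__(self, api: SimulatedAuthApi) -> None:
        self._api = api

    def sign_up(self, email: str, password: str) -> CodeRequired:
        return CodeRequired(self._api, self._api.signup_start(email, password))


def error_code(action) -> str:
    """Run a zero-argument action and return the API error code, or '' on success."""
    try:
        action()
        return ""
    except AuthError as exc:
        return str(exc)


if __name__ == "__main__":
    api = SimulatedAuthApi()
    state = SignUpClient(api).sign_up("alice@example.com", "correct horse battery staple")
    # Developer code at this point can only submit or resend; the code arrives "by e-mail".
    done = state.submit_code(api.inbox["alice@example.com"])
    print("tokens received:", sorted(done.tokens))
```

The client never sees or forwards the flow token itself; it is captured inside the CodeRequired state, which is the only object exposing submit_code() and resend_code(). On the API side the token is single-use, is replaced on resend, and is discarded after repeated wrong codes, so a captured or replayed follow-up request cannot complete a flow it did not start.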

Browser-delegated vs native authentication – how to choose?

The approach we select will vary based on the specific requirements of our application. Although every app has its own authentication demands, there are some general factors to consider:

Consideration: Authentication experience

  Browser-delegated: Users are directed to a separate browser window or a browser embedded within the app just for signing in. They’re then brought back to the app once the sign-in is done. This is a good choice if the redirection doesn’t bother the user.

  Native: Users enjoy a seamless sign-up and sign-in process right within the app, designed specifically for mobile devices. They never have to leave the app for this.

Consideration: Security

  Browser-delegated: The most secure approach.

  Native: Developers share responsibility for security and must follow best practices. However, this method is vulnerable to phishing attacks.

Consideration: Customization experience

  Browser-delegated: We can easily customize and brand our app using built-in options in Microsoft Entra External ID for Customers.

  Native: This method, based on APIs, allows for lots of customization. We can design our app exactly how we want and create unique authentication user journeys.

Consideration: Supported languages and frameworks

  Browser-delegated:
  • ASP.NET Core
  • Android (Java)
  • iOS (Objective-C)
  • JavaScript
  • React
  • Angular
  • Node.js
  • Python
  • Java

  Native:
  • Android (Kotlin, Java)
  • iOS (Swift, Objective-C)

Consideration: Implementation effort and applicability

  Browser-delegated: This method works well for mobile and desktop apps, single-page applications, and web apps. Implementation effort is much lower, as we can use built-in features in Microsoft Entra.

  Native: This approach relates to mobile apps where the authorization server and the app itself are run by the same company, and users see them as one entity. Implementation effort is higher, as developers build, own, and maintain the authentication experience.

Summary

In essence, Microsoft Entra External ID for Customers represents the next frontier in Customer Identity and Access Management (CIAM) at Microsoft. Native Authentication support will make it much easier for organizations to implement crafted-to-perfection authentication flows with solid security. It is worth mentioning that organizations will still have the choice to use web-hosted authentication pages, native flows, or both.

At Formula5, we firmly believe in the efficiency of Microsoft Entra to assist organizations in deploying modern and secure CIAM solutions. Our commitment includes substantial investments in both knowledge acquisition and team skill development to effectively support clients on their journey towards identity modernization. Please contact us using this form if you need our help with building resilient, secure and user-friendly CIAM solution for your organization with either Azure AD B2C or Microsoft Entra External ID.

Written By

Modern Identity Lead
