microsoft-entra-idazure-entra-idmicrosoft-entra-external-id

How to create an only invitation user flow in Entra External ID

I am developing an application using Entra External ID as identity provider.

The user flow should be:

  1. Users can only sing-up by invitation (admin to add manually users to Entra External ID)
  2. After users are created, an invitation is sent to users by email
  3. After the invitation is received, users can setup his own password
  4. Then, users can log-in using their password
  5. If users would not remember their password, they can reset it on their own

I believe, my user case is quite standard. But I could not find a way to implement it using Microsoft Entra admin center dashboard.

Any official docs or link?

Solution

  • Currently through the Entra admin center it is only possibly to create "Sign up and sign in" user flows. I was able to modify my user flow using Microsoft Graph to disable the "sign up" part of the experience.

    In my case, I just want to create the user through my own application and send the email through my own application, so I was able to use the POST User endpoint of the Microsoft Graph API to create the user with a temp password which I would then email. However, it should also be possible to create a user invitation through the Graph API.

    You can use the Graph Explorer to test out the Graph API. It was a little tricky to get the Graph Explorer connected to my external tenant, so I followed these steps:

    1. Open Graph Explorer in a Private/Incognito window
    2. append &tenant={tenantId} to the URL, reload
    3. Now click the user badge to sign in, you will be signing into your external tenant

    The POST User endpoint is standard, but to edit a user flow, I had to change the API to a beta version in the Graph Explorer.

    https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in