On Day 6 of Cybersecurity awareness month, learn to manage self-service sign-up for guests in Microsoft Entra to enhance security and streamline external user onboarding in your organization. Stay tuned for more insightful blog posts in the M365 Cybersecurity blog series.
In today’s digital landscape, collaborating with external partners, clients, and stakeholders is inevitable. However, the traditional approach of manually adding each external user so they can access your organization’s applications has long been labor-intensive. This antiquated approach not only places a heavy burden on administrators but also makes it hard to apply consistent security policies, including password complexity standards, multi-factor authentication (MFA) enforcement, and conditional access policies, to external user types.
Security culture can achieve more than prohibition posture.
– Stephane Nappo
Enhancing security involves securely granting access to external users, rather than simply denying or limiting guest user privileges. This is where self-service sign-up for guests in Microsoft Entra (formerly known as Azure AD) comes in, enabling external users to access your organization’s apps in a secure way.
In this blog, we delve into the concept of managing self-service sign-up for external users in Microsoft Entra, bridging the gap in security management and simplifying the onboarding process for external users. The blog covers:
- What is self-service sign-up?
- Self-service sign-up user flow
- Enable self-service sign-up for guests in Microsoft Entra
- Create the self-service sign-up user flow in Microsoft Entra
- Customize the page layout of the attribute collection form
- How to add self-service sign-up user flow to an app?
What is Self-service Sign-up for Guests in Microsoft Entra?
Self-service sign-up for external entities is a feature that empowers external users to independently establish guest accounts and gain access to your organization’s resources without any need for your intervention, all while maintaining a high level of security.
This B2B collaboration functionality allows you to create a personalized sign-up experience, integrate with social identity providers for seamless sign-in, and collect user information during the guest user self-service registration process.
Self-service Sign-up User Flow
The self-service sign-up user flow enables you to shape the sign-up process for external users accessing your applications securely. This functionality grants you the flexibility to tailor the user experience according to your preferences. Within the self-service sign-up user flow settings, you can personalize how users register and log in to your application.
- This includes the option to request specific user attributes for validation, such as their first name, postal code, country, or region.
- Furthermore, you can offer users a range of secure sign-in methods, including social account integration with platforms like Facebook, or using Microsoft Entra accounts. This broadens the choices available to your users when accessing your application.
- In addition to the above, users can seamlessly sign in to your application across different platforms, including web, mobile devices, desktop computers, or single-page applications (SPAs). This ensures a versatile and user-friendly sign-in experience across various devices and environments.
The application initiates an authorization request by sending it to the designated endpoint provided by the user flow. The user flow has full control over how users go through the sign-up process when accessing the application.
Once the user successfully completes the sign-up procedure, Entra ID generates a token and redirects the user back to the application. Simultaneously, a guest account is created for the external user within your tenant. Moreover, a single user flow can be employed across multiple applications, streamlining the B2B guest user sign-up experience and management process for external users across various services.
IMPORTANT: Self-service sign-up user flows are specifically designed for applications developed within your organization and cannot be utilized for Microsoft applications such as SharePoint or Teams.
Enable Self-service Sign-up for Guests in Microsoft Entra
Prior to incorporating self-service sign-up user flows into your applications, it is essential to enable self-service sign-up for guest users within Microsoft Entra. Once this feature is activated, you gain access to the necessary controls for associating user flows with your applications. So, let’s dive into the process of enabling self-service sign-up for external users in Entra ID.
- Navigate through the path below, signed in with at least the User Administrator role, to enable guest self-service sign-up user flows in Microsoft Entra.
Microsoft Entra admin center 🡢 Identity 🡢 Users 🡢 User settings 🡢 External users 🡢 Manage external collaboration settings.
- Now, toggle the “Enable guest self-service sign-up via user flows” switch to ‘Yes’.
- Lastly, don’t forget to click the “Save” button to save this configuration.
Create the Self-service Sign-up User Flow in Microsoft Entra
To strengthen security while broadening your circle of external user onboarding, let’s create a user flow for self-service sign-up and integrate it into your application.
- Follow the path below, with at least the User Administrator role, to create a self-service sign-up user flow for external users.
Microsoft Entra admin center 🡢 Identity 🡢 External Identities 🡢 User flows 🡢 New user flow.
- Then, choose the user flow type (for example, sign up and sign in) and the version, such as Recommended or Preview.
- After navigating to the “Create” page, enter a suitable name for your user flow. Note that the prefix B2X_1_ is automatically added to the name.
- Next, you have the option to select identity providers for external users to access your application. By default, the “Azure Active Directory Sign up” option is pre-selected. Please note that you can add identity providers to this list to give users more options.
- Identity provider options include:
- Adding identity providers is optional, as Microsoft Entra ID serves as the default identity provider for managing self-service sign-up for guests in Microsoft Entra. This allows for a seamless sign-up and sign-in experience for your users.
- In the “User attributes” section, you have the flexibility to select the specific attributes you require from external users signing in to your application. If you need additional attributes, simply click on the “Show more” option. You can also define custom user attributes to align with your organization’s unique needs and configurations.
- Click “Create” and the new user flow will appear in the list of user flows.
NOTE: The user flow gathers user attributes only during the initial B2B guest user sign-up. Once a user has completed the sign-up process, they will not be prompted to provide attribute information again, even if you make changes to the user flow.
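As an added example that is not part of the original post, the following PowerShell audit lists every self-service sign-up user flow in the tenant together with its identity providers and the attributes it collects, so you can verify the flow you just created (and any pre-existing ones) against your policy. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the IdentityUserFlow.Read.All permission, and that the b2xUserFlows resource is read from the Graph beta endpoint.

```powershell
# Audit script (added example, not from the original post).
# Assumptions: Microsoft.Graph PowerShell SDK, IdentityUserFlow.Read.All,
# and the Graph beta endpoint, where self-service sign-up flows live.
Connect-MgGraph -Scopes "IdentityUserFlow.Read.All" -NoWelcome

$Base = "https://graph.microsoft.com/beta/identity/b2xUserFlows"

function Get-B2XUserFlowReport {
    # Returns one object per user flow describing its IdPs and attributes.
    $flows = (Invoke-MgGraphRequest -Method GET -Uri $Base).value
    foreach ($flow in $flows) {
        # Flow ids carry the automatic B2X_1_ prefix described in the post.
        $idpUri  = "$Base/$($flow.id)/userFlowIdentityProviders"
        $attrUri = "$Base/$($flow.id)/userAttributeAssignments?`$expand=userAttribute"

        $idps  = (Invoke-MgGraphRequest -Method GET -Uri $idpUri).value
        $attrs = (Invoke-MgGraphRequest -Method GET -Uri $attrUri).value

        # Anything beyond the default Entra ID provider is a social/federated IdP
        # and deserves a second look against your external collaboration policy.
        $externalIdps = @($idps | Where-Object { $_.id -ne 'AADSignup-OAUTH' })

        [pscustomobject]@{
            UserFlow          = $flow.id
            Type              = $flow.userFlowType
            Version           = $flow.userFlowTypeVersion
            IdentityProviders = ($idps | ForEach-Object { $_.displayName }) -join ', '
            HasExternalIdP    = $externalIdps.Count -gt 0
            # Required attributes first, then optional, mirroring the sign-up form.
            Attributes        = ($attrs |
                Sort-Object isOptional |
                ForEach-Object {
                    $flag = if ($_.isOptional) { 'optional' } else { 'required' }
                    "$($_.displayName) ($flag, $($_.userInputType))"
                }) -join '; '
        }
    }
}

Get-B2XUserFlowReport | Format-List
```

The comparison against the id 'AADSignup-OAUTH' (the built-in "Azure Active Directory Sign up" provider) is an assumption about how the default provider is identified; adjust it to what your tenant returns if the filter flags the default provider as external.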
Customize the Page layout of the Attribute Collection Form
To control the sequence in which your attributes appear on the B2B guest user sign-up page, you can tailor the page layout of the attribute collection form.
- To begin, access the page layouts by following this path:
Microsoft Entra admin center 🡢 Identity 🡢 External Identities 🡢 User flows
- Next, pick the self-service sign-up user flow from the available list.
- Now, under the “Customize” section, locate and click on the “Page layouts” option.
- Here, you will find your selected list of attributes to collect from the user. To arrange their display order, simply select an attribute and use the provided options such as “Move up,” “Move down,” “Move to top,” and “Move to bottom.”
- Lastly, remember to Save your configuration.
How to Add Self-service Sign-up User Flow to an App?
Now, it’s the right moment to add applications to the user flow, allowing guest user self-service registration for the apps your organization owns. As a result, newcomers accessing these apps will encounter the revamped self-service sign-up process. Let’s explore this section to understand how to add a self-service sign-up user flow to an application.
- Navigate through the path below to add self-service sign-up for guests in Entra ID.
Microsoft Entra admin center 🡢 Identity 🡢 External Identities 🡢 User flows
- Pick the self-service sign-up user flow you’ve created from the list.
- Within the “Use” section, choose “Applications.”
- Next, click on “Add application.”
- Afterward, choose the application from the available list or utilize the search function to add the self-service sign-up for external entities to the desired application.
- Click the “Select” button to confirm.
In conclusion, we hope you’ve successfully implemented self-service sign-up for guests in Microsoft Entra. Ensure you manage guest self-service sign-up settings in line with your organization’s security and compliance policies. You can also enable additional security measures, such as multi-factor authentication (MFA), with this approach to enhance security for guest users. This not only smooths external access to your applications but also ensures consistent security settings.
Moreover, don’t forget to explore and enable other security features in Microsoft Entra for your organization. By doing so, you can streamline and fortify your organizational processes with these advanced settings.
We hope this blog has provided you with a clear understanding of how to effortlessly manage guest user self-service registration. If you have any doubts or questions, please don’t hesitate to reach out to us through the comments section. Your security and efficiency are our top priorities.