Native Authentication in Microsoft Entra External ID

Native Authentication for Microsoft Entra External ID

This post comes as a follow-up to our previous post on Microsoft Entra External ID. One of the most-talked developer-friendly features brought to Microsoft Entra ID is its native authentication support which is now in public preview🎉.  

Traditionally, authentication for mobile apps often relied on browser-delegated flows. While functional, they can introduce friction during sign-up and login, potentially impacting user onboarding, retention, and ultimately business profitability❌. This is where native authentication in Microsoft Entra External ID comes in. It allows developers to implement a seamless sign-up and login experience directly within their mobile apps, eliminating the need for browser redirects and enhancing user convenience. 

Now, let’s delve into the limitations of browser-delegated authentication and explore how native authentication enhances the overall user experience. 

Browser-delegated Authentication and its Drawbacks 

Browser-delegated authentication is the standard & easy mobile-app signing process in which users are temporarily redirected to a system browser authentication. It means that when we click the login button in a mobile application, the system browser is opened, and the user is redirected to the login page there. Once authentication is successfully completed, the user is redirected back to the application. 

While browser-based logins offer security and support for SSO, they lack the ability to fully configure company branding and can feel impersonal. To address this, Microsoft introduced Native Authentication in Entra External ID, offering a more customized and engaging sign-in experience that strengthens brand identity.

Native authentication vs browser-delegated
Browser-delegated authentication experience

Native Authentication for Microsoft Entra External ID 

Smooth authentication processes, tailored to match your brand’s identity, are more than just a technicality. They’re the first impression users have of your application—a moment to establish trust and confidence. Here’s where native authentication really stands out. 

Native authentication offers a customizable SDK-based approach to authentication. It empowers users with complete control over the design of their mobile app’s sign-in process. With Native Authentication, developers can craft visually stunning, pixel-perfect authentication screens that blend with their app’s interface. 

  • This solution enables the creation of authentication experiences directly within the application, avoiding the need to redirect to browsers.  
  • The login interface is hosted on the client application, allowing developers to control the application’s look and feel using the same technologies used to create the app. This ensures developers have full control of the signup-sign-in experience. 
Native Authentication
Native Authentication experience

What Customizations Can Be Done with Native Authentication Support in External ID? 

You can fully customize the UI of your mobile application interface, including design elements, logo placement, and layout with native authentication. 

Supported Authentication Methods in Native Authentication 

Microsoft Entra’s native authentication supports two methods for authentication. A customer app that uses native authentication to sign in users can use either of the authentication methods for MFA. 

  • Email with one-time passcode (OTP) sign-in. 
  • Email and password sign-in with support for self-service password reset. 

For successful calls to Microsoft Entra, the app must specify the supported authentication method. Through challenge types, Microsoft Entra allows the customer app to showcase the authentication methods it supports. 

However, native authentication currently doesn’t support the following features that are available in browser-based authentication. 

  • Federated identity providers like social or enterprise identities. 
  • Multifactor authentication with email OTP. 
  • Single sign-on (SSO). 

Difference Between Browser-Delegated Authentication and Native Authentication 

Microsoft Entra External ID supports both browser-delegated and native authentication. Developers can choose between both. While each app has unique authentication needs, there are some common considerations to keep in mind. Let’s discuss them below. 

Features Native authentication Browser-delegated authentication 
User authentication experience Seamless sign-up and sign-in experience within the mobile app.  Redirects users to a system or embedded browser for sign-in, ensuring a smooth transition back to the app post- authentication.  
Customization experience Employs an API-centric approach allowing extensive customization for tailored interactions and design flexibility.    
When implementing browser-delegated auth, the system offers built-in options for authentication such as branding elements and other customization options.    
Applicability Suitable for customer-first mobile apps where both the authorization server and app are perceived as one entity by the user.  Ideal for Entra ID and External ID apps, applicable to mobile, desktop, single-page, and web applications.   
Go live effort High effort: Developers build, own, and maintain the authentication experience.  Low effort: Ready to use with minimal integration.  
Maintenance effort High: Involves updating SDK packages and adapting to changes.   Low.  
Security Security responsibility is shared with developers, requiring adherence to best practices to mitigate phishing attacks.  Offers the most secure option.  
Supported languages and frameworks Android (Kotlin, Java) iOS (Swift, Objective-C) ASP.NET Core Android (Java) iOS (Objective-C) JavaScript React Angular Node.js Python Java 

How to Use Microsoft Entra Native Authentication to Build Apps? 

You can build apps that use native authentication by using native authentication APIs or the Microsoft Authentication Library (MSAL) SDK for Android and iOS. However, Microsoft recommends using MSAL to add native authentication to your apps. 

Note: If you’re planning to develop a mobile app on a framework that isn’t currently supported by MSAL, you can utilize the authentication API instead.  

Additionally, web fallback allows a client app that uses native authentication to use browser-delegated authentication as a backup mechanism for enhanced resilience. This situation arises when native authentication alone can’t fulfill the authentication process. For instance, if the authorization server demands functionalities beyond the client’s capabilities. 

For more information on native authentication code samples and tutorials, check the following table. 

Language/ Platform Code sample guide Build and integrate guide 
Android (Kotlin) â€˘ Sign in users â€˘ Sign in users 
iOS (Swift)  â€˘ Sign in users â€˘ Sign in users 

Advantages of Using MSAL SDK for Your Mobile App Authentication 

Here are some compelling benefits of adopting the MSAL SDK for authentication on mobile apps. 

1. No identity expertise required: The native authentication SDK simplifies authentication by offering easy-to-use interfaces that handle all the complex identity stuff for you. You don’t need to be an identity expert to use it! 

2. Discoverable via IDE: It’s super easy to integrate into your project because it works seamlessly with your IDE, offering autocomplete suggestions to speed up development. 

3. State machines limit developer error: Microsoft has built the SDK around a state machine model, which mimics the actual login process. This means developers can only perform actions that make sense at each stage of the login process, reducing the chance of errors. 

4. Secure from the ground up: SDK and API are designed with security at their core, following industry standards to ensure your app’s authentication process is rock solid. This helps native apps confirm identities safely, using the strong security features of the platform. Plus, it sets the stage for adding extra security layers like conditional access and MFA in the future. 

Closing Lines 

To wrap up, Microsoft Entra External ID for Customers is a big step forward in managing customer identities. With its Native Authentication support, it’s easier for companies to set up secure login processes. We hope this blog has sparked your interest in Entra’s native authentication capabilities. Thanks for reading. If you have further queries, reach out to us in the comments section. We will be happy to assist you. 

Leave a Reply

Your email address will not be published. Required fields are marked *

Native Authentication for Microsoft Entra External ID

time to read: 5 min
Follow us!