Power Platform Security: External Authentication
Explore authentication models for Azure AD guest users, B2C federations, and external Power Pages portals to ensure complete security and governance.
Overview of External Authentication in Power Platform
The security of Microsoft Power Platform extends beyond internal users: the platform also enables authentication of external users — customers, partners, citizens, or collaborators — through different methods. The main options include Azure Active Directory guest users, Azure AD B2C federations, and integrated authentication mechanisms in Power Pages portals.
Managing external identities is critical for building public or collaborative solutions while maintaining control over data and compliance. Each option has unique advantages and use cases.
Quick Comparison of External Authentication Models
- Azure AD Guest Users: Invited users accessing via the organization's tenant.
- Azure AD B2C: Federation with external providers for consumer or partner users.
- Power Pages: Public or authenticated portals with local or federated login options.
Azure Active Directory Guest Users (B2B Collaboration)
Guest users provide the most direct way to allow external access to Power Platform resources. Using Azure AD’s invitation feature, an organization can add external users as guest members of its tenant, granting controlled access to Power Apps or Power Automate.
Each invited user must accept the invitation to be registered in the tenant. Once accepted, they can access shared applications in “user” mode but not as co-owners, preventing unauthorized modifications to flows or apps.
This model uses Azure Active Directory as the main authentication provider, integrating with tenant security policies such as Conditional Access and Multi-Factor Authentication.
Main Advantages
- Centralized access management through Azure AD.
- Support for enterprise security policies and MFA.
- Controlled access to shared Power Apps and flows.
- Easy access revocation through guest user management.
Limitations
- Guest users cannot be resource co-owners.
- Requires manual invitation and acceptance for each user.
- Not suitable for large-scale consumer scenarios.
Azure Active Directory B2C: Federation with External Providers
For consumer or large-scale scenarios, Azure AD B2C (Business-to-Consumer) offers the most flexible solution. It allows federating identities from external providers such as Microsoft, Google, LinkedIn, Facebook, or Twitter, enabling users to sign in with their existing credentials.
This model is ideal for public portals or partner networks requiring external identity management without registering users directly in the corporate tenant.
Key Features
- Support for multiple authentication providers.
- Self-service user registration management.
- Customizable sign-in and sign-up flows.
- Compliance with privacy and GDPR requirements through configurable policies.
Integration with Power Platform
Azure AD B2C can be used as a provider for Power Pages, offering secure, scalable federation for external access. Configuration is done in the Power Pages administration panel, allowing multiple providers to be enabled simultaneously.
External Authentication in Power Pages Portals
Power Pages is the Power Platform component dedicated to publishing external portals based on Dataverse. As these portals expose data to public users, authentication management plays a crucial role.
Each authenticated user must have a record in the Contact table in Dataverse. Available authentication modes include:
- Local Authentication: Credentials stored directly in the Contact table, suitable for internal or test portals.
- External Authentication: Delegated to providers such as Azure AD, B2C, or social logins (Microsoft, Google, LinkedIn, Facebook, Twitter).
Multiple providers can be combined in the same portal, allowing users to choose their preferred access method. Portals also support:
- Open Registration — anyone can register, automatically creating the Dataverse contact.
- Invitation-based Registration — only existing contacts receive an invitation code to activate access.
- IP Restrictions — limit access from specific regions or networks.
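The registration modes above map onto Power Pages site settings, and a misconfigured portal typically has open registration or local login still enabled where only invited, federated users were intended. As an added example (not from this page or from Microsoft), this script audits a constructed site-settings export against the intended model; the setting names are Power Pages site setting names, while the exports, the assumed defaults for absent settings and the policy flags are constructed for illustration.

```python
# Added example, not from the page: audit registration-related Power Pages site settings
# against the access model the portal is meant to have. Setting names are Power Pages
# site setting names; exports, assumed defaults and policy flags are constructed.
PREFIX = "Authentication/Registration/"

# Assumed defaults applied when a setting is absent from the export (permissive).
DEFAULTS = {
    PREFIX + "OpenRegistrationEnabled": "true",
    PREFIX + "InvitationEnabled": "true",
    PREFIX + "LocalLoginEnabled": "true",
    PREFIX + "ExternalLoginEnabled": "true",
}

# Constructed export of a portal meant to be invitation-only and federated, but still
# permissive: any visitor can self-register and Dataverse-stored passwords are accepted.
WEAK_SETTINGS = {
    PREFIX + "OpenRegistrationEnabled": "true",
    PREFIX + "LocalLoginEnabled": "true",
    PREFIX + "ExternalLoginEnabled": "true",
}

# The same portal after tightening: only invited contacts can activate access,
# and sign-in is delegated to the configured external providers.
HARDENED_SETTINGS = {
    PREFIX + "OpenRegistrationEnabled": "false",
    PREFIX + "InvitationEnabled": "true",
    PREFIX + "LocalLoginEnabled": "false",
    PREFIX + "ExternalLoginEnabled": "true",
}

def _enabled(settings, name):
    """Site settings are stored as strings; treat anything but 'true' as off."""
    value = settings.get(name, DEFAULTS.get(name, "false"))
    return value.strip().lower() == "true"

def audit_registration(settings, invitation_only=True, federated_only=True):
    """Return the list of mismatches between the settings and the intended model."""
    findings = []
    if invitation_only:
        if _enabled(settings, PREFIX + "OpenRegistrationEnabled"):
            findings.append("open registration is on: any visitor can create a Contact")
        if not _enabled(settings, PREFIX + "InvitationEnabled"):
            findings.append("invitation registration is off: invited contacts cannot activate")
    if federated_only:
        if _enabled(settings, PREFIX + "LocalLoginEnabled"):
            findings.append("local login is on: passwords are stored in the Contact table")
        if not _enabled(settings, PREFIX + "ExternalLoginEnabled"):
            findings.append("external login is off: federated providers cannot be used")
    return findings
```

Running `audit_registration(WEAK_SETTINGS)` reports the two permissive values, while the hardened export returns no findings; an empty export also reports findings because the assumed defaults are permissive.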
Authorization and Roles
Authentication is just the first step: authorization in Power Pages portals is managed through Web Roles and Table Permissions in Dataverse. Web Roles define navigation and content access privileges, while Table Permissions control data visibility and modification rights.
The diagram illustrates the external authentication flow: the external user signs in through a provider (Azure AD or B2C), which validates the identity and links the session to the Dataverse Contact record.
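To make the Web Role and Table Permission composition concrete, here is an added example (not from this page or from Microsoft) that models how a signed-in Contact's roles and the scope of each Table Permission decide which Dataverse records a privilege applies to. Scope and privilege names follow the Power Pages model (the Parent scope is omitted); the roles, contacts and case records are constructed sample data, not a real Dataverse export.

```python
# Added example, not from the page: minimal model of Power Pages authorization.
# A Contact's Web Roles carry Table Permissions; each permission's scope (Global,
# Contact, Account, Self) decides which records its privileges cover. Scope and
# privilege names follow the Power Pages model; all data below is constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class TablePermission:
    table: str
    scope: str                 # "Global", "Contact", "Account" or "Self"
    privileges: frozenset      # subset of Read, Write, Create, Delete, Append, AppendTo
    relationship: str = ""     # lookup column on the record used by Contact/Account scope

@dataclass
class WebRole:
    name: str
    permissions: list = field(default_factory=list)

@dataclass
class Contact:
    id: str
    account_id: Optional[str]  # parent account, used by Account scope
    roles: list = field(default_factory=list)

def _in_scope(perm, contact, record):
    """Does this permission's scope cover the record for this contact?"""
    if perm.scope == "Global":
        return True
    if perm.scope == "Self":
        return record["table"] == "contact" and record["id"] == contact.id
    if perm.scope == "Contact":
        return record.get(perm.relationship) == contact.id
    if perm.scope == "Account":
        return contact.account_id is not None and record.get(perm.relationship) == contact.account_id
    return False

def is_allowed(contact, record, privilege):
    """Grants are additive across roles; a contact with no role sees nothing."""
    return any(perm.table == record["table"] and privilege in perm.privileges
               and _in_scope(perm, contact, record)
               for role in contact.roles for perm in role.permissions)

# Constructed sample: customers read only their own cases; account managers read and
# edit every case of their parent account; an anonymous visitor holds no role.
CUSTOMER = WebRole("Customer", [TablePermission("case", "Contact", frozenset({"Read"}), "customerid")])
MANAGER = WebRole("Account Manager", [TablePermission("case", "Account", frozenset({"Read", "Write"}), "accountid")])
ALICE = Contact("c-alice", "a-001", [CUSTOMER])
BOB = Contact("c-bob", "a-001", [MANAGER])
CASES = [
    {"table": "case", "id": "case-1", "customerid": "c-alice", "accountid": "a-001"},
    {"table": "case", "id": "case-2", "customerid": "c-carol", "accountid": "a-002"},
]
```

`is_allowed(ALICE, CASES[0], "Read")` is true while `is_allowed(ALICE, CASES[1], "Read")` and any Write by Alice are false; Bob can write case-1 through Account scope but cannot see case-2, which belongs to another account.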
Frequently Asked Questions
What is the difference between local and external authentication in Power Pages?
Local authentication stores credentials directly in Dataverse, while external authentication relies on providers such as Azure AD or B2C, offering greater security and scalability.
Can I use multiple authentication providers in the same portal?
Yes, Power Pages allows configuring multiple providers simultaneously. Users can choose to sign in with Microsoft, Google, LinkedIn accounts, or local credentials.
How can I protect a Power Pages portal for specific regions?
It’s possible to define IP restrictions to limit access to specific geographic regions or corporate networks, increasing the security of public portals.
Want to learn more about Power Platform Security?
Explore our training and certification paths dedicated to governance, security, and ALM in Power Platform. Learn how to implement advanced authentication and authorization strategies.