# Evaluating Entra External Id

**Category:** [Open Forum](https://forum.rcpch.tech/c/general/4)
**Created:** 2024-11-20 15:23 UTC
**Views:** 8
**Replies:** 0
**URL:** https://forum.rcpch.tech/t/evaluating-entra-external-id/251

---

## Post #1 by @michael.barton

See https://forum.rcpch.tech/t/evaluating-external-identity-providers-draft/250 for the background.

Entra External ID is a totally separate instance. In "external tenants" mode it's dedicated to interactions with users outside of your company. For us this would be NHS users for clinical audit platforms, developers integrating with our APIs etc.

## Logging in with an external OpenID provider

This is the biggest glaring omission, blocking our adoption today. Azure B2C does support this, which is frustrating - I believe on balance we should try and adopt the newer Microsoft technology if we adopt anything at all. Otherwise we're just setting ourselves up for a migration within 5 years.

That said, the pros say it's coming in 2024:

- https://kocho.co.uk/blog/migrate-azure-ad-b2c-entra-external-id-customers/
- https://learn.microsoft.com/en-us/answers/questions/1691773/microsoft-entra-external-id-and-authentication-usi

So I think it's reasonable to evaluate it as if this feature were available.

You can create a [user flow](https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers) that allows sign up, or force it to work only with existing users using a [nasty Microsoft Graph API call](https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in). I'm not sure exactly how this would work as we would really want to require RCPCH users to authenticate against our internal AD.

:question: *How would we force some users to use a federated provider rather than username and password?*

You can customise the branding as we do with the RCPCH internal AD login.
## Managing OAuth credentials

We would need two sets of [app registrations](https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-register-ciam-app?tabs=spa) in our external tenant:

- The API you want to consume (eg NPDA patient data POST)
- Your app registration as a holder for your client ID and secrets

You can grant

Obtaining a token is a straightforward OAuth client credentials call, see [the example here (private link)](https://github.com/rcpch/api-management-api/blob/42616431d2016d6504216ebd8033d61c6f2a1957/main.py#L109).

In Azure APIM it's easy to verify a token once obtained using [validate-azure-ad-token](https://learn.microsoft.com/en-us/azure/api-management/validate-azure-ad-token-policy) in the policy:

```xml
<validate-azure-ad-token tenant-id="{{tenant ID of the external tenant}}">
    <audiences>
        <audience>{{client ID of the API you want to consume}}</audience>
    </audiences>
</validate-azure-ad-token>
```

You grant access to the API by adding an app role in the API to be consumed and adding it in the API permissions section of the app registration for the client.

In the application itself we must then verify the token to ensure unauthorised access is not possible even if we keep the app itself exposed on the internet and not behind the APIM instance. [See example here (private link)](https://github.com/rcpch/api-management-api/blob/42616431d2016d6504216ebd8033d61c6f2a1957/main.py#L75).

For the future there is an API for managing applications, including [creating client secrets](https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http). However this is via the Microsoft Graph API and you [cannot access resources cross tenant using a managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant).
This leaves us [managing a self-generated certificate](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate), as whatever instance of our code (eg our [discourse-apim plugin](https://github.com/rcpch/discourse-apim)) will necessarily be running in a different Entra tenant.

You must specifically request the scopes to perform such requests, otherwise they fail even if the user you log in as can do them in the admin UI.

---

**Canonical:** https://forum.rcpch.tech/t/evaluating-entra-external-id/251
**Original content:** https://forum.rcpch.tech/t/evaluating-entra-external-id/251
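An added example (not the private RCPCH code linked in the post) of the claim checks an API must still make on a client-credentials token after the RS256 signature has been verified against the tenant's JWKS, covering the "verify the token in the application itself" step above. All identifiers are constructed, and the External ID v2.0 issuer format is an assumption to confirm against the tenant's OpenID configuration document.

```python
import time
from typing import Optional

# Assumed, constructed identifiers (not real RCPCH tenant or app IDs).
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
API_CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"  # app registration of the API
REQUIRED_ROLE = "NPDA.Patient.Write"  # app role defined on the API, granted to the client
# Assumed v2.0 issuer format for an External ID customer tenant; confirm it against the
# tenant's OpenID configuration document before relying on it.
EXPECTED_ISSUER = f"https://{TENANT_ID}.ciamlogin.com/{TENANT_ID}/v2.0"


def check_claims(claims: dict, now: Optional[float] = None) -> list:
    """Return the reasons to reject the token; an empty list means accept.

    Assumes the signature has already been verified (e.g. with PyJWT + the JWKS).
    What remains: the token must come from our tenant, be minted for *this* API,
    be current, and carry the app role that the API permission grant produces.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")  # validly signed, but by some other tenant
    if claims.get("tid") != TENANT_ID:
        problems.append("tid mismatch")
    # aud is the API's client ID when the client requested "<API client ID>/.default".
    if claims.get("aud") not in (API_CLIENT_ID, f"api://{API_CLIENT_ID}"):
        problems.append("audience mismatch")  # token was minted for a different API
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired")
    if claims.get("nbf", 0) > now:
        problems.append("not yet valid")
    if REQUIRED_ROLE not in (claims.get("roles") or []):
        problems.append("missing app role")  # client was never granted the permission
    return problems


# Constructed sample payloads standing in for decoded JWT claims.
GOOD_CLAIMS = {
    "iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": API_CLIENT_ID,
    "nbf": 1_700_000_000, "exp": 1_700_003_600,
    "azp": "22222222-2222-2222-2222-22222222cccc",  # the calling client's app ID
    "roles": [REQUIRED_ROLE],
}
OTHER_API_CLAIMS = dict(GOOD_CLAIMS, aud="33333333-3333-3333-3333-33333333dddd")
NO_ROLE_CLAIMS = dict(GOOD_CLAIMS, roles=["Some.Other.Role"])
NOW = 1_700_001_000  # constructed "current time" inside the token's validity window
```

The audience and role checks are the ones most often skipped: without them any client that can get a token from the tenant, for any API, would be accepted.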