Create self-service sign-up user flows for apps in external tenants

Applies to: External tenants only, not workforce tenants (learn more)

Tip

This article applies to user flows in external tenants. For information about workforce tenants, see Add a self-service sign-up user flow to an app.

You can create a simple sign-up and sign-in experience for your customers by adding a user flow to your application. The user flow defines the series of sign-up steps customers follow and the sign-in methods they can use, such as email and password, one-time passcodes, social accounts from Google, Facebook, or Apple, or a custom OIDC federation. You can also collect information from customers during sign-up by selecting from a series of built-in user attributes or adding your own custom attributes.

You can create multiple user flows if you have multiple applications that you want to offer to customers. Or, you can use the same user flow for many applications. However, an application can have only one user flow.

Note

If you're creating local user accounts via Microsoft Graph and only need to support sign-in, you don't need to attach a user flow to your app. Refer to the Microsoft Graph REST API reference for an example of how to create a customer account in external tenants.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Online retail” use case.

Prerequisites

  • A Microsoft Entra external tenant: Before you begin, create your Microsoft Entra external tenant. You can set up a free trial, or you can create a new external tenant in Microsoft Entra ID.
  • Email one-time passcode enabled (optional): If you want customers to use their email address and a one-time passcode each time they sign in, make sure Email one-time passcode is enabled at the tenant level (in the Microsoft Entra admin center, navigate to External Identities > All Identity Providers > Email One-time-passcode).
  • Custom attributes defined (optional): User attributes are values collected from the user during self-service sign-up. Microsoft Entra ID comes with a built-in set of attributes, but you can define custom attributes to collect during sign-up. Define custom attributes in advance so they're available when you set up your user flow. Or you can create and add them later.
  • Identity providers defined (optional): You can set up federation with Google, Facebook or an OIDC identity provider in advance, and then select them as sign-in options as you create the user flow.

Create and customize a user flow

Follow these steps to create a user flow a customer can use to sign in or sign up for an application. These steps describe how to add a new user flow, select the attributes you want to collect, and change the order of the attributes on the sign-up page.

To add a new user flow

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > External Identities > User flows.

  4. Select New user flow.

  5. On the Create page, enter a Name for the user flow (for example, "SignUpSignIn").

  6. Under Identity providers, select the Email Accounts check box, and then select one of these options:

    • Email with password: Allows new users to sign up and sign in using an email address as the sign-in name and a password as their first-factor authentication method. You can also configure options for showing, hiding, or customizing the self-service password reset link on the sign-in page (learn more). If you plan to require multifactor authentication, this option lets you choose from email one-time passcodes, SMS text codes, or both as second-factor methods.

    • Email one-time passcode: Allows new users to sign up and sign in using an email address as the sign-in name and email one-time passcode as their first-factor authentication method. If you plan to require multifactor authentication, you can enable SMS text codes as a second-factor method.

    Note

    The Microsoft Entra ID Sign up option is unavailable because, although customers can sign up for a local account using an email from another Microsoft Entra organization, Microsoft Entra federation isn't used to authenticate them. Google and Facebook become available only after you set up federation with them. Learn more about authentication methods and identity providers.

  7. Under User attributes, choose the attributes you want to collect from the user during sign-up.

  8. Select Show more to choose from the full list of attributes, including Job Title, Display Name, and Postal Code.

    This list also includes any custom attributes you defined. Select the checkbox next to each attribute you want to collect from the user during sign-up.

  9. Select OK.

  10. Select Create to create the user flow.
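
The same choices made in steps 5 through 8 can be expressed as a Microsoft Graph request body, which is useful for reviewing or versioning a flow's sign-in method and collected attributes. The following is an added example, not part of the original article: it builds the body for `POST /identity/authenticationEventsFlows` offline and rejects anything other than exactly one email option. The helper name, labels, and the limited attribute table are assumptions, and the field names are assumed from the Graph `externalUsersSelfServiceSignUpEventsFlow` resource, so check them against the current Graph reference before sending.

```python
import json

NS = "#microsoft.graph."
# Identity provider ids for the two "Email Accounts" options in step 6.
EMAIL_PROVIDERS = {"password": "EmailPassword-OAUTH", "otp": "EmailOtpSignup-OAUTH"}
# A few built-in attribute ids; the labels are sample text (assumption).
BUILT_IN = {
    "email": "Email Address",
    "displayName": "Display Name",
    "jobTitle": "Job Title",
    "postalCode": "Postal Code",
}


def build_user_flow(name, email_method, attributes):
    """Return the JSON body for a sign-up/sign-in user flow (hypothetical helper)."""
    if email_method not in EMAIL_PROVIDERS:
        raise ValueError("choose exactly one email option: 'password' or 'otp'")
    # Email is the sign-in name, so it is always collected and listed first.
    ordered = ["email"] + [a for a in attributes if a != "email"]
    unknown = [a for a in ordered if a not in BUILT_IN]
    if unknown or len(set(ordered)) != len(ordered):
        raise ValueError(f"unknown or duplicate attribute in {ordered}")
    attrs = [{"id": a, "displayName": BUILT_IN[a],
              "userFlowAttributeType": "builtIn", "dataType": "string"}
             for a in ordered]
    # Inputs are emitted in the order given by the caller.
    inputs = [{"attribute": a, "label": BUILT_IN[a], "inputType": "text",
               "hidden": a == "email", "editable": a != "email",
               "writeToDirectory": True, "required": a == "email"}
              for a in ordered]
    return {
        "@odata.type": NS + "externalUsersSelfServiceSignUpEventsFlow",
        "displayName": name,
        "onInteractiveAuthFlowStart": {
            "@odata.type": NS + "onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
            "isSignUpAllowed": True,
        },
        "onAuthenticationMethodLoadStart": {
            "@odata.type": NS + "onAuthenticationMethodLoadStartExternalUsersSelfServiceSignUp",
            "identityProviders": [{"id": EMAIL_PROVIDERS[email_method]}],
        },
        "onAttributeCollection": {
            "@odata.type": NS + "onAttributeCollectionExternalUsersSelfServiceSignUp",
            "attributes": attrs,
            "attributeCollectionPage": {"views": [{"inputs": inputs}]},
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_user_flow("SignUpSignIn", "password", ["displayName"]), indent=2))
```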
