Entra External ID (External Tenant): How to send an email notification/invitation to local user created via "Create User" endpoint of Graph API

Suraj 0 Reputation points
2025-01-08T11:53:33.8666667+00:00

Hello everyone,

We are in the process of migrating our authentication provider from Auth0 to MS Entra External ID for External Tenants (B2C). We have a couple of workflows we need to replicate in MS Entra External ID, particularly Create User and Reset Password scenarios.

Current Workflow with Auth0

  1. Our Single Page React Application provides a “Create User” form.
  2. Upon form submission, our backend (NestJS) calls the Auth0 Management API to create a user with a random password.
  3. Right after creation, we trigger the dbconnections/change_password API, which sends a “welcome” email to the newly created user.
  4. The user receives an email containing a standard welcome message with a “Confirm Your Email” link.
  5. Clicking this link redirects the user to Auth0’s password reset flow, where they can set their own password for the first time.

This flow eliminates the need to send the user a random password explicitly. Instead, the user receives a welcome email and uses a link to set their own password.

What We’ve Tried in MS Entra External ID

  • Using the Microsoft Graph API, we can create a new user with a random password and set forceChangePasswordNextSignIn = true in the passwordProfile.
  • The user is indeed required to change their password on first sign-in.
  • However, we are missing two critical features:
    1. Sending a notification (like a “Your Account Has Been Created” email) to the newly created user.
    2. Providing a secure way for them to set their own password without sending the random temporary password in plain text via email.

Question

Is there a recommended way, out-of-the-box or via custom policies, to achieve this workflow in MS Entra External ID for B2C users (i.e. local accounts)? Specifically, can we create a new user via the Graph API and simultaneously trigger an email so that the user can complete their account setup (set their own password) without having to send a temporary password in plain text?

We’ve seen references to the “invitation” API, but that appears to be intended for Workforce tenants rather than External/B2C tenants. If there’s a similar functionality for B2C, or a best practice for implementing the same, we’d really appreciate any guidance or pointers. Any resources, documentation links, or suggestions would be greatly appreciated!

Thank you in advance for your help!


2 answers

  1. Udayashankar K.N 85 Reputation points Microsoft Employee
    2025-01-08T11:59:37.03+00:00

    Yes, you can create a new user via the Graph API and trigger an email to complete account setup in Microsoft Entra External ID.

    https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers

    I have tried this in one of the scenarios and it worked; however, in your scenario please check if this fits.

    Microsoft Entra External ID also allows you to: 

    • Configure cross-tenant access settings 
    • Invite users to collaborate using their Microsoft Entra accounts, Microsoft accounts, or social identities 
    • Use B2B collaboration to let business guests access apps and resources 

  2. Akhilesh Vallamkonda 11,030 Reputation points Microsoft Vendor
    2025-01-17T19:26:32.1933333+00:00

    Hi @Suraj

    Thank you for reaching Microsoft Q&A Forum!

    I understand that you are looking for a way to trigger, when the user is created via the Graph API, an email notification to the newly created user that allows them to set their password.

    I regret to inform you that in an Entra External ID tenant, there is no feature available to trigger an email notification to the newly created user that allows them to set their password via the Graph API.

    The user can choose their own password only via the sign-up flow. If you create the local user account, the admin of the tenant can set the password, and the user needs to change it after the first login of the account. If the user wants to reset the password, you can use self-service password reset.
    As a suggestion, you can send an email to the user with a password reset link after creating the user.

    On the other side, regarding guest user invitation: in an Entra external tenant you can invite the guest user as in a workforce tenant, but here there is no option to choose a new password for the user. The user will only get the “Accept the invitation” email.

    Appreciate if you could share the feedback on this on our feedback community forum, which is closely monitored by our product team.

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh V.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
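
The pattern discussed in this thread (a Graph-created local account with a throwaway password, followed by a notification that points the user at password reset), as an added example that is not part of any post above and is not Microsoft's code. The tenant domain, sign-in URL and all function names are assumptions, and self-service password reset is assumed to be enabled for the sign-in flow; the code only builds the request body and the message, leaving the Graph call and mail delivery to the backend.

```javascript
// Added example: names, tenant domain and URLs are hypothetical.
// Web Crypto CSPRNG: global on recent Node, otherwise taken from node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Character classes without look-alike characters (assumed complexity policy).
const CLASSES = ["abcdefghijkmnpqrstuvwxyz", "ABCDEFGHJKLMNPQRSTUVWXYZ", "23456789", "!#$%*-_+"];

// Unbiased index in [0, n) using rejection sampling over 32-bit random values.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { webcrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Throwaway password: one character per class, the rest from the union, then shuffled.
function throwawayPassword(length = 32) {
  const all = CLASSES.join("");
  const chars = CLASSES.map((c) => c[randomIndex(c.length)]);
  while (chars.length < length) chars.push(all[randomIndex(all.length)]);
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomIndex(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

// Body for POST https://graph.microsoft.com/v1.0/users creating a local (email) account.
function buildCreateUserBody(email, displayName, tenantDomain) {
  return {
    displayName,
    mail: email,
    identities: [{ signInType: "emailAddress", issuer: tenantDomain, issuerAssignedId: email }],
    passwordProfile: { password: throwawayPassword(), forceChangePasswordNextSignIn: true },
  };
}

// The welcome mail is built only from displayName and mail, so the
// temporary password has no path into the message.
function buildWelcomeEmail(createBody, signInUrl) {
  const { displayName, mail } = createBody;
  return {
    to: mail,
    subject: "Your account has been created",
    text: `Hello ${displayName},\n\nAn account was created for ${mail}. ` +
      `Open ${signInUrl} and use the password reset option to set your password.\n`,
  };
}
```

The throwaway password should be discarded after the create call returns and kept out of application logs, since the user never needs it.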
