There are two ways to configure a Microsoft Entra tenant, depending on how an organization intends to use the tenant and the resources that you want to manage:
- A workforce tenant configuration is for your employees, internal business apps, and other organizational resources. A workforce tenant uses B2B collaboration in Microsoft Entra External ID for collaboration with external business partners and guests.
- An external tenant configuration is exclusively for External ID scenarios where you want to publish apps to consumers or business customers.
This article gives a detailed comparison of the features and capabilities in workforce and external tenants. For more information about these tenants, see Workforce and external tenant configurations in Microsoft Entra External ID.
Note
During the preview, features or capabilities that require a premium license are unavailable in external tenants.
General feature comparison
The following table compares the general features and capabilities in workforce and external tenants.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| External identities scenario | Allow business partners and other external users to collaborate with your workforce. Guests can securely access your business applications through invitations or self-service sign-up. | Use External ID to help secure your applications. Consumers and business customers can access your consumer apps through self-service sign-up. Invitations are also supported. |
| Local accounts | Local accounts are supported for internal members of your organization only. | Local accounts are supported for: |
| Groups | Use groups to manage administrative and user accounts. | Use groups to manage administrative accounts. Support for Microsoft Entra groups and application roles is being phased into customer tenants. For the latest updates, see Groups and application roles support. |
| Roles and administrators | Roles and administrators are fully supported for administrative and user accounts. | Roles are supported for all users. All users in an external tenant have default permissions unless they're assigned an admin role. |
| Microsoft Entra ID Protection | This product provides ongoing risk detection for your Microsoft Entra tenant. It allows organizations to discover, investigate, and remediate identity-based risks. | Not available. |
| Microsoft Entra ID Governance | This product enables organizations to govern identity and access lifecycles, along with secure privileged access. Learn more. | Not available. |
| Self-service password reset | Allow users to reset their password by using up to two authentication methods. | Allow users to reset their password by using email with a one-time passcode or SMS. Learn more. |
| Language customization | Customize the sign-in experience based on browser language when users authenticate into your corporate intranet or web-based applications. | Use languages to modify the strings displayed to your customers as part of the sign-in and sign-up process. Learn more. |
| Custom attributes | Use directory extension attributes to store more data in the Microsoft Entra directory for user objects, groups, tenant details, and service principals. | Use directory extension attributes to store more data in the customer directory for user objects. Create custom user attributes and add them to your sign-up user flow. Learn more. |
| Pricing | Get monthly active users (MAU) pricing for external guests through B2B collaboration (UserType=Guest). | Get MAU pricing for all users in the external tenant regardless of role or UserType value. |
Interface customization
The following table compares the features for interface customization in workforce and external tenants.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Company branding | You can add company branding that applies to all these experiences to create a consistent sign-in experience for your users. | Same as workforce. Learn more. |
| Language customization | Customize the sign-in experience by browser language. | Same as workforce. Learn more. |
| Custom domain names | You can use custom domains for administrative accounts only. | You can use the custom URL domain feature for external tenants to brand app sign-in endpoints with your own domain name. |
| Native authentication for mobile apps | Not available. | Microsoft Entra native authentication gives you full control over the design of your mobile application's sign-in experiences. |
Adding your own business logic
You can use custom authentication extensions to customize the Microsoft Entra authentication experience by integrating with external systems. A custom authentication extension is essentially an event listener. When you activate it, it makes an HTTP call to a REST API endpoint where you define your own business logic.
The following table compares the events for custom authentication extensions in workforce and external tenants.
| Event | Workforce tenant | External tenant |
|---|---|---|
| TokenIssuanceStart | Add claims from external systems. | Add claims from external systems. |
| OnAttributeCollectionStart | Not available. | This event occurs at the beginning of the sign-up's attribute collection step, before the attribute collection page renders. You can add actions such as prefilling values and displaying a blocking error. Learn more. |
| OnAttributeCollectionSubmit | Not available. | This event occurs during the sign-up flow, after the user enters and submits attributes. You can add actions such as validating or modifying the user's entries. Learn more. |
| OnOtpSend | Not available. | Configure a custom email provider for one-time passcode send events. Learn more. |
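The TokenIssuanceStart row above describes the REST endpoint as an event listener that returns claims from an external system. The following is an added example (not code from this page or from Microsoft) of the pure request-to-response step such an endpoint performs: it checks the event type, looks the user up in a constructed stand-in for the external system, and passes only allow-listed claims into the `provideClaimsForToken` response. The `EXTERNAL_SYSTEM` data, `ALLOWED_CLAIMS` and function names are assumptions; the event and response `@odata.type` values follow the documented custom claims provider contract.

```python
from typing import Any

# Event type Microsoft Entra sends for TokenIssuanceStart and the @odata.type
# values of the response contract (documented shapes of the callout protocol).
TOKEN_ISSUANCE_START = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
RESPONSE_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
ACTION_TYPE = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"

# Claims the extension is permitted to add to issued tokens. Anything else the
# external system returns is dropped, so a misconfigured or compromised backend
# cannot smuggle arbitrary claims into tokens. (Assumed list.)
ALLOWED_CLAIMS = {"loyaltyTier", "customRoles"}

# Constructed stand-in for the external system (for example a CRM), keyed by
# the user's object id. Sample ids only, not real tenant data.
EXTERNAL_SYSTEM: dict[str, dict[str, Any]] = {
    "00000000-0000-0000-0000-000000000001": {
        "loyaltyTier": "gold",
        "customRoles": ["Reader", "Writer"],
        "ssn": "do-not-issue",  # exists upstream but must never reach a token
    }
}


def lookup_claims(user_id: str) -> dict[str, Any]:
    """Hypothetical lookup in the external system; unknown users get no claims."""
    return dict(EXTERNAL_SYSTEM.get(user_id, {}))


def build_token_issuance_response(event: dict[str, Any]) -> dict[str, Any]:
    """Turn a TokenIssuanceStart callout body into a provideClaimsForToken response.

    The HTTP endpoint that calls this must first verify the bearer token Entra
    sends in the Authorization header; that step is outside this function.
    """
    if event.get("type") != TOKEN_ISSUANCE_START:
        raise ValueError("unexpected event type")

    ctx = event.get("data", {}).get("authenticationContext", {})
    user_id = ctx.get("user", {}).get("id")
    if not isinstance(user_id, str) or not user_id:
        raise ValueError("callout is missing the user object id")

    # Filter to the allow-list so only approved claims are returned.
    raw = lookup_claims(user_id)
    claims = {name: value for name, value in raw.items() if name in ALLOWED_CLAIMS}

    return {
        "data": {
            "@odata.type": RESPONSE_TYPE,
            "actions": [{"@odata.type": ACTION_TYPE, "claims": claims}],
        }
    }
```

An unknown user yields an action with an empty `claims` object rather than an error, so token issuance proceeds without extra claims.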
Identity providers and authentication methods
The following table compares the identity providers and methods for primary authentication and multifactor authentication (MFA) in workforce and external tenants.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Identity providers for external users (primary authentication) | For self-service sign-up guests: For invited guests: | For self-service sign-up users (consumers, business customers): For invited guests (preview) via a directory role (for example, admins): You can invite external users for administrative purposes only. You can't use this feature to invite customers to sign in to your apps. This feature isn't compatible with customer identity and access management (CIAM) user flows. |
| Authentication methods for MFA | For internal users (employees and admins): For guests (invited or self-service sign-up): | For self-service sign-up users (consumers, business customers): For invited users (preview): |
Authentication methods available in External ID
You can use some authentication methods as the primary factor when users sign in to an application, such as username and password. Other authentication methods are available only as a secondary factor. The following table outlines when you can use an authentication method during sign-in, self-service sign-up, self-service password reset, and MFA in External ID.
| Method | Sign-in | Sign-up | Password reset | MFA |
|---|---|---|---|---|
| Email with password | | | | |
| Email one-time passcode | | | | |
| SMS-based authentication | | | | |
| Apple federation | | | | |
| Facebook federation | | | | |
| Google federation | | | | |
| Microsoft personal account (OpenID Connect) | | | | |
| Microsoft Entra ID federation | | | | |
| OpenID Connect federation | | | | |
| SAML/WS-Fed federation | | | | |
Application registration
The following table compares the features for application registration in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Protocol | Protocols include SAML relying parties, OpenID Connect, and OAuth2. | Protocols include SAML relying parties, OpenID Connect, and OAuth2. |
| Supported account types | The following account types are available: | Always use accounts in this organizational directory only (single tenant). |
| Platform | The following platforms are available: | The following platforms are available: |
| Redirect URIs for authentication | Microsoft Entra ID accepts these URIs as destinations when it returns authentication responses (tokens) after successfully authenticating or signing out users. | Same as workforce. |
| Front-channel logout URL for authentication | This URL is where Microsoft Entra ID sends a request to have the application clear the user's session data. The front-channel logout URL is required for single sign-out to work correctly. | Same as workforce. |
| Implicit grant and hybrid flows for authentication | Request a token directly from the authorization endpoint. | Same as workforce. |
| Certificates and secrets | Multiple credentials are available: | Same as workforce. |
| Rotation for certificates and secrets | Update client credentials to help ensure that they remain valid and secure, while users can continue to sign in. You can rotate certificates, secrets, and federated credentials by adding a new one and then removing the old one. | Same as workforce. |
| Policy for certificates and secrets | Configure the application management policies to enforce secret and certificate restrictions. | Not available. |
| API permissions | Add, remove, and replace permissions to an application. After permissions are added to your application, users or admins need to grant consent to the new permissions. Learn more about updating an app's requested permissions in Microsoft Entra ID. | The following permissions are allowed: Microsoft Graph offline_access, openid, and User.Read, along with your My APIs delegated permissions. Only an admin can consent on behalf of the organization. |
| Expose an API | Define custom scopes to restrict access to data and functionality that the API helps protect. An application that requires access to parts of this API can request user or admin consent to one or more of these scopes. | Same as workforce. |
| Owners | Application owners can view and edit the application registration. Additionally, any user (who might not be listed) with administrative privileges to manage any application (for example, Cloud Application Administrator) can view and edit the application registration. | Same as workforce. |
| Roles and administrators | Administrative roles are used for granting access for privileged actions in Microsoft Entra ID. | Only the Cloud Application Administrator role can be used for apps in external tenants. This role grants the ability to create and manage all aspects of application registrations and enterprise applications. |
Access control for applications
The following table compares the features for application authorization in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Role-based access control (RBAC) | You can define application roles for your application and assign those roles to users and groups. Microsoft Entra ID includes the user roles in the security token. Your application can then make authorization decisions based on the values in the security token. | Same as workforce. Learn more about using role-based access control for applications in an external tenant. For available features, see Groups and application roles support. |
| Security groups | You can use security groups to implement RBAC in your applications, where the memberships of users in specific groups are interpreted as their role memberships. Microsoft Entra ID includes user group membership in the security token. Your application can then make authorization decisions based on the values in the security token. | Same as workforce. The group optional claims are limited to the group object ID. |
| Attribute-based access control (ABAC) | You can configure the app to include user attributes in the access token. Your application can then make authorization decisions based on the values in the security token. For more information, see Token customization. | Same as workforce. |
| Require user assignment | When user assignment is required, only the users you assign to the application (either through direct user assignment or based on group membership) can sign in. For more information, see Manage user and group assignments to an application. | Same as workforce. For details, see Groups and application roles support. |
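The RBAC and Security groups rows above say the application makes its authorization decision from the `roles` and `groups` values in the token, and that in an external tenant the group claim carries only the group object ID. The following added example (not code from this page or from Microsoft; the permission maps, the audience value and the function names are assumptions) shows that decision: it maps app roles and group object IDs to application permissions, refuses tokens issued for another audience, and fails closed when the token signals a groups overage (`_claim_names`/`_claim_sources` in place of `groups`, the general Entra behaviour assumed here), since membership then has to be resolved separately.

```python
# Constructed mapping from group object ids to this app's permissions. External
# tenant tokens carry group object ids only (no display names), so the app has
# to own this table. Ids are sample values.
GROUP_PERMISSIONS: dict[str, set[str]] = {
    "11111111-1111-1111-1111-111111111111": {"orders.read"},
    "22222222-2222-2222-2222-222222222222": {"orders.read", "orders.write"},
}

# App roles defined on the app registration, mapped to permissions (assumed).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "Orders.Admin": {"orders.read", "orders.write", "orders.delete"},
}

# The API's own client id; a token for any other audience is rejected (sample).
EXPECTED_AUD = "00001111-aaaa-2222-bbbb-3333cccc4444"


def permissions_from_claims(claims: dict) -> set[str]:
    """Derive the caller's permissions from validated token claims.

    `claims` is the already signature-verified JWT payload; this function only
    performs the authorization step the table describes.
    """
    if claims.get("aud") != EXPECTED_AUD:
        raise PermissionError("token was not issued for this API")

    # Groups overage: the token has no `groups` claim but points at a source to
    # query instead. Deny until membership is resolved rather than granting on
    # an empty list and silently dropping a deny-by-group policy.
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        return set()

    perms: set[str] = set()
    for role in claims.get("roles", []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    for group_id in claims.get("groups", []):
        # Unknown ids map to nothing: a group the app never enrolled grants nothing.
        perms |= GROUP_PERMISSIONS.get(group_id, set())
    return perms


def is_authorized(claims: dict, required_permission: str) -> bool:
    """True when the token grants `required_permission` via a role or a group."""
    return required_permission in permissions_from_claims(claims)
```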
Enterprise applications
The following table compares the unique features for enterprise application registration in workforce and external tenants.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Application gallery | The application gallery contains thousands of applications that are integrated into Microsoft Entra ID. | Choose from a range of integrated apps. To find a partner app, use the search bar. The application gallery catalog isn't available. |
| Register a custom enterprise application | Add an enterprise application. | Register a SAML app in your external tenant. |
| Self-service application assignment | Let users self-discover apps. | Self-service application assignment in the My Apps portal isn't available. |
| Application proxy | Microsoft Entra application proxy provides secure remote access to on-premises web applications. | Not available. |
| Deactivate app registration | Deactivate an app registration to prevent token issuance while preserving configuration. | Same as workforce. |
Consent and permission features for enterprise applications
The following table shows which consent and permission features are available for enterprise applications in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Admin consent for enterprise applications | You can grant tenant-wide admin permissions. You can also review and revoke them. | Same as workforce. |
| User consent for enterprise applications | You can configure how users consent to applications, and you can update these permissions. | Limited to permissions that don't require admin consent. |
| Review or revoke admin consent | Review and revoke permissions. | Use the Microsoft Entra admin center to revoke admin consent. |
| Review or revoke user consent | Review and revoke permissions. | Use Microsoft Graph API or PowerShell to revoke user consent. |
| Assign users or groups to apps | You can manage access to apps in an individual or group-based assignment. Nested group memberships aren't supported. | Same as workforce. |
| RBAC for app roles | You can define and assign roles for fine-grained access control. | Same as workforce. |
OpenID Connect and OAuth2 flows
The following table compares the features for OAuth 2.0 and OpenID Connect authorization flows in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| OpenID Connect | Yes | Yes |
| Authorization code | Yes | Yes |
| Authorization code with Proof Key for Code Exchange (PKCE) | Yes | Yes |
| Client credentials | Yes | v2.0 applications |
| Device authorization | Yes | Yes |
| On-behalf-of flow | Yes | Yes |
| Implicit grant | Yes | Yes |
| Resource owner password credentials | Yes | No; for mobile applications, use native authentication |
Authority URL in OpenID Connect and OAuth2 flows
The authority URL indicates a directory that the Microsoft Authentication Library (MSAL) can request tokens from. For apps in external tenants, always use the following format: <tenant-name>.ciamlogin.com.
The following JSON shows an example of a .NET application appsettings.json file with an authority URL:
```json
{
  "AzureAd": {
    "Authority": "https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/",
    "ClientId": "<Enter_the_Application_Id_Here>"
  }
}
```
Conditional Access
The following table compares the features for Microsoft Entra Conditional Access in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Assignments | Users, groups, and workload identities. | Include all users, and exclude users and groups. For more information, see Add multifactor authentication (MFA) to an app. |
| Target resources | ||
| Conditions | ||
| Grant | Grant or block access to resources | |
| Session | Session controls | The following session controls are available: |
Terms-of-use policies
The following table compares the features for terms-of-use policies in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Conditional Access policies | See the Microsoft Entra terms of use. | Not available. |
| Self-service sign-up | Not available. | Add a required attribute linked to your terms-of-use policies on the sign-up page. You can customize the hyperlink to support various languages. |
| Sign-in page | You can add links to the lower-right corner for privacy information by using company branding. | Same as workforce. |
Account management
The following table compares the features for user management in each type of tenant. As noted in the table, certain account types are created through invitation or self-service sign-up. A user admin in the tenant can also create accounts via the admin center.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Types of accounts | | |
| Manage user profile info | | Same as workforce, except cross-tenant synchronization isn't available. |
| Reset a user's password | Administrators can reset a user's password if the user forgets the password, is locked out of a device, or never received a password. | Same as workforce. |
| Restore or remove a recently deleted user | After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. | Same as workforce. |
| Disable accounts | Prevent the new user from signing in. | Same as workforce. |
Password protection
The following table compares the features for password protection in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Smart lockout | Smart lockout helps lock out bad actors who try to guess your users' passwords or use brute-force methods to get in. | Same as workforce. |
| Global banned passwords | The global banned passwords list automatically blocks commonly used weak or compromised passwords based on analysis of Microsoft Entra security data. | Same as workforce. |
| Custom banned passwords | Use the custom banned passwords list to add specific strings to evaluate and block during password creation and reset. | Same as workforce. |
Token customization
The following table compares the features for token customization in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Claims mapping | Customize claims issued in the JSON web token (JWT) for enterprise applications. | Same as workforce. Optional claims must be configured through Attributes & Claims. |
| Claims transformation | Apply a transformation to a user attribute issued in the JWT for enterprise applications. | Same as workforce. |
| Custom claims provider | Use a custom authentication extension that calls an external REST API to fetch claims from external systems. | Same as workforce. Learn more. |
| Security groups | Configure group optional claims. | Configure group optional claims, limited to the group object ID. |
| Token lifetimes | Specify the lifetime of security tokens issued by Microsoft Entra ID. | Same as workforce. |
| Session and token revocation | An administrator can invalidate all the refresh tokens and session for a user. | Same as workforce. |
Single sign-on
Single sign-on (SSO) provides a more seamless experience by reducing the number of times a user is asked for credentials. Users enter their credentials once. Other applications can reuse the established session on the same device and web browser without further prompting.
The following table compares the features for SSO in each type of tenant.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Types of application registration | Enterprise applications offer more options, like password-based, linked, and header-based registration. | |
| Domain name | When a user is authenticated, a session cookie is set on the Microsoft Entra domain login.microsoftonline.com in the web browser. | When a user is authenticated, a session cookie is set on the Microsoft Entra External ID domain <tenant-name>.ciamlogin.com or a custom URL domain in the web browser. To ensure that SSO functions correctly, use a single URL domain. |
| Stay signed in | You can turn on or turn off the option to stay signed in. | Same as workforce. |
| User provisioning | Use automatic user provisioning with System for Cross-domain Identity Management (SCIM) to sync user accounts between External ID and supported apps. This approach keeps user data up to date automatically. User provisioning supports differential queries. These queries sync only the changes since the last update. This behavior improves performance and reduces system load. | Same as workforce. |
| Session invalidation | Scenarios where SSO might be invalidated, which requires reauthentication: The application specifies in the authorization request to prompt the user for credentials by using the prompt=login query string parameter in OpenID Connect and the ForceAuthn attribute in the SAML request. | Same as workforce. |
| Conditional Access | Check the Conditional Access section. | Check the Conditional Access section. |
| Microsoft Entra native authentication | Not available. | Native authentication doesn't support SSO. |
| Sign-out | When a SAML or OpenID Connect application directs the user to the logout endpoint, Microsoft Entra ID removes and invalidates the user's session from the browser. | Same as workforce. |
| Single sign-out | Upon successful sign-out, Microsoft Entra ID sends a sign-out notification to all other SAML and OpenID Connect applications that the user is signed in to. | Same as workforce. |
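The Session invalidation row above, the authority URL format `<tenant-name>.ciamlogin.com`, and the PKCE row of the OAuth2 flow table come together in a single authorization request. The following added example (not code from this page or from Microsoft) builds that request for an external tenant: it generates a PKCE verifier and S256 challenge, validates the tenant subdomain before putting it in a URL, and adds `prompt=login` only when the app wants to force fresh credentials and bypass the SSO session. The authorize endpoint path `<subdomain>.onmicrosoft.com/oauth2/v2.0/authorize` under the authority, and all parameter values in the test, are assumptions.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

_SUBDOMAIN_RE = re.compile(r"[A-Za-z0-9-]{1,63}")


def new_verifier() -> str:
    """Random PKCE code_verifier (43 chars of base64url from 32 random bytes)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authority(tenant_subdomain: str) -> str:
    """Authority URL for an external tenant, in the form the page gives."""
    # Reject anything that is not a plain DNS label so an attacker-controlled
    # value cannot redirect the flow to a different host via '/', '.', or '@'.
    if not _SUBDOMAIN_RE.fullmatch(tenant_subdomain):
        raise ValueError("invalid tenant subdomain")
    return f"https://{tenant_subdomain}.ciamlogin.com/"


def build_authorize_url(
    tenant_subdomain: str,
    client_id: str,
    redirect_uri: str,
    state: str,
    verifier: str,
    force_login: bool = False,
) -> str:
    """Authorization-code request with PKCE; prompt=login forces reauthentication."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile offline_access",
        "state": state,  # bind the response to this browser session (CSRF)
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if force_login:
        # Per the Session invalidation row: invalidates SSO for this request.
        params["prompt"] = "login"
    base = authority(tenant_subdomain)
    # Assumed endpoint path under the authority for external tenants.
    return f"{base}{tenant_subdomain}.onmicrosoft.com/oauth2/v2.0/authorize?" + urlencode(params)
```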
Integrated security solutions
Microsoft Entra External ID supports integrated security features and partner solutions to help protect identities across the lifecycle. These capabilities include protection against distributed denial-of-service (DDoS) attacks, prevention of sign-up fraud, and unified monitoring.
You can enable these solutions directly in External ID and access partner integrations through the Microsoft Security Store. This approach allows organizations to deploy trusted security tools quickly without complex setup.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Sign-up fraud protection | The Security Store wizard experience isn't available. | Use Arkose Labs and HUMAN Security to help protect against sign-up fraud and block automated bot attacks. |
| DDoS and web application firewall (WAF) protection | The Security Store wizard experience isn't available. | Use Cloudflare and Akamai to help protect against DDoS attacks and secure apps with a WAF. |
| Security analytics | The Security Store wizard experience isn't available. | Use Azure Monitor and Microsoft Sentinel to enable one-click monitoring, Log Analytics, and advanced threat detection. |
Akamai and Cloudflare
Akamai and Cloudflare provide DDoS protection, bot mitigation, and WAF capabilities. These capabilities help defend applications against malicious traffic, abusive automation, and common web vulnerabilities such as SQL injection, cross‑site scripting, and API‑based attacks.
When you integrate either service with External ID, you can apply these security controls in front of your customer-facing identity flows. This action improves resilience and reduces exposure to credential stuffing and other identity‑targeted threats.
Activity logs and reports
The following table compares the features for activity logs and reports across various types of tenants.
| Feature | Workforce tenant | External tenant |
|---|---|---|
| Audit logs | These logs provide a detailed report of all events logged in Microsoft Entra ID, including modifications to applications, groups, and users. | Same as workforce. |
| Sign-in logs | The sign-in logs track all sign-in activities within a Microsoft Entra tenant, including access to your applications and resources. | Same as workforce. |
| Sign-up logs (preview) | Not available. | Microsoft Entra External ID logs all self-service sign-up events, including both successful sign-ups and failed attempts. |
| Provisioning logs | The provisioning logs provide detailed records of provisioning events within a tenant, such as user account creations, updates, and deletions. | Not available. |
| Activity logs for retention policies | Microsoft Entra data retention policies determine how long various types of logs (like audit, sign-in, and provisioning logs) are stored. | Seven days. |
| Export activity logs | By using diagnostic settings in Microsoft Entra ID, you can integrate logs with Azure Monitor, stream logs to an event hub, or integrate with security information and event management (SIEM) tools. | Azure Monitor for external tenants (preview). |
| Reports for application user activity | Not available. | Application user activity provides analytics on how users interact with registered applications in your tenant. It tracks metrics like active users, new users, sign-ins, and MFA success rates. |
Microsoft Graph APIs
All features that are supported in external tenants are also supported for automation through Microsoft Graph APIs. Some features that are in preview in external tenants might be generally available through Microsoft Graph. For more information, see Manage Microsoft Entra identity and network access by using Microsoft Graph.