Business User to manage an Application’s users in Entra External ID
Hi all,
In my company we are using Microsoft Entra External ID as CIAM for one of our applications. Users are external to the company (i.e. ‘consumers’). Users are initially created by IT, as the app is not open for the general public.
Everything works fine so far and, in addition to the authentication, we are using Entra External ID for authorization as well. For that, we are using regular Entra groups that travel to the app using OIDC claims, so once the user has successfully authenticated, the app gets the group membership(s) as well.
Here comes the question:
We now want to have a non-IT, business user manage authorizations (i.e. group memberships). The options we are considering are:
1) Provide the business user access to the Entra External ID console, with a heavily restricted role that will only allow him to manage users of a certain app (in general, a limited collection of apps).
2) Create a (web) application that handles user authorization management. It would basically show the list of users and the group membership of each, and allow making modifications to them.
For option 2) we would like to keep it “CIAM agnostic”, meaning we don’t want to have it solved via something like the MS Graph API, for instance. Instead, we would like (if possible) a solution based on standards such as OIDC. We are open to using any other standard protocol such as SAML.
We don’t know if either of the options is actually feasible, or if there is a better approach that should be considered. Any ideas about how we can handle this?
Thank you all in advance for your help.
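The authorization path the post describes, group membership arriving in an OIDC token and the application mapping it to permissions, as an added example that is not part of the original post and not Microsoft's or the poster's code. It assumes constructed values throughout: the issuer URL, the client id used as audience, and the group object ids are placeholders, and the token is HS256-signed with a demo secret so the example runs offline with the standard library (real Entra External ID tokens are RS256-signed and are verified against the tenant's published JWKS; a production app should use a maintained JWT library for that). The point it adds to the paragraph is the checks the relying party still owns even when the IdP is the source of truth for membership: issuer, audience, expiry and signature are validated before any claim is read, a token with no `groups` claim yields no permissions, and the app's own group-to-permission table is the only Entra-specific knowledge it keeps.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Real Entra External ID tokens are RS256-signed and must be
# verified against the tenant JWKS; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

# Assumed values an app would normally read from its own configuration.
EXPECTED_ISSUER = "https://contoso.ciamlogin.com/00000000-0000-0000-0000-000000000000/v2.0"
EXPECTED_AUDIENCE = "11111111-2222-3333-4444-555555555555"  # the app's client id

# Assumed group object ids -> application permissions. The IdP decides who is in a
# group; the app decides what a group is allowed to do.
GROUP_TO_ROLES = {
    "aaaaaaaa-0000-0000-0000-000000000001": {"reports:read"},
    "aaaaaaaa-0000-0000-0000-000000000002": {"reports:read", "reports:approve"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_demo_token(claims: dict) -> str:
    """Build a compact JWT signed with the demo secret (stand-in for the IdP)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_parse(token: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and time window check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm you configured; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        DEMO_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims


def roles_for_token(token: str, now=None) -> set:
    """Map the token's group ids to app permissions; deny by default."""
    claims = verify_and_parse(token, now)
    groups = claims.get("groups")
    # A missing or malformed groups claim grants nothing.
    if not isinstance(groups, list):
        return set()
    roles = set()
    for group_id in groups:
        roles |= GROUP_TO_ROLES.get(group_id, set())
    return roles


def demo_claims(groups, now: int) -> dict:
    """Constructed claim set shaped like an ID token payload carrying a groups claim."""
    return {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": "user-1",
        "iat": now,
        "nbf": now,
        "exp": now + 3600,
        "groups": list(groups),
    }


if __name__ == "__main__":
    now = int(time.time())
    token = sign_demo_token(demo_claims(["aaaaaaaa-0000-0000-0000-000000000002"], now))
    print(sorted(roles_for_token(token, now)))
```

Because the app resolves permissions from the group ids in each token, changing who may approve reports is purely a membership change on the IdP side; no deployment of the app is needed, which is what makes delegating that change to a business user attractive in the first place.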