Microsoft Entra External ID
Microsoft Corporation
Last verified 2026-05-22 · Reviewed by guptadeepak
Editorial verdict
Microsoft Entra External ID went GA in September 2024 as the modern successor to Azure AD B2C, which entered end-of-sale to new customers on May 1, 2025 and retires existing B2C tenants on March 15, 2026, every Azure AD B2C customer should be in active migration. Entra External ID is the right CIAM choice when the organization is already standardized on Microsoft 365 and Azure, and when FedRAMP High or strict Microsoft-shop compliance is required. The materially modernized policy model and DX (vs B2C) close part of the gap, but still trail the developer-first tier on velocity and ergonomics. Outside Microsoft-native architectures, the integration story rarely justifies the friction.
Last verified by @guptadeepak on 2026-05-22.
At a glance
- Best for
- Organizations already standardized on Microsoft 365 / Entra / Azure
- Pricing
- tiered-mau
- Free tier
- 50,000 MAU
- Deployment
- cloud-saas
- SOC 2 Type II
- Yes
- Passkeys
- Native
- Self-host
- No
- Open source
- No
Funding & business
- Funding model
- Platform division
- Total raised
- None
- Latest round
- None disclosed
- Years in business
- 2 yrs
- Profitable
- Not disclosed
Part of Microsoft Entra (NASDAQ: MSFT); funded internally, never a standalone company.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Successor to Azure AD B2C with materially modernized DX, simplified policy model, and unified Entra console.
- FedRAMP High, PCI Level 1, HIPAA, ISO 27001/27018, strongest compliance footprint among hyperscaler CIAM.
- Native Azure integration, Conditional Access, Logic Apps, Sentinel, and the broader Microsoft security graph.
- Generous free tier (50k MAU) and competitive per-MAU pricing at consumer scale.
Limitations
- DX is improved over Azure AD B2C but still trails Auth0 / Clerk / Stytch, Microsoft's documentation tone, terminology, and admin console are AAD-shaped.
- B2B Organizations model is partial, multi-tenancy works through Entra tenants but lacks the SaaS-native ergonomics of WorkOS or Frontegg.
- No native FGA / Zanzibar-style fine-grained authorization.
- Migrations between Azure AD B2C (the predecessor) and External ID are non-trivial; legacy customers carry policy debt.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Password authentication | Yes |
|---|---|
| Social login | Yes |
| Magic links | No |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Partial |
| Adaptive MFA | Yes |
| Step-up auth | Yes |
| RBAC | Yes |
|---|---|
| ABAC | Yes |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |
| Self-service registration | Yes |
|---|---|
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Partial |
| Multi-tenancy | Yes |
| REST API | Yes |
|---|---|
| GraphQL API | Yes |
| SDKs | js, node, react, dotnet, python, java, go, ios, swift, android, kotlin |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | Azure Functions + Custom policies (External Identities) |
| Bot detection | Yes |
|---|---|
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | Partial |
| MCP support | Partial |
|---|---|
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | Partial |
| Web Bot Auth | No |
| SOC 2 Type II | Yes |
|---|---|
| ISO 27001 | Yes |
| ISO 27018 | Yes |
| HIPAA | Yes |
| PCI DSS | Level 1 |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | High |
| EU data residency | Yes |
| Consent management | Partial |
|---|---|
| Preference center | Partial |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| 10,000 MAU | $0/mo |
|---|---|
| 100,000 MAU | $165/mo |
| 500,000 MAU | $1,500/mo |
| 1,000,000 MAU | $3,300/mo |
- Free tier: 50k MAU on standard authentication
- Per-MAU pricing applies above free tier, competitive at consumer scale
- Premium features (P1 / P2) priced separately for advanced threat detection
- Azure infrastructure costs for Logic Apps, Functions, and audit log retention add up
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Organizations already standardized on Microsoft 365 / Entra / Azure
- Workloads requiring FedRAMP High, PCI Level 1, or strict Microsoft-compliance baselines
- Cost-sensitive consumer apps in the Microsoft ecosystem
Not for
- Teams that prioritize developer velocity and DX over Microsoft-ecosystem integration
- B2B SaaS needing first-class Organizations / SCIM / per-tenant audit
- Multi-cloud or AWS / GCP-native deployments
FAQ
- How is Entra External ID different from Azure AD B2C?
- Entra External ID is the successor product, generally available in 2024, with a unified Entra admin console, simplified policy model, and modernized SDK surface. Azure AD B2C remains supported for existing customers but is no longer the recommended path for new deployments. Migrations are non-trivial, custom policies must be redesigned around the new External ID model.
- Does Entra External ID support FedRAMP?
- Yes, FedRAMP High via Azure Government and the in-scope commercial regions. Combined with PCI Level 1 and HIPAA, this is the broadest compliance footprint among hyperscaler-native CIAM, materially ahead of Cognito and Firebase Auth on attestation breadth.
- When does Entra External ID make sense over Auth0?
- When the organization runs on Microsoft 365 / Azure and benefits from Conditional Access integration, Sentinel security graph integration, or Logic Apps automation. For AWS-native or developer-velocity-focused teams, Auth0 retains a meaningful DX advantage.
Sources
- Microsoft Entra External ID overviewaccessed 2026-04-22
- Microsoft Entra pricingaccessed 2026-04-22
What Entra External ID is
Entra External ID is Microsoft's customer identity product, generally available in 2024 as the successor to Azure AD B2C. The product line sits inside the broader Entra (formerly Azure AD) family, same admin console, same conditional access engine, same audit pipeline, but with a distinct tenant model for external customer identities and a policy surface designed for B2C and B2B-mixed workloads. The buyer is typically an organization already running Microsoft 365 or Azure infrastructure, where unified identity governance across employees, partners, and customers is the strategic anchor.
Where Entra External ID wins
The Microsoft-stack integration is the structural advantage. Conditional Access policies that govern employee identities can extend coherently to external identities; Microsoft Sentinel captures the audit signal in the same SIEM pane; Logic Apps and Azure Functions extend the policy surface without leaving the Microsoft tooling. For organizations whose security operations are already built around Microsoft, this avoids a parallel toolchain.
Compliance breadth is unmatched among hyperscaler CIAM. FedRAMP High, PCI DSS Level 1, HIPAA, ISO 27001/27018, GDPR, all attested at the Microsoft service level. For federal workloads, healthcare, and fintech, Entra External ID often lands as the only fully-attested cloud-native option.
The free tier (50k MAU) and per-MAU pricing curve are competitive with Cognito and below most SaaS CIAM at consumer scale. For high-MAU consumer apps in the Microsoft ecosystem, the unit economics favor Entra over Auth0 by a wide margin.
The DX is materially improved over Azure AD B2C, simplified policy model, unified console, modernized SDKs, though still not at the level of developer-first CIAM.
Where Entra External ID hurts
DX is the lasting friction. Microsoft's documentation tone is reference-first, the terminology is Azure-AD-shaped, and the admin console reflects enterprise-IT design rather than developer-product design. Teams accustomed to Auth0 / Clerk / Stytch find the onboarding curve longer.
The B2B Organizations model is partial. Multi-tenancy works through Entra tenants but lacks the SaaS-native ergonomics of WorkOS or Frontegg, no embedded Admin Portal, no per-tenant feature flags, no first-class Organizations object. For B2B SaaS specifically, the gap is meaningful.
There's no native Zanzibar-style FGA. ABAC works through claims and Conditional Access; for fine-grained per-resource permissions, pair with an authorization service.
Migrations from Azure AD B2C to External ID are non-trivial. Custom policies do not port cleanly; the new External Identities policy model is simpler but different. Legacy AAD B2C customers carry policy debt.
Outside the Microsoft ecosystem, the integration story is weaker. AWS-native or GCP-native architectures typically reach for Cognito or Firebase Auth instead.
How Entra External ID compares
The closest hyperscaler comparisons are Cognito vs Entra External ID and Firebase Auth vs Entra External ID. For developer velocity at comparable compliance footprint, Auth0 is the alternative. For strict on-prem deployment with similar compliance autonomy, Keycloak is the self-hosted option.
Editorial changelog (2 entries)
Routine profile review: capabilities, pricing, and editorial verdict re-verified.
Verdict updated to reflect Entra External ID GA (September 2024) and the Azure AD B2C retirement timeline (end-of-sale May 1 2025; tenants retire March 15 2026). Existing B2C customers should be in active migration.