Using Microsoft Entra External ID and Cerbos for authentication and authorization

Martin Gjoshevski

Alex Olivier

This blog post has been co-authored by Martin Gjoshevski, Senior Customer Engineer at Microsoft and Alex Olivier, Chief Product Officer at Cerbos, a Microsoft Partner.

In the realm of software development, authentication and authorization play a pivotal role, serving as guardians of your data and system security and integrity. These terms are often confused with one another; however, they serve two distinct functions.

In this blog post, part one of a three-part series, we look at the difference between authentication and authorization, and what to consider when choosing the right approach to authorization. We explore the concept of coupled and decoupled authentication and authorization and provide a high-level framework for choosing an approach that meets the needs of your specific scenario. We also share a brief teaser of what’s coming in part two!

authentication and authorization


Authentication is the process of validating the identity of a user or device. This typically involves using unique credentials, like a username-password pair or a digital certificate. It acts as a crucial first line of defence, ensuring only known users or devices gain access to your system or application. Without robust authentication measures, the door opens for entities to compromise sensitive data and jeopardize system security.

The choice of authentication method hinges on factors such as desired security levels, data sensitivity, and the entity undergoing authentication. Common methods include passwords, biometric authentication, token-based authentication, two-factor authentication, multifactor authentication, and certificate-based authentication.

Using a comprehensive, identity as a service (IDaaS) solution, like Microsoft Entra External ID eliminates the need to build and maintain your own authentication stack.


Authorization, on the other hand, decides whether to grant or deny access to specific resources or functionality based on a user’s identity and permissions. It controls which users or resources can access particular data or features, post-authentication.

Effective authorization aids in maintaining compliance with regulatory standards and mitigates the risk of data breaches and security incidents. Flawed authorization can lead to unauthorized data disclosure, modification, or destruction. According to the OWASP Top Ten, faulty access control tops the list of potential security issues in web applications.

In addition to robust authentication, implementing reliable authorization mechanisms is crucial to controlling user access. Various authorization methods exist, such as access control lists (ACL), role-based access control (RBAC), and attribute-based access control (ABAC)—all offering various levels of flexibility. Which one you choose depends on your system or application’s specific requirements and the desired security level.

Choosing the right authorization approach

Authorizing users in Software as a Service (SaaS) applications presents several challenges and demands the careful consideration of best practices to ensure effective security measures are put in place.

Role-based access control (RBAC) is a common approach to user authorization, where access permissions are assigned based on predefined roles. However, in the dynamic environment of SaaS applications, where user roles change frequently, building and maintaining an accurate and up-to-date RBAC system can be challenging.

Attribute-based access control (ABAC) addresses some of these challenges by considering various attributes, such as user characteristics or environmental factors in the decision-making process. This flexibility allows for more granular control over access rights, accommodating the diverse needs of SaaS applications. However, defining and managing a multitude of attributes can become complex and requires careful planning.

IDaaS solutions normally provide a range of both authentication and authorization features. If your IDaaS does not directly support a particular authorization approach, for example ABAC, you can often build it yourself within your application or use a specialized authorization service. For example, Cerbos provides a flexible and expressive policy engine designed specifically for SaaS applications. Cerbos is an open-source, scalable authorization solution that simplifies the implementation of RBAC, ABAC, and policy-based access control by offering a unified framework. Its dynamic policy evaluation adapts to changes in user roles and attributes, ensuring accurate access decisions. Cerbos also provides a centralized management console, enabling you to define and enforce policies across SaaS environments.

Coupled or decoupled authentication and authorization

As outlined above, authentication (AuthN) and authorization (AuthZ) can be implemented as separate or coupled processes, depending on the needs and preferences of the developers and users. In this section, we explore coupled and decoupled AuthN and AuthZ, and discuss scenarios where each approach may be suitable.

Coupled AuthN and AuthZ

Coupled AuthN and AuthZ refers to the situation where one service or framework handles both identity verification and access control, such as Microsoft Entra External ID. This is a common and convenient way to implement security in SaaS applications. It allows developers to use ready-made solutions that they can integrate with their code and add business logic customization.

Microsoft Entra External ID provides a comprehensive authentication service that supports various methods, such as passwords, biometrics, email verification, and social identities, and allows developers to add authorization logic, based on user roles, groups, or custom attributes as token claims.

It’s a solution that you can integrate with your applications that allows organizations to efficiently manage and secure access to users, such as customers, who are outside of their corporate domain. It enables seamless access to applications and resources, simplifies identity management, enhances security, and provides an intuitive experience for external users interacting with an organization’s resources.

Benefits of coupled AuthN and AuthZ

  • Simplified architecture: You don’t need to deal with multiple services or libraries for security and can rely on a single vendor or provider.

  • Customization: You can enrich tokens or credentials with additional information, such as user attributes or permissions, that can be used for subsequent access decisions. It makes it easy to start with industry protocols as OAuth 2.0.

  • Lower Operational Costs: Operating a single system for both AuthN and AuthZ can lead to cost savings on infrastructure, maintenance, and administrative overhead.

Things to consider when using coupled AuthN and AuthZ

  • Plan for growth: When using a coupled AuthN and AuthZ, evaluate the adaptability of your application to scaling or evolving business needs. In other words, it’s good to strategically plan ahead, where possible, to keep things flexible.

  • Keep things simple: Be mindful of the potential for complexity in managing authorization policies across different microservices or components of your application. Consider strategies for maintaining consistency across your system.

  • Implement security best practices: When implementing authorization logic within your application, it’s crucial to adopt robust security practices. This minimizes risks and ensures sufficient logging and monitoring are in place.

Decoupled AuthN and AuthZ

Decoupled AuthN and AuthZ refers to the approach where the identity authentication and access control are handled by separate services or frameworks, such as using Cerbos in conjunction with Microsoft Entra External ID. This is a flexible way to implement granular permissions logic in SaaS applications. It allows you to use specialized solutions that offer expressiveness and control.

Benefits of decoupled AuthN and AuthZ

  • Flexibility: You can choose the right authentication and authorization solutions for your needs, and switch or combine them as needed, without affecting other aspects of security.

  • Code separation: You can keep business logic separate from source code and avoid cluttering your code with authorization checks or conditions.

  • Agility: You can benefit from the increased agility and scalability of each solution’s security processes as you can update or change their policies without having to redeploy code or services.

Things to consider when using decoupled AuthN and AuthZ

  • Streamline integration: When working with separate services for sign-in security and access control, think about and plan for how these services will work together and with your application.

  • Optimize for performance: Your application may have to perform additional calls or queries for every API request as it must consult both the authentication and authorization services for access decisions. Consider how this impacts the speed and performance of your application.

  • Simplify service management: Maintaining and monitoring several security services or frameworks means keeping them all in sync, secure, and up-to-date. Implement an organized approach to help maintain a strong security posture.

Choosing between coupled or decoupled AuthN and AuthZ for your application

Deciding on whether to use coupled or decoupled AuthN and AuthZ depends on various factors, such as the size, complexity, and nature of the application, the security requirements and expectations of the users, and indeed your own preferences and skill level.

Coupled AuthN and AuthZ may be considered more suitable for applications, where performing complex authorization checks is not required, and where you value convenience and simplicity over flexibility.

Decoupled AuthN and AuthZ may be considered more suitable for applications with complex and dynamic authorization business logic—where you value flexibility, and are looking to standardize the authorization logic across different components or microservices.

Key takeaways, and what’s coming in part two

In software development, authentication and authorization are distinct yet crucial processes for ensuring the security and integrity of data and systems.

  • Authentication involves validating the identity of users or devices through unique credentials, acting as a crucial first line of defence against unauthorized access. The choice of authentication method, such as passwords or biometrics, depends on factors like security levels and data sensitivity.

  • Authorization determines access to specific resources based on user identity and permissions, playing a vital role in compliance and mitigating the risk of data breaches.

  • Using comprehensive solutions like Microsoft Entra External ID or Cerbos, either as standalone solutions or in conjunction with one another, provides efficient, prebuilt options that cater to immediate needs while offering scalability for evolving business requirements.

In part 2, we’ll walk you through the process of integrating Microsoft Entra External ID and Cerbos, look at how External ID enables SaaS applications to federate identities from across various identity providers, and explore how Cerbos enables applications to define and enforce fine-grained authorization policies.

Let’s stay connected

To learn more or test out features in the Microsoft Entra portfolio, visit our developer center. Sign up for email updates on the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.


Leave a comment

Feedback usabilla icon