Introducing Native Authentication for Microsoft Entra External ID

Kaushik Kislay

Today, we’re excited to announce the public preview of Native Authentication for Microsoft Entra External ID. Native authentication empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect authentication screens that are seamlessly integrated into your apps, rather than relying on browser-based solutions.

To learn more about native authentication, explore our docs.

Authentication on Mobile: Native authentication vs Browser-delegated

When it comes to implementing authentication for mobile apps on External ID, you have two options:

  • Fully custom SDK based native authentication.
  • Microsoft-hosted browser-delegated authentication.

In the browser-delegated mobile app sign-in process, users often experience a disruptive jump during authentication. They’re taken to a browser for authentication and then redirected back to the app when the sign-in is complete. This leads to a diluted experience and branding can be compromised. While browser-delegated methods can reduce attack vectors and support single sign-on (SSO), they suffer from limited UI customization and poor user experience.

Native authentication gives you full control over the user interface and experience.

When to use native authentication

The approach you choose will depend on your app’s specific requirements. While each app has unique authentication needs, there are some common considerations to keep in mind. Whether you choose native authentication or browser-delegated authentication, Microsoft Entra External ID supports both.

The following table compares the two authentication approaches to help you decide which one is right for your app.

User authentication experience
  • Native authentication: Users have a rich, native mobile-first sign-up and sign-in journey without ever leaving the app.
  • Browser-delegated authentication: Users are taken to a system browser or embedded browser for authentication, only to be redirected back to the app when the sign-in is complete. This is recommended if the redirection doesn’t negatively impact the end user experience.

Customization experience
  • Native authentication: This API-centric approach offers a high level of customization, providing extensive flexibility in design and the ability to create tailored interactions and flows.
  • Browser-delegated authentication: Managed branding and customization options are available as an out-of-the-box feature.

Applicability
  • Native authentication: For customer first-party mobile apps, when the authorization server and app are operated by the same entity and the user perceives them both as the same entity.
  • Browser-delegated authentication: Suitable for Entra ID and External ID apps; it can be used for mobile and desktop apps, single-page applications, and web apps.

Go live effort
  • Native authentication: High. The developer builds, owns, and maintains the authentication experience.
  • Browser-delegated authentication: Low. Use it straight out of the box with minimal integration.

Maintenance effort
  • Native authentication: High. It demands updating SDK packages and adjusting to any changes.
  • Browser-delegated authentication: Low.

Security
  • Native authentication: Security responsibility is shared with developers, and best practices need to be followed. It’s prone to phishing attacks.
  • Browser-delegated authentication: Most secure option.

Supported languages and frameworks
  • Native authentication: Android (Kotlin, Java); iOS (Swift, Objective-C)
  • Browser-delegated authentication: ASP.NET Core; Android (Java); iOS (Objective-C); JavaScript; React; Angular; Node.js; Python; Java

How to use native authentication

You can build apps that use native authentication by using our native authentication API or the Microsoft Authentication Library (MSAL) SDK for Android and iOS. Whenever possible, we recommend you use MSAL to add native authentication to your apps. If you are planning to create a mobile app on a framework currently not supported by MSAL, you can use our authentication API.

The MSAL SDK abstracts the underlying protocol and provides you with simple, intuitive scenario-based interfaces. For example, to sign a user in using the email one-time passcode flow, it captures the user’s email and sends them an email containing a one-time passcode to verify their email. When the user enters the valid one-time passcode, the app signs them in.

In the example below, we sign a user in with the library’s signIn(username) method. The method returns a result that we assign to the actionResult field; this value represents the outcome of the action just performed and can take one of several states (forms).

To implement this, add a button to your application that calls the following code snippet when selected:

Kotlin

import kotlinx.coroutines.CoroutineScope
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.launch

// authClient is the app's initialized NativeAuthPublicClientApplication.
// emailAddress is the text of the email input field. code is the one-time passcode the
// user types after the email arrives; a real app collects it on a second screen and keeps
// nextState until then (this snippet is simplified).
CoroutineScope(Dispatchers.Main).launch {
    val actionResult = authClient.signIn(
        username = emailAddress
    )
    if (actionResult is SignInResult.CodeRequired) {
        // The service has emailed a one-time passcode; submit it to continue
        val nextState = actionResult.nextState
        val submitCodeActionResult = nextState.submitCode(
            code = code
        )
        if (submitCodeActionResult is SignInResult.Complete) {
            // Handle sign in success
            val accountState = submitCodeActionResult.resultValue
            val accessTokenResult = accountState.getAccessToken()
            if (accessTokenResult is GetAccessTokenResult.Complete) {
                val accessToken = accessTokenResult.resultValue.accessToken
                val idToken = accountState.getIdToken()
            }
        }
    }
}

Error scenarios such as ‘user not found’ can be handled as shown in the code snippet below.

Kotlin

val actionResult = authClient.signIn(
    username = emailAddress
)
if (actionResult is SignInResult.CodeRequired) {
    // Next step: submit code
} else if (actionResult is SignInError) {
    // Handle sign in errors
    when {
        actionResult.isUserNotFound() -> {
            // Handle "user not found" error
        }
        else -> {
            // Handle other errors
        }
    }
}
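As an added example (not code from the original post or from the MSAL project), here is the same email one-time-passcode flow restructured the way a shipping app needs it: the CodeRequired state is kept until the user actually types the passcode on a second screen, and the error cases are handled explicitly (user not found, browser required, invalid code, token failure). The MSAL names used (`NativeAuthPublicClientApplication`, `SignInCodeRequiredState`, `AccountState`, `SubmitCodeError`, `isBrowserRequired()`, `isInvalidCode()`, `errorMessage`, and the import paths) are taken from the MSAL Android native authentication SDK as I know it and are an assumption to verify against your SDK version; `EmailOtpSignInController`, `UiEvent`, the scopes value and the UI wiring are hypothetical names made up for this example.

```kotlin
// Added example, not from the original post or the MSAL project.
// MSAL class and package names are as in the MSAL Android native auth SDK at the time of
// writing (assumption: verify against your SDK version); everything else is hypothetical.
import com.microsoft.identity.nativeauth.NativeAuthPublicClientApplication
import com.microsoft.identity.nativeauth.statemachine.errors.SignInError
import com.microsoft.identity.nativeauth.statemachine.errors.SubmitCodeError
import com.microsoft.identity.nativeauth.statemachine.results.GetAccessTokenResult
import com.microsoft.identity.nativeauth.statemachine.results.SignInResult
import com.microsoft.identity.nativeauth.statemachine.states.AccountState
import com.microsoft.identity.nativeauth.statemachine.states.SignInCodeRequiredState

// What the controller asks the UI to do next (hypothetical; map these to your screens).
sealed class UiEvent {
    object ShowCodeEntry : UiEvent()            // email sent; show the passcode screen
    object InvalidCodeTryAgain : UiEvent()      // wrong passcode; keep the screen, let the user retry
    object UserNotFoundOfferSignUp : UiEvent()  // no account for this email; offer sign-up
    object FallBackToBrowser : UiEvent()        // tenant policy requires the browser-delegated flow
    data class SignedIn(val accessToken: String, val idToken: String?) : UiEvent()
    data class Failed(val message: String?) : UiEvent()
}

class EmailOtpSignInController(
    private val authClient: NativeAuthPublicClientApplication,
    private val scopes: List<String>,   // placeholder: the scopes your API expects
    private val onEvent: (UiEvent) -> Unit,
) {
    // Kept between "send code" and "submit code"; null when no challenge is pending.
    private var pendingChallenge: SignInCodeRequiredState? = null

    // Step 1: the user entered an email and tapped "Continue".
    suspend fun start(emailAddress: String) {
        pendingChallenge = null
        when (val result = authClient.signIn(username = emailAddress, scopes = scopes)) {
            is SignInResult.CodeRequired -> {
                pendingChallenge = result.nextState   // hold the state until the user has the code
                onEvent(UiEvent.ShowCodeEntry)
            }
            is SignInResult.Complete -> finish(result.resultValue)
            is SignInError -> when {
                result.isUserNotFound() -> onEvent(UiEvent.UserNotFoundOfferSignUp)
                result.isBrowserRequired() -> onEvent(UiEvent.FallBackToBrowser)
                else -> onEvent(UiEvent.Failed(result.errorMessage))
            }
            else -> onEvent(UiEvent.Failed("Unexpected sign-in result: $result"))
        }
    }

    // Step 2: the user typed the passcode from the email and tapped "Verify".
    suspend fun submitCode(code: String) {
        val challenge = pendingChallenge
        if (challenge == null) {
            onEvent(UiEvent.Failed("No passcode challenge is pending; call start() first"))
            return
        }
        when (val result = challenge.submitCode(code = code)) {
            is SignInResult.Complete -> {
                pendingChallenge = null
                finish(result.resultValue)
            }
            is SubmitCodeError -> {
                if (result.isInvalidCode()) {
                    onEvent(UiEvent.InvalidCodeTryAgain)   // challenge stays valid for another attempt
                } else {
                    pendingChallenge = null
                    onEvent(UiEvent.Failed(result.errorMessage))
                }
            }
            else -> onEvent(UiEvent.Failed("Unexpected submit-code result: $result"))
        }
    }

    // Step 3: obtain tokens from the signed-in account. Tokens are secrets: hand them to
    // the API client, never to logs.
    private suspend fun finish(account: AccountState) {
        when (val tokenResult = account.getAccessToken()) {
            is GetAccessTokenResult.Complete ->
                onEvent(UiEvent.SignedIn(tokenResult.resultValue.accessToken, account.getIdToken()))
            else -> onEvent(UiEvent.Failed("Could not get an access token: $tokenResult"))
        }
    }
}

// Hypothetical wiring from an Activity or ViewModel:
//   val controller = EmailOtpSignInController(authClient, scopes, ::render)
//   lifecycleScope.launch { controller.start(emailField.text.toString()) }      // "Continue" button
//   lifecycleScope.launch { controller.submitCode(codeField.text.toString()) }  // "Verify" button
```

The design point is that the SDK's state objects are the only way to continue a flow, so the app must keep `SignInCodeRequiredState` across the screen change and clear it once the sign-in completes or fails for good; an invalid code leaves the challenge usable, so the controller keeps it and lets the user retry instead of starting over.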

Ready to get started?

Stay connected and informed

To learn more or test out features in the Microsoft Entra suite of products, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.

5 comments


  • Mark Radcliffe 0

    No mention of support for their own product Maui.NET, typical Microsoft

  • Daniel Smith 0

    Shouldn’t we be treating passwords like plutonium in 2024? Aren’t there any plans for integration with Passkeys?

    Passwords will always be subject to phishing attacks, whereas with Passkeys, the key is not known by the end user, and will only be released to the original issuing site after confirmation by the user via biometrics or device PIN.

    • Kaushik Kislay (Microsoft employee) 2

      Passkeys are great because they bring in the right balance of user experience and security. We do see Passkeys playing a key role in the auth spectrum, and they have been a big part of our focus. While the adoption of Passkeys is picking up in the CIAM space, unfortunately it still has limited familiarity among consumers, who still find one-time passcodes and passwords more familiar, and those are being used extensively by customers. With Native Authentication we aim to bring our developers a wide range of auth methods so that they can choose what best suits their needs.

      • Daniel Smith 0

        That’s great that Passkeys are on the radar.

        Consumers may be more familiar with passwords, but at the same time, they’re really tired of them. We need to push for things like Passkeys for the sake of everyone. The average consumer shouldn’t really even have to know they’re using Passkeys – as far as they’re concerned it should just be a biometric interaction.

        For initial sign ups, one time passwords sent by email do have the advantage of confirming the user’s email address. If Passkeys could be combined with filling out pre-verified details such as a default email address, that would be a bonus.

        With Google, Apple and Microsoft all behind Passkeys as an open industry standard, it’s really up to you guys to push it as THE way forward, and remove any blockers that prevent developers and end users from adopting it.

  • Renan Botasse 0

    I had problems while trying to use the Expo platform when I needed to make an authentication. Despite extensive searching on the internet, I couldn’t find much support from Google or Apple to resolve these issues. It’s amazing to see Microsoft working on a project like this, and I’m sure it will be helpful. Great job!
