Introducing Native Authentication for Microsoft Entra External ID

Kaushik Kislay

Today, we’re excited to announce the public preview of Native Authentication for Microsoft Entra External ID. Native authentication empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect authentication screens that are seamlessly integrated into your apps, rather than relying on browser-based solutions.

To learn more about native authentication, explore our docs.

Authentication on Mobile: Native authentication vs Browser-delegated

When it comes to implementing authentication for mobile apps on External ID, you have two options:

  • Fully custom SDK based native authentication.
  • Microsoft-hosted browser-delegated authentication.

In the browser-delegated mobile app sign-in process, users often experience a disruptive jump during authentication. They’re taken to a browser for authentication and then redirected back to the app when the sign-in is complete. This leads to a diluted experience and branding can be compromised. While browser-delegated methods can reduce attack vectors and support single sign-on (SSO), they suffer from limited UI customization and poor user experience.

Native authentication gives you full control over the user interface and experience.

When to use native authentication

The approach you choose will depend on your app’s specific requirements. While each app has unique authentication needs, there are some common considerations to keep in mind. Whether you choose native authentication or browser-delegated authentication, Microsoft Entra External ID supports both.

The following table compares the two authentication approaches to help you decide which one is right for your app.

Native authentication Browser-delegated authentication
User authentication experience Users have a rich, native mobile-first sign-up and sign-in journey without ever leaving the app. Users are taken to a system browser or embedded browser for authentication only to be redirected back to the app when the sign-in is complete. This is recommended if the redirection doesn’t negatively impact the end user experience.
Customization experience This API-centric approach offers a high level of customization, providing extensive flexibility in design and the ability to create tailored interactions and flows. Managed branding and customization options are available as an out-of-the-box feature.
Applicability For customer first-party mobile apps, when the authorization server and app are operated by the same entity and the user perceives them both as the same entity. Suitable for Entra ID and External ID apps, it can be used for mobile and desktop apps, single-page applications, and web apps.
Go live effort High. The developer builds, owns, and maintains the authentication experience. Low. Use it straight out of the box with minimal integration.
Maintenance effort High. It demands updating SDK packages and adjusting to any changes. Low.
Security Security responsibility is shared with developers, and best practices need to be followed. It’s prone to phishing attacks. Most secure option.
Supported languages and frameworks
  • Android (Kotlin, Java)
  • iOS (Swift, Objective-C)
  • ASP.NET Core
  • Android (Java)
  • iOS (Objective-C)
  • JavaScript
  • React
  • Angular
  • Node.js
  • Python
  • Java

How to use native authentication 

You can build apps that use native authentication by using our native authentication API or the Microsoft Authentication Library (MSAL) SDK for Android and iOS. Whenever possible, we recommend you use MSAL to add native authentication to your apps. If you are planning to create a mobile app on a framework currently not supported by MSAL, you can use our authentication API.

The MSAL SDK abstracts the underlying protocol and provides you with simple, intuitive scenario-based interfaces. For example, to sign a user in using the email one-time passcode flow, it captures the user’s email and sends them an email containing a one-time passcode to verify their email. When the user enters the valid one-time passcode, the app signs them in.

In the example below where we sign a user in, we use the library’s signIn(username) method, the function will return a result that you can assign to the actionResult field. The actionResult represents the result of the previously performed action and can take multiple states (forms).

To implement this, add a button to your application that calls the following code snippet when selected:


 CoroutineScope(Dispatchers.Main).launch {
     val actionResult = authClient.signIn(
         username = emailAddress
     if (actionResult is SignInResult.CodeRequired) {
         val nextState = actionResult.nextState
         val submitCodeActionResult = nextState.submitCode(
             code = code
         if (submitCodeActionResult is SignInResult.Complete){
             // Handle sign in success
             val accountState = submitCodeActionResult.resultValue
             val accessTokenResult = accountState.getAccessToken()
             if (accessTokenResult is GetAccessTokenResult.Complete) {
                 val accessToken = accessTokenResult.resultValue.accessToken
                 val idToken = accountState.getIdToken()

Error scenarios such as ‘user not found’ can be handled as shown in the code snippet below.


val actionResult = authClient.sign(
    username = emailAddress
if (actionResult is SignInResult.CodeRequired) {
    // Next step: submit code
} else if (actionResult is SignInError) {
    // Handle sign in errors
    when {
         actionResult.isUserNotFound() -> {
             // Handle "user not found" error
         else -> {
             // Handle other errors

Ready to get started?

Stay connected and informed

To learn more or test out features in the Microsoft Entra suite of products, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.


Leave a comment

  • Mark Radcliffe 0

    No mention of support for their own product Maui.NET, typical microsoft

  • Daniel Smith 0

    Shouldn’t we be treating passwords like plutonium in 2024? Aren’t there any plans for integration with Passkeys?

    Passwords will always be subject to phishing attacks, whereas with Passkeys, the key is not known by the end user, and will only be released to the original issuing site after confirmation by the user via biometrics or device PIN.

    • Kaushik KislayMicrosoft employee 2

      Passkeys are great because it brings in the right balance of user experience and security. We do see Passkeys playing a key role in the auth spectrum and it has been a big part of our focus. While the adoption of Passkeys is picking up in CIAM space, unfortunately it is still has limited familiarity among consumers who still find one-time pass-codes and passwords more familiar and is being used extensively by customers. With Native Authentication we aim to bring to our developers a wide range of auth methods so that they can choose what best suits their needs.

      • Daniel Smith 0

        That’s great that Passkeys are on the radar.

        Consumers may be more familiar with passwords, but at the same time, they’re really tired of them. We need to push for things like Passkeys for the sake of everyone. The average consumer shouldn’t really even have to know they’re using Passkeys – as far as they’re concerned it should just be a biometric interaction.

        For initial sign ups, one time passwords sent by email do have the advantage of confirming the user’s email address. If Passkeys could be combined with filling out pre-verified details such as a default email address, that would be a bonus.

        With Google, Apple and Microsoft all behind Passkeys as an open industry standard, it’s really up to you guys to push it as THE way forward, and remove any blockers that prevent developers and end users from adopting it.

  • Renan Botasse 0

    I had problems while trying to use the Expo platform when I needed to make an authentication. Despite extensive searching on the internet, I couldn’t find much support from Google or Apple to resolve these issues. It’s amazing to see Microsoft working on a project like this, and I’m sure it will be helpful. Great job!

Feedback usabilla icon