{"id":1649,"date":"2024-03-28T05:02:17","date_gmt":"2024-03-28T12:02:17","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/identity\/?p=1649"},"modified":"2024-04-05T07:55:49","modified_gmt":"2024-04-05T14:55:49","slug":"native-auth-for-external-id","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/identity\/native-auth-for-external-id\/","title":{"rendered":"Introducing Native Authentication for Microsoft Entra External ID"},"content":{"rendered":"<p>Today, we\u2019re excited to announce the public preview of Native Authentication for Microsoft Entra External ID. Native authentication empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect authentication screens that are seamlessly integrated into your apps, rather than relying on browser-based solutions.<\/p>\n<p>To learn more about native authentication, <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/concept-native-authentication\">explore our docs<\/a>.<\/p>\n<p><div  class=\"d-flex justify-content-center\"><a class=\"cta_button_link btn-primary mb-24\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/samples-ciam-all?tabs=apptype#mobile-native-authentication\" target=\"_blank\">Get Started with Code Samples<\/a><\/div><\/p>\n<h2>Authentication on Mobile: Native authentication vs Browser-delegated<\/h2>\n<p>When it comes to implementing authentication for mobile apps on External ID, you have two options:<\/p>\n<ul>\n<li>Fully custom, SDK-based native authentication.<\/li>\n<li>Microsoft-hosted browser-delegated authentication.<\/li>\n<\/ul>\n<p>In the browser-delegated mobile app sign-in process, users often experience a disruptive jump during authentication. They&#8217;re taken to a browser for authentication and then redirected back to the app when the sign-in is complete. 
This leads to a diluted experience and branding can be compromised. While browser-delegated methods can reduce attack vectors and support single sign-on (SSO), they suffer from limited UI customization and poor user experience.<\/p>\n<p>Native authentication gives you full control over the user interface and experience.<\/p>\n<p><center>\n  <div style=\"width: 640px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-1649-1\" width=\"640\" height=\"360\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/03\/Native-Authentication-Demo.mp4?_=1\" \/><a href=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/03\/Native-Authentication-Demo.mp4\">https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/03\/Native-Authentication-Demo.mp4<\/a><\/video><\/div>\n<\/center><\/p>\n<h2>When to use native authentication<\/h2>\n<p>The approach you choose will depend on your app\u2019s specific requirements. While each app has unique authentication needs, there are some common considerations to keep in mind. 
Whether you choose native authentication or browser-delegated authentication, Microsoft Entra External ID supports both.<\/p>\n<p>The following table compares the two authentication approaches to help you decide which one is right for your app.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left\">\n      <\/th>\n<th style=\"text-align: left\">\n        Native authentication\n      <\/th>\n<th style=\"text-align: left\">\n        Browser-delegated authentication\n      <\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left\">\n        <strong>User authentication experience<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n        Users have a\u202frich, native mobile-first sign-up and sign-in journey\u202fwithout ever leaving the app.\n      <\/td>\n<td style=\"text-align: left\">\n        Users are taken to a system browser or embedded browser for authentication only to be redirected back to the app when the sign-in is complete. This is recommended if the redirection doesn&#8217;t negatively impact the end user experience.\n      <\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left\">\n        <strong>Customization experience<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n        This API-centric approach offers a high level of customization, providing extensive flexibility in design and the ability to create tailored interactions and flows.\n      <\/td>\n<td style=\"text-align: left\">\n        Managed\u202f<a href=\"https:\/\/review.learn.microsoft.com\/en-us\/entra\/external-id\/customers\/how-to-customize-branding-customers\">branding and customization options<\/a>\u202fare available as an out-of-the-box feature.\n      <\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left\">\n        <strong>Applicability<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n        For customer first-party mobile apps, when the authorization server and app are operated by the same entity and the user perceives them both as the same 
entity.\n      <\/td>\n<td style=\"text-align: left\">\n        Suitable for Entra ID and External ID apps, it can be used for mobile and desktop apps, single-page applications, and web apps.\n      <\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left\">\n        <strong>Go live effort<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n        High. The developer builds, owns, and maintains the authentication experience.\n      <\/td>\n<td style=\"text-align: left\">\n        Low. Use it straight out of the box with minimal integration.\n      <\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left\">\n        <strong>Maintenance effort<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n        High. It demands updating SDK packages and adjusting to any changes.\n      <\/td>\n<td style=\"text-align: left\">\n        Low.\n      <\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left\">\n        <strong>Security<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n        Security responsibility is shared with developers, and best practices need to be followed. 
It&#8217;s prone to phishing attacks.\n      <\/td>\n<td style=\"text-align: left\">\n        Most secure option.\n      <\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left\">\n        <strong>Supported languages and frameworks<\/strong>\n      <\/td>\n<td style=\"text-align: left\">\n<ul>\n<li>\n            Android (Kotlin, Java)\n          <\/li>\n<li>\n            iOS (Swift, Objective-C)\n          <\/li>\n<\/ul>\n<\/td>\n<td style=\"text-align: left\">\n<ul>\n<li>\n            ASP.NET Core\n          <\/li>\n<li>\n            Android (Java)\n          <\/li>\n<li>\n            iOS (Objective-C)\n          <\/li>\n<li>\n            JavaScript\n          <\/li>\n<li>\n            React\n          <\/li>\n<li>\n            Angular\n          <\/li>\n<li>\n            Node.js\n          <\/li>\n<li>\n            Python\n          <\/li>\n<li>\n            Java\n          <\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>How to use native authentication\u202f<\/h2>\n<p>You can build apps that use native authentication by using our <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/reference-native-authentication-overview\">native authentication API<\/a> or the Microsoft Authentication Library (MSAL) SDK for <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/how-to-run-native-authentication-sample-android-app\">Android<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/how-to-run-native-authentication-sample-ios-app\">iOS<\/a>. Whenever possible, we recommend you use MSAL to add native authentication to your apps. 
If you are planning to create a mobile app on a framework currently not supported by MSAL, you can use our <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/reference-native-authentication-overview\">authentication API<\/a>.<\/p>\n<p>The MSAL SDK abstracts the underlying protocol and provides you with simple, intuitive scenario-based interfaces. For example, to sign a user in using the\u202f<strong>email one-time passcode<\/strong>\u202fflow, it captures the user\u2019s email and sends them an email containing a one-time passcode to verify their email. When the user enters the valid one-time passcode, the app signs them in.<\/p>\n<p>The example below signs a user in with the library&#8217;s\u202f<code>signIn(username)<\/code>\u202fmethod, which returns a result that you can assign to the\u202f<code>actionResult<\/code>\u202ffield. The\u202f<code>actionResult<\/code>\u202frepresents the result of the previously performed action and can take multiple states (forms).<\/p>\n<p>To implement this, add a button to your application that calls the following code snippet when selected:<\/p>\n<h3>Kotlin<\/h3>\n<pre><code> CoroutineScope(Dispatchers.Main).launch {\n     val actionResult = authClient.signIn(\n         username = emailAddress\n     )\n     if (actionResult is SignInResult.CodeRequired) {\n         val nextState = actionResult.nextState\n         val submitCodeActionResult = nextState.submitCode(\n             code = code\n         )\n         if (submitCodeActionResult is SignInResult.Complete) {\n             \/\/ Handle sign in success\n             val accountState = submitCodeActionResult.resultValue\n             val accessTokenResult = accountState.getAccessToken()\n             if (accessTokenResult is GetAccessTokenResult.Complete) {\n                 val accessToken = accessTokenResult.resultValue.accessToken\n                 val idToken = accountState.getIdToken()\n             }\n         }\n     }\n 
}\n<\/code><\/pre>\n<p>Error scenarios such as \u2018user not found\u2019 can be handled as shown in the code snippet below.<\/p>\n<h3>Kotlin<\/h3>\n<pre><code>val actionResult = authClient.signIn(\n    username = emailAddress\n)\nif (actionResult is SignInResult.CodeRequired) {\n    \/\/ Next step: submit code\n} else if (actionResult is SignInError) {\n    \/\/ Handle sign in errors\n    when {\n        actionResult.isUserNotFound() -&gt; {\n            \/\/ Handle \"user not found\" error\n        }\n        else -&gt; {\n            \/\/ Handle other errors\n        }\n    }\n}\n<\/code><\/pre>\n<p>Ready to get started?<\/p>\n<p><div  class=\"d-flex justify-content-center\"><a class=\"cta_button_link btn-primary mb-24\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/samples-ciam-all?tabs=apptype#mobile-native-authentication\" target=\"_blank\">Get Started with Code Samples<\/a><\/div><\/p>\n<h2>Stay connected and informed<\/h2>\n<p>To learn more or test out features in the Microsoft Entra suite of products, visit our\u202f<a href=\"https:\/\/developer.microsoft.com\/en-us\/identity\/\">developer center<\/a>. Make sure you subscribe to the\u202f<a href=\"https:\/\/devblogs.microsoft.com\/identity\/\">Identity blog<\/a>\u202ffor more insights and to keep up with the latest on all things Identity. And follow us on <a href=\"https:\/\/www.youtube.com\/@MicrosoftSecurity\/playlists\">YouTube<\/a> for video overviews, tutorials, and deep dives.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introducing the public preview of Native Authentication for Microsoft Entra External ID, a feature that allows you to design and control the sign-in experience within your mobile apps. 
We compare browser-delegated authentication to native authentication which enables you to create customized, visually cohesive login screens that enhance user experience and maintain brand consistency.<\/p>\n","protected":false},"author":119380,"featured_media":717,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[32,33],"tags":[17,16,47,50,39],"class_list":["post-1649","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-product-updates","tag-customer-identity","tag-entra","tag-external-id","tag-identity","tag-native-authentication"],"acf":[],"blog_post_summary":"<p>Introducing the public preview of Native Authentication for Microsoft Entra External ID, a feature that allows you to design and control the sign-in experience within your mobile apps. We compare browser-delegated authentication to native authentication which enables you to create customized, visually cohesive login screens that enhance user experience and maintain brand 
consistency.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/1649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/users\/119380"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/comments?post=1649"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/1649\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media\/717"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media?parent=1649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/categories?post=1649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/tags?post=1649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}