
Go With the Flow: Mastering Microsoft Entra User Flows—Self-Service Sign-Up in a Workforce tenant

  • Writer: Sebastian F. Markdanner
  • Apr 28
  • 10 min read

Managing new guest accounts can be a daunting task—especially when you’re dealing with high turnover, distributed teams, or unknown user lists. Today, I’ll show you how Microsoft Entra User Flows, otherwise known as Self-Service Sign-Up, can help automate and streamline this process within a workforce tenant.


Organizations such as retail chains, shipping companies, or accounting firms frequently collaborate with diverse groups of customers, vendors, and external partners. Often, these organizations can’t predict exactly who will need access ahead of time.


Additionally, these partners might originate from different domains and prefer various Identity Providers (IdPs)—including federated accounts, personal Microsoft accounts, Google accounts, or others.


Rather than manually managing B2B guest accounts or setting up domain-specific federation (SAML/WS-Fed), you can take advantage of Self-Service Sign-Up to securely onboard users at scale—without sacrificing control.


Ready to simplify your life? Let’s jump straight in!




What is a Microsoft Entra User Flow?

Microsoft Entra User Flows provide a custom self-service sign-up experience for applications registered in Microsoft Entra ID. They allow users to sign up using familiar credentials from various identity providers (IdPs), including Microsoft Entra (work or school accounts), Microsoft Personal accounts, Google, Facebook, Custom IdPs, or even via Email OTP.


User Flows can be customized to collect specific attributes and data from users at sign-up. Additionally, they can trigger up to two API connectors at different stages of the flow. These connectors integrate seamlessly with external systems like HR platforms, Azure Logic Apps, third-party CRM solutions, Azure API Management services, or Power Automate flows—essentially, anything with a valid API endpoint.


While your tenant can have multiple User Flows—and each flow can be associated with multiple applications—each individual application can only be linked to one User Flow at a time.



Why User Flows Matter

In today’s Microsoft cloud environments, we’re not just securing employees — we’re enabling a broad ecosystem of partners, contractors, and service providers to collaborate securely and efficiently.


While User Flows are a core part of CIAM (Customer Identity and Access Management) in external tenants, they’re increasingly valuable in workforce tenants for scenarios involving B2B guest users.


For customers, User Flows provide a smooth sign-up experience using familiar credentials—removing friction by avoiding the need for yet another account. This aligns with CIAM strategies focused on scalability and user experience.


For partners and B2B collaborators, User Flows offer a flexible, automated gateway into your organization, often using work identities like Microsoft Entra ID accounts or personal credentials depending on your policies. This simplifies the initial AuthN/AuthZ experience and offloads manual onboarding.



User Flows in a Workforce Tenant

In B2B collaboration scenarios, Self-Service Sign-Up can dramatically improve user experience while reducing administrative overhead—without compromising security.


Whether you’re onboarding unknown project collaborators, external developers, or temporary contractors, User Flows can help:


  • Automatically create guest accounts

  • Gather required user information

  • Enforce policy-driven onboarding

  • Seamlessly integrate with internal systems via API connectors


To allow for as much flexibility as possible, User Flows supports the following IdPs:


  • Microsoft Entra

  • Microsoft (Personal)

  • Email

  • Facebook

  • Google

  • 3rd party custom OIDC or SAML/WS-FED IdP


Let’s walk through a few real-world examples.



Scenario 1: Supplier Access for Retail Portals

Your organization runs a retail business and has built a SharePoint-based supplier portal to manage product submissions, availability, and restocking. You work with hundreds of suppliers, many of whom rotate frequently throughout the year.


Manually onboarding every supplier — or managing domain whitelisting for B2B access — just isn’t feasible.


With Self-Service Sign-Up, these external users can onboard themselves securely, using their existing Microsoft or Google accounts. SharePoint access can be governed using your existing Entra Conditional Access policies, ensuring compliance and visibility across all collaborators.



Scenario 2: Contractor Lifecycle on Offshore Oil Rigs

You’re an energy company operating offshore rigs and managing a rotating workforce of short-term contractors—none of whom need access to your core business apps, but who do need to be onboarded into your HR and procurement systems.


By configuring a User Flow to allow personal accounts, contractors can sign up using their preferred identity (e.g., a personal Microsoft account). An API Connector can then trigger a Logic App to automate resource provisioning: ordering work clothes, creating HR records, and even managing access badges.


All without IT ever needing to manually touch a user account.



Scenario 3: Large-Scale Customer Access in Finance

You’re a financial institution serving 20,000+ business customers through a custom web app that lets users pull reports, manage accounts, and view invoices. Each customer may have multiple users, and those users could come from Google, Microsoft Entra, Yahoo, or even unmanaged domains.


Your app isn’t Entra ID-integrated and uses a legacy identity system for access control.


By deploying a Self-Service Sign-Up flow with custom user attributes, you can capture the metadata needed by your legacy app (e.g., customer ID, company name, user role) at sign-up. This creates a seamless registration experience while enabling your app to enforce access logic using your own database.



These are just a few scenarios, but as you can tell, User Flows can cover a lot of different cases. With custom extensions and custom user attributes, we can integrate a User Flow directly with the organization's application, and via API connectors with the systems behind it.



Known Limitations & Pitfalls

Throughout this post, a few caveats will be touched upon, so let’s clearly outline the key limitations to keep in mind when working with Microsoft Entra User Flows in a Workforce environment.


  • Microsoft Entra Authentication

    When users sign up via Self-Service Sign-Up using a Microsoft Entra identity, they’re required to create their accounts with a password. Passwordless authentication methods, such as Passkeys, Windows Hello for Business (WH4B), or Phone Sign-In (PSI), aren’t supported during initial sign-up. However, after the account is created and permissions are accepted, users can seamlessly use passwordless authentication for future sign-ins. (Note: This limitation only applies to User Flows in workforce tenants.)


  • Authentication Strength

    While Authentication Strength has significantly improved for external accounts and now supports various authentication methods, it isn’t currently supported for users created via User Flows with a mail identity (such as personal Gmail accounts). At the moment, only the traditional Require Multifactor Authentication option is supported for these users.


  • User Attribute Data Types

    Custom user attributes support three data types—Boolean, String, and Integer—but not all are supported in User Flows in workforce tenant scenarios. Only String and Integer types are supported. However, you can creatively use these two types to simulate Boolean behavior if needed.


  • User Attributes Data Persistence

    Custom user attribute data collected during sign-up doesn’t automatically map directly onto user objects in the directory. Instead, you can leverage API connectors to capture and persist this information externally. For example, using an API connector to call Microsoft Graph allows you to explicitly set and secure attribute data on user objects for future use.


  • User Attribute Collection

    Custom user attributes are fantastic for gathering critical information—but keep in mind that users will only see these prompts once, during their initial account creation. Afterward, users won’t have an opportunity to revisit or update these attributes through the sign-up flow. This means you should clearly plan and carefully determine exactly what data you need, why you need it, and how you’ll use it—right from the start.



How To Configure Microsoft Entra User Flow

Now that we’ve covered the theory, let’s dive into a hands-on example demonstrating how you can utilize User Flows—from both administrative and end-user perspectives.


In this example, the User Flow will be configured to support these identity providers (IdPs):

  • Microsoft Entra

  • Microsoft Personal

  • Google

  • Email OTP


We’ll also set up the flow to collect both built-in (string) and custom (string & integer) user attributes. Additionally, the collected data will trigger a Logic App, sending a notification email to the user and an internal pre-configured Distribution List.



Configuring Microsoft Entra User Flow Step-By-Step

First, you’ll need to activate the self-service sign-up feature and perform the initial configuration in the Microsoft Entra Admin Portal.


  1. Activating Self-Service Sign-Up

    Navigate to External collaboration settings in the External identities menu, and enable the option Enable guest self-service sign up via user flows.

    [Screenshot: Microsoft Entra "External collaboration settings" page with options for guest user access, invite settings, and self-service sign-up.]

  2. Creating Custom User Attributes

    Within the External identities menu, move into Custom user attributes.

    Here you'll see a full list of the built-in attributes. Click Add to open the attribute creation pane:

    • Provide a clear Name for your attribute

    • Choose the appropriate Data type

    • Optionally, include a helpful Description for administrators

    [Screenshot: "Custom user attributes" page listing attributes such as City, Country, and Job Title, with the "Add an attribute" pane open.]

  3. Preparing to Create the User Flow

    Navigate to User Flows in the External identities menu. Click on New user flow to begin setup.

    [Screenshot: Microsoft Entra admin center, External Identities > User flows, with the "New user flow" button highlighted.]

  4. Creating the user flow

    • Provide a descriptive Name for the User Flow

      The custom part of the name will be referenced in your MSAL call under extraQueryParameters.


    • Select the desired Identity Providers. This list updates dynamically based on the IdPs configured in the tenant.


    • Select required User Attributes

      Including built-in and custom attributes you’ve configured

    [Screenshot: User flow creation pane with fields for the name, identity providers (Google, Microsoft), and attributes such as Given Name and Surname.]

This initial setup is just the start. Once created, the User Flow allows further configuration of Identity Providers, User Attributes, API Connectors, Page Layouts, and associated Entra-registered applications.

[Screenshot: Settings page for the B2X sign-up flow showing identity providers, user attributes, API connectors, page layouts, and languages.]

Modifying User Attributes and Page Layouts

You can adjust required and optional attributes from the Page layouts section. Here, you define how attributes are presented to users, including input types and display labels.

[Screenshot: Page layouts settings showing form layout options and fields for email, names, and company, with radio-button input types.]
[Screenshot: Page layout attribute list (Email, Display Name, and others) with the layout editor on the right.]


Configuring API Connector Step-By-Step

To fully leverage the power of User Flows, we’ll integrate API Connectors. For this example, I’ve created a Logic App triggered by an HTTP request, sending notification emails to the user and an internal Distribution List.


While Identity Providers, User Attributes, Page Layouts, and Application Settings are relatively straightforward, API Connectors warrant a closer look.


Creating an API Connector

To create a new API Connector, you’ll need:

  • Display name: A friendly name identifying the connector

  • Endpoint URL: The API endpoint (e.g., your Logic App URL)

  • Authentication: Basic (username/password) or preferably certificate-based (can be self-signed).

    [Screenshot: API connector configuration pane with fields for display name, endpoint URL, and authentication type; no connectors present yet.]

Generating the API endpoint URL

In this example, our endpoint is a Logic App triggered via HTTP request. After deploying the Logic App, you’ll obtain an automatically generated URL from the trigger, which serves as the API connector endpoint.

[Screenshot: Logic App HTTP request trigger showing the generated URL, request method options, and a JSON schema with email, company name, and display name fields.]

Adding an API connector

Go to External identities → All API Connectors.

Click New API connector and provide the required details and save the connector.

[Screenshot: API connector configuration pane with fields for Display Name, Endpoint URL, Authentication type, Certificate, and password.]

Associating the API Connector with Your User Flow

Return to your User Flow configuration and navigate to API connectors.

Assign your newly created API connector to the appropriate step(s).

[Screenshot: User flow API connectors page with the "Azure Email Logic App" connector selectable for the steps after identity provider federation and user creation.]

With this, your User Flow will invoke the connector at the configured points, integrating seamlessly with your external systems.
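The author's Logic App only reads the posted body and sends mail, but the endpoint behind an API connector can also decide whether a sign-up continues. The following is an added example, not the author's Logic App or Microsoft's code: a minimal Python handler for the "Before creating the user" stage. It assumes the documented connector contract (an HTTP Basic Authorization header, custom attributes named extension_<app-id>_<name>, and a JSON response carrying version "1.0.0" with action Continue, ValidationError or ShowBlockPage); the credentials, the extension app id and the sample request are placeholders constructed for the example.

```python
import base64
import hmac

# Basic-auth credentials configured on the API connector (placeholders; use a
# long random secret or, preferably, certificate authentication as the post suggests).
CONNECTOR_USERNAME = "connector-user"
CONNECTOR_PASSWORD = "replace-with-a-long-random-secret"

# Custom attributes arrive as extension_<app-id>_<name>; the GUID here is a placeholder.
EXT_PREFIX = "extension_00000000000000000000000000000000_"

# Constructed sample of the JSON body the user flow posts to the connector.
SAMPLE_REQUEST = {
    "email": "test.mctest@example.com",
    "identities": [{"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "123456"}],
    "displayName": "Test McTest",
    EXT_PREFIX + "CompanyName": " Contoso Shipping ",
    EXT_PREFIX + "EmployeeCount": 40,
    "ui_locales": "en-US",
}


def basic_auth_header(username, password):
    """Build the Authorization header value the user flow sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def is_authorized(authorization_header):
    """Verify the Basic credentials with a constant-time comparison."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(authorization_header[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{CONNECTOR_USERNAME}:{CONNECTOR_PASSWORD}"
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_before_create(authorization_header, body):
    """Handle one 'Before creating the user' call; return (http_status, json_body)."""
    if not is_authorized(authorization_header):
        # Never act on attributes from a caller that cannot prove it is the user flow.
        return 401, {"error": "unauthorized"}

    email = str(body.get("email", "")).strip().lower()
    company = str(body.get(EXT_PREFIX + "CompanyName", "")).strip()
    # Workforce tenants only allow String and Integer custom attributes, so the
    # business rule below is checked on the integer value (JSON true/false is rejected).
    employees = body.get(EXT_PREFIX + "EmployeeCount")

    # Policy decision: refuse the sign-up entirely (constructed block list).
    if email.rsplit("@", 1)[-1] in {"example.invalid"}:
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Sign-up is not available for your organization."}

    # Input problems send the user back to the attribute form (HTTP status must be 400).
    if not company:
        return 400, {"version": "1.0.0", "status": 400, "action": "ValidationError",
                     "userMessage": "Please enter your company name."}
    if not isinstance(employees, int) or isinstance(employees, bool) or employees < 1:
        return 400, {"version": "1.0.0", "status": 400, "action": "ValidationError",
                     "userMessage": "Employee count must be a whole number of at least 1."}

    # Continue; an attribute returned here replaces the value the user typed.
    return 200, {"version": "1.0.0", "action": "Continue",
                 EXT_PREFIX + "CompanyName": company}
```

A 401 with no contract body makes the flow fail closed, while the two 400 paths keep the user on the form with the message shown.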



Configuring the HTML Single-Page Application (SPA)

Every Microsoft Entra User Flow needs an associated application—this can be any app registered in Entra ID, as long as it includes a customizable sign-in/sign-up flow.


Since I’m not exactly a developer, I’ve opted for a simple HTML-based SPA hosted as an Azure Static Web App. Here’s the basic user journey:


  • User visits the webpage → Automatically redirected to Microsoft’s sign-up page.

  • User creates an account or signs in → Redirected back to the app.

  • User sees a success message (5-second loading animation) → Redirected to my blog at chanceofsecurity.com.


The app maintains session state securely and includes basic error handling for failed authentication attempts.


Curious? Check out the code for this simple SPA on my GitHub: SSSU HTML SPA



Setting Up Azure Static Web App Step-by-Step

Here’s how you create the Azure Static Web App:

  1. Navigate to the Azure Portal, search for Static web app, and click Create.

    [Screenshot: Azure portal search showing "Static Web Apps" in the results dropdown.]
    [Screenshot: Static Web Apps blade with the "Create" button highlighted; listed app UserFlowApplication in West Europe, SKU Free.]

  2. Choose your Subscription, Resource Group, and Hosting Plan.

    The Free tier is perfect for smaller apps and testing purposes.

    Choose your deployment source (GitHub for this example)

    [Screenshot: Create static web app form with GitHub as the source, a Visual Studio subscription, and a custom name.]
    [Screenshot: GitHub deployment settings with organization, repository, and branch fields, custom build details, and the "Preview workflow file" button.]

  3. Choose your desired Deployment authorization policy.

    Skip the Advanced & Tags menus (unless needed) and finalize by reviewing and creating the app.

    [Screenshot: Deployment configuration tab with the Deployment token authorization policy selected.]
    [Screenshot: Review + create page showing the subscription ID, resource group "rg-logic-we," and the GitHub repo link, with the "Create" button below.]

  4. After creation, deploy your code using your chosen deployment method (I use Visual Studio Code connected to GitHub).

    You’ll receive a public URL for your web app; hold onto this for further down the line.

    [Screenshot: Overview page for "UserFlowApplication" with options to refresh, delete, and view the app, plus settings and tasks tabs.]


Setting Up the Email Logic App

Our configured API Connector calls a Logic App, which sends email notifications to the newly registered user and internal staff. The Logic App extracts data (custom attributes, email, display name) from the request body and sends a predefined email.


Logic App overview:

[Screenshot: Logic App Designer flow with "When an HTTP request is received" leading to two "Send an email (V2)" actions.]


Microsoft Entra Self-Service Sign-Up User Experience

Now, let’s walk through what users experience when using your configured flow.

The SPA is publicly available, so you can try it yourself and follow along!


User Experience Step-By-Step

  1. Accessing the web app

    The user navigates to the public URL of the web app:

    https://thankful-moss-09a29c903.6.azurestaticapps.net

    They are immediately redirected to the Microsoft Login/Sign-Up page and must click Create one! to start account creation.

    [Screenshot: Microsoft sign-in screen with fields for email, phone, or Skype, a link to create an account, and a "Next" button.]

  2. Choosing the correct IdP

    Users select the IdP matching their credentials:

    • Sign up with email: For Microsoft Entra identities or personal accounts from federated IdPs (e.g., Gmail, Yahoo, etc.).

    • Sign up with Microsoft: Exclusively for personal Microsoft accounts (outlook.com, hotmail.com, etc.).

    • Other options (Google, Facebook, etc.): For accounts federated explicitly with these IdPs.

    [Screenshot: "Create account" screen listing the email, Microsoft, and Google sign-up options with a "Back" button below.]

  3. Creating the account

    Users provide credentials. Federated accounts redirect users to their respective IdP for authentication.

    [Screenshot: microsoftonline.com sign-in page with the email "mctestesent@gmail.com" entered and the options Forgot email?, Create account, and Next.]
    [Screenshot: Microsoft account creation page with the email "mctestesent@gmail.com" entered and "Back" and "Next" buttons.]

    • Email sign-ups trigger an Email OTP verification step:

    [Screenshot: Gmail message containing the account verification code, sent by "Cloudy With a Chance Of Security" via Microsoft.]

  4. Accepting permissions

    Users consent to required permissions.

    [Screenshot: Permission request from Cloudy With a Chance of Security with cancel and accept options and text about data access and trust advisories.]

  5. Authenticating with or Configuring MFA

    Users complete MFA setup or authentication, based on your security policies.

    [Screenshot: Microsoft security prompt asking for more information to secure the account, with "Use a different account," "Learn more," and "Next" options.]

  6. Final App Redirection

    After authentication, users return to the SPA, see a brief welcome message for 5 seconds, and are then redirected to the final destination, my blog.

    [Screenshot: Sign-up confirmation screen for Microsoft Entra ID with a welcome message, rocket emoji, and loading icon on a light blue background.]
    [Screenshot: Blog landing page with the "Cloudy with a Chance of Security" header and the latest posts listed below.]

  7. Subsequent Sign-Ins

    Future sign-ins follow a streamlined login process without repeating the sign-up steps.

    [Screenshot: Microsoft sign-in page with the email "mctestesent@gmail.com" entered and options to create an account or get help.]

Throughout this process, your Logic App sends two emails—one to the end user confirming successful registration, and one internally to notify your team.


End-user email:

[Screenshot: Email with the subject "Welcome to Chance Of Security!", a shield-and-cloud logo, text about collaboration, and support contact information.]

Internal email:

[Screenshot: Email with the subject "New SSSU guest user created", the company logo, a "NEW USER ALERT!" message, and the user info for Test McTest.]


Wrapping Up: Go With the (User) Flow!

Microsoft Entra User Flows offer a powerful yet straightforward way to manage external identities at scale, reducing friction and administrative overhead. Whether you're onboarding suppliers, contractors, or thousands of external customers, Self-Service Sign-Up ensures users can securely access your resources using credentials they're already comfortable with.


With flexible identity provider support, customizable attributes, and powerful API connectors, User Flows can integrate deeply with your internal processes and systems, enabling truly streamlined and automated guest account management.


And as always, next up is the mandatory bad dad joke!


My kids kept teasing me, and simply wouldn't give me space.

So I ended up changing my keyboard! 😎


Keep in mind the limitations and best practices we've discussed, especially around authentication methods, attribute collection, and data persistence, to ensure a smooth implementation.


Ready to go with the flow and simplify your guest management? Dive in today!


Until next time, keep your security posture tight and your onboarding process seamless—after all, identity management doesn't have to be a drag!
