Empowering Individuals in the Digital Age

Authentication systems streamline the management of user authentication across the internet and internal networks, enabling smoother collaboration and simplifying end-user administration. Federated Identity Management (FIM) and Single Sign-On (SSO) are closely related concepts. FIM enables multiple organizations to collaborate using federations that support SSO. For instance, once an employee logs in to Company A’s network, they can seamlessly access resources on Company B’s network without needing to log in again.

Beyond federated identity management systems, many websites use Single Sign-On (SSO) to enhance the user experience while maintaining security. SSO ensures that user credentials for one site are not shared with others. For example, imagine transferring money from Bank A to Bank B. If Bank B required you to provide your Bank A credentials, it would pose a significant security risk. Users should never need to share their credentials with third parties. Protocols like SAML, OAuth, OpenID, and OIDC address this issue by securely handling authentication processes.

Continue reading about Authentication Systems

Email Security

The fundamental email protocols used on the internet ensure efficient message delivery but do not include safeguards for confidentiality, integrity, or availability. In other words, basic email lacks inherent security. However, there are various methods to enhance email security.

Continue reading about email security solutions

Azure Entra ID OAuth Applications & APIs

App registrations (also known as OAuth apps) act like passports for applications — allowing both user-based apps and machine-to-machine apps to securely access resources hosted on resource servers (such as APIs exposing emails, media, documents, etc.).

An app registration in Microsoft Entra ID represents a client application in the identity platform (which acts as the authorization server). This client uses OAuth flows to request access tokens, which it sends to the resource server to perform the actions allowed by the scopes (permissions) defined and granted.

A resource server (such as a web API) trusts an authorization server (Entra ID) by validating the access tokens it receives from clients. This trust rests on Entra ID issuing signed JWTs, which the resource server verifies using Entra’s public signing keys (obtained via the OpenID Connect metadata endpoint), checking that each token’s issuer, audience, and signature are valid.

Find out more about Azure Entra Applications & APIs

Understanding Microsoft Entra External ID, B2B & B2C

Microsoft Entra External ID simplifies how organizations securely collaborate and connect with external users — whether they are business partners (B2B) or consumers (B2C). In this blog, we break down the key concepts behind External ID, explain the differences between B2B and B2C identity scenarios, and show how Entra helps manage access, authentication, and user experience across both models. As of May 1, 2025, Azure AD B2C P1 and P2 SKUs (External Identities) will no longer be available to new customers.

Read more on Entra External IDs