Create a sign-up and sign-in user flow for customers

You can create a simple sign-up and sign-in experience for your customers by adding a user flow to your application. The user flow defines the series of sign-up steps customers follow and the sign-in methods they can use (such as email and password, one-time passcodes, or social accounts from Google or Facebook). You can also collect information from customers during sign-up by selecting from a series of built-in user attributes or adding your own custom attributes.

You can create multiple user flows if you have multiple applications that you want to offer to customers. Or, you can use the same user flow for many applications. However, an application can have only one user flow.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Online retail” use case.

Prerequisites

  • A Microsoft Entra external tenant: Before you begin, create your Microsoft Entra external tenant. You can set up a free trial, or you can create a new external tenant in Microsoft Entra ID.
  • Email one-time passcode enabled (optional): If you want customers to use their email address and a one-time passcode each time they sign in, make sure Email one-time passcode is enabled at the tenant level (in the Microsoft Entra admin center, navigate to External Identities > All Identity Providers > Email One-time-passcode).
  • Custom attributes defined (optional): User attributes are values collected from the user during self-service sign-up. Microsoft Entra ID comes with a built-in set of attributes, but you can define custom attributes to collect during sign-up. Define custom attributes in advance so they're available when you set up your user flow. Or you can create and add them later.
  • Identity providers defined (optional): You can set up federation with Google or Facebook in advance, and then select them as sign-in options as you create the user flow.

Create and customize a user flow

Follow these steps to create a user flow a customer can use to sign in or sign up for an application. These steps describe how to add a new user flow, select the attributes you want to collect, and change the order of the attributes on the sign-up page.

To add a new user flow

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > External Identities > User flows.

  4. Select New user flow.

    Screenshot of the new user flow option.

  5. On the Create page, enter a Name for the user flow (for example, "SignUpSignIn").

  6. Under Identity providers, select the Email Accounts check box, and then select one of these options:

    • Email with password: Allows new users to sign up and sign in using an email address as the sign-in name and a password as their first-factor authentication method. You can also configure options for showing, hiding, or customizing the self-service password reset link on the sign-in page (learn more).

    • Email one-time passcode: Allows new users to sign up and sign in using an email address as the sign-in name and email one-time passcode as their first-factor authentication method.

    Note

    The Microsoft Entra ID Sign up option is unavailable because although customers can sign up for a local account using an email from another Microsoft Entra organization, Microsoft Entra federation isn't used to authenticate them. Google and Facebook become available only after you set up federation with them. Learn more about authentication methods and identity providers.

    Screenshot of Identity provider options on the Create a user flow page.

  7. Under User attributes, choose the attributes you want to collect from the user during sign-up.

    Screenshot of the user attribute options on the Create a user flow page.

  8. Select Show more to choose from the full list of attributes, including Job Title, Display Name, and Postal Code.

    This list also includes any custom attributes you defined. Select the checkbox next to each attribute you want to collect from the user during sign-up.

    Screenshot of the user attribute pane after selecting Show more.

  9. Select OK.

  10. Select Create to create the user flow.

Disable sign-up in a sign-up and sign-in user flow

If you want your customer users to only sign in and not sign up, you can disable the sign-up experience in your user flow by using the Update authenticationEventsFlow API in Microsoft Graph and setting the isSignUpAllowed property under onInteractiveAuthFlowStart to false. You need to know the ID of the user flow whose sign-up you want to disable. You can't read the user flow ID from the Microsoft Entra admin center, but you can retrieve it through the Microsoft Graph API if you know the app associated with it.

  1. Read the application ID associated with the user flow:

    1. Browse to Identity > External Identities > User flows.
    2. From the list, select your user flow.
    3. In the left menu, under Use, select Applications.
    4. From the list, under Application (client) ID column, copy the Application (client) ID.
  2. Identify the ID of the user flow whose sign-up you want to disable. To do so, list the user flows associated with the specific application by using the Microsoft Graph API; this call requires the application ID you obtained in the previous step.

  3. Update your user flow to disable sign-up.

    Example:

    PATCH https://graph.microsoft.com/beta/identity/authenticationEventsFlows/{user-flow-id}

    Request body

        {
            "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
            "onInteractiveAuthFlowStart": {
                "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
                "isSignUpAllowed": false
            }
        }


    Replace {user-flow-id} with the user flow ID that you obtained in the previous step. Notice that isSignUpAllowed is set to the JSON boolean false. To re-enable sign-up, make the same call to the Microsoft Graph API endpoint, but set isSignUpAllowed to true.
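    As an added example (not from this article and not Microsoft Graph's own SDK), the following Python script performs the two Graph calls described above in order: it looks up the user flow attached to a given Application (client) ID, then builds the PATCH that sets isSignUpAllowed. The $filter form used to find a flow by appId is the one used by the authenticationEventsFlows list endpoint and is assumed here; the bearer token and the HTTP GET are supplied by the caller so the lookup logic can be exercised offline.

```python
"""Added example: disable (or re-enable) sign-up on an External ID user flow.

Assumptions (not taken from the page): the appId $filter below matches the
Graph authenticationEventsFlows list endpoint, and the caller supplies a
valid bearer token for a principal allowed to update authentication flows.
"""
import json
from urllib import request as urlrequest
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/beta/identity/authenticationEventsFlows"


def list_flows_url(app_id: str) -> str:
    """URL listing the user flow(s) whose conditions include app_id."""
    flt = f"conditions/applications/includeApplications/any(a:a/appId eq '{app_id}')"
    # Keep '$' and '/' readable; everything else is percent-encoded.
    return f"{GRAPH}?{urlencode({'$filter': flt}, safe='$/', quote_via=quote)}"


def signup_body(allowed: bool = False) -> dict:
    """PATCH body; isSignUpAllowed must be a JSON boolean, not the string "false"."""
    return {
        "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
        "onInteractiveAuthFlowStart": {
            "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
            "isSignUpAllowed": allowed,
        },
    }


def flow_id_for_app(app_id: str, http_get) -> str:
    """Return the id of the one user flow attached to app_id.

    http_get(url) -> dict is injected (e.g. a function that calls Graph with a
    bearer token and returns the parsed JSON). An application can have only one
    user flow, so zero or several results is treated as an error, never guessed.
    """
    flows = http_get(list_flows_url(app_id)).get("value", [])
    if len(flows) != 1:
        raise ValueError(f"expected exactly one user flow for {app_id}, found {len(flows)}")
    return flows[0]["id"]


def build_patch(flow_id: str, token: str, allowed: bool = False) -> urlrequest.Request:
    """Prepared PATCH request; send it with urllib.request.urlopen(req)."""
    body = json.dumps(signup_body(allowed)).encode()
    return urlrequest.Request(
        f"{GRAPH}/{flow_id}", data=body, method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
```

    Pass allowed=True to build_patch to re-enable sign-up with the same request.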

Next steps