Power Pages, a low-code platform from Microsoft, allows organizations to build secure, data-driven websites that can be accessed by internal users (employees) or external users (partners, vendors, customers). One of the most crucial aspects of building such web portals is authentication, which determines who can access what in your portal and under what conditions.
This in-depth guide explores all supported authentication methods in Power Pages, how to configure them, and best practices for implementation.
1. What is Authentication in Power Pages?
Authentication in Power Pages ensures that users accessing your portal are who they say they are. Once authenticated, authorization mechanisms determine the level of access a user has based on Web Roles and Permissions.
Authentication methods in Power Pages are broadly categorized into:
- Local (username and password)
- External Identity Providers (OpenID Connect, Azure AD, LinkedIn, Google, etc.)
- Single Sign-On (SSO) via Azure AD B2C
- SAML 2.0
2. Supported Authentication Methods
A. Local Authentication (Username and Password)
This is the default method that allows users to register and sign in using email and password. The credentials are stored in Dataverse.
Features:
- Enables self-service registration and login.
- Email confirmation supported.
- Password recovery and reset flow available.
Setup Steps:
- Go to Portal Management App.
- Navigate to Site Settings.
- Enable:
  - Authentication/Registration/Enabled → true
  - Authentication/LocalLoginEnabled → true
- Ensure Basic Authentication is selected in Identity Providers.
Use CAPTCHA and 2FA options for security on public-facing portals.
B. Azure Active Directory (Azure AD)
Ideal for internal or organizational use. Users can sign in with their Microsoft 365 or Azure AD accounts.
Features:
- SSO for employees.
- Supports tenant restrictions.
- Can be integrated with Web Roles.
Setup Steps:
- Register your portal as an Azure AD App.
- Configure the App Registration with:
  - Redirect URI: https://<yourportal>.powerappsportals.com/signin-azuread
- In Portal Management App, add an Identity Provider:
  - Type: Azure AD
  - Client ID, Tenant ID, Metadata URL, and Redirect URI.
- Save and restart the portal.
Azure AD authentication is most commonly used in employee or partner portals.
C. Azure AD B2C (Business-to-Consumer)
Azure AD B2C provides scalable external identity management. It enables social logins, custom policies, and advanced user flows like MFA, profile editing, etc.
Features:
- Supports social identities like Google, Facebook, LinkedIn, etc.
- Enables custom sign-in, sign-up, and password reset flows.
- Highly configurable for branding and policies.
Setup Steps:
- Create an Azure AD B2C tenant.
- Register a new app and create user flows (e.g., sign-up, sign-in, password reset).
- Add Redirect URIs in the app settings: https://<yourportal>.powerappsportals.com/signin-aadb2c
- Go to Portal Management App, add an Identity Provider:
  - Protocol: OpenID Connect
  - Input Authority, Client ID, Redirect URI, Scopes, and Metadata URL.
- Link the user flows to your portal via Site Settings.
Use B2C when building customer-facing portals with multiple login options.
D. External Identity Providers (OpenID Connect & OAuth 2.0)
You can integrate third-party identity providers like Google, Facebook, Twitter, LinkedIn, GitHub, or any service supporting OpenID Connect or OAuth 2.0.
Features:
- Provides users with the convenience of using existing accounts.
- Can be used alongside Azure B2C or separately.
Setup Steps:
- Register an app with the desired Identity Provider (e.g., Google Developer Console).
- Get the Client ID, Client Secret, Authorization Endpoint, and Token Endpoint.
- In Portal Management, go to Identity Providers and configure:
  - Protocol: OpenID Connect
  - Input the values.
- Save and restart the portal.
Make sure the redirect URI is properly set up in the provider’s developer console.
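An added example, not part of the original guide or of Power Pages: a consistency check for the OpenID Connect values entered in sections C and D, run against the provider's metadata document before saving. The `settings` keys, the sample metadata and the rule that Authority must equal the metadata `issuer` are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample: a trimmed OpenID Connect discovery document, as served
# from a provider's Metadata URL. Host and tenant values are placeholders.
SAMPLE_METADATA = {
    "issuer": "https://idp.example/tenant-placeholder/v2.0/",
    "authorization_endpoint": "https://idp.example/oauth2/v2.0/authorize",
    "token_endpoint": "https://idp.example/oauth2/v2.0/token",
    "jwks_uri": "https://idp.example/discovery/v2.0/keys",
}
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_provider_settings(settings, metadata, registered_redirects):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for key in REQUIRED_KEYS:
        value = metadata.get(key, "")
        if not value:
            problems.append(f"metadata is missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not HTTPS: {value}")
    # Assumption: Authority is compared to the issuer as an exact string,
    # so a missing trailing slash counts as a mismatch.
    if metadata.get("issuer") != settings["authority"]:
        problems.append("Authority does not match the metadata issuer exactly")
    redirect = urlsplit(settings["redirect_uri"])
    if redirect.scheme != "https":
        problems.append("Redirect URI is not HTTPS")
    if redirect.query or redirect.fragment:
        problems.append("Redirect URI carries a query string or fragment")
    # Compared as exact strings, never as prefixes: an extra "/" is a different URI.
    if settings["redirect_uri"] not in registered_redirects:
        problems.append("Redirect URI is not registered with the provider")
    # OpenID Connect requests must include the "openid" scope.
    if "openid" not in settings["scopes"].split():
        problems.append("Scopes do not include 'openid'")
    return problems
```

`registered_redirects` is the list of redirect URIs copied from the provider's app registration.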
E. SAML 2.0 Authentication
Some enterprise environments prefer SAML for identity federation. Power Pages supports integration with SAML 2.0-compliant identity providers like Okta, AD FS, Ping Identity, etc.
Features:
- Federated identity support.
- Strong enterprise authentication and SSO.
Setup Steps:
- Obtain SAML metadata from the identity provider.
- Add a new Identity Provider in Portal Management:
  - Protocol: SAML 2.0
  - Set Issuer, Sign-in URL, X.509 Certificate, etc.
- Set the reply URL (Assertion Consumer Service URL) to: https://<yourportal>.powerappsportals.com/signin-saml
- Map SAML claims to user profile fields.
3. Enabling Authentication in Design Studio
To configure authentication from the Power Pages Design Studio:
- Go to Set up → Identity providers.
- Choose the authentication types:
  - Local, Azure AD, Azure AD B2C, or Custom OpenID Connect.
- Add client credentials, authority, and required scopes.
- Save and restart the portal to reflect changes.
4. Managing Users in Power Pages
Authenticated users are stored in Dataverse under the Contact table.
- When a user signs in for the first time, a contact record is automatically created.
- Each contact is linked to an authentication method (external identity or local).
- You can assign Web Roles to contacts to control access.
5. Mixing Authentication Methods
Power Pages supports multiple authentication methods simultaneously.
For example:
- You can offer Azure AD B2C (with Google and LinkedIn logins) for customers.
- Simultaneously allow Azure AD login for internal employees.
- And enable Local Login for admin users.
6. Web Roles and Authorization
Authentication works hand-in-hand with authorization in Power Pages.
Once authenticated:
- Users are assigned Web Roles based on their identity.
- These roles determine access to Web Pages, Lists, Forms, and Custom APIs.
You can automate Web Role assignment using Workflows or Power Automate based on email domains, contact fields, or sign-in provider.
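An added example, not from the original guide and not Power Automate code: the decision logic such an automation could apply when mapping sign-in provider and email domain to a Web Role. The provider labels, domains, role names and the `email_confirmed` contact field are hypothetical.

```python
# Hypothetical rules: (sign-in provider, exact email domain) -> web role.
# Provider labels, domains and role names are illustrative, not Power Pages values.
ROLE_RULES = {
    ("azure-ad", "contoso.example"): "Employees",
    ("azure-ad-b2c", "partner.example"): "Partners",
    ("local", "contoso.example"): "Portal Admins",
}

def email_domain(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain) or "@" in local or any(c.isspace() for c in address):
        return None
    return domain.lower()

def web_role_for(contact):
    """Decide the web role for a contact record; None means no role is granted."""
    domain = email_domain(contact.get("email", ""))
    if domain is None:
        return None
    # Local accounts choose their own address, so require a confirmed email
    # (hypothetical "email_confirmed" field) before trusting its domain.
    if contact.get("provider") == "local" and not contact.get("email_confirmed"):
        return None
    # Exact lookup on provider and domain, with no suffix or substring matching:
    # "contoso.example.other.example" and "notcontoso.example" match nothing,
    # and a domain seen through the wrong provider gets no role.
    return ROLE_RULES.get((contact.get("provider"), domain))
```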
7. Security Best Practices
- Enable CAPTCHA on registration forms to block bots.
- Use HTTPS-only portals.
- Restrict file uploads and MIME types.
- Enforce strong passwords for local accounts.
- Regularly review audit logs.
- Implement Multi-Factor Authentication (MFA) using Azure B2C policies.
8. Troubleshooting Authentication Issues
- Clear browser cache if portal doesn’t redirect correctly.
- Ensure redirect URI is whitelisted in Azure AD or other providers.
- Check for typos in client ID, metadata URLs.
- Confirm SSL certificates for custom domains are valid.
Use Fiddler, Browser Dev Tools, or Azure AD Sign-In Logs for advanced troubleshooting.