Share via

Entra External ID (External Tenant): How to send an email notification/invitation to local user created via "Create User" endpoint of Graph API

Suraj 0 Reputation points
2025-01-08T11:53:33.8666667+00:00

Hello everyone,

We are in the process of migrating our authentication provider from Auth0 to MS Entra External ID for External Tenants (B2C). We have a couple of workflows we need to replicate in MS Entra External ID, particularly Create User and Reset Password scenarios.

Current Workflow with Auth0

  1. Our Single Page React Application provides a “Create User” form.
  2. Upon form submission, our backend (NestJS) calls the Auth0 Management API to create a user with a random password.
  3. Right after creation, we trigger the dbconnections/change_password API, which sends a “welcome” email to the newly created user.
  4. The user receives an email containing a standard welcome message with a “Confirm Your Email” link.
  5. Clicking this link redirects the user to Auth0’s password reset flow, where they can set their own password for the first time.

This flow eliminates the need to send the user a random password explicitly. Instead, the user receives a welcome email and uses a link to set their own password.

What We’ve Tried in MS Entra External ID

  • Using the Microsoft Graph API, we can create a new user with a random password and set forceChangePasswordNextSignIn = true in the passwordProfile.
  • The user is indeed required to change their password on first sign-in.
  • However, we are missing two critical features:
    1. Sending a notification (like a “Your Account Has Been Created” email) to the newly created user.
    2. Providing a secure way for them to set their own password without sending the random temporary password in plain text via email.

Question

Is there a recommended way, out-of-the-box or via custom policies, to achieve this workflow in MS Entra External ID for B2C users (i.e. local accounts)? Specifically, can we create a new user via the Graph API and simultaneously trigger an email so that the user can complete their account setup (set their own password) without having to send a temporary password in plain text?

We’ve seen references to the “invitation” API, but that appears to be intended for Workforce tenants rather than External/B2C tenants. If there’s a similar functionality for B2C, or a best practice for implementing the same, we’d really appreciate any guidance or pointers. Any resources, documentation links, or suggestions would be greatly appreciated!

Thank you in advance for your help!

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,776 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,981 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Udayashankar K.N 80 Reputation points Microsoft Employee
    2025-01-08T11:59:37.03+00:00

    Yes, you can create a new user via the Graph API and trigger an email to complete account setup in Microsoft Entra External ID

    https://zcusa.951200.xyz/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers

    I have tried this in one of the scenarios it worked however in your scenario please check if these fits

    Microsoft Entra External ID also allows you to: 

    • Configure cross-tenant access settings 
    • Invite users to collaborate using their Microsoft Entra accounts, Microsoft accounts, or social identities 
    • Use B2B collaboration to let business guests access apps and resources 
  2. Udayashankar K.N 80 Reputation points Microsoft Employee
    2025-01-08T12:00:10.9866667+00:00

    Microsoft Entra External ID also allows you to: 

    • Configure cross-tenant access settings 
    • Invite users to collaborate using their Microsoft Entra accounts, Microsoft accounts, or social identities 
    • Use B2B collaboration to let business guests access apps and resources 
    0 comments
  3. Suraj 0 Reputation points
    2025-01-08T14:39:31.6066667+00:00

    I found a relevant questions and an answer here: https://zcusa.951200.xyz/en-us/answers/questions/1144234/how-to-generate-forgotpassword-link-dynamically

    Basically, in the previous version of Entra External ID i.e. ADB2C, there was a password reset policy. Which used to generate such a link as

    https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_pwdReset&client_id=xxxx-xxx-xxx-xxx-xxx&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login

    Upon user creation, sending such a link via email would also enable users to login to the application with a fresh password as a start. But the question is, how this can now be implemented via new Entra External ID?

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.