This document covers Power Pages authentication architecture, Microsoft Entra ID (Azure AD) integration, and how the Contact system enables external user access to your portal.
Prerequisites: Complete Site Provisioning Guide before working through this material.
Power Pages supports multiple authentication methods, allowing you to choose the best approach for your external users:
-
Microsoft Entra ID (Azure AD) - Recommended for enterprise scenarios
- Single Sign-On (SSO) with Microsoft 365
- Multi-factor authentication support
- Conditional access policies
- Guest user support
-
Local Authentication - Built-in username/password
- Simple email/password registration
- Password reset functionality
- Email verification
-
External Providers - OAuth 2.0 / OpenID Connect
- Google, Facebook, LinkedIn, etc.
- Custom OAuth providers
┌─────────────┐
│ User │
│ (Browser) │
└──────┬──────┘
│
│ 1. Request protected page
▼
┌─────────────────┐
│ Power Pages │
│ Site │
└──────┬──────────┘
│
│ 2. Check authentication
│
├─── Authenticated? ──► Display page
│
└─── Not authenticated? ──► Redirect to sign-in
│
▼
┌─────────────────┐
│ Identity Provider│
│ (Entra ID, etc.) │
└────────┬────────┘
│
│ 3. Authenticate
│
▼
┌─────────────────┐
│ Create/Find │
│ Contact Record │
└────────┬────────┘
│
│ 4. Link user
│
▼
┌─────────────────┐
│ Power Pages │
│ Session │
└─────────────────┘
Microsoft Entra ID (formerly Azure AD) is the recommended authentication method for Power Pages because:
- Enterprise Integration: Seamless SSO with Microsoft 365
- Security: Advanced security features (MFA, conditional access)
- User Management: Centralized user directory
- Guest Access: Invite external users without creating full accounts
-
Enable Entra ID in Power Pages
- Navigate to Site Settings → Authentication
- Select Microsoft Entra ID as primary provider
- Configure application registration (automatic or manual)
-
Application Registration (Automatic)
- Power Pages can create the app registration automatically
- Recommended for most scenarios
- Handles redirect URIs and permissions
-
Application Registration (Manual)
- Create app registration in Azure Portal
- Configure redirect URIs:
https://your-site.powerappsportals.com/signin-oidc - Grant API permissions for Dataverse
- Copy Client ID and Client Secret to Power Pages
-
Required API Permissions (Scopes)
When configuring the app registration, you need to grant the following Microsoft Graph API permissions:
Permission Type Description Admin Consent Required Group.ReadWrite.AllApplication Read and write all groups Yes User.Invite.AllApplication Invite guest users to the organization Yes User.ReadDelegated Sign in and read user profile No User.ReadWrite.AllApplication Read and write all users' full profiles Yes Important Notes:
- All permissions require admin consent to be granted (except
User.Readwhich is delegated) - After adding permissions, click "Grant admin consent for [Your Organization]" to approve all permissions
- These permissions enable Power Pages to:
- Authenticate users via Entra ID
- Read user profile information
- Invite guest users to the organization
- Manage group memberships (if needed)
- Create and link Contact records in Dataverse
To add permissions:
- Navigate to Azure Portal → App registrations → Your app
- Go to API permissions
- Click "Add a permission"
- Select Microsoft Graph
- Choose Application permissions or Delegated permissions as specified above
- Select the required permissions
- Click "Grant admin consent" to approve all permissions
- All permissions require admin consent to be granted (except
-
User Mapping
- Configure how Entra ID users map to Contact records
- Options: Email match, User Principal Name (UPN), Custom claim
When using Entra ID, the onboarding process works as follows:
- Admin creates invitation (via Power Automate or manually)
- Invitation email sent to user's email address
- User clicks link → Redirected to Entra ID consent screen
- User authenticates → Entra ID validates credentials
- Power Pages receives token → Creates/finds Contact record
- User redirected to portal → Session established
In Power Pages, Contact records serve as the identity for external portal users:
- One Contact = One Portal User
- Contact record stores user profile information
- Contact email (
emailaddress1) is used for authentication - Contact ID links to all related data (Pets, Appointments, etc.)
| Field | Purpose | Authentication Use |
|---|---|---|
contactid |
Primary key (GUID) | Links to portal user session |
emailaddress1 |
Email address | Login identifier, invitation target |
firstname |
First name | User profile display |
lastname |
Last name | User profile display |
telephone1 |
Phone number | Contact information |
adx_identity_username |
Portal username | Internal portal identity |
adx_identity_logon_enabled |
Login enabled | Controls portal access |
- User visits portal and clicks "Sign Up"
- User fills registration form (Entity Form on Contact)
- Contact record created with
adx_identity_logon_enabled = true - User receives verification email
- User clicks verification link → Account activated
- Admin creates Contact record manually or via automation
- Admin sends portal invitation email
- User receives email with invitation link
- User clicks link → Redirected to Entra ID
- User authenticates → Contact linked to Entra ID account
- User can now access portal
- Anonymous user submits Booking Request form
- Power Automate flow triggers on record creation
- Flow checks if Contact exists (by email)
- If not exists: Flow creates Contact record
- Flow sends portal invitation email
- Flow links Contact to Booking Request
- User receives invitation → Registers → Can view booking status
Web roles define groups of portal users with specific permissions:
- Authenticated Users - Default role for all logged-in users
- Administrators - Full access to portal management
- Custom Roles - Business-specific roles (e.g., "Veterinarian", "Pet Owner")
Table permissions control what data users can access:
| Scope | Description | Use Case |
|---|---|---|
| Global | All records in table | Public data (Services) |
| Contact | Records where Contact = current user | User's own Contact record |
| Account | Records where Account = user's account | Organization-level data |
| Parent | Records where parent Contact = current user | User's pets, appointments |
| Self | Only the user's own record | Contact self-service |
For anonymous access (booking form), configure:
- Table Permission: Booking Request table
- Scope: Global
- Privileges: Create only
- Web Role: Anonymous Users
This allows unauthenticated users to submit booking requests without logging in.
In the PawsFirst Veterinary Portal, we use the Contact system as follows:
- Initial State: User is anonymous (no Contact record)
- Booking Request: User submits form anonymously
- Power Automate Flow:
- Creates Contact record (if doesn't exist)
- Sends portal invitation email
- Links Contact to Booking Request
- User Registration: User receives email, registers via Entra ID
- Authenticated Access: User can now:
- View their booking requests
- Manage their pets
- Book additional appointments
- Upload documents
Contact (Pet Owner)
│
├─── Pet 1 (Max - Dog)
│ ├─── Appointment 1
│ ├─── Appointment 2
│ └─── Document 1
│
└─── Pet 2 (Whiskers - Cat)
├─── Appointment 1
└─── Document 1
Table Permission Pattern:
- Pet Read:
pa911_petowner= current user's Contact ID - Appointment Read:
pa911_pet.pa911_petowner= current user's Contact ID - Document Read:
pa911_pet.pa911_petowner= current user's Contact ID
This ensures users only see data for their own pets.
- Always use table permissions - Never rely on UI hiding alone
- Scope appropriately - Use Contact/Account scopes for user-specific data
- Anonymous access carefully - Only allow create operations, never read/update
- Validate server-side - Don't trust client-side validation
- Clear invitation emails - Explain what the portal is and how to register
- Simple registration - Minimize required fields
- Password reset - Enable self-service password reset
- Profile management - Allow users to update their Contact record
- Use Power Automate - Automate Contact creation and invitations
- Link records - Always link Contact to related records (Booking Request, etc.)
- Status tracking - Use status fields to track onboarding progress
- Error handling - Handle duplicate emails, failed invitations gracefully
Issue: User cannot log in after invitation
- Check:
adx_identity_logon_enabled= true on Contact record - Check: Email address matches exactly (case-sensitive in some scenarios)
- Check: Entra ID app registration redirect URIs are correct
- Check: ExternalId Dataverse table has required information
Issue: User sees "Access Denied" on pages
- Check: Table permissions are configured correctly
- Check: User has appropriate web role assigned
- Check: Scope filters are correct (Contact ID matching)
Issue: Anonymous form submission fails
- Check: Table permission exists for Anonymous Users web role
- Check: Permission has Create privilege
- Check: Required fields are provided in form
- Power Pages Authentication Overview
- Microsoft Entra ID Integration
- Table Permissions
- Web Roles
- Contact Entity Documentation
- Power Automate Integration - Build user onboarding automation flow
Note: Booking Request Form should already be completed as it's covered earlier in Day 2.