1. Overview
To collaborate securely with external users, Microsoft Entra supports federation with multiple identity providers (IdPs). This lets external users authenticate using their existing credentials — whether from corporate systems (like AD FS, Okta) or social platforms (like Google and Facebook).
Federation simplifies access while maintaining centralized control.
2. Direct Federation (SAML / WS-Fed IdPs)
Direct federation (the older name; Microsoft now calls it SAML/WS-Fed identity provider federation) allows Entra to trust a SAML 2.0- or WS-Federation-compatible identity provider.
When set up:
Important: The target domain for direct federation must not be DNS-verified in any Entra tenant.
3. How It Works
Existing guest users who joined before federation continue using their previous sign-in method.
4. Required Configuration for SAML 2.0
| Attribute / Claim | Required Value |
|---|---|
| AssertionConsumerService | https://login.microsoftonline.com/login.srf |
| Audience | urn:federation:MicrosoftOnline |
| NameID Format | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
| Claim: emailaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
Issuer: must match the partner IdP’s URI.
Claim types are compared as literal strings, so the emailaddress claim type must be sent with the http:// scheme exactly as shown, not https://.
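The following script is an added example, not part of the original notes or of any Microsoft tooling. It parses a SAML 2.0 Response the way an administrator might inspect a partner IdP's test assertion before enabling federation, and reports every value that deviates from the table above (ACS destination, issuer, audience, NameID format, emailaddress claim type). The issuer URI and the two sample responses are constructed for the example; the script checks content only and does not verify the XML signature, which Entra itself validates at sign-in.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values Entra expects from a SAML 2.0 partner IdP (the table above).
REQUIRED_ACS = "https://login.microsoftonline.com/login.srf"
REQUIRED_AUDIENCE = "urn:federation:MicrosoftOnline"
REQUIRED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Hypothetical partner issuer URI, used only for this example.
EXPECTED_ISSUER = "https://idp.example.com/"


def check_saml_response(xml_text: str, expected_issuer: str) -> list[str]:
    """Compare a SAML Response against Entra's requirements.

    Returns a list of human-readable findings; an empty list means every
    value in the table matched. Content only: the XML signature is not
    verified here (Entra does that at sign-in time).
    """
    findings = []
    root = ET.fromstring(xml_text)

    # AssertionConsumerService: the Response must be addressed to Entra's ACS.
    destination = root.get("Destination")
    if destination != REQUIRED_ACS:
        findings.append(f"Destination is {destination!r}, expected {REQUIRED_ACS}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Response carries no saml:Assertion")
        return findings

    # Issuer must be the partner IdP URI registered with Entra.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issuer is {issuer!r}, expected {expected_issuer!r}")

    # Audience must name Microsoft Online, not the partner's own entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if REQUIRED_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not include {REQUIRED_AUDIENCE}")

    # NameID must be persistent so the guest's link to the IdP stays stable.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != REQUIRED_NAMEID_FORMAT:
        findings.append(f"NameID Format is {fmt!r}, expected {REQUIRED_NAMEID_FORMAT}")

    # Claim types are matched literally: an https:// variant of the
    # emailaddress claim is simply a different, unrecognised claim.
    attr_names = {a.get("Name") for a in assertion.findall(
        "saml:AttributeStatement/saml:Attribute", NS)}
    if EMAIL_CLAIM not in attr_names:
        if EMAIL_CLAIM.replace("http://", "https://", 1) in attr_names:
            findings.append("emailaddress claim uses the https:// scheme; "
                            "claim types are matched literally, use http://")
        else:
            findings.append("no emailaddress claim in AttributeStatement")
    return findings


def sample_response(nameid_format: str, email_claim_name: str) -> str:
    """Build a constructed (unsigned) SAML Response for testing the checker."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{REQUIRED_ACS}">
  <saml:Assertion>
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{nameid_format}">u-42</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{REQUIRED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{email_claim_name}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: one that matches the table, one with two common mistakes
# (transient NameID, emailaddress claim sent with an https:// scheme).
GOOD_RESPONSE = sample_response(REQUIRED_NAMEID_FORMAT, EMAIL_CLAIM)
BAD_RESPONSE = sample_response(
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(xml, EXPECTED_ISSUER) or "OK")
```

Run it against a saved test Response from the partner (replace `EXPECTED_ISSUER` with the issuer URI you registered in Entra); each finding maps back to one row of the table, which makes the conversation with the partner's IdP administrator concrete.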
5. Required Configuration for WS-Federation
| Attribute / Claim | Required Value |
|---|---|
| PassiveRequestorEndpoint | https://login.microsoftonline.com/login.srf |
| Audience | urn:federation:MicrosoftOnline |
| Claim: ImmutableID | http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID |
| Claim: emailaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
Supported WS-Fed IdPs include AD FS and Shibboleth.
6. Google Federation
You can federate directly with Google so that users sign in with their Gmail accounts.
Step 1 – Create a Google Developer Project
Step 2 – Configure Federation in Entra
Google users can now authenticate directly when invited to your tenant.
Note:
Google federation works for Gmail users only — not Google Workspace (G Suite) domains (those use SAML federation).
7. Facebook Federation (for Self-Service Sign-Up)
You can add Facebook as an identity provider for self-service user flows, allowing users to sign in with their Facebook accounts.
Steps:
Copy App ID and App Secret.
In Entra Admin Center → External Identities → All Identity Providers → Facebook, enter those values and click Save.
Facebook federation only works for self-service sign-up flows, not for B2B invitations.
8. Removing Federations
To delete Google or Facebook federation:
Go to Entra Admin Center → External Identities → All Identity Providers.
Select the provider → click the ellipsis (…) → Delete → confirm.
Users who used that provider will no longer be able to sign in.
9. Real-World Example
Scenario:
Contoso collaborates with an external marketing company that uses Google accounts.
Rather than requiring Microsoft accounts, Contoso sets up Google federation.
The invited marketers log in directly using their Gmail credentials — simple for users, secure for IT.
10. Exam Tip
Direct federation = for enterprise IdPs (SAML / WS-Fed).
Google / Facebook federation = for social or unmanaged accounts.
Google federation ≠ Google Workspace federation (use SAML for Workspace).
Removing federation invalidates existing users’ sign-ins.
Redirect URIs must always include your tenant ID.
Summary
Unit 12 covered how to integrate and manage identity providers.
Federation simplifies external access while maintaining centralized security policies — ensuring that collaboration remains seamless, standards-based, and secure.