Power Pages Authentication: A Comprehensive Guide

Power Pages, a low-code development platform from Microsoft, lets you build external-facing business websites that read and write Dataverse data. Because those sites expose business data to people outside the organization, authentication is the control that decides who can reach which pages and records, and it deserves deliberate design rather than defaults. This article gives an overview of the authentication types Power Pages supports, how users are mapped to Dataverse records, and the settings and practices that matter when choosing and configuring a provider.

Power Pages Portal Authentication

In Power Pages, each authenticated user is represented by a contact record in Dataverse. The contact is the principal that web roles (and through them, table permissions) are assigned to, so no one can authenticate without one; the contact is created either ahead of time (for example when migrating existing users) or on the fly when a user registers. Setting up authentication therefore involves two steps:

  1. Create contacts in Dataverse.
  2. Associate identity providers with the contact. Note that there can be multiple identity providers for a contact, however, you can have only one instance of each identity provider type for OAuth 2.0 (such as Facebook, LinkedIn, Google, Twitter, and Microsoft). This association can happen when a user registers or can be created manually to migrate existing users.

For calling your own external APIs from the site, Power Pages offers an OAuth 2.0 implicit grant flow: a signed-in user can fetch a JWT from the site's token endpoint (/_services/auth/token), and the public key for verifying it is published at /_services/auth/publickey. As with any implicit grant, the token is handed straight to the browser rather than exchanged over a back channel, and the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against the implicit grant for new designs. If you use it, keep the tokens short-lived and have the receiving API validate the signature, issuer, audience and expiry before trusting any claim.

Identity Mapping

Identity mapping is the process of associating a user's external identity with the corresponding contact record in Dataverse. Power Pages uses the email claim from the identity provider for this. After a user signs in, the email claim in the token or SAML response is compared against the Primary Email field (emailaddress1) of the contact records. If exactly one contact matches, the user is associated with it. If none matches, a new contact is created together with the external identity record that links it to the provider. Two consequences matter for security. First, the match is only well defined when email addresses are unique in the contact table; duplicate addresses make the lookup ambiguous, so de-duplicate contacts before migrating users and keep the Require unique email setting enabled. Second, because linking is keyed on an address the provider asserts, only trust providers that verify address ownership; otherwise an account created at a permissive provider could be linked to someone else's contact.
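The following is an added example, not code from the article or from Power Pages itself: a small model of the email-claim-to-contact mapping just described, run over a constructed contact table so the three outcomes (unique match, no match, ambiguous match) and the verified-email check can be seen side by side. `contactid` and `emailaddress1` are the real Dataverse column names; `email` and `email_verified` are standard OpenID Connect claims. Rejecting an ambiguous match is an assumption made here for safety; the article does not state what the platform does with duplicates.

```javascript
// Added example (not Power Pages code): a model of the e-mail-claim -> contact
// mapping, run over a constructed Dataverse contact table.
// contactid / emailaddress1 are the real Dataverse column names; the claim names
// (email, email_verified) are standard OpenID Connect claims. Assumption: an
// ambiguous match is rejected rather than resolved by picking one contact.

// Constructed sample data standing in for Dataverse contacts. Two contacts
// share an address to exercise the ambiguous case.
const sampleContacts = [
  { contactid: "c1", emailaddress1: "alice@example.com" },
  { contactid: "c2", emailaddress1: "bob@example.com" },
  { contactid: "c3", emailaddress1: "bob@example.com" },
];

// Dataverse e-mail comparison is case-insensitive, so normalise both sides.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Map a provider token's claims onto a contact.
// Returns { action: "matched" | "created" | "rejected", contact?, reason? }.
// requireVerified models the caveat that linking by e-mail is only safe when
// the provider asserts it has verified the address.
function mapIdentity(claims, table, { requireVerified = true } = {}) {
  if (typeof claims.email !== "string" || claims.email.length === 0) {
    return { action: "rejected", reason: "no email claim" };
  }
  if (requireVerified && claims.email_verified !== true) {
    return { action: "rejected", reason: "email not verified by provider" };
  }
  const wanted = normalizeEmail(claims.email);
  const matches = table.filter((c) => normalizeEmail(c.emailaddress1) === wanted);

  if (matches.length === 1) {
    return { action: "matched", contact: matches[0] };
  }
  if (matches.length > 1) {
    // Ambiguous: refuse rather than guess. Keeping addresses unique (what the
    // "Require unique email" setting enforces at registration) prevents this.
    return { action: "rejected", reason: `ambiguous: ${matches.length} contacts share ${wanted}` };
  }
  // No match: create the contact and link the external identity to it.
  const created = { contactid: `new-${table.length + 1}`, emailaddress1: claims.email };
  table.push(created);
  return { action: "created", contact: created };
}

// Stand-alone demo over a copy of the sample table; returns the four outcomes.
function runDemo() {
  const table = sampleContacts.map((c) => ({ ...c }));
  return [
    mapIdentity({ email: "Alice@Example.com", email_verified: true }, table), // unique match
    mapIdentity({ email: "bob@example.com", email_verified: true }, table),   // ambiguous
    mapIdentity({ email: "carol@example.com", email_verified: true }, table), // no match -> create
    mapIdentity({ email: "dave@example.com" }, table),                        // unverified
  ].map((r) => r.action);
}
```

The point of the demo is the second and fourth calls: a duplicated address and an unverified claim are both refused, which is the behaviour you want to confirm (or compensate for) on a real site before trusting email-based linking for migrated users.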

Authentication Methods in Power Pages

Power Pages offers a range of authentication methods to cater to diverse user access scenarios. These methods can be broadly categorized into two main types:

  • Local Authentication: Usernames and password hashes are stored in the Dataverse environment and the site itself validates sign-ins. This is simple to set up but puts credential storage, password policy and lockout handling on your site, and Microsoft strongly recommends moving from local authentication to Azure AD B2C.
  • External Authentication: An external identity provider handles authentication and password management, so the site never stores passwords and credential resets, MFA and lockout policy live with the provider. This reduces administrative burden and improves the user experience. Power Pages supports the following external identity providers:
      • Azure Active Directory (Azure AD, now Microsoft Entra ID): An identity and access management service that lets users sign in with their organizational accounts. Even employees who sign in with Azure AD need a corresponding contact record in Dataverse.
      • Azure Active Directory B2C (Azure AD B2C): A business-to-consumer identity service that lets users sign in with social accounts or with local accounts managed by the B2C tenant. Migrating to Azure AD B2C brings the ability to enforce multi-factor authentication (MFA) and password complexity rules and to apply measures that mitigate credential attacks.
      • Other identity providers: Social providers such as LinkedIn, Facebook, Google and Twitter (OAuth 2.0), and any provider that implements OpenID Connect, SAML 2.0 or WS-Federation. As noted above, only one instance of each OAuth 2.0 provider type can be configured on a site at a time.


Power Pages supports four external identity protocols: OAuth 2.0, SAML 2.0, WS-Federation, and OpenID Connect. External sign-in is built on ASP.NET Identity, and users can also sign in with a local contact membership provider-based account, although this is not recommended. You can enable several identity providers at once, and users then pick one on the sign-in page.

Setting Up User Authentication

To set up user authentication for your site, follow these steps:

  1. Select general authentication settings.
  2. Enter the settings for a specific identity provider.

To configure general authentication settings, go to Security > Identity providers > Authentication settings in the Power Pages design studio.

The available general settings are:

  • External login: Enables or disables sign-in through the configured external identity providers (site setting Authentication/Registration/ExternalLoginEnabled).
  • Open registration: Controls whether anonymous visitors can create local user accounts on the site (site setting Authentication/Registration/OpenRegistrationEnabled). Leave this off unless self-service local accounts are genuinely required.
  • Require unique email: Requires each registering user to provide an email address not already held by another contact (site setting Authentication/Registration/RequireUniqueEmail). Keep it on; identity mapping relies on email uniqueness.

Note that changes to your site's authentication settings might take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.

Configuring Identity Providers

This section describes how to add, edit, delete and set a default identity provider in Power Pages.

Adding an Identity Provider

To add an identity provider, follow these steps:

  1. In your Power Pages site, select Security > Identity providers.
  2. Select + New provider.
  3. In the ... configure the provider as described in its documentation: Configure an OpenID Connect provider. Configure a SAML 2.0 provider. Configure a WS-Federation provider.
  4. Select Confirm.

Editing an Identity Provider

To edit an identity provider, follow these steps:

  1. In your Power Pages site, select Security > Identity providers.
  2. To the right of the identity provider name, select More Commands (...) > Edit configuration.
  3. Change the settings in accordance with the documentation for the provider: Set up an OAuth 2.0 provider. Set up an OpenID Connect provider. Set up a SAML 2.0 provider. Set up a WS-Federation provider.
  4. Select Save.

Deleting an Identity Provider

To delete an identity provider, follow these steps:

  1. In your Power Pages site, select Security > Identity providers.
  2. To the right of the identity provider name, select More Commands (...) > Delete.

Setting a Default Identity Provider

To set a default identity provider, follow these steps:

  1. In your Power Pages site, select Security > Identity providers.
  2. To the right of the identity provider name, select More Commands (...) > Set as default.

If you set an identity provider as the default, users can't choose any other identity provider. To remove the default and allow users to select a configured identity provider when they sign in, select Remove as default.

Customizing the Authentication Experience

You can customize the authentication experience in Power Pages to align with your branding and user experience requirements. Here are some ways to achieve this:

  • Modify the sign-in page: You can modify the default sign-in page by using content snippets, CSS, and HTML. For example, you can hide the "Local" authentication option if you only want to use Azure AD, or add JavaScript that sends users directly to the Azure AD login page. Treat such changes as cosmetic: hiding the local login form does not disable local authentication, because the form's endpoint still accepts requests. To actually turn it off, set the site setting Authentication/Registration/LocalLoginEnabled to false, and to send users to a single provider prefer the Set as default option described above over client-side redirects.
  • Use content snippets: Content snippets allow you to manage and update small pieces of content on your website, including text, images, and code. You can use them to customize the labels, messages, and other elements on the sign-in page.
  • Apply CSS and HTML: You can use CSS to style the appearance of the sign-in page and HTML to modify the structure and layout of the page elements, giving a sign-in experience that matches the rest of the site.
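As an added example of the JavaScript customization mentioned above (not code from the article or from Microsoft), the following hides the local sign-in form and redirects visitors to one external provider. It assumes the site's external login route is /Account/Login/ExternalLogin with `provider` and `returnUrl` query parameters, that `PROVIDER` is the provider's name as listed under Security > Identity providers, and that the local form carries the CSS class `.login-form-local`; verify all three against your own site. The part worth copying is the `returnUrl` check: that value arrives in the query string, so an unvalidated redirect would turn the sign-in page into an open redirector.

```javascript
// Added example (not from the article or from Microsoft): client-side
// customisation that hides the local sign-in form and sends users straight to
// one external provider. ASSUMPTIONS: the site's external login route is
// /Account/Login/ExternalLogin with `provider` and `returnUrl` query parameters,
// PROVIDER is the provider's name as listed under Security > Identity providers,
// and ".login-form-local" is the local form's CSS class. Check all three.

const PROVIDER = "Azure AD"; // assumed provider name

// returnUrl comes from the query string, so treat it as attacker-influenced.
// Accept only a path on this site: reject absolute URLs, protocol-relative
// "//host" forms, the "/\host" variant some URL parsers normalise to "//host",
// and anything containing whitespace or control characters.
function isSafeReturnUrl(returnUrl) {
  if (typeof returnUrl !== "string" || returnUrl === "") return false;
  if (!returnUrl.startsWith("/")) return false;
  if (returnUrl.startsWith("//") || returnUrl.startsWith("/\\")) return false;
  if (/[\u0000-\u0020\u007f]/.test(returnUrl)) return false;
  return true;
}

// Build the provider login URL, falling back to "/" when returnUrl is unsafe.
function buildExternalLoginUrl(provider, returnUrl) {
  const safeReturn = isSafeReturnUrl(returnUrl) ? returnUrl : "/";
  const params = new URLSearchParams({ returnUrl: safeReturn, provider });
  return `/Account/Login/ExternalLogin?${params.toString()}`;
}

// Extract returnUrl from a query string such as "?returnUrl=%2Fportal".
function returnUrlFromQuery(search) {
  return new URLSearchParams(search).get("returnUrl") || "/";
}

// Browser-only part, guarded so the helpers above also load outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const localForm = document.querySelector(".login-form-local");
  if (localForm) localForm.style.display = "none";
  window.location.replace(
    buildExternalLoginUrl(PROVIDER, returnUrlFromQuery(window.location.search))
  );
}
```

Place the script in the sign-in page's custom JavaScript. Hiding the form is purely visual; disabling local login is done with the Authentication/Registration/LocalLoginEnabled site setting, as noted above.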

Troubleshooting Authentication Issues

This section provides guidance on troubleshooting common authentication issues in Power Pages.

Renewing the Authentication Key

Power Pages uses a website authentication key to authenticate the site itself to the Dataverse environment. The key has an expiration date (shown where described below) and must be renewed before it lapses; an expired key breaks the site's connection to Dataverse, so end users lose access even though nothing in the identity provider configuration has changed.

To renew the key, follow these steps:

  1. Open the Power Platform admin center.
  2. In the Resources section, select Power Pages sites.
  3. Select the site for which you want to manage the website authentication key.
  4. In the site details page, select Website Authentication Key in the Security section.
  5. Select Update key.
  6. Select OK in the message. The update process starts, and a message is displayed.

Checking Authentication Key Details

The details of an authentication key are displayed in the Power Platform admin center and on the website.

Power Platform admin center

  1. Open the Power Platform admin center.
  2. In the Resources section, select Power Pages sites.
  3. Select the site for which you want to manage the website authentication key.
  4. In the site details page, select Website Authentication Key in the Security section.

Website

  1. Sign in to the website with a user that is assigned the administrator web role.
  2. Navigate to the URL <website_path>/_services/about. The authentication key expiration date is displayed.

Troubleshooting Renewal of Authentication Key

If the key update fails, an error message is displayed along with the following action:

  • Retry Authentication Key Update: This action allows you to restart the website authentication key update process. If the update fails multiple times, contact Microsoft support.

Robert Lienhard

Lead Global SAP Talent Attraction | Servant Leadership & Emotional Intelligence Advocate | Passionate about the human-centric approach in AI & Industry 5.0 | Convinced Humanist & Libertarian

1 month

Kunal, a great perspective that brings meaningful insights. Your reflections are clear and structured in a way that adds depth. It’s always valuable to see such well-framed contributions. Appreciate your thoughtful input.


More articles by Kunal Sethi
