Before: Isolated Passwords, No MFA
External users had separate portal passwords with no MFA, no centralised identity, and no automated lifecycle — a security and operational nightmare.
No SSO
Separate passwords for the portal — forgotten, reused, shared. IT wastes time on resets.
No MFA
Password-only login. One compromised password = full account takeover. Regulators now require MFA.
No Central Identity
Accounts live in the portal's own database. No connection to the org's identity system. No audit trail.
Manual Provisioning
Admins manually create accounts, email credentials, hope users receive them. No lifecycle management.
Result: Security risk, compliance gaps, wasted admin time, and orphaned accounts.
Phase 1: Automated Provisioning
Admin creates a contact in the CRM — the system automatically provisions their cloud identity and sends a welcome email.
1. Contact Created in CRM
Admin sets the contact status to "Verified" in the backend system.
2. Cloud Identity Auto-Provisioned
A server-side plugin creates a secure account in the cloud identity platform automatically.
3. Welcome Email Sent
The user receives their portal link and instructions — no admin action needed.
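Added C# sketch of the Phase 1 bridge (not the project's own plugin code): a Dataverse plugin that, when a contact's status is set to "Verified", creates the matching local account in Entra External ID through Microsoft Graph. The "Verified" option value, the tenant domain, the app credentials and the post-image name are placeholders/assumptions, and the welcome email step is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Xrm.Sdk;

// Register on the Update message of "contact", post-operation, with a post-image named "PostImage".
public class ProvisionExternalIdentityPlugin : IPlugin
{
    // Assumed values: the statuscode option meaning "Verified" and the CIAM tenant domain used as the
    // issuer of local email identities. Read the app credentials from the step's secure configuration.
    private const int VerifiedStatusCode = 100000001;              // placeholder
    private const string TenantDomain = "contoso.onmicrosoft.com"; // placeholder
    private const string TenantId = "<tenant-id>", ClientId = "<client-id>", ClientSecret = "<client-secret>";

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
        var target = (Entity)context.InputParameters["Target"];
        // Act only when this update set statuscode to Verified; otherwise every later edit to an
        // already verified contact would try to create a duplicate identity.
        if (!target.Contains("statuscode") || target.GetAttributeValue<OptionSetValue>("statuscode").Value != VerifiedStatusCode) return;
        // The post-image carries the whole record even when only statuscode changed.
        var contact = context.PostEntityImages["PostImage"];
        var email = contact.GetAttributeValue<string>("emailaddress1");
        if (string.IsNullOrWhiteSpace(email))
            throw new InvalidPluginExecutionException("Contact has no email address; cannot provision identity.");
        var graph = new GraphServiceClient(new ClientSecretCredential(TenantId, ClientId, ClientSecret));
        var user = new User
        {
            AccountEnabled = true,
            DisplayName = contact.GetAttributeValue<string>("fullname"),
            // Local account keyed by email, the shape Entra External ID expects for email + password sign-in.
            Identities = new List<ObjectIdentity> { new ObjectIdentity
                { SignInType = "emailAddress", Issuer = TenantDomain, IssuerAssignedId = email } },
            // Random initial secret nobody sees; the user establishes their own password via
            // self-service reset from the welcome email (assumed flow).
            PasswordProfile = new PasswordProfile { Password = RandomSecret(), ForceChangePasswordNextSignIn = false },
            PasswordPolicies = "DisablePasswordExpiration"
        };
        var created = graph.Users.PostAsync(user).GetAwaiter().GetResult();
        tracing.Trace($"Provisioned identity {created.Id} for contact {contact.Id}");
    }

    // 24 random bytes in base64; the fixed prefix guarantees the character classes Entra requires.
    private static string RandomSecret()
    {
        var bytes = new byte[24];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return "Aa1!" + Convert.ToBase64String(bytes);
    }
}
```

The same plugin can cover the lifecycle step described later: on deactivation of the contact, patch the user with AccountEnabled = false instead of creating one.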
Phase 2: SSO + MFA Login Flow
The user clicks "Sign In" — they're redirected to the cloud identity provider for SSO authentication, then challenged with MFA.
1. User Clicks "Sign In with SSO"
No portal-specific password form — a single SSO button redirects to the identity provider.
2. Branded Sign-In Page
User enters email + password on the organisation's branded identity page (hosted by the CIAM provider).
3. MFA Challenge
Second factor required: Email OTP, SMS OTP, or Authenticator app push notification.
4. Authenticated & Redirected
Success — user is redirected back to the portal, fully authenticated with an encrypted session.
Security: Enterprise Hardening
Policy-driven security features enforced via the cloud identity platform — not custom code.
Single Logout
Logging out terminates all sessions — portal + identity provider. No ghost sessions.
Account Lockout
5 failed attempts = 15-minute lockout. Brute force blocked automatically.
No Username Enumeration
Generic error messages prevent attackers from discovering valid accounts.
Automated Lifecycle
Deactivate in CRM? Identity instantly disabled. No orphaned accounts.
Conditional Access
MFA enforced via policy, not code. Works across every connected app.
Results: Architecture & Impact
Enterprise-grade identity for external users — SSO, MFA, automated provisioning, and zero custom auth code.
Azure Entra External ID
Cloud identity platform for external users (CIAM)
OpenID Connect
Industry-standard SSO protocol integration
Conditional Access
Policy-driven MFA enforcement
Graph API
Automated user provisioning and lifecycle
C# Dataverse Plugin
CRM-to-identity automation bridge
PowerShell
Multi-environment deployment automation
0: Custom authentication code required
MFA: Policy-enforced on every login
SSO: Single identity across all connected apps
Auto: Provisioning + lifecycle from CRM
Enterprise Identity Without Custom Auth Code
SSO, MFA, automated provisioning, and centralised lifecycle — works with any web app that supports OpenID Connect.