Set up site authentication

Deciding how users authenticate when they visit is a core customization in any Power Pages site. If you enforce authentication, users authenticate through an identity provider.

Power Pages includes several built-in OAuth 2.0 identity providers, so users can authenticate with a Microsoft, LinkedIn, Facebook, Google, or Twitter account. A website can have only one instance of an OAuth 2.0 identity provider at a time.

You can add SAML 2.0, OpenID Connect, and WS-Federation identity providers if you need them.

Power Pages lets makers and admins set up user authentication easily. After you select an identity provider, prompts in the app guide you through the remaining settings.

To set up user authentication for your site:

  1. Select general authentication settings.
  2. Enter the settings for a specific identity provider.

Note

Changes to your site's authentication settings can take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.

Tip

These steps apply to both standard and GCC environments. The navigation and settings are the same in both environment types.

Select general authentication settings

Some authentication settings don't depend on the identity provider you choose. They apply generally to your website's authentication method.

  1. Sign in to Power Pages.

  2. Create a site or edit an existing site.

  3. In the left panel, select Security.

  4. Under Manage, select Identity providers.

  5. Select Authentication settings.

  6. Select the general authentication settings you need, then select Save.

Next, enter the specific settings for your identity provider.

General settings

Select the following general authentication settings:

  • External login: External authentication is provided by the ASP.NET Identity API. Third-party identity providers manage account credentials and passwords.

    • On: To sign up for access, users select an external identity to register with the website. After it's registered, an external identity has access to the same features as a local account. Learn how to manage external accounts.
    • Off: Users can't register or sign in with an external account.
  • Open registration: Controls the sign-up form for creating a local user account.

    • On: The sign-up form allows any anonymous user to visit the website and create a user account. Users don't need an invitation code to register.
    • Off: The sign-up form is disabled and hidden. To require invitation codes for registration, turn off open registration and configure invitation settings.

    Important

    If open registration is On, any user can create an account without an invitation code. If your site requires controlled access, turn off open registration and use the Authentication/Registration/RequiresInvitation site setting to require invitation codes.

  • Require unique email: Specifies if users must provide a unique email address when signing up.

    • On: A sign-up attempt might fail if a user provides an email address that already exists in a contact record, including deactivated contacts. If users see an "email already in use" error, check for deactivated contact records that share the same email address.
    • Off: A new user can sign up with a duplicated email address.

Set up specific identity providers

Each identity provider has specific settings that you need to enter.

Note

If you use or add a custom domain name or change your site's base URL, you must set up your identity provider to use the correct reply URL.

  1. On your Power Pages site, select Security > Identity providers.

    The list shows all available identity providers.

    Screenshot of the identity providers list in a Power Pages site.

  2. To set up an identity provider that appears in the list, select Configure.

    If the provider you want isn't listed, add it.

  3. Keep the provider name as it is or change it if needed.

    The provider name appears on the button users select for their identity provider on the sign-in page.

  4. Select Next.

  5. For the remaining steps, find the provider in the common identity providers table and select the documentation link.

Add an identity provider

If the identity provider you want to use doesn't appear in the list, you can add it.

  1. In your Power Pages site, select Security > Identity providers.

  2. Select + New provider.

  3. In the Select login provider list, select Other.

  4. In the Protocol list, select the authentication protocol the provider uses.

  5. Enter the provider name as it appears on your site's sign-in page.

  6. Select Next.

  7. For the remaining steps, select Learn more on the configuration page to open the relevant documentation link.

  8. Select Confirm.

Edit an identity provider

  1. In your Power Pages site, select Security > Identity providers.

  2. Next to the identity provider name, select More Commands > Edit configuration.

  3. Change the settings based on the provider's documentation.

  4. Select Save.

Note

You can't change the configuration of the Local sign in and Microsoft Entra providers here. Use site settings instead.

Delete an identity provider

When you delete an identity provider, only its configuration is deleted. The provider is still available for future use with a new configuration. For example, if you delete the LinkedIn identity provider, your LinkedIn app and app configuration stay intact. Similarly, if you delete a Microsoft Entra External ID provider, only the configuration is deleted, and the Azure tenant configuration for this provider doesn't change.

  1. In your Power Pages site, select Security > Identity providers.

  2. To the right of the identity provider name, select More Commands > Delete.

Set a default identity provider

Set any configured identity provider as the default. When you set an identity provider as the default, users who sign in to the website aren't redirected to the sign-in page. Instead, they sign in using the selected provider.

You can only set a configured identity provider as the default.

Important

When you set an identity provider as the default, users can't choose any other identity provider.

  1. In your Power Pages site, select Security > Identity providers.

  2. To the right of the identity provider name, select More Commands > Set as default.

To remove the default and let users select a configured identity provider when they sign in, select Remove as default.

Troubleshoot common authentication issues

The following table lists common authentication issues and guidance on how to resolve them.

| Issue | Resolution |
| --- | --- |
| Users bypass invitation codes | If open registration is turned on, users can register without an invitation code. Turn off open registration and set the Authentication/Registration/RequiresInvitation site setting to true. Learn more: Invitation settings |
| "Email already in use" error | This error occurs when a contact record with the same email already exists, including deactivated records. Search for and resolve duplicate contact records in Microsoft Dataverse. |
| AADSTS700016: Application not found | This error typically appears when the application registration in Microsoft Entra ID doesn't match your site's configuration, or when a site is deleted and recreated without updating the identity provider. Verify the Client ID and Authority URL match your app registration, and reconfigure the identity provider after recreating a site. |
| "Invalid sign-in attempt" error | This error can occur when user credentials are incorrect, the account is locked due to too many failed attempts, or the contact record is deactivated. Verify the user's contact record status and account lockout settings. |
| Local sign-in shows Microsoft login screen | If a default identity provider is set, users are redirected directly to that provider instead of the local sign-in page. To restore the local sign-in page, remove the default identity provider. Alternatively, check the Authentication/Registration/LoginButtonAuthenticationType site setting. |
| Pages render differently for anonymous vs authenticated users | Authenticated pages are always served from the application server. Anonymous pages may be served from a CDN cache. Verify your page permissions and CDN settings are configured correctly for the intended audience. |
| Password rotation for local authentication | Local authentication doesn't natively support automatic password rotation policies. Consider migrating to Microsoft Entra ID or Azure AD B2C for advanced password policies. For local accounts, use the password reset flow to manually trigger password changes. |
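
The registration and default-provider guidance on this page, written as a check over a name-to-value map of site settings. This is an added example, not Microsoft's code; the OpenRegistrationEnabled and RequireUniqueEmail setting names, the shape of the input map, and the sample values are assumptions that don't appear on this page.

```python
# Added example: audit exported site settings against the guidance on this page.
REQ_INVITE = "Authentication/Registration/RequiresInvitation"              # named on the page
DEFAULT_IDP = "Authentication/Registration/LoginButtonAuthenticationType"  # named on the page
OPEN_REG = "Authentication/Registration/OpenRegistrationEnabled"           # assumed name
UNIQUE_EMAIL = "Authentication/UserManager/UserValidator/RequireUniqueEmail"  # assumed name


def as_bool(settings, name):
    """True/False for an explicit value; None when the setting is unset or unparsable."""
    raw = settings.get(name)
    if raw is None:
        return None
    return {"true": True, "false": False}.get(str(raw).strip().lower())


def audit(settings):
    """Return (severity, setting, message) findings for a name -> value mapping."""
    findings = []
    open_reg, req_invite = as_bool(settings, OPEN_REG), as_bool(settings, REQ_INVITE)
    if open_reg is True:
        # Per the page, this holds even if RequiresInvitation is true.
        findings.append(("high", OPEN_REG,
                         "anyone can register without an invitation code"))
    elif open_reg is None:
        findings.append(("review", OPEN_REG,
                         "not set explicitly; confirm under Authentication settings"))
    elif req_invite is not True:
        findings.append(("review", REQ_INVITE,
                         "controlled access also needs this set to true"))
    if as_bool(settings, UNIQUE_EMAIL) is False:
        findings.append(("medium", UNIQUE_EMAIL,
                         "sign-up accepts an email that another contact already uses"))
    if str(settings.get(DEFAULT_IDP) or "").strip():
        findings.append(("info", DEFAULT_IDP,
                         "default provider set; users skip the sign-in page"))
    return findings


# Constructed sample values, not taken from a real site.
WEAK = {OPEN_REG: "True", REQ_INVITE: "true", UNIQUE_EMAIL: "false",
        DEFAULT_IDP: "https://login.example.invalid/"}
HARDENED = {OPEN_REG: "false", REQ_INVITE: "true", UNIQUE_EMAIL: "true"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for severity, name, message in audit(cfg):
            print(f"  [{severity}] {name}: {message}")
```

A setting that is missing from the map is reported for review rather than assumed safe, because the page doesn't state the defaults.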