Security in Power Pages isn’t just about setting permissions—it’s about designing an access model that is secure, seamless, and scalable.
For external-facing portals, Azure AD B2C (Business-to-Consumer) authentication is the go-to solution for managing user access, ensuring a smooth sign-in experience while maintaining strong security controls.
But how do you configure B2C authentication effectively? And how do you ensure users have the right level of access once authenticated? Let’s break it down.
Step 1: Setting Up Azure AD B2C for Power Pages
Azure AD B2C allows organizations to manage external users separately from internal employees. Here’s how to integrate it with Power Pages:
🔹 Registering an Application in Azure AD B2C
1️⃣ Go to Azure AD B2C in the Azure Portal.
2️⃣ Under App registrations, create a new application.
3️⃣ Set the redirect URI to your Power Pages site (https://yourportal.powerappsportals.com/signin).
4️⃣ Enable ID tokens for authentication.
🔹 Configuring User Flows for Sign-in & Sign-up
User flows define how users sign in and register. To set them up:
✅ Under User flows, create a new one (e.g., “Sign up and sign in”).
✅ Choose identity providers (email, social logins, etc.).
✅ Define user attributes (name, email, etc.).
✅ Link the flow to your registered application.
Once done, Power Pages will delegate authentication to Azure AD B2C instead of managing credentials directly.
Step 2: Enabling B2C Authentication in Power Pages
Once Azure AD B2C is set up, you need to configure Power Pages authentication settings:
1️⃣ In the Power Pages admin center, go to Set up Identity Providers.
2️⃣ Select Azure AD B2C and enter the B2C tenant details.
3️⃣ Specify the Authority (issuer URL), Client ID, and Redirect URI from Azure AD B2C.
4️⃣ Save and test authentication by signing in with a B2C user.
At this point, users can log in with B2C credentials, but they won’t have permissions yet—this is where access management comes in.
Step 3: Managing Access with Web Roles & Table Permissions
Power Pages doesn’t automatically grant permissions to authenticated users—you need to define who can access what.
🔹 Creating Web Roles for User Access
Web roles control what users can see and do in Power Pages. To configure:
✅ Go to Power Pages Management App > Security > Web Roles.
✅ Create roles like Registered User, Partner, Admin, etc.
✅ Assign roles to users automatically using Table Permissions.
🔹 Applying Table Permissions
Table permissions define which Dataverse records a user can access. Steps:
1️⃣ Go to Table Permissions in Power Pages.
2️⃣ Select the Dataverse table (e.g., Cases, Applications).
3️⃣ Set privileges (Read, Write, Create, Delete) and link them to Web Roles.
4️⃣ Apply scope:
- Global (all records)
- Account-based (records tied to their organization)
- User-based (only their own records)
✅ Example: A “Partner” role may only see their company’s data, while an “Admin” sees all records.
Step 4: Securing the Portal with Best Practices
Once authentication and permissions are in place, security hardening is key.
🔐 Limit Anonymous Access – Restrict unauthenticated users from accessing sensitive pages.
🔐 Use Multifactor Authentication (MFA) – Enforce MFA in B2C for additional security.
🔐 Monitor User Activity – Use Azure AD logs and Power Pages diagnostics to detect anomalies.
🔐 Apply Least Privilege – Only grant users the minimum access necessary.
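One way to run the least-privilege and anonymous-access checks above as a periodic review. This is an added example, not code from Power Pages or from this post: the sample records are constructed, the field names are illustrative rather than the Dataverse schema, and "Anonymous Users" is assumed to be the name of the unauthenticated web role.

```python
# Added example: least-privilege review of table permissions.
# SAMPLE_PERMISSIONS is constructed data; the field names are illustrative
# and do not mirror the Dataverse schema.
SAMPLE_PERMISSIONS = [
    {"name": "Cases - own", "table": "Cases", "scope": "User",
     "privileges": {"Read", "Write", "Create"}, "roles": {"Registered User"}},
    {"name": "Cases - company", "table": "Cases", "scope": "Account",
     "privileges": {"Read"}, "roles": {"Partner"}},
    {"name": "Applications - all", "table": "Applications", "scope": "Global",
     "privileges": {"Read", "Write", "Create", "Delete"}, "roles": {"Admin"}},
    {"name": "Applications - partner edit", "table": "Applications", "scope": "Global",
     "privileges": {"Read", "Write"}, "roles": {"Partner"}},
    {"name": "Cases - public", "table": "Cases", "scope": "Global",
     "privileges": {"Read"}, "roles": {"Anonymous Users"}},
    {"name": "Cases - legacy", "table": "Cases", "scope": "Account",
     "privileges": {"Read", "Delete"}, "roles": set()},
]

ADMIN_ROLES = {"Admin"}                # roles allowed Global scope and Delete
ANONYMOUS_ROLES = {"Anonymous Users"}  # assumed name of the unauthenticated role
MUTATING = {"Write", "Create", "Delete"}


def audit(permissions, admin_roles=ADMIN_ROLES, anonymous_roles=ANONYMOUS_ROLES):
    """Return sorted (permission name, rule) pairs that need review."""
    findings = set()
    for perm in permissions:
        roles, privs = set(perm["roles"]), set(perm["privileges"])
        non_admin = roles - admin_roles
        if not roles:
            # Not linked to any web role: grants nothing, likely stale.
            findings.add((perm["name"], "unlinked"))
            continue
        if roles & anonymous_roles:
            rule = "anonymous-write" if privs & MUTATING else "anonymous-read"
            findings.add((perm["name"], rule))
        if perm["scope"] == "Global" and non_admin:
            findings.add((perm["name"], "global-scope-non-admin"))
        if "Delete" in privs and non_admin:
            findings.add((perm["name"], "delete-non-admin"))
    return sorted(findings)


if __name__ == "__main__":
    for name, rule in audit(SAMPLE_PERMISSIONS):
        print(f"{rule:24} {name}")
```

Each finding is a prompt for review rather than a verdict: a Global read permission for anonymous users can be intentional for public content, but it should be a decision someone made on purpose.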
Final Thoughts: Security That Scales
By combining Azure AD B2C authentication, web roles, and table permissions, Power Pages can provide secure, role-based access for external users without compromising usability.
Security isn’t just a one-time setup—it’s an ongoing process. As your portal scales, periodically review roles, permissions, and authentication settings to ensure everything remains aligned with business needs.
🔹 Are you currently using B2C authentication in Power Pages? What challenges have you faced? Let’s discuss! 👇

