
User Enumeration issue Entra External ID

Aleksandr Matiev 0 Reputation points
2026-04-09T07:41:35.8766667+00:00

Hello Everyone.

I have a "User Enumeration" issue with the new Entra External ID (CIAM).
Previously with EntraID (B2C) we were able to customize the sign-in page with XML.
So we were able to create a single page with login and password fields, like:
Email
Password
And in the case of incorrect password or no existing email we always got the same message: "Incorrect user ID or password. Type the correct user ID and password, and try again."

But now, with Entra External ID we have a two-page sign-in flow: the first page asks for the user's email, and if this email exists in the tenant, we are redirected to the password page.
If the user doesn't exist, the message is "user not found".
So such behavior creates a critical security vulnerability, a dangerous contender and an opportunity for attackers to verify whether a specific person is a patient or user of that system, violating privacy.

What is the current approach/plan/settings which allows us to avoid such behavior?

Thanks for responses,
Regards



Answer accepted by question author
Q&A Assist
2026-04-09T07:41:54.12+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.

    In Microsoft Entra External ID for customers, the new sign-in experience is based on home realm discovery and a two-step flow where the identifier (email/username) is collected first and then the credential. This behavior is part of the platform’s design to support multiple authentication methods and improved error messaging.

    The provided documentation describes how, during sign-in, Microsoft Entra ID now performs a username lookup and returns clearer errors when the username or domain is not found, or when a consumer domain is used. This lookup behavior is built into the service and is not configurable in External ID user flows to behave like the legacy B2C one-page, opaque error model.

    To avoid exposing different messages for existing vs. non‑existing users in External ID, the only supported option is to move away from the built‑in user flows and implement a fully custom experience, similar to what was done previously with B2C custom policies. With a custom front end and custom policies/HTML, the app can:

    1. Collect email and password on a single page.
    2. Call External ID (or a custom API) and always display a generic error message to the end user, regardless of whether the account exists.

    The platform’s default External ID sign-in pages do not currently provide a setting to suppress user‑not‑found messaging or revert to the legacy one‑page behavior; achieving that requires a custom sign‑in experience.


