Microsoft Entra External ID on Flask Mobile App

Question

I would like to know how to integrate Microsoft Entra External ID into my Flask-based mobile app. Currently, the app uses custom authentication through Flask, and user credentials are stored in a table in a SQL Server database. An admin authorizes each user stored in the table with a flag column (0 or 1). Each authorized user also has private IDs that allow the app to retrieve useful information. I would like to know if these app processes can be maintained with Microsoft Entra External ID, or if the code needs to be completely rewritten.

I tried to search for documentation and guides related to my problem in Python but without success.

Answer 1

You should be able to integrate your application with Microsoft Entra External ID. There are few important points that need clarification.

1. Microsoft Entra External ID is identity provider which uses standards (OpenID Connect and OAuth) for authentication process.
2. The recommended approach for integrating applications with Microsoft Entra is to use official libraries provided by Microsoft: Microsoft Authentication Library and Microsoft Identity Web. In your case you can use MSAL for Python. You can also check this sample.
3. Now when it comes to identifiers for the users. When user account is created in the Microsoft Entra External ID, there is unique Object ID value assigned to it. You can use this property to correlate data with the user profile. Example: you can store some additional details about the user in the SQL database and add Object ID column which will store unique identifier of the user. Then when you want to retrieve information about the user, you extract Object ID claim from the ID Token issued to your application and you use it in the database query.
4. I assume that you have some API that Mobile App is using to retrieve the data. In this case you can also secure API with Microsoft Entra External ID. Then, your application will use access token placed in the Authorization header during each HTTP request to your API. Your API then can validate access token, extract user ID from it and then retrieve user's data. You can also add authorization mechanism there and before returning any data, you can check the flag value set by admin. If it is 0, then you can return 401, unauthorized from your backend. Then your mobile application should render the proper information to the user. Here it is very important to understand the difference between authentication and authorization. User can authenticate using Microsoft Entra External ID and enter the application but decision about access to specific features should be handled by your API and authorization model.

To summarize, the changes you want to add when it comes to Microsoft Entra External ID are not only about the source code changes. This is also how you update your architecture and data in the existing database.