Microsoft Entra ID · Developer & Technical
Authentication Extensibility Password Administrator
Triggers password submit events for custom authentication extensions. Works alongside Authentication Extensibility Administrator to enable password-based custom authentication flows.
Scope: Manage password submit events within custom authentication extension flows
Permissions
- Trigger password submit events for custom authentication extensions
- Invoke custom authentication extension password flows
- Read basic directory information
- Read basic properties on policies
Common use cases
- Custom password validation during sign-in
- External password store integration
- Legacy system password migration flows
- Custom password policy enforcement during authentication
Best practices
- Use only with tested and validated custom extensions
- Ensure password data is never logged or exposed
- Monitor extension invocations for anomalies
- Keep extension endpoints highly available
- Implement rate limiting on password submit endpoints
Security considerations
- Handles password data in authentication flows — treat as highly sensitive
- A compromised extension could intercept passwords
- Extension endpoints must use TLS and be secured
- Assignment of this role should be limited to service accounts or automation identities
- Monitor all password submit event invocations