Disable Email Self-Sign Up, but Allow Self-Sign Up on External IdPs
I only want users to be able to create accounts via an external identity provider in my Microsoft Entra External ID Tenant. I want to disallow the creation of accounts via the default email method. So far, I cannot do this.
I cannot delete email sign up via the Azure Portal - I can only switch between password and OTP.
I also cannot delete email sign up via the Graph API. I tried the following in the Graph API Explorer.
GET https://graph.microsoft.com/v1.0/identity/authenticationEventsFlows/REDACTED-ID/microsoft.graph.externalUsersSelfServiceSignUpEventsFlow/onAuthenticationMethodLoadStart/microsoft.graph.onAuthenticationMethodLoadStartExternalUsersSelfServiceSignUp/identityProviders/
...
"value": [
    {
        "@odata.type": "#microsoft.graph.builtInIdentityProvider",
        "id": "EmailPassword-OAUTH",
        "displayName": "Email with password",
        "identityProviderType": "EmailPassword"
    }
]
...
I extracted the id property from this response value and tried to use it in a DELETE call.
DELETE /identity/authenticationEventsFlows/REDACTED-ID/microsoft.graph.externalUsersSelfServiceSignUpEventsFlow/onAuthenticationMethodLoadStart/microsoft.graph.onAuthenticationMethodLoadStartExternalUsersSelfServiceSignUp/EmailPassword-OAUTH/$ref
{
    "error": {
        "code": "BadRequest",
        "message": "Resource not found for the segment 'EmailPassword-OAUTH'.",
        "innerError": {
            "date": "2025-12-01T16:37:15",
            "request-id": "4c5e5295-94a9-40b1-892b-83bab936f3ca",
            "client-request-id": "042a326c-1197-6f83-2c83-e90097f9df7a"
        }
    }
}
Did I make a mistake in the Graph API call?
Is there a different way I can remove email self-service account creation while preserving self-service account creation in the external identity provider?
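An added example, not part of the original post: it compares the posted DELETE path with the path derived from the GET collection URL, assuming Graph addresses a member reference as collection/id/$ref. FLOW_ID, ref_path and missing_segments are names made up for this sketch, and it only inspects the request path; it makes no call to the tenant.

```python
from urllib.parse import urlsplit

# Constructed from the two requests quoted in the post.
FLOW_ID = "REDACTED-ID"  # placeholder, the post redacts the real flow id
BASE = (
    f"/identity/authenticationEventsFlows/{FLOW_ID}"
    "/microsoft.graph.externalUsersSelfServiceSignUpEventsFlow"
    "/onAuthenticationMethodLoadStart"
    "/microsoft.graph.onAuthenticationMethodLoadStartExternalUsersSelfServiceSignUp"
)
GET_URL = "https://graph.microsoft.com/v1.0" + BASE + "/identityProviders/"
POSTED_DELETE = BASE + "/EmailPassword-OAUTH/$ref"


def segments(path_or_url: str) -> list[str]:
    """Split a Graph URL or path into segments, dropping host and API version."""
    parts = [p for p in urlsplit(path_or_url).path.split("/") if p]
    if parts and parts[0] in ("v1.0", "beta"):
        parts = parts[1:]
    return parts


def ref_path(collection_url: str, member_id: str) -> str:
    """Build the member reference path (assumed form): <collection>/<id>/$ref."""
    return "/" + "/".join(segments(collection_url) + [member_id, "$ref"])


def missing_segments(candidate: str, collection_url: str, member_id: str) -> list[str]:
    """Return the segments of the expected $ref path that the candidate lacks."""
    expected = segments(ref_path(collection_url, member_id))
    have = segments(candidate)
    missing, i = [], 0
    for seg in expected:
        if i < len(have) and have[i] == seg:
            i += 1  # candidate has this segment in the right position
        else:
            missing.append(seg)  # expected segment absent from candidate
    return missing


if __name__ == "__main__":
    provider_id = "EmailPassword-OAUTH"  # the id returned by the GET in the post
    print("expected:", ref_path(GET_URL, provider_id))
    print("posted:  ", POSTED_DELETE)
    print("missing: ", missing_segments(POSTED_DELETE, GET_URL, provider_id))
```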