Skip to main content
Talk to an expert
Microsoft Entra ID logo

Microsoft Entra ID integration for ecommerce identity and access

Secure storefront access with identity and role governance tied to Entra ID. iWeb connects Microsoft Entra ID with your storefront so that corporate and trade users log in with their company identity, see account-specific context, and lose access immediately when they leave. Works with Adobe Commerce, Magento Open Source, Shopify Plus, BigCommerce and other storefronts.

Also searched as: SSO, single sign on, identity provider, SAML, OAuth, LDAP, customer accounts.

Microsoft Entra IDiWeb integration layeryour storefront
Works with - Adobe Commerce · Magento Open Source · Shopify Plus · BigCommerce · Other storefronts
01 · What you get

What a Microsoft Entra ID integration gives you.

Trade users log in once, access all channels

Corporate and trade accounts use Entra ID credentials to access the storefront, mobile app, trade portal and order-history pages without re-entering passwords. Role and account context is inherited from Entra ID so buying restrictions and pricing are consistent.

Access is revoked immediately when users leave

When a user is deleted or moved to a different role in Entra ID, access to storefronts, customer accounts, OMS and sensitive portals is cut within minutes. No orphaned accounts or stale permissions.

Corporate hierarchy and delegation rules are respected

Group membership and manager relationships in Entra ID flow to trade-account permissions, approval workflows and delegation so that buying authority and visibility rules stay aligned with organisational structure.

MFA and conditional access protect sensitive workflows

Entra ID policies enforce MFA on high-value transactions, account changes and sensitive data access so that fraud, credential drift and account takeover risk is reduced without friction.

Staff and administrators see role-based tool access

Internal teams access admin dashboards, reporting tools and operational portals with role-based permissions tied to Entra ID groups so that access governance is consistent and audit trails are clear.

02 · When it's worth it

Where a Microsoft Entra ID integration earns its place.

If two or more of these are true, the integration usually pays for itself quickly.

Trade-account customers logging in with their corporate identity and seeing their account-specific pricing and order history
Staff and administrators accessing internal commerce tools with role-based permissions tied to Entra ID groups
Account linking between Entra ID directory and commerce customer records to keep identities in step across channels
Deprovisioning workflows that cut access immediately when users leave or change roles
B2B buyers using Entra ID to access punchout sessions and procurement portals with single sign-on
MFA and conditional access policies enforced on customer login and sensitive commerce workflows
03 · The limits

Where off-the-shelf connectors fall short.

Vendor connectors are fine for simple cases. Here's where the real ones need more.

No built-in account linking to commerce customers

Entra ID manages identity and authentication but does not understand commerce customer records, account hierarchies or trade-account structures. The mapping between Entra ID users and commerce accounts must be built and maintained separately.

Limited visibility into role-based permissions on storefronts

Entra ID passes group membership to applications but does not manage storefront-specific roles, product visibility, pricing tiers or checkout restrictions. These rules must be configured in the commerce platform and kept in step with Entra ID groups.

No automated deprovisioning to downstream systems

When a user is deleted in Entra ID, the system does not automatically revoke access to commerce portals, OMS, ERP or customer-service systems. Each downstream system must be notified and updated separately.

Session and token lifetime not aligned with commerce SLAs

Token expiry, session timeout and MFA challenges are set in Entra ID but may not match commerce workflows, checkout timelines or trade-portal usage patterns. Misalignment can cause unexpected logouts during sensitive transactions.

B2B punchout and procurement workflows require custom integration

Entra ID can secure access to punchout portals but does not handle cXML/OCI handshakes, session tokens or buyer-specific catalogue provisioning. These must be built as separate workflows.

04 · The real work

Access-control drift happens silently when Entra ID groups change and the mapping to storefront permissions is not monitored; the user thinks they have access, the platform denies them, and the integration team hears about it late.

05 · Where it sits

Where this integration sits in your estate.

Microsoft Entra ID holds the commercial record. The iWeb integration layer manages the rules, mappings, monitoring and exceptions. The commerce platform presents the customer-facing experience. The estate map helps agree ownership before anything is built.

Storefront independent. Microsoft Entra ID feeds stock, pricing, orders and customer data into your chosen platform.

System of record
Source / owner
Microsoft Entra ID
Identity provider and access-control system for storefronts and trade portals
  • User credentials and authentication
  • Group membership and role definitions
  • SAML / OpenID Connect protocol and certificate lifecycle
  • Session tokens and MFA policy
  • User attribute mapping (email, department, manager)
iWeb integration layer
Customer-facing commerce
Commerce platform
Adobe CommerceMagento Open SourceShopify PlusBigCommerceOther storefronts
  • Customer account records and account linking
  • Storefront-specific permissions and visibility rules
  • Trade-account hierarchy and approval workflows
  • Product and pricing visibility by role
  • Session and cookie management on storefronts
Connected neighbours
Integration layer
ERP
Receives organisation and customer account data; commerce handoff may require Entra ID group context for approvals and cost-centre rules.
Integration layer
OMS and order management
Receives trade-account and approval-authority context from Entra ID; deprovisioning events must revoke access to order visibility and delegation.
Integration layer
Customer service and helpdesk
Uses Entra ID for staff login and role-based access to customer records, order history and refund workflows.
Integration layer
Procurement and punchout portals
Uses Entra ID to authenticate B2B buyers; punchout session and cXML handshake handled separately.
Integration layer
Business intelligence and reporting
BI tools may use Entra ID for staff login; user attributes inform row-level security and dashboard access controls.
Two-way sync where relevant
06 · Surrounding systems

Systems this integration usually sits next to.

Examples, not a closed list. iWeb is platform-agnostic on both sides: we wire this integration into whatever ecommerce platform and surrounding systems your estate already runs.

Ecommerce platforms (examples)
  • Adobe Commerce
  • Magento Open Source
  • Shopify Plus
  • BigCommerce
  • Other storefronts
Surrounding systems (examples)
  • ERP (Microsoft Dynamics, SAP, NetSuite)
  • OMS (OrderCloud, Brightpearl, Kibo)
  • Customer data platform (Segment, mParticle)
  • Trade-account and B2B portal systems
  • Procurement and punchout workflows
  • Customer service and helpdesk systems
  • Business intelligence and reporting (Power BI)
Not sure?

Not sure if this works with your stack?

Tell us what you’re using and what needs to connect. We’ll give you a straight view on what’s possible, what might be awkward, and the safest way to approach it.

07 · Data flows

The data flows we wire.

Each flow has a direction and an owner. We agree both before a line of code is written.

Into COMMERCE
From COMMERCE
BOTH WAYS
SSO assertions and tokens: Entra ID sends authentication assertions and session tokens to the storefront and commerce portals when users log in
iWeb handles SAML 2.0 or OpenID Connect protocol setup, token validation and session lifecycle so that users stay authenticated without repeated password entry.
Group and role provisioning: User group membership in Entra ID flows to commerce systems to set role-based permissions and account visibility
Changes to group membership propagate back to Entra ID so that access control stays aligned with organisational structure.
User and account data: Entra ID user records, email addresses and directory attributes sync to the commerce platform and customer database to link identities and personalise the storefront experience based on user attributes.
Deprovisioning and access events: When users are deleted or moved in Entra ID, access to commerce systems, trade portals and customer accounts is revoked
iWeb ensures that deprovisioning events are captured and acted upon without delay so that former users cannot access sensitive data.
Trade-account and corporate-account linking: Corporate accounts in Entra ID link to trade-account records in commerce so that buyers see account-specific pricing, shared baskets, delegation and approval workflows tied to their company identity.
08 · How we build it

How iWeb configures the integration around your business.

Same method on every integration. The decisions come before the code.

  1. 01
    SSO protocol design and certificate management

    iWeb chooses SAML 2.0 or OpenID Connect based on your storefront platform, sets up metadata and certificates, and monitors certificate expiry so that SSO does not break due to configuration drift.

  2. 02
    Group-to-role and permission mapping

    iWeb maps Entra ID security groups to commerce roles, product visibility, pricing tiers and approval workflows so that role changes in Entra ID propagate to storefront and portal access without manual synchronisation.

  3. 03
    Trade-account and corporate-account linking

    iWeb builds bidirectional sync between Entra ID users and commerce trade accounts so that users log in to their company context, see account-specific pricing and shared baskets, and maintain manager-to-buyer delegation rules.

  4. 04
    Deprovisioning and access-revocation workflows

    iWeb builds event-driven deprovisioning so that when a user is deleted in Entra ID, their sessions are terminated and access to storefronts, OMS, ERP and customer-service portals is revoked across all systems.

  5. 05
    Session and token lifecycle monitoring

    iWeb monitors token validity, session expiry and MFA policy compliance so that access-control failures, expired certificates and configuration drift are caught in monitoring before users are locked out.

09 · Ownership

Who owns what.

The single most important table in any integration. One system owns each field; everything else reads it.

Data
Source / owner
Maintained by
Notes
DataUser identity and authentication
Source / ownerMicrosoft Entra ID
Maintained byIdentity team / directory administrators
NotesEntra ID is the authoritative source for user credentials, MFA status, group membership and authentication events. Commerce platforms authenticate against Entra ID but do not modify user identity.
DataGroup membership and role definitions
Source / ownerMicrosoft Entra ID
Maintained byIdentity team / group owners
NotesEntra ID groups define access permissions and organisational roles. Commerce systems consume group membership to set storefront permissions and trade-account visibility. Group changes must propagate to commerce systems.
DataSSO protocol configuration and certificates
Source / ownerMicrosoft Entra ID and commerce platform (shared)
Maintained byIntegration team
NotesSAML metadata, certificates and federation settings are maintained in both systems. Certificate renewal and metadata updates must be coordinated so SSO does not break.
DataAccount linking and customer identity records
Source / ownerCommerce platform customer database
Maintained byiWeb integration and commerce operations
NotesCommerce platforms maintain the link between Entra ID users and storefront customer accounts. Sync bidirectional so that account attributes and permissions stay in step.
DataRole-based permissions and access control on storefronts
Source / ownerCommerce platform (rule engine)
Maintained byCommerce team / integration
NotesCommerce platforms enforce storefront-specific permissions, product visibility and checkout restrictions based on Entra ID group membership. Rules are owned and updated by commerce operations.
DataDeprovisioning and access-revocation events
Source / owneriWeb integration layer (event processor)
Maintained byIntegration team
NotesiWeb captures user deletion and group membership changes from Entra ID and ensures deprovisioning events reach all downstream systems (OMS, ERP, customer service). Failure handling and reconciliation owned by integration team.
DataSession and token lifecycle
Source / ownerMicrosoft Entra ID
Maintained byIdentity team
NotesEntra ID manages token expiry, session timeout and MFA challenge timing. Commerce platforms honour token lifetime and do not extend sessions beyond Entra ID policy.
10 · Experienced integrator

Built this before

iWeb has integrated Entra ID with multiple B2B and trade-account commerce estates. We understand how Entra ID sits alongside ERP, OMS, procurement portals and reporting systems, and how to handle SSO protocol setup, group mapping, account linking, deprovisioning and certificate lifecycle so that access governance stays reliable.

iWeb designs SAML 2.0 or OpenID Connect protocols and manages certificate and metadata lifecycle so SSO does not break due to expiry or configuration drift.
iWeb maps Entra ID groups to commerce roles and permissions so that access control propagates automatically when users change roles or leave the organisation.
iWeb builds account linking between Entra ID users and commerce customer records so that corporate buyers log in to their account context, see account-specific pricing and maintain approval authority.
iWeb instruments deprovisioning workflows so that when users are deleted in Entra ID, access is revoked from storefronts, OMS, ERP and customer-service systems within minutes, not days.
iWeb monitors token validity, session state, group sync and certificate expiry so that access-control failures are visible to the integration team before users are locked out.
11 · Before launch

What we test before launch.

Every one of these is rehearsed before a customer ever sees the integration.

Verify SAML metadata and certificates are valid and match both Entra ID and commerce platform configuration.
Test user deprovisioning by deleting a test user in Entra ID and confirming access is revoked from storefront, OMS and any downstream system within the SLA.
Confirm group membership changes propagate to commerce permissions within 5 minutes and that role-based pricing and visibility update on next user session.
Validate SSO fallback authentication works and is documented so that critical users can regain access if Entra ID is unavailable.
Monitor and alert on token expiry, certificate renewal, group sync failures and MFA policy changes so drift is caught before users are locked out.
Test MFA challenge frequency and grace periods on real commerce workflows (checkout, account change, order placement) to ensure friction is acceptable for trade users.
Perform account linking reconciliation across storefronts, trade portals and downstream systems to confirm no orphaned or duplicate user records remain.
12 · Failure points

Common risks and where they bite.

We name these on day one. A risk written down is a risk you can plan around.

Orphaned or duplicate user records after migration

If Entra ID is introduced or replaced, users may be created twice in the commerce platform or left unlinked to their Entra ID identity. Deduplication and account linking must be planned before launch.

Group-to-role mappings drift silently

If Entra ID groups are renamed, merged or deleted without updating the commerce platform, users lose permissions without warning. Role-based access is often not monitored until a user reports a failure.

Expired SSL certificates break SSO silently

SAML certificates and metadata can expire without warning. If not monitored, SSO fails suddenly and users are locked out of storefronts and portals until the certificate is renewed and redeployed.

Deprovisioning events are lost between systems

When a user is deleted in Entra ID, the deletion event may not reach OMS, ERP or customer-service systems. Access is revoked from the commerce platform but the user can still place orders via API or phone, creating audit and security risks.

MFA challenge breaks checkout or critical workflows

If MFA policies are too strict (e.g. challenge on every login), trade users may abandon checkout or workflow steps. If too lenient, fraud risk increases. The balance must be tested before peak trading.

Session timeout mismatches between Entra ID and commerce

If Entra ID sessions expire faster than the commerce platform expects, users are logged out unexpectedly during long checkout or quote workflows. Token lifetime and session renewal must be aligned.

14 · Questions

Common questions about Microsoft Entra ID integrations.

Should we use SAML 2.0 or OpenID Connect?

SAML 2.0 is better for B2B and trade accounts where corporate identity and group membership matter most. OpenID Connect is lighter for consumer login and integrates more easily with mobile apps. iWeb recommends SAML 2.0 if you have a B2B audience or trade portal, and OpenID Connect if you are primarily B2C or need mobile-first single sign-on.

How do we link Entra ID users to commerce customer accounts?

iWeb builds a sync process that matches Entra ID user email addresses (or a custom ID attribute) to commerce customer records on first login. Once linked, user attributes from Entra ID (company, department, manager) flow to the customer account and inform storefront permissions and pricing tiers.

What happens to trade-account permissions when a user moves to a different group in Entra ID?

iWeb monitors group membership changes in Entra ID and updates commerce permissions in real time. When a user moves from the 'Buyers' group to the 'Approvers' group, their storefront role and approval authority change automatically so that permissions always match their current role.

How quickly are users deprovisioned when they leave the company?

iWeb captures user deletion events from Entra ID and propagates them to all connected systems (commerce platform, OMS, ERP, customer service) within minutes. Access is revoked across all channels and archived orders remain visible for audit but new orders cannot be placed.

What if an Entra ID group is renamed or deleted?

iWeb monitors group changes and alerts the integration team if a mapped group is no longer available. Groups should not be deleted without updating the commerce platform role mapping. If this happens, affected users lose permissions; iWeb can rebuild the mapping and restore access within the SLA.

How do we handle MFA (multi-factor authentication) on storefronts and trade portals?

Entra ID enforces MFA policy based on user type, device and risk factors. iWeb configures MFA challenge frequency and grace periods so that trade users are not blocked during checkout but high-value transactions and account changes still require a second factor.

What happens if an SSL certificate in Entra ID expires?

Certificate expiry breaks SAML SSO. iWeb monitors certificate expiry dates in Entra ID metadata and alerts 60 days before renewal is due. If a certificate expires, SSO fails and users are locked out until the certificate is renewed and metadata is redeployed to the commerce platform.

How do we manage SSO if we have both Entra ID and a legacy identity system?

iWeb can run both systems in parallel for a transition period. Users are migrated to Entra ID in waves, and legacy identities are deactivated once all associated storefronts and portals are using Entra ID SSO. Fallback to legacy authentication is maintained until full cutover.

Can Entra ID handle B2B punchout (cXML) and procurement workflows?

Entra ID can secure the login and session for punchout portals but does not handle cXML handshakes or buyer-specific catalogue provisioning. iWeb builds the punchout workflow separately, using Entra ID to authenticate the buyer and then managing the OCI/cXML session independently.

What data is shared between Entra ID and the commerce platform?

User email, first and last name, department, manager ID and group membership flow from Entra ID to commerce to link accounts and set permissions. Entra ID does not receive commerce data; it is purely an inbound authentication and authorisation source.

How do we monitor SSO and access-control failures?

iWeb instruments token validation failures, session timeouts, group-sync errors and deprovisioning gaps so that alerts reach the integration team. Dashboards track login success rate, MFA challenge frequency and access-revocation latency so that problems are spotted before users notice.

What is the rollback plan if SSO fails?

iWeb maintains a fallback authentication method (local password reset or secondary IdP) so that critical users can regain access if Entra ID or the SSO connection fails. Fallback is tested monthly and documented so that security and commerce teams know when and how to use it.

How often should we audit Entra ID group membership and storefront permissions?

iWeb recommends a quarterly review where group membership in Entra ID is cross-checked against storefront permissions in commerce. Orphaned accounts, stale groups and drift between Entra ID and commerce are identified and reconciled so that access control stays accurate.

Can Entra ID handle customer consent and GDPR unsubscribe?

Entra ID is an identity and access system, not a marketing or consent platform. Consent and unsubscribe preferences are stored in the commerce platform or a dedicated CDP. iWeb can link consent records to Entra ID users so that marketing platforms see consent status on login, but the source of truth remains separate.

Next step

Have a Microsoft Entra ID integration brief?

Send the brief, or tell us what is breaking. You will get a written response from a senior expert: the integration boundary, the realistic shape, the risks worth naming, and what it takes to support after launch.
Talk to an expertOr browse all integrations →