What a Microsoft Entra ID integration gives you.
Corporate and trade accounts use Entra ID credentials to access the storefront, mobile app, trade portal and order-history pages without re-entering passwords. Role and account context is inherited from Entra ID so buying restrictions and pricing are consistent.
When a user is deleted or moved to a different role in Entra ID, access to storefronts, customer accounts, OMS and sensitive portals is cut within minutes. No orphaned accounts or stale permissions.
Group membership and manager relationships in Entra ID flow to trade-account permissions, approval workflows and delegation so that buying authority and visibility rules stay aligned with organisational structure.
Entra ID policies enforce MFA on high-value transactions, account changes and sensitive data access so that fraud, credential drift and account takeover risk is reduced without friction.
Internal teams access admin dashboards, reporting tools and operational portals with role-based permissions tied to Entra ID groups so that access governance is consistent and audit trails are clear.
Where a Microsoft Entra ID integration earns its place.
If two or more of these are true, the integration usually pays for itself quickly.
Where off-the-shelf connectors fall short.
Vendor connectors are fine for simple cases. Here's where the real ones need more.
Entra ID manages identity and authentication but does not understand commerce customer records, account hierarchies or trade-account structures. The mapping between Entra ID users and commerce accounts must be built and maintained separately.
Entra ID passes group membership to applications but does not manage storefront-specific roles, product visibility, pricing tiers or checkout restrictions. These rules must be configured in the commerce platform and kept in step with Entra ID groups.
When a user is deleted in Entra ID, the system does not automatically revoke access to commerce portals, OMS, ERP or customer-service systems. Each downstream system must be notified and updated separately.
Token expiry, session timeout and MFA challenges are set in Entra ID but may not match commerce workflows, checkout timelines or trade-portal usage patterns. Misalignment can cause unexpected logouts during sensitive transactions.
Entra ID can secure access to punchout portals but does not handle cXML/OCI handshakes, session tokens or buyer-specific catalogue provisioning. These must be built as separate workflows.
Access-control drift happens silently when Entra ID groups change and the mapping to storefront permissions is not monitored; the user thinks they have access, the platform denies them, and the integration team hears about it late.
Where this integration sits in your estate.
Microsoft Entra ID holds the commercial record. The iWeb integration layer manages the rules, mappings, monitoring and exceptions. The commerce platform presents the customer-facing experience. The estate map helps agree ownership before anything is built.
Storefront independent. Microsoft Entra ID feeds stock, pricing, orders and customer data into your chosen platform.
- User credentials and authentication
- Group membership and role definitions
- SAML / OpenID Connect protocol and certificate lifecycle
- Session tokens and MFA policy
- User attribute mapping (email, department, manager)
- Customer account records and account linking
- Storefront-specific permissions and visibility rules
- Trade-account hierarchy and approval workflows
- Product and pricing visibility by role
- Session and cookie management on storefronts
Systems this integration usually sits next to.
Examples, not a closed list. iWeb is platform-agnostic on both sides: we wire this integration into whatever ecommerce platform and surrounding systems your estate already runs.
- Adobe Commerce
- Magento Open Source
- Shopify Plus
- BigCommerce
- Other storefronts
- ERP (Microsoft Dynamics, SAP, NetSuite)
- OMS (OrderCloud, Brightpearl, Kibo)
- Customer data platform (Segment, mParticle)
- Trade-account and B2B portal systems
- Procurement and punchout workflows
- Customer service and helpdesk systems
- Business intelligence and reporting (Power BI)
Not sure if this works with your stack?
Tell us what you’re using and what needs to connect. We’ll give you a straight view on what’s possible, what might be awkward, and the safest way to approach it.
The data flows we wire.
Each flow has a direction and an owner. We agree both before a line of code is written.
How iWeb configures the integration around your business.
Same method on every integration. The decisions come before the code.
- 01SSO protocol design and certificate management
iWeb chooses SAML 2.0 or OpenID Connect based on your storefront platform, sets up metadata and certificates, and monitors certificate expiry so that SSO does not break due to configuration drift.
- 02Group-to-role and permission mapping
iWeb maps Entra ID security groups to commerce roles, product visibility, pricing tiers and approval workflows so that role changes in Entra ID propagate to storefront and portal access without manual synchronisation.
- 03Trade-account and corporate-account linking
iWeb builds bidirectional sync between Entra ID users and commerce trade accounts so that users log in to their company context, see account-specific pricing and shared baskets, and maintain manager-to-buyer delegation rules.
- 04Deprovisioning and access-revocation workflows
iWeb builds event-driven deprovisioning so that when a user is deleted in Entra ID, their sessions are terminated and access to storefronts, OMS, ERP and customer-service portals is revoked across all systems.
- 05Session and token lifecycle monitoring
iWeb monitors token validity, session expiry and MFA policy compliance so that access-control failures, expired certificates and configuration drift are caught in monitoring before users are locked out.
Who owns what.
The single most important table in any integration. One system owns each field; everything else reads it.
Built this before
iWeb has integrated Entra ID with multiple B2B and trade-account commerce estates. We understand how Entra ID sits alongside ERP, OMS, procurement portals and reporting systems, and how to handle SSO protocol setup, group mapping, account linking, deprovisioning and certificate lifecycle so that access governance stays reliable.
What we test before launch.
Every one of these is rehearsed before a customer ever sees the integration.
Common risks and where they bite.
We name these on day one. A risk written down is a risk you can plan around.
If Entra ID is introduced or replaced, users may be created twice in the commerce platform or left unlinked to their Entra ID identity. Deduplication and account linking must be planned before launch.
If Entra ID groups are renamed, merged or deleted without updating the commerce platform, users lose permissions without warning. Role-based access is often not monitored until a user reports a failure.
SAML certificates and metadata can expire without warning. If not monitored, SSO fails suddenly and users are locked out of storefronts and portals until the certificate is renewed and redeployed.
When a user is deleted in Entra ID, the deletion event may not reach OMS, ERP or customer-service systems. Access is revoked from the commerce platform but the user can still place orders via API or phone, creating audit and security risks.
If MFA policies are too strict (e.g. challenge on every login), trade users may abandon checkout or workflow steps. If too lenient, fraud risk increases. The balance must be tested before peak trading.
If Entra ID sessions expire faster than the commerce platform expects, users are logged out unexpectedly during long checkout or quote workflows. Token lifetime and session renewal must be aligned.
Relevant services and sectors.
Common questions about Microsoft Entra ID integrations.
Should we use SAML 2.0 or OpenID Connect?
SAML 2.0 is better for B2B and trade accounts where corporate identity and group membership matter most. OpenID Connect is lighter for consumer login and integrates more easily with mobile apps. iWeb recommends SAML 2.0 if you have a B2B audience or trade portal, and OpenID Connect if you are primarily B2C or need mobile-first single sign-on.
How do we link Entra ID users to commerce customer accounts?
iWeb builds a sync process that matches Entra ID user email addresses (or a custom ID attribute) to commerce customer records on first login. Once linked, user attributes from Entra ID (company, department, manager) flow to the customer account and inform storefront permissions and pricing tiers.
What happens to trade-account permissions when a user moves to a different group in Entra ID?
iWeb monitors group membership changes in Entra ID and updates commerce permissions in real time. When a user moves from the 'Buyers' group to the 'Approvers' group, their storefront role and approval authority change automatically so that permissions always match their current role.
How quickly are users deprovisioned when they leave the company?
iWeb captures user deletion events from Entra ID and propagates them to all connected systems (commerce platform, OMS, ERP, customer service) within minutes. Access is revoked across all channels and archived orders remain visible for audit but new orders cannot be placed.
What if an Entra ID group is renamed or deleted?
iWeb monitors group changes and alerts the integration team if a mapped group is no longer available. Groups should not be deleted without updating the commerce platform role mapping. If this happens, affected users lose permissions; iWeb can rebuild the mapping and restore access within the SLA.
How do we handle MFA (multi-factor authentication) on storefronts and trade portals?
Entra ID enforces MFA policy based on user type, device and risk factors. iWeb configures MFA challenge frequency and grace periods so that trade users are not blocked during checkout but high-value transactions and account changes still require a second factor.
What happens if an SSL certificate in Entra ID expires?
Certificate expiry breaks SAML SSO. iWeb monitors certificate expiry dates in Entra ID metadata and alerts 60 days before renewal is due. If a certificate expires, SSO fails and users are locked out until the certificate is renewed and metadata is redeployed to the commerce platform.
How do we manage SSO if we have both Entra ID and a legacy identity system?
iWeb can run both systems in parallel for a transition period. Users are migrated to Entra ID in waves, and legacy identities are deactivated once all associated storefronts and portals are using Entra ID SSO. Fallback to legacy authentication is maintained until full cutover.
Can Entra ID handle B2B punchout (cXML) and procurement workflows?
Entra ID can secure the login and session for punchout portals but does not handle cXML handshakes or buyer-specific catalogue provisioning. iWeb builds the punchout workflow separately, using Entra ID to authenticate the buyer and then managing the OCI/cXML session independently.
What data is shared between Entra ID and the commerce platform?
User email, first and last name, department, manager ID and group membership flow from Entra ID to commerce to link accounts and set permissions. Entra ID does not receive commerce data; it is purely an inbound authentication and authorisation source.
How do we monitor SSO and access-control failures?
iWeb instruments token validation failures, session timeouts, group-sync errors and deprovisioning gaps so that alerts reach the integration team. Dashboards track login success rate, MFA challenge frequency and access-revocation latency so that problems are spotted before users notice.
What is the rollback plan if SSO fails?
iWeb maintains a fallback authentication method (local password reset or secondary IdP) so that critical users can regain access if Entra ID or the SSO connection fails. Fallback is tested monthly and documented so that security and commerce teams know when and how to use it.
How often should we audit Entra ID group membership and storefront permissions?
iWeb recommends a quarterly review where group membership in Entra ID is cross-checked against storefront permissions in commerce. Orphaned accounts, stale groups and drift between Entra ID and commerce are identified and reconciled so that access control stays accurate.
Can Entra ID handle customer consent and GDPR unsubscribe?
Entra ID is an identity and access system, not a marketing or consent platform. Consent and unsubscribe preferences are stored in the commerce platform or a dedicated CDP. iWeb can link consent records to Entra ID users so that marketing platforms see consent status on login, but the source of truth remains separate.



