Identity & Access Management

Why Service Principals Break on Third-Party Connectors in Power Automate – and What to Do Instead

If you’ve spent any time building Power Automate flows in a Microsoft 365 environment, you’ve probably learned to reach for service principals as the default identity for unattended automation. They don’t expire like passwords, they’re not tied to a human user who might leave the firm, and they fit cleanly into a zero-trust security model. For Microsoft-native services – SharePoint, Teams, Exchange via Graph API, Azure resources… they work exactly as advertised.

Then you connect a third-party service and everything stops working.

No helpful error message explaining the architectural mismatch. Just an authentication failure, a connector that won’t authorize, or a flow that runs fine in testing under your own credentials and silently breaks the moment you try to run it unattended under a service principal. If you haven’t hit this yet, you will. And when you do, the problem isn’t your configuration… it’s the fundamental way most third-party Power Automate connectors handle authentication.

This article explains why it happens, what your options are when it does, and how to make the right call for your environment – particularly in a law firm context where unattended flows touch sensitive matter data and auditability isn’t optional.

Why Service Principals Exist and Where They Excel

A service principal is an identity in Entra ID that represents an application or automated process rather than a human user. Where a user account authenticates with a username and password and carries with it all the lifecycle complexity that implies, a service principal authenticates using a client secret or certificate and operates with only the permissions it has been explicitly granted.

For unattended automation, this model is nearly ideal. Service principals don’t have passwords that expire and lock out a critical flow at 2am. They don’t get disabled when someone leaves the firm. They’re not subject to MFA prompts that block a non-interactive process. And because their permissions are granted explicitly through app registrations and API permission scopes, they’re auditable; you can see exactly what a service principal can access and why.

In a Microsoft 365 environment, service principals shine. Power Automate flows calling SharePoint via Graph API, reading Exchange mailboxes, writing to Azure Storage, or interacting with Dataverse all support app-only authentication. You register an app in Entra ID, grant it the appropriate Microsoft Graph or resource-specific permissions, and your flow runs cleanly without any human credential in the chain. This is the architecture Microsoft recommends for enterprise automation, and in the Microsoft ecosystem it delivers on that promise.

The assumption that follows – reasonably, but incorrectly – is that this model extends to everything you connect to Power Automate. It doesn’t. And the reason why gets to the heart of how third-party connectors are built.

The Third-Party Connector Problem

Power Automate connectors are not all built the same way. Microsoft-native connectors are built with app-only authentication in mind – they’re designed to accept a service principal’s token and act on its behalf without a human user in the loop. Most third-party connectors are not.

The reason is architectural. The majority of third-party Power Automate connectors are built on top of OAuth 2.0 delegated authorization flows. In a delegated flow, the application acts on behalf of a signed-in user – the connector authenticates as a specific human identity, inherits that user’s permissions, and performs actions as that person. The entire model assumes there is a user behind the connection. When you try to substitute a service principal – which has no user context, no delegated permissions, and no interactive sign-in – the connector has no framework to handle it. Authentication fails not because something is misconfigured, but because the connector was never designed to support that identity type.

This is not a gap that Microsoft can patch on behalf of third-party connector publishers. Each connector’s authentication model is determined by the publisher who built it and the API it wraps. If the underlying API only supports delegated OAuth flows, the connector will only support delegated OAuth flows. A service principal simply has no place in that handshake.

The practical consequence in Power Automate is significant. A flow that mixes Microsoft-native actions and third-party connector actions cannot use a single unified identity. The Microsoft actions can run under a service principal. The third-party actions cannot. Every third-party connector in the flow requires a connection – and that connection requires a human identity behind it, whether you want one there or not.

In a law firm context, this creates real operational and governance problems. Flows that touch matter data, trigger document actions, initiate signature requests, or interact with practice management systems are often built on exactly the connectors most likely to have this limitation. The workaround you choose has direct implications for security, auditability, and what happens when that human identity is no longer available.

The Workarounds and When to Use Each

There is no single fix for this problem. The right approach depends on the connector, the underlying API, and what your firm’s security and governance posture will tolerate. Here are the patterns that come up most often in practice.

Service Account with Delegated Credentials

The most common workaround is the simplest: create a dedicated service account – a licensed Microsoft 365 user account purpose-built for automation – and use its credentials to authorize the third-party connector connection. The flow runs under this account’s delegated identity, the connector sees a human user, and authentication succeeds.

This works reliably and is broadly compatible with virtually every third-party connector. It is also the approach that carries the most operational risk if it isn’t governed carefully.

The service account needs to be licensed appropriately for both Power Automate and any third-party service the connector touches. It needs MFA configured in a way that doesn’t block non-interactive flows – typically via a Conditional Access policy that excludes it from interactive MFA requirements, which itself requires careful scoping to avoid creating a broad security exception. Its credentials need to be stored securely, rotated on a defined schedule, and owned by a named team rather than an individual. And critically, the account needs to be monitored – if it gets disabled, has its password reset, or triggers a risk event in Entra ID, every flow depending on it will break simultaneously.

Use this approach when the third-party service has no API key or alternative authentication option, when the connector is a standard published connector with no customization path, and when you can put the governance controls in place to manage it properly.

Custom Connector with API Key or Client Credentials

Many third-party services that publish a Power Automate connector also expose a REST API that supports API key authentication or OAuth 2.0 client credentials – the app-only flow that service principals are built for. If that’s the case, you can bypass the published connector entirely and build a custom connector that authenticates using the API key or client credentials directly.

This approach eliminates the human identity from the connection entirely. The custom connector authenticates as the application, not as a user, which means no service account to govern, no delegated permission to manage, and no risk of a flow breaking because a user account was disabled.

The tradeoff is build and maintenance overhead. Custom connectors require someone to build and maintain the connector definition, manage API key rotation, and keep pace with any changes to the underlying API. In a law firm environment where IT teams are often lean, that ongoing maintenance commitment is a real cost to weigh against the governance benefit.

Use this approach when the third-party API supports app-only authentication, when the published connector’s limitations are blocking you beyond just the service principal issue, and when your team has the capacity to build and maintain a custom connector over time.

Direct HTTP Actions in Power Automate

If the third-party service exposes a REST API, Power Automate’s built-in HTTP action can call it directly using an API key or OAuth client credentials – bypassing the published connector entirely without building a full custom connector. This is the fastest path to eliminating a delegated identity from a specific API call, and it requires no additional infrastructure.

The limitation is maintainability. Direct HTTP actions are harder to reuse across flows, lack the discoverability of a proper connector, and put the burden of API construction – headers, authentication tokens, request bodies – directly in the flow definition. For simple, infrequent API calls this is a reasonable tradeoff. For complex integrations or calls made across many flows, a custom connector is the better long-term investment.

Use this approach for straightforward, low-volume API calls where speed of implementation matters more than long-term maintainability.

Azure Functions as Middleware

Azure Functions is a serverless compute service that lets you write lightweight code – in Python, C#, JavaScript, or other languages – that runs on demand in response to a trigger. As a middleware option, you write a Function that handles authentication to the third-party service and exposes a simple HTTP endpoint. Your Power Automate flow calls the Function, the Function handles the third-party authentication and API call, and returns the result. The flow never authenticates directly to the third-party service.

This gives you the credential isolation of a middleware approach without the full overhead of Azure API Management. Azure Functions is lower cost, faster to set up, and sufficient for many integration scenarios. The tradeoff compared to APIM is that you’re writing and maintaining code rather than configuration, and you don’t get the broader API gateway capabilities – centralized policy enforcement, rate limiting, developer portal, and detailed analytics – that APIM provides.

Use this approach when you need middleware for a specific integration and don’t need a full API gateway, and when your team is comfortable writing and maintaining code in an Azure Functions environment.

Azure API Management as Middleware

Azure API Management (APIM) is a Microsoft Azure service that acts as a gateway between your applications and the APIs they call. Rather than having each flow authenticate directly to a third-party service, APIM sits in the middle – managing authentication, logging calls, enforcing policies, and presenting a consistent interface to the flows calling through it.

In this model, your Power Automate flow calls an APIM endpoint using a service principal or API key. APIM handles the translation and manages authentication to the third-party service on the back end. The flow never authenticates directly to the third-party connector at all. Credentials for third-party services live in APIM, not in Power Automate connections, giving you centralized credential management and a single audit point for all calls passing through.

For law firms with multiple flows touching the same third-party services, APIM as a middleware layer consolidates what would otherwise be a sprawl of individual connector connections each carrying their own credentials. You also gain the ability to swap out the underlying third-party service without changing the flows that call through it.

The cost is complexity and infrastructure overhead. APIM is not the right answer for a single flow with one third-party connection. It becomes increasingly attractive as the number of flows, connectors, and third-party services grows and centralized governance becomes a priority.

Use this approach when you have multiple flows connecting to the same third-party services, when centralized credential management and auditability are firm requirements, and when your team has the Azure architecture capability to build and maintain the middleware layer.

Azure Logic Apps

Logic Apps is Microsoft’s developer-oriented workflow automation platform that sits alongside Power Automate in the Azure ecosystem. While Power Automate is optimized for citizen developers and business users, Logic Apps is built for engineering teams and supports managed identities natively – meaning it can authenticate to supported services using an Entra ID-managed identity without any stored credential at all.

In some cases, a flow that hits a service principal limitation in Power Automate can be rebuilt in Logic Apps and the authentication problem disappears entirely, because the Logic Apps connector for the same service supports app-only auth where the Power Automate connector does not. It is worth checking connector parity before committing to a more complex middleware approach.

The tradeoff is that Logic Apps requires engineering capability to build and maintain, sits outside the Power Platform governance model your firm may have established, and adds Azure infrastructure to manage. It is not a fit for citizen-developer-built flows, but for IT-owned automation touching sensitive matter processes it may be the cleaner long-term solution.

Use this approach when the equivalent Logic Apps connector supports managed identity or app-only auth, and when the flow is IT-owned and complex enough to justify moving off the Power Platform stack.

Choosing the Right Approach

No single workaround is universally correct. A useful way to work through the decision:

Start by checking whether the third-party service’s API supports app-only authentication. If it does, a custom connector, direct HTTP action, or Logic Apps managed identity may solve the problem cleanly without any service account. If it doesn’t, a service account with delegated credentials is likely your most practical path – with the governance controls to match.

If you have multiple flows hitting the same third-party services and credential sprawl is becoming a management problem, Azure Functions or APIM as middleware starts to make sense. If your firm already has an integration platform – MuleSoft, Boomi, Workato, or similar – in its environment for other purposes, routing Power Automate flows through that existing infrastructure may be simpler than standing up new Azure middleware.

The goal in every case is the same: minimize the number of human identities embedded in automated flows, govern the ones you can’t eliminate, and make sure every connection is owned, documented, and monitored.

Law Firm Considerations

The technical workarounds described above are available to any organization running Power Automate. In a law firm, the choice between them carries additional weight because the flows most likely to hit this problem are also the flows most likely to touch sensitive matter data, client information, or regulated processes. A few considerations specific to the legal environment are worth calling out explicitly.

Auditability is not optional. In a law firm, knowing what acted on a document, when, and under what identity is not just an IT concern – it can be a professional responsibility concern. When a flow runs under a service account with delegated credentials, the audit trail in the third-party system shows that service account’s identity, not the attorney or staff member who triggered the flow. Before committing to a workaround, map out what the audit record looks like end to end across every system the flow touches – Power Automate, the third-party service, your DMS, and any intermediate layer. Make sure that record satisfies both your internal governance requirements and any obligations to clients about how their matter data is handled.

Service account ownership needs to be explicit and documented. A service account that isn’t clearly owned by a named team is a governance liability. In law firms where IT turnover happens and matters span years, a service account created by someone who has since left – with credentials known only to that person – is a ticking clock. Every service account used in automation should have a named owner, credentials stored in a firm-managed secrets store, a documented rotation schedule, and a formal offboarding process that ensures the account doesn’t become an orphan when personnel change.

Licensing costs add up at scale. Service accounts require Microsoft 365 licenses, and depending on the third-party services involved, may require additional per-seat licensing from the connector publisher. In a large firm with many flows and many service accounts, this becomes a meaningful budget line. It is also an argument for pursuing the custom connector, HTTP action, or middleware approaches where the third-party API supports them – eliminating the delegated identity eliminates the licensing dependency entirely.

Flow failure at the wrong moment has matter-level consequences. In most industries a broken automation flow creates an IT ticket. In a law firm it can halt a time-sensitive matter process – signature requests don’t go out, documents don’t get filed, deadline-driven workflows stop mid-execution. Flows that touch matter processes need to be treated as operational dependencies, not background utilities. Build monitoring and alerting around service account health and flow run history, define a clear on-call response process for critical flow failures, and test your recovery procedure before you need it.

Power Automate connections are easy to create and easy to forget. Connections – the stored credentials that sit behind a connector – accumulate quickly in environments where both IT professionals and citizen developers are building flows. In a law firm, a connection created by a paralegal using their personal credentials to automate a matter workflow is a governance problem waiting to surface. Establish a process that inventories active connections across your Power Platform environment, maps each connection to its owning team, and reviews them on a regular cadence. Connections using personal user credentials rather than purpose-built service accounts should be flagged and migrated.

The citizen developer dynamic requires guardrails, not just guidance. Law firms increasingly encourage attorneys and legal operations staff to build their own automations in Power Automate. That’s a legitimate and valuable capability; but it creates a real risk of ungoverned service principal workarounds proliferating across the environment. A paralegal who discovers that their personal credentials work where a service principal doesn’t will use their personal credentials, and that connection will run unattended long after they’ve forgotten about it. Your Power Platform governance program needs to address this explicitly – not by restricting citizen development, but by providing approved, pre-built connection templates that use properly governed service accounts, so the path of least resistance is also the governed path.

Governance Recommendations

The workarounds in this article solve the technical problem. Governance is what keeps those workarounds from becoming the next problem. The following recommendations apply regardless of which approach your firm chooses, but are particularly important when service accounts or stored credentials are involved.

Maintain a connection inventory. Every Power Automate connection in your environment, the stored credential behind every connector, should be catalogued. At minimum, the inventory should capture the connection owner, the identity it authenticates as, the connectors and flows using it, and the date it was last reviewed. This doesn’t need to be complex, but it does need to exist. Without it, you have no reliable way to assess the blast radius when a service account is disabled or a credential is compromised.

Treat service accounts like infrastructure, not like user accounts. Service accounts purpose-built for automation should be provisioned, managed, and decommissioned through a formal process – the same way you would manage a server or an application registration. That means named ownership, documented purpose, credential storage in a secrets management solution such as Azure Key Vault, a defined rotation schedule, and a decommissioning process that ensures the account is disabled and its connections are migrated when it is no longer needed.

Store credentials in Azure Key Vault, not in flow definitions. It is technically possible to embed API keys and credentials directly in Power Automate flow definitions or environment variables. Don’t. Azure Key Vault provides centralized, auditable secrets management with access controls, rotation support, and logging. Flows and custom connectors should retrieve credentials from Key Vault at runtime rather than carrying them as static values. This applies to API keys, client secrets, and any other credential used in an integration.

Build flow ownership into your Power Platform governance model. Every flow that runs unattended in a production environment should have a named owner – a team, not an individual – responsible for its health, its connections, and its behavior. Flows without clear ownership are the ones that break silently and go unnoticed until a matter deadline surfaces the failure. Include flow ownership in your broader Power Platform Center of Excellence governance model, and build a regular review cadence that checks for orphaned flows, expired connections, and flows still running under personal user credentials.

Test failure scenarios before they happen in production. For every critical flow, define what happens when its connection breaks. Disable the service account in a test environment and observe the failure mode. Is there an alert? Does the flow fail gracefully or silently? Is there a notification to the flow owner? Is there a documented recovery procedure? In a law firm where flows touch matter processes, the answer to these questions should be known before a failure occurs in production, not discovered during one.

Align your Power Platform governance with your broader security program. Service accounts created for Power Automate connections should be visible to your security team, included in your privileged identity reviews, and subject to the same monitoring as other non-human identities in your environment. A service account that bypasses MFA via a Conditional Access exclusion is a potential attack vector – it should be treated as one, with compensating controls including sign-in monitoring, geographic restrictions, and regular access reviews.

Document the why, not just the what. For every non-standard authentication workaround – every service account, every custom connector, every middleware integration – document why that approach was chosen over the alternatives. Six months from now, the person inheriting the environment needs to understand not just what is running, but why it was built that way. In a law firm context where systems need to be defensible to clients, auditors, and firm leadership, that documentation is part of the governance record.

Conclusion

Service principals are the right default identity for unattended automation in Microsoft 365. They are more secure than service accounts, easier to govern than delegated user credentials, and purpose-built for the kind of non-interactive flows that modern law firm operations increasingly depend on. The problem is not with service principals – it is with the assumption that they work everywhere.

Most third-party Power Automate connectors were built around delegated user authentication. That is not a bug or an oversight – it reflects how OAuth 2.0 delegated flows work and how most connector publishers have chosen to implement them. Understanding that constraint is the first step to architecting around it deliberately rather than discovering it the hard way when a production flow fails.

The workarounds available to you – service accounts with delegated credentials, custom connectors, direct HTTP actions, Azure Functions, APIM, and Logic Apps – each make different tradeoffs between implementation complexity, governance overhead, and long-term maintainability. None of them is universally correct. The right choice depends on what the third-party API supports, how many flows are involved, and what your firm’s security and operational posture requires.

In a law firm, those choices carry more weight than in most environments. Flows that touch matter data, trigger document actions, or drive deadline-sensitive processes are not background utilities – they are operational dependencies. The identity behind them, the audit trail they produce, and the governance controls around them are not just IT concerns. They are part of how your firm demonstrates to clients, regulators, and firm leadership that sensitive matter processes are running under appropriate controls.

The firms that get this right are the ones that treat the service principal limitation not as a one-time technical problem to solve and move on from, but as a prompt to build a durable governance model for how non-human identities are provisioned, managed, and monitored across their entire automation environment. That model pays dividends well beyond Power Automate – it becomes the foundation for governing every automated process that touches matter data, regardless of what platform it runs on.

Entra ID B2B vs. Third-Party IdP: Choosing the Right SSO Architecture for External Client SharePoint Access

When you’re building SharePoint-based client portals or external collaboration sites on Microsoft 365, one of the earliest architecture decisions you’ll face is how to handle authentication for users outside your tenant. It sounds straightforward until you’re three conversations deep with a client’s IT team and realize their requirements don’t fit the pattern you assumed.

Law firms have been building SharePoint-based client extranets for years; secure spaces where clients can access matter documents, collaborate with attorneys, and exchange files without resorting to email. What has changed is the identity landscape. Clients arrive with their own IdPs, their own MFA requirements, and their own expectations about how they’ll log in. The decision about how to authenticate them is no longer just a technical configuration – it shapes your entire external collaboration architecture.

Two architectures come up repeatedly in this space: Entra ID B2B with Cross-Tenant Access and Access Packages, and a dedicated external Azure tenant fronted by a third-party identity provider. Both can get external users authenticated and into a SharePoint site. But they serve different needs, carry different operational costs, and make different assumptions about your clients’ environments.

This article focuses on the architectural reasoning behind each pattern – the tradeoffs that should drive your decision, not the implementation steps.

Understanding the Stack: SharePoint as a Collaboration Surface

Before evaluating SSO patterns, it is worth being precise about what role SharePoint actually plays in a law firm’s document architecture – because this shapes everything else.

In most law firms, SharePoint is not the system of record for matter documents. That role belongs to the Document Management System – iManage, NetDocuments, or a similar platform purpose-built for legal document governance. The DMS is where documents are filed, versioned, access-controlled, and retained. It is also where ethical walls are enforced.

SharePoint, in this context, serves as a collaboration surface. Attorneys use it to share selected documents with clients, exchange drafts, and collaborate on work product in a structured, secure space. A sync layer – a tool that selectively bridges the DMS and SharePoint – surfaces specific documents from the DMS into client-facing SharePoint collaboration spaces. Documents flow from the DMS into SharePoint for collaboration purposes; the DMS remains authoritative.

This architectural reality has a direct bearing on how you think about SSO and governance. The ethical wall enforcement that prevents one client from seeing another’s documents is primarily enforced at the DMS layer – not at SharePoint, and not at the identity layer. A client successfully authenticating into a SharePoint collaboration space does not give them access to documents that the DMS and sync layer have not explicitly made available to that space.

This does not diminish the importance of SSO architecture. It means you need to evaluate your SSO pattern in the context of this full stack — understanding which governance controls live at the identity layer, which live at the SharePoint layer, and which live at the DMS layer — rather than expecting any single layer to carry the full governance burden.

The Core Constraint: SharePoint Only Speaks Entra ID

With that context established, here is the platform constraint that drives the SSO architectural decision.

SharePoint Online has exactly one supported authentication provider: Entra ID. There is no native way to plug Okta, Ping Identity, Auth0, or any other third-party IdP directly into SharePoint. Every user who accesses a SharePoint site – internal or external – must be represented as an identity in an Entra ID tenant. Full stop.

This constraint is what makes external client authentication non-trivial. If your clients use non-Microsoft identity platforms, you cannot simply point SharePoint at their IdP and call it done. You have to architect around the limitation. The two patterns in this article are, at their core, two different answers to the same question: how do you get clients with diverse identity platforms into a SharePoint site when SharePoint only understands Entra ID?

Pattern 1 answers it by bringing external identities into your existing Entra ID tenant as B2B guests – Entra federates with the client’s IdP and issues a guest principal that SharePoint recognizes.

Pattern 2 answers it by standing up a dedicated Entra ID tenant for external use and placing a third-party IdP in front of it. The third-party IdP handles the identity brokering and authentication flexibility; Entra ID still does the SharePoint authentication on the back end. The client never needs to know or care that Entra is involved – they authenticate through whichever method their organization supports, and the IdP translates that into an Entra-compatible session.

Understanding this constraint also explains why you cannot simply choose your preferred IdP and wire it directly to SharePoint. The architecture decisions that follow are all shaped by working within – or around – this boundary.

The Two Patterns

Pattern 1: Entra ID B2B with Cross-Tenant Access and Access Packages

In this model, external users are invited into your internal Microsoft 365 production tenant as B2B guest accounts. With Cross-Tenant Access Settings, you can establish trust relationships with specific external tenants, controlling which of their users can authenticate and what claims you’ll accept from their IdP. Access Packages (part of Entra ID Governance) layer on top, giving you a structured way to bundle SharePoint site access, group memberships, and other resources into a requestable, time-limited entitlement.

Authentication flows through Entra ID. The external user signs in with their home tenant credentials, Entra ID federates the trust, and your tenant issues the session. From a SharePoint Online perspective, these users land as standard guest principals – fully supported by the modern SharePoint Online permission model.

This pattern works well when your clients are also Microsoft 365 shops with their own Entra ID tenants. The cross-tenant trust is clean, MFA claims can be honored across the boundary, and the overall experience for the end user is seamless.

Pattern 2: Dedicated External Tenant with a Third-Party IdP

In this model, a firm operates a second, separate Azure tenant – purpose-built for external client collaboration. This tenant has no trust relationship with the internal production tenant. Matter data, internal systems, and firm resources live in the production tenant; client-facing collaboration lives in the external tenant. The boundary between them is architectural, not policy-based.

A third-party identity provider – such as Okta, Ping Identity, Auth0, or others – sits in front of the external tenant. Clients authenticate through whichever method their organization supports: federated SSO from their own IdP, SAML2 assertions, OIDC, social identity, or direct credential management through the IdP itself. The third-party IdP handles the authentication flexibility that SharePoint cannot provide natively; Entra ID in the external tenant remains the authentication provider SharePoint requires, but the IdP abstracts that complexity away from the client entirely. You are not locked into requiring clients to have an Entra ID tenant. If a client uses any SAML2 or OIDC-capable IdP, it can federate directly. If they have no enterprise IdP at all, the third-party IdP can manage their credentials directly.

The core architectural decision here is the separation of tenants. Client users operate entirely within the external tenant and have no path – even accidentally – into the internal production environment.

When to Use Entra ID B2B (Pattern 1)

Your client is a Microsoft 365 shop – Cross-tenant B2B trust works cleanest when both sides are on Entra ID. The client’s users authenticate with credentials they already use every day, MFA is honored across the trust boundary, and there’s no separate identity lifecycle to manage on your end.

You need a rich, integrated collaboration experience – B2B guests in your tenant can access SharePoint Online with the full modern experience, participate in Teams channels, and interact with other Microsoft 365 services. If the use case demands more than basic document exchange – co-authoring, real-time collaboration, integrated workflows – B2B is better positioned to support it natively.

You want Access Package-driven entitlement management tied to matter lifecycle – Access Packages let you define exactly what a guest can access, set expiration dates, require periodic access reviews, and build approval workflows. For law firms, this maps naturally to matter lifecycle: provision access when an engagement opens, expire the package when the matter closes. Governance is built into the model rather than bolted on.

Client volume is manageable and engagements are well-defined – B2B works well when you can clearly scope each client’s access and actively govern guest lifecycle. The model becomes harder to manage as client volume grows and guest populations accumulate across many concurrent engagements.

When to Use the Dedicated Tenant with a Third-Party IdP (Pattern 2)

Your clients use diverse or non-Microsoft identity platforms – If a client uses Okta, Ping, a legacy SAML2 IdP, or no enterprise IdP at all, B2B cross-tenant trust is either unavailable or requires significant workarounds. A third-party IdP in a dedicated tenant accommodates the full range of client identity scenarios from a single integration point, regardless of what each client brings to the table.

You require data isolation at the infrastructure level, not just the policy level – In a B2B model, client isolation is enforced through permissions, Access Packages, and Conditional Access policies. Those controls are effective when configured correctly – but they are policy-based, which means a misconfiguration can create exposure. In a dedicated external tenant with no trust relationship to your production environment, the isolation is architectural. No policy error in the external tenant can expose your internal production data because there is no connection between them. For law firms handling highly sensitive matters, this distinction matters.

You need to support clients regardless of their technical maturity – Not every law firm client has a sophisticated IT organization. Some have no enterprise IdP. Some manage credentials in a basic directory with no federation capability. A third-party IdP can act as a full identity provider for clients who need it, or as a federation broker for clients who have their own. A single external tenant with a capable IdP in front gives you one consistent front door that accommodates the full spectrum of client technical environments.

You want to keep external identities entirely out of your production tenant – Some firms draw a deliberate architectural line: no external user accounts in the internal tenant, ever. A dedicated external tenant enforces this cleanly. Your production Entra ID stays firm-only – no guest objects, no cross-tenant trust entries, no external identity lifecycle to govern alongside your internal user population.

The Decision Framework

Before choosing a pattern, work through these questions:

1. What IdP does the client use?

If Entra ID, Pattern 1 is available and typically the simpler path. If the client uses a non-Microsoft IdP or no enterprise IdP at all, Pattern 2 handles the full range of scenarios more gracefully through a third-party IdP’s broader federation capabilities.

2. What is the sensitivity of the matter?

High-sensitivity matters – litigation, M&A, regulatory investigations – may warrant the stronger architectural isolation of Pattern 2. Routine client collaboration with lower confidentiality stakes may be well-served by Pattern 1 with well-governed Access Packages.

3. How many clients, and how long are the engagements?

Short-term, well-scoped engagements with a small number of client users favor Pattern 1. High-volume environments with many concurrent client engagements and long-running matters may benefit from the operational clarity of Pattern 2, where external identity lifecycle never touches your production tenant.

4. What collaboration experience is required?

Rich, integrated Microsoft 365 collaboration points toward Pattern 1. Document exchange and secure access with clients who need a reliable login experience regardless of their tech stack points toward Pattern 2.

5. Can you enforce cross-client isolation through policy, or do you need it at the infrastructure level?

This is the most consequential question for law firms. If your risk posture requires that no policy misconfiguration can ever create a cross-client data exposure in your production tenant, Pattern 2 provides that guarantee structurally. Pattern 1 can achieve strong isolation, but it requires disciplined, ongoing governance of every Access Package, Conditional Access policy, and guest permission assignment.

SSO Architecture Is One Layer of a Broader Governance Stack

The SSO pattern you choose is not, by itself, a complete governance solution. Authentication architecture determines how users get in. What they can see and do once they’re in is governed by a separate – and equally important – set of controls that span multiple systems.

This is particularly true in law firms, where the governance stack is deeper than the Microsoft 365 layer alone.

Ethical walls are primarily a DMS concern, not an identity concern – Most law firms enforce ethical walls at the Document Management System layer – not at SharePoint and not at the identity provider. DMS platforms purpose-built for legal use have their own ethical wall engines, often with dedicated third-party integrations designed specifically for legal conflict enforcement. These tools operate independently of your Microsoft 365 SSO architecture and are typically the authoritative enforcement point for matter confidentiality. When evaluating your SSO pattern, understand where your firm’s ethical wall enforcement actually lives and ensure your collaboration architecture is compatible with it – do not assume that Microsoft-layer controls replace or replicate what your DMS is doing.

The sync layer is a governance boundary – If your firm uses a sync tool to selectively surface DMS documents into SharePoint collaboration spaces, that sync layer is itself a governance control. Documents reach SharePoint only because they were explicitly published there. The access controls and ethical wall policies enforced at the DMS layer determine what ever reaches the SharePoint surface in the first place. Your SSO architecture governs who can access the SharePoint space; the DMS and sync layer govern what is in it.

Conditional Access policies – Beyond authentication, Conditional Access governs what conditions must be met for a session to proceed – device compliance, network location, MFA strength, session risk level. These policies apply to guest users as well as internal users and need to be explicitly scoped and tested for each external access pattern.

Data Loss Prevention (DLP) – DLP policies enforce rules about what data can be shared, downloaded, or transmitted – and by whom. For external client access scenarios, DLP is a complementary control that operates independently of your SSO pattern. A user who can authenticate is not necessarily a user who should be able to download or forward matter documents.

Access reviews and audit logging – Periodic access reviews ensure that entitlements remain appropriate as matters evolve and client relationships change. Audit logging provides the evidentiary record that access was governed correctly – important both for internal governance and for demonstrating compliance to clients or regulators.

Matter-level SharePoint permission governance – Regardless of SSO pattern, the permissions controlling which client users can access which SharePoint collaboration spaces must be provisioned consistently and reviewed regularly. This is where cross-client data exposure most commonly occurs at the Microsoft 365 layer; not at authentication, but at the resource permission layer.

The SSO architecture you choose shapes what Microsoft-layer governance tools are available to you and how easy they are to operate. But recognize that it is one layer in a governance stack that extends well beyond Microsoft 365. Plan it in the context of your full environment – DMS, sync layer, and identity – not in isolation.

Architecture Tradeoffs and Gotchas

Policy-based isolation requires sustained governance discipline – Pattern 1’s client isolation model is only as strong as the policies enforcing it. Access Packages, Conditional Access, and SharePoint permissions must all be consistently configured and regularly reviewed. In a law firm, this is not a set-it-and-forget-it operation – it is an ongoing governance commitment that needs clear ownership.

The 150-group cap in SAML token responses – Entra ID caps SAML token group claims at 150 groups. If a user is a member of more than 150 groups, Entra ID emits a groups overage claim instead of the full group list, and your application must query the Graph API to resolve group membership. In law firms where users may belong to many practice group, office, and matter-specific security groups, this limit surfaces more readily than in other industries. Design your group strategy with this ceiling in mind.

B2B guest lifecycle is an ongoing operational commitment, not a one-time task – Provisioning B2B guests is straightforward. Governing them over the lifespan of a client engagement – and cleaning them up when a matter closes or a contact departs – is the operational challenge. Without active lifecycle management, closed matters leave stale guest accounts in your production tenant. Access Packages with expiration dates and access reviews are the right tool, but they require a defined process and someone who owns it.

Third-party IdP federation requires coordination with the client’s IT team – Federating a client’s identity system with a third-party IdP involves configuring SAML2 or OIDC on both sides. This is not something you can configure unilaterally – it requires the client’s IT organization to participate, provide metadata, map claims, and test the integration. Budget time for this coordination, especially with clients who have less mature IT organizations or slower change management processes.

A dedicated external tenant doubles your operational surface area. Pattern 2 provides strong isolation, but operating two Azure tenants means two sets of Conditional Access policies, two audit log streams, two admin surfaces, and two environments to patch, monitor, and govern. The architectural benefit is real – so is the operational cost. Evaluate whether your team has the capacity to maintain both environments before committing to this model.

Cross-client data isolation is your responsibility at every layer – Neither SSO pattern automatically prevents one client’s users from accessing another client’s SharePoint collaboration spaces. That isolation is enforced through SharePoint permissions, security groups, and access entitlements – and those require deliberate, consistent provisioning for every engagement. And as noted above, your DMS ethical wall configuration is the upstream control that governs what documents are ever surfaced into those spaces. Both layers need to be right.

Conclusion

There is no universally correct answer between these two patterns. The right choice depends on your clients’ identity infrastructure, your firm’s risk posture, the sensitivity of the matters involved, and your team’s operational capacity.

What is clear is that the choice carries real professional responsibility implications. In a law firm, SSO architecture is not a purely technical decision – it is a governance decision. The pattern you choose determines how your firm controls access to client collaboration spaces, how well it integrates with your broader document governance infrastructure, and how confidently you can demonstrate to clients that their information is protected.

Pattern 1 – Entra ID B2B – is the right choice when your clients are on Microsoft 365, you need a rich integrated collaboration experience, and you have the governance discipline to manage guest lifecycle and Access Packages rigorously over the life of each engagement.

Pattern 2 – a dedicated external tenant with a third-party IdP – is the right choice when your clients use diverse identity platforms, when architectural data isolation is a firm requirement, and when you want external identities kept entirely out of your production tenant by design rather than by policy.

Large law firms may find themselves running both patterns simultaneously – B2B for enterprise clients already on Microsoft 365, and a dedicated external tenant for everyone else. If you go that route, invest in clear internal documentation that maps each client to their pattern, and ensure your governance controls cover both environments consistently.

Most importantly, evaluate your SSO architecture in the context of your full governance stack – not just the Microsoft 365 layer. Your DMS, your ethical wall infrastructure, your sync layer, and your identity architecture all need to work together. The firms that get external client collaboration right are the ones that treat it as a cross-system governance problem, not a single-platform configuration task.