Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?
How to Skip Country Code Selection Screen in Azure AD B2C for US Users?
Hi all, We’re using Azure AD B2C for user sign-in and sign-up, and we’ve customized the process with custom HTML templates. Currently, the sign-in flow involves three steps: Users enter their phone number. Users select their country and phone number. Users enter the OTP sent via SMS. Since our users are all based in the USA (with country code +1), we’ve set the country code to +1 by default using custom HTML templates. However, we’d like to skip the screen where users manually select the country code to further streamline the process. Is there a way to fully bypass this step and automatically use the default country code (+1) without requiring users to interact with that screen? Thanks for your help!
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.Seamless Identity Integration: Azure API Management with Azure AD B2C (AADB2C)
Azure API Management (APIM) is a robust platform for managing and securing your APIs. In this blog post, we will guide you through integrating Azure API Management with Azure Active Directory B2C (AADB2C) for identity management. This integration enhances the security of your APIs by requiring user authentication before access is granted. We will break down the process into three key steps: setting up the Developer Portal to use AADB2C, configuring APIM to use OAuth 2.0 for authorization, and implementing token validation to ensure secure access.
angular-b2c-sample-app and iframes
I have a project that I based on this sample project: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-angular-v3-samples/angular-b2c-sample-app Currently I have the custom policies as intended. Button, redirects to a azure page, finishes w/e the custom policy is, redirects back to the web app. But now I need to using said custom policy as an iframe, basically the client requests that there is less one layer of buttons to pressed. Therefore I want the custom policy to be displayed as an iframe, making the web app feel more single page. I have looked around, but can't really find anything detailed enough. Any help is welcomed :)How to Automatically Pre-fill Phone Number in Azure AD B2C User Flow?
Hi all, We’re using Azure AD B2C for user sign-in and sign-up and have customized the process with custom HTML templates. The current sign-in flow involves three steps: Users enter their phone number. Users select their country and phone number. Users enter the OTP sent via SMS. We’d like to automatically pre-fill the phone number in the user flow, perhaps by passing it as a query parameter or using another method. Is this possible? If so, how can we achieve it? Thanks in advance!Connect to power pages using Azure AD B2C token
Hi, I am working on a scenario where user logins to the mobile app using username and password. The username and password are used to get ID and access token from azure AD B2C like: URL: https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token grant_type=password&client_id=<CLIENT_ID>&client_secret=<SECRET>&scope=openid&username=<USERNAME>&password=<PASSWORD> now after getting the id_token and access token, I tried passing it in header as bearer token and as well as in query params as well. After these steps, it still lands me to the sign-up page instead of the singed in page and not the page to where I should be directed as an authenticated user.Issue: Invitations from SharePoint and Teams Redirect to Incorrect Page
I hope you're doing well! I’m reaching out to seek some guidance regarding an issue we’ve encountered with guest invitations in SharePoint and Teams. When we send invitations to guests from SharePoint and Teams, they are redirected to the Entra ID "My Applications" page instead of directly to SharePoint or Teams. We do not want guests to be redirected to the "My Applications" page in the directory but rather directly to the respective service/application. Is this a configuration setting, and if so, where can this be adjusted? I have been unable to locate such a setting in Entra ID. Another notable issue is that invitations take 1 to 2 hours to reach the invited guest. Thank you in advance for your assistance.keep ui_locales param in custom policy sign in flow
Hi, I'm having some trouble with the language customization of our AD B2C based authentication pages. In my country (Greece) even though the local language is greek, it's very common to use english as the default language for web tools and specifically browsers. In our business we do want to show english translations but only when user needs it. There is a language switch added in a custom html template that changes the ui_locals param and refreshes the page. We have added LocalizedStrings to our custom policies and initially force the ui_locals=el param in order to override the default browser language and set it to greek. This works fine in the first screen where users are asked to add their email address but as long as they proceed to the next step, the ui_locals param is lost and the password screen is shown with strings in english. Is there a way to tell to a custom policy to respect the ui_locals param when moving from one screen to another?
Business User to manage an Application's users in Entra External ID
Hi all, In my company we are using Microsoft Entra External ID as CIAM for one of our applications. Users are external to the company (i.e. 'consumers'). Users are initially created by IT, as the app is not open for the general public. Everything works fine so far and, in addition to the authentication, we are using Entra External ID for authorization as well. For that, we are using regular Entra groups that travel to the app using OIDC claims, so once the user has successfully authenticated, the apps gets the group/s membership as well. Here comes the question: We now want to have a non-IT, Business user to manage authorizations, (i.e group memberships). The options we manage are: 1) Provide the business user access to the Entra External ID console, with a heavily restricted role that will only allow him to manage users of a certain app (in general, a limited collection of apps). 2) Create a (web) application that handles user authorization management. It would basically show the list of users and group membership for each, and allow making modification to them. For option 2) we would like to keep it "CIAM agnostic", meaning we don't want to have it solved via something like MS Graph API , for instance. Instead, we would like (if possible) a solution based on standards such as OIDC. We are open to use any other different standard protocol such as SAML. We don't know if any of the options are actually feasible, or if there is a better approach that should be considered. Ideas about how we can handle this? Thank you all in advance for you help.
