Entra App Gallery required for Excel AddIn
Hi, We have an Excel Addin published to Microsoft AppSource: https://appsource.microsoft.com/en-us/product/office/WA200009029?tab=Overview The Excel Addin uses Entra ID to obtain an OIDC token to securely / seamlessly access MS 365 SharePoint on behalf of the user. In order to achive this the Entra ID subscription needs the TR4E application registered as an Enterprise Application / App Registration. My question is whether I need to submit the TR4E application separately to the Entra App Gallery, so it can be installed by the Entra ID admin - or will the registration in Entra ID happen automatically when a new user first tries using TR4E? I note that MS has suspended new application submissions for Entra App Gallery, which means our customers would need to manually create the Entra ID Enterprise Application (which is not a great experience). Cheers, Andrew
Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?Entra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, Has anyone else noticed in the last couple of days if EAM (External Authentication Method) is configured for MFA end users are getting: AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId' Its been working for us fine for months/years but the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far Regards, Daniel
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp#supported-bindings and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet, and received the following error: "FederatedIdpMfaBehavior cannot be empty" This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, Nick
MFA claim expired - Breaking web apps
Hi All, Testing: - Passwordless (Phone Sign-in baseline) - Sign in Frequency (Shorter than tenant setting) - Desktops are hybrid, receiving their PRT but no not use WH4B - Tenant still has Remember Trusted device for X Days enabled I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state. Research is pointing that it might be the tenant wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF, seems to resolve the MFA claim expiry immediately, i'll check in a few days to see if that is still the case as it'd be outside the trusted device setting interval too. I have a support request at the moment with the advice to enable persistent browser sessions which I'll test but don't think that is the core of the issue. Is their a way around this, have others had similar issues? Thanks!
How to test MSAL Android app with SSO across long periods (token expiry and silent sign-in)
Hi, I'm developing an Android application using MSAL and SSO for authentication and I am pretty new to using these tools. I want to ensure that SSO and token refresh mechanisms continue to work correctly over long periods especially after access and refresh tokens expire. My goal is to simulate and test the following scenarios: Behavior after access token expiration Behavior after refresh token expiration If silent token acquisition via acquireTokenSilent() continues to work as expected over time If user needs to re-authenticate interactively after refresh token expiry and if this re-authentication work How to simulate token expiry effectively for testing (e.g., adjusting system clock, clearing token cache, or using custom Azure AD token lifetimes) What is the best approach to simulate long-term usage and token expiration within an Android environment using MSAL? I have come across this ressource: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes But I don't have access to "Conditional Access" and policies in my Entra Admin center. Does anybody have any recommendations, sample code, or official tools to test these scenarios without using policies? It would be greatly appreciated. Thanks!Access On Premise Apps Using Entra Identity
I plan to switch to using Microsoft 365 using a new domain from my on-premise email. There are several on-premise applications that are accessed using on-premise identity with the old domain. For one reason or another, I have not been able to change these applications to use the new domain. I am confused, will I still be able to access my on-premise applications using Identity Entra with the new domain.Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.Q: Restricting access to Business Web Application/Non-Enterprise Application
Hi all, We are in the middle of moving our on-prem infrastructure to Intune and more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. The one business application we are needing to find a solution for is a web-based application that we do not control outside of user administration and limited-customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on their roadmap. Users can access this application from any web browser using their username and password credentials and an application specific 2FA process using SMS code. There is no connection between our MS tenant and this web application. Due to the sensitive nature of the information stored within this application and the availability of this application from any device with a web browser has raised my antenna with security concerns. Especially in the case of a user downloading information from this site on their BYOD mobile device as they would may need to do in the course of their duties, but if they left the organization, we have no way of wiping that data through the removal of the work profile like we do with all other work data through Intune device compliance measures. We can limit what devices are allowed to connect to work resources (Complaint) and access work applications (all but one, and they need to be compliant to do so), but is there a way to not allow the personal profile of any BYOD device that is compliant, from accessing or logging into this specific URL in any browser from the personal profile web browser?Entra SSO with Google as IdP
I tried to configure SSO between Entra and Google IdP. Here is the documentation of the steps I followed: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6363817%3Fhl%3Den&assistant_id=generic-unu&product_context=6363817&product_name=UnuFlow&trigger_context=a In step 3, namely Set up Office 365 as a SAML Service Provider (SP), where I was asked to execute the script on the M365 side, it failed. Here is the script I used (of course the value of each variable has been adjusted): $dom = "ourDomain.com" $BrandName = "Whatever you want it to be" $LogOnUrl = GoogleSSOURL $LogOffUrl = "https://accounts.google.com/logout" $ecpUrl = GoogleSSOURL $MyURI = GoogleEntityID $MySigningCert = CertFromGoogle $Protocol = "SAMLP" Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $LogOnUrl -ActiveLogOnUri $ecpUrl -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol The Result : I don't know why this is happening, please advise thank you.
