azure ad federation services

Topic: Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?

What I'm trying to achieve

I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (a regular organizational tenant) for a hybrid CIAM/B2B setup where:
- Business users authenticate via their corporate accounts (OIDC or SAML)
- Individual customers use username/password or social providers (OIDC)

Tenant details / terminology:
- CIAM tenant: External ID tenant for customer-facing applications
- IdP tenant: example partner's organizational Entra ID tenant with business accounts
- Custom domain: mycustomdomain.com (example domain for the IdP tenant)

Configuration steps taken

Step 1: IdP tenant (Entra ID) - created SAML app
- Set up an Enterprise App with SAML SSO
- Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/
- Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf
- NameID: Persistent format
- Claim mapping: emailaddress → user.mail

Step 2: CIAM tenant (External ID) - added SAML IdP (initially imported from the SAML metadata URL of the above setup)
- Federating domain: mycustomdomain.com
- Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/
- Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2
- DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2

Step 3: Attached to user flow
- Added the SAML IdP to the user flow under "Other identity providers"
- Saved the configuration and waited for propagation

The problem

It doesn't work. When testing via "Run user flow":
- No SAML button appears (it should display "Sign in with mycustomdomain")
- Entering an email address (removed for privacy reasons) doesn't trigger federation
- The SAML provider appears configured but never shows up in the actual flow
- Also tried using the tenant GUID in the passive endpoint instead of the domain - same result

My question

Is SAML federation from External ID to regular Entra ID tenants actually possible?
I know OIDC federation to Microsoft tenants is (currently, August 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant, regardless of the protocol used?
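Added example, not from the original post and not Microsoft's code: a PowerShell check that compares the values entered in Step 2 (Issuer URI, passive endpoint, DNS TXT record) against the IdP's SAML federation metadata, so that the three places these values live are known to agree before troubleshooting further. The metadata document in the script is a constructed, trimmed sample in the shape of Entra ID federation metadata (entityID plus SingleSignOnService locations); the tenant GUID is a placeholder, and the configured values are the ones from the post.

```powershell
# Added example (not from the original post): cross-check the External ID SAML IdP
# settings against the IdP's federation metadata and the DNS TXT record.
$idpTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real tenant

# Constructed sample metadata in the shape Entra ID publishes for a tenant.
$metadataXml = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/$idpTenantId/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/$idpTenantId/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/$idpTenantId/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

function Test-SamlIdpConfiguration {
    # Returns a list of discrepancies (empty when everything agrees).
    param(
        [Parameter(Mandatory)][string]$MetadataXml,
        [Parameter(Mandatory)][string]$ConfiguredIssuerUri,
        [Parameter(Mandatory)][string]$ConfiguredPassiveEndpoint,
        [Parameter(Mandatory)][string]$DnsTxtRecord
    )

    $doc = [xml]$MetadataXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

    # entityID is what the IdP will put in <Issuer>; it must equal the configured Issuer URI.
    $metadataEntityId = $doc.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')

    # Every SSO endpoint the IdP advertises; the passive endpoint should be one of them.
    $ssoLocations = @($doc.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
        ForEach-Object { $_.GetAttribute('Location') })

    $findings = @()
    if ($metadataEntityId -ne $ConfiguredIssuerUri) {
        $findings += "Issuer URI '$ConfiguredIssuerUri' does not match metadata entityID '$metadataEntityId'"
    }
    if ($ssoLocations -notcontains $ConfiguredPassiveEndpoint) {
        $findings += "Passive endpoint '$ConfiguredPassiveEndpoint' is not an advertised SingleSignOnService Location ($($ssoLocations -join ', '))"
    }
    # The TXT record must be exactly DirectFedAuthUrl=<https URL> and point at the same endpoint.
    if ($DnsTxtRecord -notmatch '^DirectFedAuthUrl=(?<url>https://\S+)$') {
        $findings += "DNS TXT record '$DnsTxtRecord' is not of the form DirectFedAuthUrl=<https URL>"
    } elseif ($Matches['url'] -ne $ConfiguredPassiveEndpoint) {
        $findings += "DirectFedAuthUrl '$($Matches['url'])' differs from the configured passive endpoint"
    }
    return $findings
}

# Values from the post's Step 2.
$findings = Test-SamlIdpConfiguration `
    -MetadataXml               $metadataXml `
    -ConfiguredIssuerUri       "https://sts.windows.net/$idpTenantId/" `
    -ConfiguredPassiveEndpoint 'https://login.microsoftonline.com/mycustomdomain.com/saml2' `
    -DnsTxtRecord              'DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2'

if ($findings.Count -eq 0) { 'Configuration is internally consistent with the metadata.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

With the sample metadata, the issuer and the TXT record pass, and the one reported discrepancy is that the domain-based passive endpoint is not among the SingleSignOnService locations the metadata advertises (the metadata uses the tenant GUID form). Substituting the real metadata fetched from the IdP tenant's federation metadata URL turns this into a check of the actual deployment; a reported mismatch is a place to look, not a diagnosis.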
Topic: Change user sign-in method from Password Hash Synchronization to ADFS authentication

Hi All,

We have a requirement: users in the environment are currently using Password Hash Synchronization as the primary authentication method, which has to be changed to ADFS authentication. In the current environment we have existing ADFS infrastructure in place. We want to have federation between on-premises Active Directory and Azure AD, then we want the users' primary authentication method to be changed from Password Hash Synchronization to ADFS authentication. In addition, there are multiple custom domains added as verified domains in Azure AD, which are currently set with the domain type "Managed".

Below is the plan we have created to change the authentication mechanism:

1. Convert all the domains from Managed to Federated using the commands

   Convert-MsolDomainToFederated -DomainName abc.com -SupportMultipleDomain

   Following the above command, we will execute the below commands for all other domains.

   Convert-MsolDomainToFederated -DomainName xyz.com
   Convert-MsolDomainToFederated -DomainName test.com

2. Then change the user sign-in method on the Azure AD Connect server from Password Hash Synchronization to Federation with ADFS.

We would like to clarify the following queries:
- Is there a way to go with a staged approach? Say, for example, change any single domain at a time from Managed to Federated, then change user sign-in on the Azure AD Connect server from Password Hash Synchronization to Federation? If your answer is yes, would the other managed domains continue to use Password Hash Synchronization as the primary authentication method?
- What would be the end-user experience and impact when we convert the domain type from Managed to Federated and set the primary authentication method as ADFS? Would users need to sign out of and back in to Office 365 services?
- What is the default time configured by Microsoft to switch all users' authentication completely from PHS to ADFS authentication?
- Any other important considerations which are not captured and that have to be taken care of for this activity?

Appreciate your views and inputs on this query.
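Added example, not from the original post: a PowerShell helper for the staged approach the post asks about, built on the same MSOnline cmdlets the plan already uses (Get-MsolDomain, Get-MsolDomainFederationSettings and Convert-MsolDomainToFederated). It records every verified domain's authentication type before a change and re-reads the converted domain afterwards, so that each domain's state, and the fact that the others still report Managed, is confirmed rather than assumed. It assumes the MSOnline module is installed, Connect-MsolService has been run, and the conversion runs where Convert-MsolDomainToFederated can configure AD FS (on the AD FS server, or after Set-MsolADFSContext). The MSOnline module is deprecated in favour of Microsoft Graph PowerShell, where Get-MgDomain and Get-MgDomainFederationConfiguration expose the same information.

```powershell
# Added example (not from the original post): audit domain authentication state
# around a staged Managed -> Federated conversion, using the MSOnline cmdlets the
# plan already relies on. Assumes Connect-MsolService has been run and that the
# conversion step runs where Convert-MsolDomainToFederated can configure AD FS
# (on the AD FS server, or after Set-MsolADFSContext).

function Get-DomainAuthenticationReport {
    # Returns one object per verified domain (optionally filtered by name) with
    # its Authentication type ('Managed' or 'Federated') and, for federated
    # domains, the issuer and passive logon URI registered in Azure AD.
    param([string[]]$DomainName)

    Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' } |
        Where-Object { -not $DomainName -or $DomainName -contains $_.Name } |
        ForEach-Object {
            $fed = if ($_.Authentication -eq 'Federated') {
                Get-MsolDomainFederationSettings -DomainName $_.Name
            }
            [pscustomobject]@{
                Domain          = $_.Name
                Authentication  = $_.Authentication
                IsDefault       = $_.IsDefault
                IssuerUri       = $fed.IssuerUri        # $null for managed domains
                PassiveLogOnUri = $fed.PassiveLogOnUri
            }
        }
}

function Convert-OneDomainStaged {
    # Converts a single verified domain and returns its before/after state, so
    # the remaining domains can be confirmed to still report 'Managed'.
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [switch]$SupportMultipleDomain   # used on the first domain, as in the plan
    )

    $before = Get-DomainAuthenticationReport -DomainName $DomainName
    if (-not $before) { throw "No verified domain named '$DomainName' found" }
    if ($before.Authentication -eq 'Federated') {
        Write-Warning "$DomainName is already federated; nothing to do"
        return $before
    }

    if ($SupportMultipleDomain) {
        Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain
    } else {
        Convert-MsolDomainToFederated -DomainName $DomainName
    }

    [pscustomobject]@{
        Before = $before
        After  = Get-DomainAuthenticationReport -DomainName $DomainName
    }
}

# Usage for the plan in the post: snapshot everything, convert the first domain
# with -SupportMultipleDomain, then confirm the other domains are still Managed.
Get-DomainAuthenticationReport | Format-Table Domain, Authentication, IsDefault
$result = Convert-OneDomainStaged -DomainName 'abc.com' -SupportMultipleDomain
$result.After | Format-List
Get-DomainAuthenticationReport | Where-Object Authentication -eq 'Managed' |
    Format-Table Domain, Authentication
```

The first Get-DomainAuthenticationReport call doubles as a rollback reference: the captured IssuerUri and PassiveLogOnUri of any already-federated domain, and the list of domains that were Managed, are what you compare against after each step of the staged plan.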