Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?
Microsoft Teams Bot OAuth login shows blank screen and closes without signing in
I’m building a Microsoft Teams bot using Azure AD OAuth (SSO) with Bot Framework. When I click Sign in, the OAuth popup in Teams shows a blank screen for a moment, then closes automatically without signing me in. What I’ve Done Added redirect URI in Azure App Registration: https://token.botframework.com/.auth/web/redirect Enabled Access tokens and ID tokens in App Registration → Authentication. Configured OAuth connection in Bot Channels Registration (ConnectionName matches my bot code). Verified client ID, client secret, and tenant ID are correct. Code bot.js require("dotenv").config(); const { TeamsActivityHandler } = require("botbuilder"); const { Client } = require("@microsoft/microsoft-graph-client"); const { DialogSet, DialogTurnStatus, OAuthPrompt, WaterfallDialog } = require("botbuilder-dialogs"); require("isomorphic-fetch"); const OAUTH_PROMPT = "OAuthPrompt"; const MAIN_DIALOG = "MainDialog"; class BotActivityHandler extends TeamsActivityHandler { constructor(conversationState, userState) { super(); this.conversationState = conversationState; this.userState = userState; this.dialogState = this.conversationState.createProperty("DialogState"); this.dialogs = new DialogSet(this.dialogState); // OAuthPrompt for Teams SSO this.dialogs.add( new OAuthPrompt(OAUTH_PROMPT, { connectionName: process.env.CONNECTION_NAME, text: "Please sign in to continue", title: "Sign In", timeout: 300000, }) ); this.dialogs.add( new WaterfallDialog(MAIN_DIALOG, [ this.promptStep.bind(this), this.handleFileStep.bind(this), ]) ); this.onMessage(async (context, next) => { const text = (context.activity.text || "").trim().toLowerCase(); const dialogCtx = await this.dialogs.createContext(context); if (text.startsWith("/")) { // ...handle commands... } else { const results = await dialogCtx.continueDialog(); if (results.status === DialogTurnStatus.empty) { if (context.activity.attachments?.length > 0) { await dialogCtx.beginDialog(MAIN_DIALOG, { file: context.activity.attachments[0], }); } else { await context.sendActivity("Upload a file or type /help."); } } } await next(); }); } async promptStep(stepContext) { return await stepContext.beginDialog(OAUTH_PROMPT); } async handleFileStep(stepContext) { const tokenResponse = stepContext.result; if (!tokenResponse?.token) { await stepContext.context.sendActivity("Please sign in to access files."); return await stepContext.endDialog(); } const token = tokenResponse.token; // Use token with Microsoft Graph API // ... return await stepContext.endDialog(); } } module.exports.BotActivityHandler = BotActivityHandler; Problem OAuth popup appears, then closes without completing login. No token is returned to the bot. Questions Why does the OAuth popup in Teams close immediately without signing in? Where can I see detailed error logs for OAuth failures? Azure AD sign-in logs? Application Insights (do I need to configure Instrumentation Key in Bot Service)? Environment Bot Framework v4 (Node.js) Azure Bot Service Microsoft Teams channel Azure AD v2 OAuthEntra App Gallery required for Excel AddIn
Hi, We have an Excel Addin published to Microsoft AppSource: https://appsource.microsoft.com/en-us/product/office/WA200009029?tab=Overview The Excel Addin uses Entra ID to obtain an OIDC token to securely / seamlessly access MS 365 SharePoint on behalf of the user. In order to achive this the Entra ID subscription needs the TR4E application registered as an Enterprise Application / App Registration. My question is whether I need to submit the TR4E application separately to the Entra App Gallery, so it can be installed by the Entra ID admin - or will the registration in Entra ID happen automatically when a new user first tries using TR4E? I note that MS has suspended new application submissions for Entra App Gallery, which means our customers would need to manually create the Entra ID Enterprise Application (which is not a great experience). Cheers, AndrewEntra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, Has anyone else noticed in the last couple of days if EAM (External Authentication Method) is configured for MFA end users are getting: AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId' Its been working for us fine for months/years but the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far Regards, Daniel
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp#supported-bindings and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet, and received the following error: "FederatedIdpMfaBehavior cannot be empty" This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, Nick
MFA claim expired - Breaking web apps
Hi All, Testing: - Passwordless (Phone Sign-in baseline) - Sign in Frequency (Shorter than tenant setting) - Desktops are hybrid, receiving their PRT but no not use WH4B - Tenant still has Remember Trusted device for X Days enabled I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state. Research is pointing that it might be the tenant wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF, seems to resolve the MFA claim expiry immediately, i'll check in a few days to see if that is still the case as it'd be outside the trusted device setting interval too. I have a support request at the moment with the advice to enable persistent browser sessions which I'll test but don't think that is the core of the issue. Is their a way around this, have others had similar issues? Thanks!
How to test MSAL Android app with SSO across long periods (token expiry and silent sign-in)
Hi, I'm developing an Android application using MSAL and SSO for authentication and I am pretty new to using these tools. I want to ensure that SSO and token refresh mechanisms continue to work correctly over long periods especially after access and refresh tokens expire. My goal is to simulate and test the following scenarios: Behavior after access token expiration Behavior after refresh token expiration If silent token acquisition via acquireTokenSilent() continues to work as expected over time If user needs to re-authenticate interactively after refresh token expiry and if this re-authentication work How to simulate token expiry effectively for testing (e.g., adjusting system clock, clearing token cache, or using custom Azure AD token lifetimes) What is the best approach to simulate long-term usage and token expiration within an Android environment using MSAL? I have come across this ressource: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes But I don't have access to "Conditional Access" and policies in my Entra Admin center. Does anybody have any recommendations, sample code, or official tools to test these scenarios without using policies? It would be greatly appreciated. Thanks!
