macOS: SSO no longer fully functional on AVD (Win11 25H2)
Hello everyone, Since updating our Test Azure Virtual Desktop Session Hosts from Windows 11 23h2 to 25H2 (26200.7462) , we've been experiencing an SSO issue that exclusively affects macOS clients. Symptoms For macOS users (Windows App), the following issues occur: Example Teams Teams shows the user as "Unknown User" Chat and collaboration features fail to load Error message: "You need to sign in again. This may be a requirement from your IT department or Teams, or the result of a password update. - Sign in" After clicking "Sign in," only a window appears with "Continue with sign-in" (no PW/MFA prompt) After this, all other applications work without further authentication Technical Details macOS Device: AppleM4 Pro macOS Tahoe 26.2 Installed WindowsApp version: 11.3.2 (2848) dsregcmd /status: No errors detected PRT is active and was updated for sign-in Entra Sign-In Logs: Error code: 9002341 EventLog on Session Host (AAD-Operational): Event ID: 1098 Error: 0xCAA2000C The request requires user interaction. Code: interaction_required Description: AADSTS9002341: User is required to permit SSO. Event ID: 1097 Error: 0xCAA90056 Renew token by the primary refresh token failed. Logged at RefreshTokenRequest.cpp, line: 148, method: RefreshTokenRequest::AcquireToken. Observations Affects: Both managed (internal) and unmanaged (external) macOS devices Does NOT affect: Windows clients connecting via Windows App Interesting: If a macOS user starts the session (with the error) and then reconnects on a Windows device, authentication works automatically there Workaround The issue can be resolved for macOS clients by removing the "DE" flag from "Automatic app sign-in" in the following file: C:\Windows\System32\IntegratedServicesRegionPolicySet.json Questions Is this a known issue? Has anyone experienced similar issues with macOS clients after the 25H2 update? Why does this issue only occur with macOS clients? Why does SSO only work after removing the "DE" flag for macOS devices, and why are Windows devices not affected? I would appreciate any insights or confirmation of this issue! Thank you and greetings FT_1
AADSTS50105 error message is unreadable for end users — UX improvement suggestion
1. What’s wrong with the current error message a. It’s written for administrators, not users The message exposes: Internal system names (AADSTS50105) GUIDs (aaaabbbb-cccc-dddd-eeee-ffff01234567) Identity provider jargon (“direct member of a group with access”) None of this helps the person who sees the error decide what to do next. b. The actual problem is buried in a wall of text The real issue is simply: You don’t have permission to access this app. Instead, the message forces users to: Read a long paragraph Decode domain-specific language Guess which part matters Cognitively, this is high effort for low payoff. c. “Contact your administrator” is vague and unhelpful Users ask: Which administrator? IT? Security? App owner? Their manager? What should they say? Without context, users either: Ignore the error Forward screenshots randomly Open the wrong support ticket d. Error codes without guidance increase support load AADSTS50105 may be meaningful internally, but: Users don’t know whether to Google it Support teams receive unclear tickets (“it doesn’t work”) This paradoxically raises support cost instead of lowering it. 2. What a better error message should do A good error message answers four questions in order: What happened? Why did it happen (in plain language)? What can the user do next? Who specifically can help? And it does so in under 30 seconds of reading time. 3. Example of a much better error message You don’t have access to [APPLICATION] Your account (email address removed for privacy reasons) isn’t currently authorized to use [APPLICATION]. This usually means: You haven’t been added to the required security group, or Access hasn’t been requested or approved yet. What to do next If you believe you should have access, contact IT Service Desk or your [APPLICATION] owner and request access. Helpful details to include in your request Application name: [APPLICATION] Your email: email address removed for privacy reasons Error reference: Access not assigned (Error ID: AADSTS50105 — for IT use) 4. Optional but high-impact improvement: Add a “Request Access” button or link One-click takes users to: ServiceNow / Jira / internal form Auto-populates app name and user email Administrators configure support link when configuring the applicationDoes Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?
Microsoft Teams Bot OAuth login shows blank screen and closes without signing in
I’m building a Microsoft Teams bot using Azure AD OAuth (SSO) with Bot Framework. When I click Sign in, the OAuth popup in Teams shows a blank screen for a moment, then closes automatically without signing me in. What I’ve Done Added redirect URI in Azure App Registration: https://token.botframework.com/.auth/web/redirect Enabled Access tokens and ID tokens in App Registration → Authentication. Configured OAuth connection in Bot Channels Registration (ConnectionName matches my bot code). Verified client ID, client secret, and tenant ID are correct. Code bot.js require("dotenv").config(); const { TeamsActivityHandler } = require("botbuilder"); const { Client } = require("@microsoft/microsoft-graph-client"); const { DialogSet, DialogTurnStatus, OAuthPrompt, WaterfallDialog } = require("botbuilder-dialogs"); require("isomorphic-fetch"); const OAUTH_PROMPT = "OAuthPrompt"; const MAIN_DIALOG = "MainDialog"; class BotActivityHandler extends TeamsActivityHandler { constructor(conversationState, userState) { super(); this.conversationState = conversationState; this.userState = userState; this.dialogState = this.conversationState.createProperty("DialogState"); this.dialogs = new DialogSet(this.dialogState); // OAuthPrompt for Teams SSO this.dialogs.add( new OAuthPrompt(OAUTH_PROMPT, { connectionName: process.env.CONNECTION_NAME, text: "Please sign in to continue", title: "Sign In", timeout: 300000, }) ); this.dialogs.add( new WaterfallDialog(MAIN_DIALOG, [ this.promptStep.bind(this), this.handleFileStep.bind(this), ]) ); this.onMessage(async (context, next) => { const text = (context.activity.text || "").trim().toLowerCase(); const dialogCtx = await this.dialogs.createContext(context); if (text.startsWith("/")) { // ...handle commands... } else { const results = await dialogCtx.continueDialog(); if (results.status === DialogTurnStatus.empty) { if (context.activity.attachments?.length > 0) { await dialogCtx.beginDialog(MAIN_DIALOG, { file: context.activity.attachments[0], }); } else { await context.sendActivity("Upload a file or type /help."); } } } await next(); }); } async promptStep(stepContext) { return await stepContext.beginDialog(OAUTH_PROMPT); } async handleFileStep(stepContext) { const tokenResponse = stepContext.result; if (!tokenResponse?.token) { await stepContext.context.sendActivity("Please sign in to access files."); return await stepContext.endDialog(); } const token = tokenResponse.token; // Use token with Microsoft Graph API // ... return await stepContext.endDialog(); } } module.exports.BotActivityHandler = BotActivityHandler; Problem OAuth popup appears, then closes without completing login. No token is returned to the bot. Questions Why does the OAuth popup in Teams close immediately without signing in? Where can I see detailed error logs for OAuth failures? Azure AD sign-in logs? Application Insights (do I need to configure Instrumentation Key in Bot Service)? Environment Bot Framework v4 (Node.js) Azure Bot Service Microsoft Teams channel Azure AD v2 OAuthEntra App Gallery required for Excel AddIn
Hi, We have an Excel Addin published to Microsoft AppSource: https://appsource.microsoft.com/en-us/product/office/WA200009029?tab=Overview The Excel Addin uses Entra ID to obtain an OIDC token to securely / seamlessly access MS 365 SharePoint on behalf of the user. In order to achive this the Entra ID subscription needs the TR4E application registered as an Enterprise Application / App Registration. My question is whether I need to submit the TR4E application separately to the Entra App Gallery, so it can be installed by the Entra ID admin - or will the registration in Entra ID happen automatically when a new user first tries using TR4E? I note that MS has suspended new application submissions for Entra App Gallery, which means our customers would need to manually create the Entra ID Enterprise Application (which is not a great experience). Cheers, AndrewEntra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, Has anyone else noticed in the last couple of days if EAM (External Authentication Method) is configured for MFA end users are getting: AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId' Its been working for us fine for months/years but the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far Regards, Daniel
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp#supported-bindings and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet, and received the following error: "FederatedIdpMfaBehavior cannot be empty" This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, Nick
MFA claim expired - Breaking web apps
Hi All, Testing: - Passwordless (Phone Sign-in baseline) - Sign in Frequency (Shorter than tenant setting) - Desktops are hybrid, receiving their PRT but no not use WH4B - Tenant still has Remember Trusted device for X Days enabled I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state. Research is pointing that it might be the tenant wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF, seems to resolve the MFA claim expiry immediately, i'll check in a few days to see if that is still the case as it'd be outside the trusted device setting interval too. I have a support request at the moment with the advice to enable persistent browser sessions which I'll test but don't think that is the core of the issue. Is their a way around this, have others had similar issues? Thanks!
How to test MSAL Android app with SSO across long periods (token expiry and silent sign-in)
Hi, I'm developing an Android application using MSAL and SSO for authentication and I am pretty new to using these tools. I want to ensure that SSO and token refresh mechanisms continue to work correctly over long periods especially after access and refresh tokens expire. My goal is to simulate and test the following scenarios: Behavior after access token expiration Behavior after refresh token expiration If silent token acquisition via acquireTokenSilent() continues to work as expected over time If user needs to re-authenticate interactively after refresh token expiry and if this re-authentication work How to simulate token expiry effectively for testing (e.g., adjusting system clock, clearing token cache, or using custom Azure AD token lifetimes) What is the best approach to simulate long-term usage and token expiration within an Android environment using MSAL? I have come across this ressource: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes But I don't have access to "Conditional Access" and policies in my Entra Admin center. Does anybody have any recommendations, sample code, or official tools to test these scenarios without using policies? It would be greatly appreciated. Thanks!
