sso
91 Topics

Azure AD B2B Direct Connect - giving access to Enterprise Apps / App Registrations
Greetings, my company is looking to manage identity access for our webapp through Azure AD B2B. Currently we are doing B2B collaboration (inviting guest users), but now we are looking into using B2B Direct Connect by setting up cross-tenant communication with our client/partner. My question: Is it possible to give access to the webapp's Enterprise App in our directory to the client's accounts in their directory through B2B Direct Connect? Specifically, without inviting their users into our directory as guests but using the cross-tenant communication of B2B Direct Connect. Thanks in advance!
(1.6K views, 2 likes, 2 comments)

Microsoft Edge Dev - Azure Active Directory Seamless Single Sign-On
Microsoft Edge Dev build Version 76.0.182.6. We have implemented Azure Active Directory Seamless Single Sign-on (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso) and confirmed that it works both in Google Chrome (build 75.0.3770.90) and Internet Explorer v11 on Windows 10 v1903 build 18362.175. On Chrome and IE, when accessing an Office 365 URL, after entering the username a redirect occurs that shows that the account is trying to sign in without the need for the password to be entered, before being prompted to confirm sign-in using MFA. On Microsoft Edge Dev this does not occur and the normal login procedure is followed of username => password => MFA. Is there a setting in the browser that needs to be enabled in the current build for the SSO to work, or will it be a feature added to a later build? Thanks.
(5.3K views, 1 like, 3 comments)

Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve
I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where:
- Business users authenticate via their corporate accounts (OIDC or SAML)
- Individual customers use username/password or social providers (OIDC)

Tenant details / Terminology:
- CIAM tenant: External ID tenant for customer-facing applications
- IdP tenant: Example Partner's organizational Entra ID tenant with business accounts
- Custom domain: mycustomdomain.com (example domain for the IdP tenant)

Configuration steps taken
Step 1: IdP Tenant (Entra ID) - Created SAML App
- Set up Enterprise App with SAML SSO
- Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/
- Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf
- NameID: Persistent format
- Claim mapping: emailaddress → user.mail

Step 2: CIAM Tenant (External ID) - Added SAML IdP (initially imported from the SAML metadata URL from the above setup)
- Federating domain: mycustomdomain.com
- Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/
- Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2
- DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2

Step 3: Attached to User Flow
- Added SAML IdP to user flow under "Other identity providers"
- Saved configuration and waited for propagation

The problem
It doesn't work. When testing via "Run user flow":
- No SAML button appears (should display "Sign in with mycustomdomain")
- Entering email address removed for privacy reasons doesn't trigger federation
- The SAML provider appears configured but never shows up in the actual flow
- Also tried using the tenant GUID in the passive endpoint instead of the domain - same result

My question
Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, August 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?
(92 views, 1 like, 1 comment)

Entra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, has anyone else noticed in the last couple of days that if EAM (External Authentication Method) is configured for MFA, end users are getting:
AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId'
It's been working fine for us for months/years, but in the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far.
Regards, Daniel
(204 views, 1 like, 3 comments)

Login page of Microsoft blocked in iFrame
I've created an Enterprise App and App Registration in Microsoft Entra ID for the authentication of users into a third-party web application (Qlik Sense) via OIDC. This works as designed. When I access the website of Qlik Sense directly in my browser, I'm redirected to login.microsoftonline.com, where I can pick an existing account or sign in with a new account. Now, I want to create a custom web application where the website of Qlik Sense is embedded on a page with an iFrame. Unfortunately, this doesn't work, because the login page of Microsoft is blocked by the browser when opened inside an iFrame. The browser console indicates that this is because of an HTTP response header 'X-Frame-Options' that is coming from Microsoft Entra ID. Is there a way to prevent this behaviour by changing the configuration in Entra ID?
(2.8K views, 1 like, 1 comment)

New Blog | Coming Soon – Platform SSO for macOS
Earlier this year we took a big step towards improving customers' experience with Apple devices by providing companies with the Microsoft Enterprise SSO plug-in for Apple devices. This plug-in enables Microsoft Entra ID users to have device-wide single sign-on (SSO) for all apps and websites in a consistent, secure, and seamless way. Best of all, it always stays up to date with the latest Microsoft technologies as they evolve. Today we're announcing a powerful enhancement to these capabilities: Platform SSO for macOS. This enhancement is designed to make using your macOS devices more seamless and secure than ever. Read the full update here: Coming Soon – Platform SSO for macOS - Microsoft Community Hub
(2.2K views, 1 like, 1 comment)

Could not find SSO computer account with name AZUREADSSOACC - Solution
Hi all, I wanted to provide the solution regarding the errors:
[INFORMATIONAL] Creating computer account in .... Exception Data (Raw): System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.
[WARNING] DeleteComputerAccount: Could not find SSO computer account with name 'AZUREADSSOACC'.
Enable-AzureADSSOForest : A constraint violation occurred.
Solution: Open PowerShell as Admin and run these commands:
    cd 'c:\program files\Microsoft Azure Active Directory Connect\'
    Import-Module .\AzureADSSO.psd1
    New-AzureADSSOAuthenticationContext
    Get-AzureADSSOStatus | ConvertFrom-Json
    $creds = Get-Credential
    Disable-AzureADSSOForest -OnPremCredentials $creds
    Enable-AzureADSSOForest
    Enable-AzureADSSO -Enable $true
(3.4K views, 1 like, 0 comments)

Android : SSO Application Protection Policy - Edge
When a user launches our Play Store Application and authenticates (SSO, SAML2) on the app, they are presented with the form, enter the username and password, click sign in, and then the user is presented with "You can't get there from here" and a link to "Launch in Edge". When "Launch in Edge" is clicked, the user receives "ERR_UNKNOWN_URL_SCHEME" in the application. Outside of the application, Edge is launched and is directed to login.microsoftonline.com:443, then is redirected to our home page/user control panel of our browser-based application, not the application running on the device. It seems like Intune has defined our application as being browser based. Is this due to the application not interpreting the URL 'https-intunemam://login.microso.....'? Would an exception be needed for our application to use the native browser? Any direction would be helpful.
(2.7K views, 1 like, 2 comments)

Windows Hello for Business PIN and Kerberos
I would like to get some help to troubleshoot WHfB PIN authentication and Kerberos. I have deployed WHfB with the Key trust model in our environment. It is working as supposed, and I have configured two Windows 10 machines with WHfB PIN:
- machine 1: Windows 10 Enterprise (2004) laptop, Hybrid joined.
- machine 2: a virtual machine running on machine 1, Windows 10 Enterprise (20H2) with bridged network, AAD joined.
I can log in to both machines with the PIN, in the office and at home.
Problem: when I am in the office and connected to the on-premises network by wire:
- machine 1: I can log in with my AD credential or the PIN; after login, I can see shared disks. klist shows Kerberos tickets.
- machine 2: If I log in with AD credential (UPN and password), klist shows one ticket after login, and I can access shares. If I log in with the PIN, klist shows 0 tickets, and I can't access shares (when I tried, it popped up a login window and asked to log in with the PIN, then it failed again and claimed I don't have permission).
nltest /sc_query:mycompany.local
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
I think the PIN should also grant me access to Kerberos for AAD joined machines; not sure where to start looking.
Our DC environment: 2 old Windows 2012R2 DCs, 2 new Windows 2019 DCs.
klist
Current LogonId is 0:0x1ceb8a
Cached Tickets: (0)
nltest /sc_query:mycompany.local
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
Solved (9.2K views, 1 like, 3 comments)