Entra external id and microsoft personal emails

Posted on by 18
I have a Power Page where I've set up Entra external auth with a b2b tenant with user flow and a registered app. The external auth is working for most Gmail and other companies' emails, but I can't get it to work with anything affiliated with a Microsoft personal email like outlook.com, live.com etc... I am using the ciam auth. MS personal emails give a redirect error. The redirect is the same in Power Pages and the registered app and, as mentioned, does work for a lot of emails. Not sure where to go from here on this one.
  • Suggested answer
    oliver.rodrigues Profile Picture
    9,455 Most Valuable Professional on at
    That sounds strange
     
    So just to recap here:
    • You set up an Entra External tenant
    • In your App Registration, you have set up the Redirect URL (I normally set up 2 of them):
      • <Portal url>
      • <Portal url>/signin-openid_1
    • You are registering as a new user
      • This works correctly only for non-outlook e-mails?
      • Have you tried in private?
      • Are you sure the user doesn't already exist in Entra or Dataverse (as a contact with that e-mail address)?
  • CN-06091549-0 Profile Picture
    18 on at
    Hey Oliver, thank you so much for your response!! Here are a few more details, but to answer your question:
    Yes, I have tried it in private mode/incognito.
    We're using a b2b Entra portal, so the users do get entered into there and are there, but upon authentication in Power Pages that's where it dies.
    Affirmative, this works for Gmail, Yahoo, and most company accounts we've tested so far (a Costco company account failed but made it into the user flow). The MS personal related emails don't seem to make it into the user flow since there are no sign-in logs there.

    The error that the personal accounts get is, which again I just can't get my head around because if the redirect was invalid I would think this would happen to all users.

    We're unable to complete your request

    invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.


    Here is a rundown of what I have going

    Entra b2b tenant/ App registration:
    redirects: https://<my-domain>/, https://<my-domain>/signin-entraexternalid_1/
    supported accounts: Any Entra ID tenant + Personal Microsoft accounts
    settings: checked access tokens and ID tokens (which this says is for SPAs but doesn't seem to make a difference checked or unchecked)
    Endpoints:  (this seems a little weird and I'm not sure the endpoints the registered app is giving me are correct)
    authority url :  https://<my-domain>.ciamlogin.com/common
    open ID metadata url:  https://<my-domain>.ciamlogin.com/common/v2.0/.well-known/openid-configuration

    NOTE: notice the 'common' in the authority and the open id.   If I use both of those in power pages I get a server error so I have to change the metadata url at the very least to https://<my-domain>.ciamlogin.com/<My tenant ID>/.well-known/openid-configuration

    OK here are the power pages settings I have:
    authority url:  https://<my-domain>.ciamlogin.com/<My tenant ID>/v2.0/   (this seems to work the same if it has the tenant id or just uses the /common)
    redirect url: https://<my-domain>/signin-entraexternalid_1/
    open ID metadata url:  https://<my-domain>.ciamlogin.com/<My tenant ID>/v2.0/.well-known/openid-configuration  <== if I use the /common that is provided from the app registration I get a server error

    if there is anything you can think of suggestions/advice I am beyond grateful, this one has got me good!
  • Suggested answer
    oliver.rodrigues Profile Picture
    9,455 Most Valuable Professional on at
    Oh please don't post here your actual URLs for security and data privacy reasons.
     
    I'm a bit confused when you mentioned the B2B tenant - how exactly was that set up? Entra tenants are divided into Work (internal / traditional Azure AD) and External (traditional B2C).
     
    My settings when using Entra External (B2C) are:
    • Authority: https://<tenant name>.ciamlogin.com/<tenant ID>
    • Redirect uri: https://coldist.powerappsportals.com/signin-openid_1
      open ID
    • MetadataAddress:  https://<tenant name>.ciamlogin.com/<tenant ID>/v2.0/.well-known/openid-configuration 
       
    Can you check to ensure yours matches
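
The settings comparison requested above can be done mechanically. The following is an added example, not code from the thread or from Microsoft: the function names are hypothetical, the hosts and tenant ID are constructed placeholders, and it assumes the registered redirect URI is compared by strict string equality.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def check_redirect(configured, registered):
    """Compare the site's redirect URI with the app registration's list.
    Assumes strict string equality; near-misses are reported by cause."""
    if configured in registered:
        return ["ok"]
    c, findings = urlsplit(configured), []
    for reg in registered:
        r = urlsplit(reg)
        if configured.rstrip("/") == reg.rstrip("/"):
            findings.append(f"trailing slash differs from {reg}")
        elif configured.lower() == reg.lower():
            findings.append(f"letter case differs from {reg}")
        elif c.path == r.path and c.path.strip("/") and c.netloc != r.netloc:
            findings.append(f"host differs from {reg}")
    return findings or ["no registered URI resembles the configured one"]

def check_endpoints(authority, metadata_url):
    """Check that authority and metadata address name the same host and tenant."""
    a, m = urlsplit(authority), urlsplit(metadata_url)
    a_seg = a.path.strip("/").split("/")[0]
    m_seg = m.path.strip("/").split("/")[0]
    findings = []
    if a.scheme != "https" or m.scheme != "https":
        findings.append("non-https endpoint")
    if a.netloc.lower() != m.netloc.lower():
        findings.append("authority and metadata hosts differ")
    if a_seg.lower() != m_seg.lower():
        findings.append(f"tenant segment differs: {a_seg} vs {m_seg}")
    if "common" in (a_seg.lower(), m_seg.lower()):
        findings.append("'common' used instead of the tenant ID")
    if not m.path.endswith(WELL_KNOWN):
        findings.append("metadata URL does not end in " + WELL_KNOWN)
    return findings or ["ok"]

# Constructed sample values, not taken from any real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = "https://contoso.ciamlogin.com"
REGISTERED = ["https://portal.example.com/",
              "https://portal.example.com/signin-entraexternalid_1"]

if __name__ == "__main__":
    print(check_redirect("https://portal.example.com/signin-entraexternalid_1/", REGISTERED))
    print(check_endpoints(f"{BASE}/common", f"{BASE}/{TENANT}/v2.0{WELL_KNOWN}"))
```
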
  • CN-06091549-0 Profile Picture
    18 on at
    apologies, yeah my infra just named it B2B lol,  but yes it's the external tenant and not the workforce tenant.

    Yes my settings are the same as you mention there.  I did notice in entra the users that have Identity: MicrosoftAccount are the ones that don't work. Identity: mail, onmicrosoft.com, and ExternalAzureAD all work as expected.
  • Verified answer
    CN-06091549-0 Profile Picture
    18 on at
    So I figured out the issue. The users need to ‘self-register’ in order for all email types to work. We had requirements where we would send the invite from Entra to the user. If you send the invite, then Entra chooses the identity type and that’s not ideal. If the user registers on their own their identity gets set to their email and not a provider. Invites will work for some types of email accounts but for a broad stroke using the self register aspect of the external tenant is probably the best policy. (ie...how it was designed to be used lol)

    thank you for your help!!



     
  • Lucas001 Profile Picture
    2,538 Super User 2026 Season 1 on at
    Closing this one as it is solved.
