Troubleshoot password-based single sign-on

To use password-based single sign-on (SSO) in My Apps, the browser extension must be installed. The extension downloads automatically when you select an app configured for password-based SSO. To learn about using My Apps from an end-user perspective, see My Apps portal help.

My Apps browser extension not installed

Make sure the browser extension is installed. To learn more, see Plan a Microsoft Entra My Apps deployment.

Single sign-on not configured

Make sure password-based single sign-on is configured. To learn more, see Configure password-based single sign-on.

Users not assigned

Make sure the user is assigned to the app. To learn more, see Assign a user or group to an app.

Credentials are filled in, but the extension doesn't submit them

This problem typically happens if the application vendor has changed their sign-in page recently to add a field, changed an identifier used for detecting the username and password fields, or modified how the sign-in experience works for their application. Fortunately, in many instances, Microsoft can work with application vendors to rapidly resolve these issues.

While Microsoft has technologies to automatically detect when integrations break, it might not be possible to find the issues right away, or the issues take some time to fix. In the case when one of these integrations doesn't work correctly, open a support case so it can be fixed as quickly as possible.

If you are in contact with this application’s vendor, send them our way so Microsoft can work with them to natively integrate their application with Microsoft Entra ID. You can send the vendor to the Listing your application in the Microsoft Entra application gallery to get them started.

Credentials are filled in and submitted, but the page indicates the credentials are incorrect

To resolve this issue, first try these things:

Have the user first try to sign in to the application website directly with the credentials stored for them.
- If sign-in works, then have the user select the Update credentials button on the Application Tile in the Apps section of My Apps to update them to the latest known working username and password.
- If you, or another administrator assigned the credentials for this user, find the user or group’s application assignment by navigating to the Users & Groups tab of the application, selecting the assignment and clicking the Update Credentials button.
If the user assigned their own credentials, have the user check to be sure that their password has not expired in the application and if so, update their expired password by signing in to the application directly.
- After the password has been updated in the application, request the user to select the Update credentials button on the Application Tile in the Apps section of My Apps to update them to the latest known working username and password.
- If you, or another administrator assigned the credentials for this user, find the user or group’s application assignment by navigating to the Users & Groups tab of the application, selecting the assignment and clicking the Update Credentials button.
Ensure that the My Apps browser extension is running and enabled in your user’s browser.
Ensure that your users aren't trying to sign in to the application from My Apps while in incognito, inPrivate, or Private mode. The My Apps extension isn't supported in these modes.

In case the previous suggestions don't work, it could be the case that a change has occurred on the application side that has temporarily broken the application’s integration with Microsoft Entra ID. For example, this can occur when the application vendor introduces a script on their page, which behaves differently for manual vs automated input, which causes automated integration, like our own, to break. Fortunately, in many instances, Microsoft can work with application vendors to rapidly resolve these issues.

While Microsoft has technologies to automatically detect when application integrations break, it might not be possible to find the issues right away, or the issues might take some time to fix. When an integration doesn't work correctly, you can open a support case to get it fixed as quickly as possible.

In addition to this, if you are in contact with this application’s vendor, send them our way so we can work with them to natively integrate their application with Microsoft Entra ID. You can send the vendor to the Listing your application in the Microsoft Entra application gallery to get them started.

If the application’s sign-in page has changed drastically, sometimes this causes our integrations to break. An example of this is when an application vendor adds a sign-in field, a captcha, or multifactor authentication to their experiences. Fortunately, in many instances, Microsoft can work with application vendors to rapidly resolve these issues.

Sign-in field capture is supported only for HTML-enabled sign-in pages. It's not supported for non-standard sign-in pages, like those that use Adobe Flash or other non-HTML-enabled technologies. The following section shows how to capture sign-in fields for your custom apps.

To capture sign-in fields, you must have the My Apps browser extension installed. Also, your browser can't be running in inPrivate, incognito, or private mode.

To configure password-based SSO for an app, follow these steps:

Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Entra ID > Enterprise apps > All applications.
Select the app that you want to configure for SSO.
After the app loads, select Single sign-on in the navigation pane on the left side.
Select Password-based Sign-on mode.
Enter the Sign-on URL, which is the page where users enter their user name and password to sign in. Make sure that the sign-in fields are visible on the page for the URL that you provide.
Select Configure <appname> Password Single Sign-on Settings.
Select Capture sign-in fields.
Select Ok.
Select Save.
Follow the instructions to use My Apps.

Troubleshoot problems

I get an “Unable to save single sign-on configuration” error

Rarely, updating the SSO configuration fails. To resolve this problem, try saving the configuration again.

If you keep getting the error, open a support case. Include the information that's described in the View portal notification details and Send notification details to a support engineer to get help sections of this article.

You might observe the following behaviors when detection isn't working:

The capture process appeared to work, but the captured fields aren't correct.
The correct fields don’t get highlighted when the capture process runs.
The capture process takes you to the app’s sign-in page as expected, but nothing happens.
The detection happens, but SSO doesn’t happen when users navigate to the app from My Apps.

If you experience any of these problems, do the following things:

Make sure that you have the latest version of the My Apps browser extension installed and enabled.
Make sure that your browser isn't in incognito, inPrivate, or Private mode during the capture process. The My Apps extension isn't supported in these modes.
Make sure that your users aren't trying to sign in to the app from My Apps while in incognito, inPrivate, or Private mode.
Try the capture process again. Make sure that the red markers are over the correct fields.
If the capture process seems to stop responding or the sign-in page doesn’t respond, try the capture process again. But this time, after completing the process, press the F12 key to open your browser’s developer console. Select the console tab. Type window.location="<the sign-in URL that you specified when configuring the app>", and then press Enter. This forces a page redirect that ends the capture process and stores the fields that were captured.

I can't add another user to my password-based SSO app

A user can't have more than 48 credentials configured across all password SSO apps where the user is directly assigned.

If you want to add more apps with password-based SSO to a user, consider assigning the app to a group the user is a direct member of, and configuring the credential for the group. The credentials configured for the group will be available for all members of the group.

I can't add another group to my password-based SSO app

Each password-based SSO app has a limit of 48 groups, which are assigned and have had credentials configured for them. If you want to add extra groups, you can either:

Add extra instance of the app
Remove groups who are no longer using the app

Request support

If you get an error message when you set up SSO and assign users, open a support ticket. Include as much of the following information as possible:

Correlation error ID
UPN (user email address)
TenantID
Browser type
Time zone and time/time frame when the error occurred
Fiddler traces

View portal notification details

To see the details of any portal notification, follow these steps:

Select the Notifications icon (the bell) in the upper-right corner of the Microsoft Entra admin center.
Select any notification that shows an Error state. (They have a red "!".)

Note

You can't select notifications that are in the Successful or In Progress state.
The Notification Details pane opens. Read the information to learn about the problem.
If you still need help, share the information with a support engineer or the product group. Select the copy icon to the right of the Copy error box to copy the notification details to share.

Send notification details to a support engineer to get help

It's important that you share all the details that are listed in this section with support so that they can help you quickly. To record it, you can take a screenshot or select Copy error.

The following information explains what each notification item means and provides examples.

Essential notification items

Title: the descriptive title of the notification.

Example: Application proxy settings
Description: what occurred as a result of the operation.

Example: Internal URL entered is already being used by another application.
Notification ID: the unique ID of the notification.

Example: clientNotification-2adbfc06-2073-4678-a69f-7eb78d96b068
Client Request ID: the specific request ID that your browser made.

Example: 0000aaaa-11bb-cccc-dd22-eeeeee333333
Time Stamp UTC: the timestamp of when the notification occurred, in UTC.

Example: 2017-03-23T19:50:43.7583681Z
Internal Transaction ID: the internal ID that's used to look up the error in our systems.

Example: 71a2f329-ca29-402f-aa72-bc00a7aca603
UPN: The user who ran the operation.

Example: tperkins@f128.info
Tenant ID: the unique ID of the tenant that the user who ran the operation is a member of.

Example: aaaabbbb-0000-cccc-1111-dddd2222eeee
User object ID: The unique ID of the user who ran the operation.

Example: aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

Detailed notification items

Display Name: (can be empty) a more-detailed display name for the error.

Example: Application proxy settings
Status: the specific status of the notification.

Example: Failed
Object ID: (can be empty) the object ID against which the operation was run.

Example: aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
Details: the detailed description of what occurred as a result of the operation.

Example: Internal url 'https://bing.com/' is invalid since it is already in use.
Copy error: Enables you to select the copy icon to the right of the Copy error textbox to copy the notification details to help with support.

Example:

{"errorCode":"InternalUrl\_Duplicate","localizedErrorDetails":{"errorDetail":"Internal url 'https://google.com/' is invalid since it is already in use"},"operationResults":\[{"objectId":null,"displayName":null,"status":0,"details":"Internal url 'https://bing.com/' is invalid since it is already in use"}\],"timeStampUtc":"2017-03-23T19:50:26.465743Z","clientRequestId":"00aa00aa-bb11-cc22-dd33-44ee44ee44ee","internalTransactionId":"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb","upn":"tperkins@f128.info","tenantId":"aaaabbbb-0000-cccc-1111-dddd2222eeee","userObjectId":"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"}

Next steps

Feedback

Was this page helpful?

Last updated on 2025-09-15