EntraID - Connect with Microsoft multi tenant and "Term of use" feature

Romain-C 30 Reputation points
2023-11-13T11:47:02.32+00:00

Hi everyone,

I'm a bit embarrassed, I did not find any help for my issue, I hope you could help me!

My organization asked me to implement an external Microsoft EntraID (AAD) login for our web application (using OIDC) for us and our customers.

I have set up my application registration to use multitenancy, implemented the external EntraID multitenant login, everything worked fine.

Recently, our IT department added the "Term of use" feature on our EntraID tenant. Since then, external login hasn't worked anymore on our tenant.

When I try to log in through our web application:

  1. I reach the login.microsoft.com login webpage (as intended)
  2. Once logged in, instead of reaching our callback webpage I reach this URI (also intended, due to the IT department's new policy): https://tokenprovider.termsofuse.identitygovernance.azure.com/{tenantId}/{guid}/{anotherguid}/connect/authorize
  3. There is no step 3: it stays stuck on the previous URI with an error message instead of the "Term of use" webpage. Here is the error detail:
error:invalid_client
error_description:Invalid redirect_uri https://login.microsoft.com/common/federation/OAuth2ClaimsProvider

I found the values given for both parameters:

client_id: 00000000-0000-0000-0000-000000000001
redirect_uri: https://login.microsoft.com/common/federation/OAuth2ClaimsProvider

Obviously, these values are not the expected ones.

I tried to find a setting or a feature to enable on the application registration portal, but nothing pertinent.

When running the login process, the request parameters are lost or altered along the way.

Do you have any suggestion? Any idea? Thanks.


Accepted answer
  1. Akshay-MSFT 17,961 Reputation points Microsoft Employee
    2023-11-17T04:51:02.1366667+00:00

    @Romain-C

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: End users are not redirected to Terms of Use but getting error:

    error:invalid_client
    error_description:Invalid redirect_uri https://login.microsoft.com/common/federation/OAuth2ClaimsProvider

    Solution: The authority endpoint for TOU used was "login.microsoft.com/common" endpoint, once login.microsoftonline.com/common was used, users were redirected to TOU.

    If you have any other questions or are still running into more issues, please let me know.
    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik

    1 person found this answer helpful.

1 additional answer

  1. Romain-C 30 Reputation points
    2023-11-14T16:35:08.59+00:00

    Finally I found the root cause: I used the wrong authority, login.microsoft.com/common instead of login.microsoftonline.com/common. Now everything works fine.

    2 people found this answer helpful.
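The root cause both answers identify (an authority host of login.microsoft.com where login.microsoftonline.com is required) is the kind of misconfiguration a client can catch before any sign-in is attempted. What follows is an added example, not code from the thread, from Microsoft, or from the poster's application: a pre-flight check that rejects an authority whose host is not a known Entra ID authority host, builds the v2.0 authorize URL from a validated authority, and compares the client_id and redirect_uri carried by an authorize URL against the values the app registered (the diagnostic the question performed by hand). The client id, redirect URI, and every hostname other than login.microsoftonline.com are constructed placeholders, and the allowed-host set is an assumption a deployment would adapt.

```python
"""Added example (not from the Q&A thread or Microsoft): pre-flight checks
for an OIDC client's Entra ID authority configuration.

Assumptions, all constructed for this example: the client id and redirect
URI are placeholders; ALLOWED_AUTHORITY_HOSTS contains only the host the
thread confirms works, and a real deployment may need to extend it.
"""
from urllib.parse import urlsplit, urlencode, parse_qs

# Host the accepted answer identifies as the working authority (assumed to be
# the only allowed host here; adapt per deployment).
ALLOWED_AUTHORITY_HOSTS = {"login.microsoftonline.com"}

# The mistaken host from the question, mapped to the host the accepted answer
# gives, so the error message can name the likely fix.
KNOWN_MISTAKEN_HOSTS = {"login.microsoft.com": "login.microsoftonline.com"}


class AuthorityError(ValueError):
    """Raised when the configured authority is not an allowed Entra ID authority."""


def validate_authority(authority: str) -> str:
    """Return the authority (trailing slash removed) if its host is allowed.

    Raises AuthorityError for a non-https scheme or an unexpected host.
    """
    parts = urlsplit(authority)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise AuthorityError(f"authority must use https: {authority!r}")
    if host in ALLOWED_AUTHORITY_HOSTS:
        return authority.rstrip("/")
    hint = KNOWN_MISTAKEN_HOSTS.get(host)
    if hint is not None:
        raise AuthorityError(
            f"authority host {host!r} is not an Entra ID OIDC authority; "
            f"use {hint!r} instead"
        )
    raise AuthorityError(
        f"authority host {host!r} is not in {sorted(ALLOWED_AUTHORITY_HOSTS)}"
    )


def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, nonce: str) -> str:
    """Build the v2.0 authorization-code request URL for a validated authority."""
    base = validate_authority(authority)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    })
    return f"{base}/oauth2/v2.0/authorize?{query}"


def check_authorize_params(url: str, expected_client_id: str,
                           expected_redirect_uri: str) -> list[str]:
    """Compare the client_id and redirect_uri carried by an authorize URL with
    the values the application registered.

    Returns a list of findings; an empty list means both match. This is the
    check the question did by hand when the observed request carried a
    client_id and redirect_uri the app never sent.
    """
    params = parse_qs(urlsplit(url).query)
    findings = []
    for name, expected in (("client_id", expected_client_id),
                           ("redirect_uri", expected_redirect_uri)):
        actual = params.get(name, [None])[0]
        if actual != expected:
            findings.append(f"{name}: expected {expected!r}, got {actual!r}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values, not from any real registration.
    client_id = "11111111-2222-3333-4444-555555555555"
    redirect_uri = "https://app.example.invalid/signin-oidc"
    for authority in ("https://login.microsoftonline.com/common",
                      "https://login.microsoft.com/common"):
        try:
            url = build_authorize_url(authority, client_id, redirect_uri,
                                      ["openid", "profile"], "st", "nc")
            print("OK  ", url)
            print("     findings:", check_authorize_params(url, client_id, redirect_uri))
        except AuthorityError as exc:
            print("FAIL", exc)
```

Running the module prints one accepted authorize URL for the login.microsoftonline.com authority and one rejection for the login.microsoft.com authority that names the host to use instead. Keeping the allowed-host set explicit means a typo or an outdated host fails at startup in the application's own logs rather than as an opaque invalid_client error on a Microsoft-hosted page after the user has already signed in.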
