Domain should match the passive sign in uri

mohamed assem 0 Reputation points
2024-05-04T17:41:24.8066667+00:00

I am trying to configure an external identity provider in Entra. When I try to do it I get the error "domain should match the passive sign in uri". I tried editing the DNS of the domain exactly as it's shown in the error:

TXT Record:

Domain_name "DirectFedAuthUrl=passiveauthenticationURL"

Also tried with DirectFedPassiveSignInUri instead of DirectFedAuthUrl. Still getting the same error, any ideas?


2 answers

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2024-05-07T20:03:24.1+00:00

    Hi @mohamed assem , this error occurs when the domain name in the TXT record does not match the domain name in the passive sign-in URI. To resolve this issue, you need to ensure that the domain name in the TXT record matches the domain name in the passive sign-in URI.

    Here are the steps to follow:

    1. Check the passive sign-in URI of your external identity provider to see if the domain matches the target domain or a host within the target domain.
    2. If the passive sign-in URI is a host within the same domain, then no DNS changes are needed.
    3. If the passive sign-in URI is not within the same domain, then you need to add a TXT record to your domain's DNS records.
    4. The TXT record should have the following format:

       Domain_name IN TXT DirectFedAuthUrl=passiveauthenticationURL

       Replace Domain_name with your domain name and passiveauthenticationURL with the passive sign-in URI of your external identity provider.
    5. Wait for the DNS changes to propagate. This can take up to 24 hours.
    6. After the DNS changes have propagated, try configuring your external identity provider again.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

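The check the steps above describe can be scripted before the Entra wizard is retried. The following is an added example, not code from the question, the answer or Microsoft: it decides whether a domain/passive sign-in URI pair should pass, using the same two rules as the answer (URI host inside the domain means no TXT record is needed; otherwise a DirectFedAuthUrl TXT record must carry the exact URI). The TXT records are constructed sample data embedded in a dictionary so the script runs offline; in practice you would feed in the output of a real lookup such as Resolve-DnsName -Type TXT. The URI comparison (case-insensitive, trailing slash ignored) is an assumption about how Entra normalises the value, not documented behaviour.

```python
import re
from urllib.parse import urlparse

# Constructed sample TXT record sets, keyed by domain. Not real DNS data.
# contoso: IdP hosted inside the domain, no TXT record required.
# fabrikam: IdP hosted elsewhere, correct DirectFedAuthUrl record present.
# tailspin: IdP hosted elsewhere, but the record uses the wrong key
#           (the variant the question tried), so validation should fail.
SAMPLE_TXT_RECORDS = {
    "contoso.example": [
        "v=spf1 -all",
        "DirectFedAuthUrl=https://login.contoso.example/adfs/ls/",
    ],
    "fabrikam.example": [
        "DirectFedAuthUrl=https://idp.partner.example/saml2/sso",
    ],
    "tailspin.example": [
        "DirectFedPassiveSignInUri=https://idp.partner.example/saml2/sso",
    ],
}


def host_in_domain(host, domain):
    """True when host equals the domain or is a subdomain of it.

    The label boundary ('.' + domain) matters: a plain endswith() check would
    wrongly accept 'evilcontoso.example' as being inside 'contoso.example'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_direct_fed_auth_url(txt_values):
    """Return the URI from a DirectFedAuthUrl TXT value, or None.

    Only the DirectFedAuthUrl key from the answer's record format is
    recognised; any other key (including DirectFedPassiveSignInUri) is ignored.
    Surrounding quotes, as shown in many DNS consoles, are tolerated.
    """
    for value in txt_values:
        m = re.fullmatch(r'\s*"?DirectFedAuthUrl=(\S+?)"?\s*', value)
        if m:
            return m.group(1)
    return None


def _normalise(uri):
    # Assumption: compare case-insensitively and ignore a trailing slash.
    return uri.strip().rstrip("/").lower()


def check_direct_federation(domain, passive_uri, txt_values):
    """Apply the answer's rules and return (ok, reason)."""
    host = urlparse(passive_uri).hostname
    if host is None:
        return False, "passive sign-in URI has no host"
    if host_in_domain(host, domain):
        return True, "URI host is within the domain; no TXT record needed"
    found = find_direct_fed_auth_url(txt_values)
    if found is None:
        return False, "no DirectFedAuthUrl TXT record on the domain"
    if _normalise(found) != _normalise(passive_uri):
        return False, f"TXT record points to {found}, not the configured URI"
    return True, "DirectFedAuthUrl TXT record matches the passive sign-in URI"


if __name__ == "__main__":
    cases = [
        ("contoso.example", "https://login.contoso.example/adfs/ls/"),
        ("fabrikam.example", "https://idp.partner.example/saml2/sso"),
        ("tailspin.example", "https://idp.partner.example/saml2/sso"),
    ]
    for domain, uri in cases:
        ok, reason = check_direct_federation(domain, uri, SAMPLE_TXT_RECORDS[domain])
        print(f"{domain}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Running it shows contoso and fabrikam passing and tailspin failing with "no DirectFedAuthUrl TXT record", which is the outcome the question describes for the DirectFedPassiveSignInUri variant. Note that the script only tells you what the published record looks like from where you run it; after a DNS edit the resolver Entra uses may still be serving the old answer until the propagation window in step 5 has passed.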

  2. J.J. Franzen 20 Reputation points
    2025-06-18T16:42:37.4233333+00:00

    I am also hitting this but I do have the TXT entry in my domain and I have verified it matches the passive URI. Can anyone point me to a reason why this is happening?

