How to fix Passkey authentication?

Manuel T 221 Reputation points
2024-11-14T17:54:19.24+00:00

Recently, our CIAM login started showing additional sign-in options.


When I click on it, I can choose "Face, fingerprint, PIN or security key".

Clicking on it causes the following error:

AADSTS135004: Invalid postBackUrl parameter.

When I use the default {tenant name}.ciamlogin.com URL, it doesn't show.

How can I disable the options or make them work?


Accepted answer
    Raja Pothuraju 9,445 Reputation points Microsoft Vendor
    2024-11-28T21:09:04.7633333+00:00

    Hello @Manuel T,

    Apologies for the delay.

    Based on your description, I understand that you are experiencing inconsistent behavior with the CIAM login screen. When using the default domain name (e.g., .onmicrosoft.com), the login screen displays as expected. However, when accessing via a custom domain (e.g., contoso.com), the login screen includes the "Sign-in options" feature.

    This issue is unrelated to whether a default or custom domain is being used. It stems from changes made on Microsoft's end and is affecting all CIAM tenants. I reached out to the product engineering team about this behavior. They have identified the root cause and confirmed that a fix has been developed. The complete fix is scheduled to be rolled out to all tenants next month. Until then, this behavior will persist when isSignUpAllowed: false is configured for user flows.

    In the meantime, you can apply the following workaround to prevent the "Sign-in options" feature from appearing on the CIAM login page:

    1. Log in to Graph Explorer using your CIAM tenant credentials.
    2. Send a GET request to:
       https://graph.microsoft.com/v1.0/identity/authenticationEventsFlows

    Ensure you have granted consent to the permission EventListener.ReadWrite.All.


    3. Once you run the query, you’ll receive details of all user flows, including their IDs. Copy the flow ID associated with your custom domain login.
    4. Send a PATCH request to the following endpoint, replacing b6a0f740-2916-40a1-8c27-xxxxxxxxxxx with your flow ID:
       https://graph.microsoft.com/v1.0/identity/authenticationEventsFlows/b6a0f740-2916-40a1-8c27-xxxxxxxxxxx

    Use the following payload in the request body:

    {
        "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
        "onInteractiveAuthFlowStart": {
            "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
            "isSignUpAllowed": false
        }
    }


    This will enable isSignUpAllowed: true for the custom domain user flow, preventing the "Sign-in options" feature from appearing on the login page. Please use this workaround temporarily until the rollout is complete.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

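The four Graph Explorer steps in the accepted answer, scripted in Python as an added example (this is not the answerer's code and not a Microsoft sample). It uses only the endpoint, permission and payload named in the answer. Everything else is an assumption: the flow is selected by `displayName` instead of copying the id by hand (the answer identifies the flow by eye from the GET listing), the `GRAPH_TOKEN` environment variable is where a bearer token with `EventListener.ReadWrite.All` is expected, and `SAMPLE_FLOWS`, with its placeholder ids and names, is a constructed listing so the script runs offline against an in-memory stand-in for Graph. The script refuses to PATCH unless exactly one flow matches, and reads the flow back afterwards so the change is verified rather than assumed.

```python
import json
import os
import urllib.request

GRAPH_FLOWS = "https://graph.microsoft.com/v1.0/identity/authenticationEventsFlows"
FLOW_TYPE = "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow"
START_TYPE = "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp"


def graph_send(method, url, headers, body=None):
    """Default transport: one HTTPS request via urllib, returns (status, response text).
    Needs network access and a real bearer token; tests swap in an in-memory fake."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8")


def auth_headers(token):
    """The token must carry EventListener.ReadWrite.All, the permission the answer names."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
            "Accept": "application/json"}


def list_flows(token, send=graph_send):
    """Step 2 of the answer: GET the collection and return the flow objects in 'value'."""
    status, text = send("GET", GRAPH_FLOWS, auth_headers(token))
    if status != 200:
        raise RuntimeError(f"GET {GRAPH_FLOWS} failed: {status} {text}")
    return json.loads(text)["value"]


def select_flow_id(flows, display_name):
    """Step 3: pick the flow (assumed here: by display name). Exactly one match is required
    so the PATCH can never land on the wrong flow."""
    matches = [f for f in flows
               if f.get("@odata.type") == FLOW_TYPE and f.get("displayName") == display_name]
    if len(matches) != 1:
        raise LookupError(f"expected one flow named {display_name!r}, found {len(matches)}")
    return matches[0]["id"]


def sign_up_patch_body(allowed):
    """The answer's payload, parameterised so the setting can be reverted once the fix ships."""
    return {"@odata.type": FLOW_TYPE,
            "onInteractiveAuthFlowStart": {"@odata.type": START_TYPE,
                                           "isSignUpAllowed": allowed}}


def set_sign_up_allowed(flow_id, allowed, token, send=graph_send):
    """Step 4: PATCH the single flow. Returns the HTTP status; any non-2xx raises."""
    status, text = send("PATCH", f"{GRAPH_FLOWS}/{flow_id}", auth_headers(token),
                        sign_up_patch_body(allowed))
    if not 200 <= status < 300:
        raise RuntimeError(f"PATCH {flow_id} failed: {status} {text}")
    return status


def read_sign_up_allowed(flow_id, token, send=graph_send):
    """Read the flow back and return its current isSignUpAllowed value."""
    status, text = send("GET", f"{GRAPH_FLOWS}/{flow_id}", auth_headers(token))
    if status != 200:
        raise RuntimeError(f"GET {flow_id} failed: {status} {text}")
    return json.loads(text)["onInteractiveAuthFlowStart"]["isSignUpAllowed"]


# Constructed sample listing (placeholder ids and names, not from any real tenant) so the
# script runs without credentials; it mirrors the shape of the objects the GET returns.
SAMPLE_FLOWS = [
    {"@odata.type": FLOW_TYPE, "id": "00000000-0000-0000-0000-00000000000a",
     "displayName": "SignUpSignIn-Default",
     "onInteractiveAuthFlowStart": {"@odata.type": START_TYPE, "isSignUpAllowed": True}},
    {"@odata.type": FLOW_TYPE, "id": "00000000-0000-0000-0000-00000000000b",
     "displayName": "SignUpSignIn-CustomDomain",
     "onInteractiveAuthFlowStart": {"@odata.type": START_TYPE, "isSignUpAllowed": True}},
]


def make_fake_send(flows):
    """In-memory stand-in for Graph: serves GET from a copy of `flows`, applies PATCH bodies
    to that copy and answers 204 like a successful Graph PATCH."""
    store = {f["id"]: json.loads(json.dumps(f)) for f in flows}

    def send(method, url, headers, body=None):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, "missing bearer token"
        flow_id = None if url == GRAPH_FLOWS else url[len(GRAPH_FLOWS) + 1:]
        if method == "GET" and flow_id is None:
            return 200, json.dumps({"value": list(store.values())})
        if flow_id not in store:
            return 404, "no such flow"
        if method == "GET":
            return 200, json.dumps(store[flow_id])
        if method == "PATCH":
            store[flow_id]["onInteractiveAuthFlowStart"].update(body["onInteractiveAuthFlowStart"])
            return 204, ""
        return 405, "method not allowed"

    return send


def apply_workaround(display_name, token, send=graph_send):
    """Run the whole procedure; returns the isSignUpAllowed value read back after the PATCH."""
    flow_id = select_flow_id(list_flows(token, send), display_name)
    set_sign_up_allowed(flow_id, False, token, send)
    return read_sign_up_allowed(flow_id, token, send)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumption: caller supplies a token this way
    send = graph_send if token else make_fake_send(SAMPLE_FLOWS)
    print("isSignUpAllowed now:", apply_workaround("SignUpSignIn-CustomDomain", token or "demo", send))
```

Without `GRAPH_TOKEN` set, the script exercises the in-memory fake and prints `isSignUpAllowed now: False`; with a token it performs the real GET and PATCH against the tenant. `set_sign_up_allowed(flow_id, True, ...)` reverts the change once the rollout the answer mentions is complete.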
