CIAM sign in issue with .mil domain

BRIAN HOANG 20 Reputation points
2024-12-02T16:21:16.58+00:00

We are using Entra External ID for our application. We have added users with a .mil domain (e.g. example@us.af.mil) as external local member users. Per the documentation, local accounts should only need a local user name (identity) / password to sign in. However, what we have found is that when these .mil users try to sign in through CIAM, they get the error "us.af.mil isn't in our system. Make sure you typed it correctly." It looks like Entra was trying to federate the .mil domain, even though the users are set up as local members. Has anyone experienced the same issue? Is this a bug with Entra External ID, or is it by design, as agreed by the DoD?

Microsoft Entra External ID

Accepted answer
  1. Raja Pothuraju 10,935 Reputation points Microsoft Vendor
    2024-12-10T19:06:04.5666667+00:00

    Hello @BRIAN HOANG,

    Thank you for sharing the details here.

    I was initially unable to fully understand the scenario due to the lack of a screenshot, but based on the details you have provided, I now have a clear overview of the issue.

    Yes, this behavior has been reported by several customers regarding changes to the Entra External ID login page. Specifically:

    When the flow is set to isSignUpAllowed: false, the CIAM login page behaves as follows:

    [screenshot omitted]

    When the flow is set to isSignUpAllowed: true, the CIAM login page changes to:

    [screenshot omitted]

    We have informed the product engineering team about this behavior. They have identified the root cause and confirmed that a fix has been developed. The complete fix is scheduled to be rolled out to all tenants next month. Until then, this behavior will persist when isSignUpAllowed: false is configured for user flows.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


1 additional answer

  1. BRIAN HOANG 20 Reputation points
    2024-12-10T05:31:07.9733333+00:00

    Well, just an update: upon further testing, it looks like the root cause of this issue is the "isSignUpAllowed" flag in the UserFlow (https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in). If we turn this flag off, this behavior occurs. If we turn it back on, things are back to normal, except that now users can self-create accounts in our tenant, which we don't want. I've seen a number of online complaints about the change in behavior of this flag since the last Entra External ID release as well. Seems to me like a bug.

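Both answers above point at the same setting: the isSignUpAllowed flag on the tenant's sign-up/sign-in user flow. For an admin who wants to know which flows in a tenant are currently configured with sign-up disabled (and therefore exposed to the behaviour described) and to confirm that the affected accounts really are local, email-based members rather than federated users, here is an added example in Python. It is not code from the thread or from Microsoft; it assumes the Microsoft Graph beta resource /identity/authenticationEventsFlows, whose externalUsersSelfServiceSignUpEventsFlow objects carry onInteractiveAuthFlowStart.isSignUpAllowed, and the user resource's identities collection (signInType, issuer, issuerAssignedId). The JSON below is constructed sample data standing in for Graph responses; the tenant name contoso.onmicrosoft.com and the flow names are placeholders.

```python
import json

# Constructed sample standing in for GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows
# (assumed schema; not captured from a real tenant).
SAMPLE_FLOWS_RESPONSE = json.dumps({
    "value": [
        {
            "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "DoDSignIn",  # placeholder flow name
            "onInteractiveAuthFlowStart": {
                "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
                "isSignUpAllowed": False,
            },
        },
        {
            "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
            "id": "00000000-0000-0000-0000-000000000002",
            "displayName": "PartnerSignUp",  # placeholder flow name
            "onInteractiveAuthFlowStart": {
                "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
                "isSignUpAllowed": True,
            },
        },
    ]
})

# Constructed sample user objects standing in for GET /beta/users?$select=userType,identities
SAMPLE_LOCAL_USER = {
    "userPrincipalName": "example_us.af.mil#EXT#@contoso.onmicrosoft.com",  # placeholder
    "userType": "Member",
    "identities": [
        {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "example@us.af.mil"},
        {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "example_us.af.mil#EXT#@contoso.onmicrosoft.com"},
    ],
}
SAMPLE_FEDERATED_USER = {
    "userPrincipalName": "guest_example.com#EXT#@contoso.onmicrosoft.com",  # placeholder
    "userType": "Guest",
    "identities": [
        {"signInType": "federated", "issuer": "ExternalAzureAD",
         "issuerAssignedId": "guest@example.com"},
    ],
}

SIGNUP_FLOW_TYPE = "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow"


def flows_with_signup_disabled(response_json: str) -> list:
    """Return the display names of sign-up/sign-in flows whose isSignUpAllowed is false.

    Only self-service sign-up flows are inspected; a flow with no
    onInteractiveAuthFlowStart block is reported as 'unknown' rather than guessed.
    """
    data = json.loads(response_json)
    affected = []
    for flow in data.get("value", []):
        if flow.get("@odata.type") != SIGNUP_FLOW_TYPE:
            continue
        start = flow.get("onInteractiveAuthFlowStart") or {}
        if start.get("isSignUpAllowed") is False:
            affected.append(flow.get("displayName", flow.get("id", "unknown")))
    return affected


def is_local_email_member(user: dict, tenant_issuer: str) -> bool:
    """True when the account is a Member whose email identity is issued by this tenant.

    That is the 'local account' shape the question describes: the tenant itself
    is the issuer, so no home-realm discovery / federation should be needed for
    the e-mail domain (here the .mil address) to sign in.
    """
    if user.get("userType") != "Member":
        return False
    for ident in user.get("identities", []):
        if (ident.get("signInType") == "emailAddress"
                and ident.get("issuer", "").lower() == tenant_issuer.lower()):
            return True
    return False


def email_domains_of_local_members(users: list, tenant_issuer: str) -> set:
    """Collect the e-mail domains of local members; domains here that resemble a
    federated-looking suffix (e.g. .mil) are the ones to retest after the fix ships."""
    domains = set()
    for user in users:
        if not is_local_email_member(user, tenant_issuer):
            continue
        for ident in user["identities"]:
            if ident.get("signInType") == "emailAddress":
                domains.add(ident["issuerAssignedId"].rsplit("@", 1)[-1].lower())
    return domains


if __name__ == "__main__":
    tenant = "contoso.onmicrosoft.com"  # placeholder tenant
    print("flows with sign-up disabled:", flows_with_signup_disabled(SAMPLE_FLOWS_RESPONSE))
    print("local member e-mail domains:",
          email_domains_of_local_members([SAMPLE_LOCAL_USER, SAMPLE_FEDERATED_USER], tenant))
```

Run against real output by replacing the constructed samples with the JSON returned by the two Graph calls named in the comments (read-only permissions such as EventListener.Read.All and User.Read.All are sufficient for the audit; no PATCH is issued here). A flow listed by flows_with_signup_disabled combined with local member domains such as us.af.mil is exactly the combination the thread reports as broken until the announced fix is rolled out.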
