Azure CIAM OIDC Login Failing when authenticating Personal MS Accounts

Ian K 25 Reputation points
2025-06-10T07:45:05.82+00:00

Hi,

We've set up a new Enterprise Application (in a new External Tenancy) that uses OIDC to authenticate external users and log them into our application. Via CIAM (using https://<TENNANTGUID>.ciamlogin.com), along with using Azure Entra External as the External User Authentication Store, it works great, no issue, and the user can log in successfully. However, when we then try to use Microsoft Live.com as the External Authentication Provider using personal email addresses, we get the following error produced as part of the OIDC flow, from the page "https://login.live.com/oauth20_authorize.srf":

invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

This Relationship Flow is between the Azure CIAM Service and Live.com, so we see no activity in our logs (either in Azure or in our application). We do not manage this relationship (it is managed by CIAM), so there is no ability for us to see/configure this redirect URL.

This is the redirect login with all personal information substituted:

https://login.live.com/oauth20_authorize.srf?scope=openid+profile+email+offline_access&response_type=code&client_id=XXXXXXX&response_mode=form_post&redirect_uri=https%3a%2f%2f<TENNANTGUID>.ciamlogin.com%2fcommon%2ffederation%2foauth2msa&state=XXXXXXXX&estsfed=1&uaid=XXXXXXXX&prompt=login&username=<PERSONAL EMAIL>&login_hint=<PERSONAL EMAIL>

Question: How can we continue to debug this? Is it a (pretty big) bug with External Customer Authentication?

Note: When we use Google as the Authentication Provider, a similar error is given by Google (redirect URL not correct).

Update 1: We created the app again in a non-external tenancy and the application now works as intended. The issue seems to be somewhere in CIAMLOGIN/External Tenancy; we are now exploring not using external tenancy/ciamlogin.

Thanks.

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

Accepted answer
    Rukmini 3,191 Reputation points Microsoft External Staff Moderator
    2025-06-11T07:02:06.09+00:00

    Hello, the personal Microsoft account (MSA) and Google flows fail because their apps don't recognise the CIAM-tenant redirect URI. In an External (CIAM) tenant you must create your own app at each IdP and register the CIAM URLs Microsoft expects.

    Refer:

    Add MSA for customer sign-in - Microsoft Entra External ID | Microsoft Learn

    Add Google as an identity provider - Microsoft Entra External ID | Microsoft Learn

    Register them in the Live.com and Google developer portals, then paste the resulting client ID/secret back into External Identities → Identity providers.

    You're right, Entra External (CIAM) automatically routes Microsoft personal accounts (MSAs) through live.com, and this behavior is currently enforced by design. Unlike other identity providers (Google, Apple, Meta), which are optional, MSAs are treated as first-party and cannot be disabled or overridden in the CIAM sign-in flow.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful", which may help members with similar questions.


    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

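As an added illustration of the point in the accepted answer (this is example code, not code from the question, from Microsoft, or from Entra External ID): an OAuth 2.0 / OIDC authorization server such as login.live.com compares the `redirect_uri` in the authorize request against the URIs registered for that `client_id` with an exact string match, because any looser match would let a differently-hosted or differently-pathed endpoint receive the authorization code. The error in the question is therefore that check doing its job on a client registration that does not contain the CIAM federation endpoint. The script below pulls the `redirect_uri` out of an authorize URL shaped like the one quoted above, applies the exact-match rule, and shows the outcome before and after the CIAM URI is registered on the IdP-side app. The tenant GUID, the `client_id`/`state` values and the registered-URI set are constructed placeholders; only the `ciamlogin.com/common/federation/oauth2msa` path comes from the page.

```python
"""Exact-match redirect_uri validation as an OAuth 2.0 authorization server applies it.

Added example, not code from the page, from Microsoft, or from Entra External ID.
All identifiers below are constructed placeholders except the federation path,
which is taken from the authorize URL quoted in the question.
"""
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholder for the External (CIAM) tenant GUID in the question.
TENANT_GUID = "00000000-0000-0000-0000-000000000000"

# Redirect URI the CIAM federation flow presents to live.com. In an External tenant
# this URI must be registered on the app you create in the MSA developer portal.
CIAM_MSA_REDIRECT = f"https://{TENANT_GUID}.ciamlogin.com/common/federation/oauth2msa"

# Constructed authorize request with the same shape as the one in the question
# (client_id and state are dummy values; personal data omitted).
SAMPLE_AUTHORIZE_URL = (
    "https://login.live.com/oauth20_authorize.srf"
    "?scope=openid+profile+email+offline_access&response_type=code"
    "&client_id=XXXXXXX&response_mode=form_post"
    "&redirect_uri=" + quote(CIAM_MSA_REDIRECT, safe="")
    + "&state=XXXXXXXX&prompt=login"
)


def extract_redirect_uri(authorize_url: str) -> Optional[str]:
    """Return the percent-decoded redirect_uri parameter, or None if absent."""
    params = parse_qs(urlsplit(authorize_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


def redirect_uri_is_registered(candidate: str, registered: Set[str]) -> bool:
    """Exact string comparison against the client's registered redirect URIs.

    No prefix, wildcard or host-only matching: RFC 6749 section 3.1.2.2 and the
    OAuth 2.0 Security BCP require the full URI to match, and a fragment is never
    allowed in a redirection endpoint.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return candidate in registered


def diagnose(authorize_url: str, registered: Set[str]) -> Tuple[bool, str]:
    """Simulate the IdP's decision for one authorize request.

    Returns (accepted, detail). On rejection, detail mirrors the invalid_request
    message seen in the question; on acceptance it is the matched URI.
    """
    uri = extract_redirect_uri(authorize_url)
    if uri is None:
        return False, "invalid_request: missing redirect_uri"
    if not redirect_uri_is_registered(uri, registered):
        return False, (
            "invalid_request: The provided value for the input parameter "
            f"'redirect_uri' ({uri}) does not match a redirect URI registered "
            "for this client application."
        )
    return True, uri


if __name__ == "__main__":
    # Situation in the question: no tenant-owned MSA app, so nothing is registered.
    print(diagnose(SAMPLE_AUTHORIZE_URL, set()))
    # After registering the CIAM federation URI on the MSA app, the same request passes.
    print(diagnose(SAMPLE_AUTHORIZE_URL, {CIAM_MSA_REDIRECT}))
    # Near misses are still rejected, which is the property defenders rely on.
    for near_miss in (CIAM_MSA_REDIRECT + "/extra",
                      CIAM_MSA_REDIRECT.replace("https://", "http://"),
                      CIAM_MSA_REDIRECT + "#fragment"):
        print(near_miss, redirect_uri_is_registered(near_miss, {CIAM_MSA_REDIRECT}))
```

The practical takeaway for the tenant owner is the one the answer gives: the `redirect_uri` is chosen by CIAM and cannot be edited on the Entra side, so the fix is to register that exact value (scheme, host and path, no trailing additions) on the IdP-side application you own, then supply that application's client ID and secret to External Identities.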
