CIAM Login Email passcode not working for all the flows.

Rafael Soares Oliveira 0 Reputation points
2025-10-07T14:54:15.6466667+00:00

I'm using Microsoft Entra External ID (CIAM) to handle external logins in my application. I created a new external tenant linked to my corporate tenant and configured it to use Email Passcode (OTP) as the sign-in method.

However, for some users (e.g., ******@company1.com, ******@company1.com), the login flow redirects to their corporate Microsoft Entra login instead of using the email passcode.

My goal is to prevent users’ corporate or Microsoft logins from being triggered, unless a specific client has explicitly requested an integration with their Entra tenant.


Configuration Details

Microsoft Entra ID → External Identities → All Identity Providers:

- Email Passcode is configured.
- *Microsoft* and *Microsoft Entra ID* are also shown as configured, but there doesn’t seem to be an option to remove or disable them completely.

**Application Settings:**

- Access tokens (used for implicit flows) ✅
- ID tokens (used for implicit and hybrid flows) ✅
- Supported account types: *Accounts in this organizational directory only (Legal Resources External only – Single tenant)*

**User Flow:**

- Created with the *Email passcode* option.
- No “Create Account” flow — all users are pre-created as **Guest users**.

Behavior Observed

Email passcode sign-in works correctly for:

- Personal email addresses (e.g., Gmail, Outlook.com)
- Invited Guest users

When I create a user that has to **set a password**, the system **stops using the email passcode flow** and instead triggers a password-based Microsoft login.

Additionally, a **Consent dialog box** appears during the first login, even though the users are already registered — which doesn’t make sense in this scenario.

Question

How can I ensure that:

1. Only the Email Passcode (OTP) login method is used for all users, regardless of their domain (so @company1.com users don’t get redirected to their corporate login)?
2. The Consent dialog does not appear for pre-created Guest users who already exist in the directory?
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Monalisha Jena 3,680 Reputation points Microsoft External Staff Moderator
    2025-10-09T10:20:06.3+00:00

    Hello Rafael Soares Oliveira,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I will try to give you some solutions and clarify your doubts.

    1. To ensure that only Email Passcode (OTP) is used for all users, including those with corporate domains like @company1.com, you need to override the default Home Realm Discovery (HRD) behavior and restrict other identity providers. You can prevent Entra ID from redirecting users to their corporate login by explicitly telling the authentication system to only use a local domain, which forces it to stay within your CIAM user flow and present the local sign-in options (Email Passcode).

    Configuration Check: First, ensure your CIAM User Flow is configured to only allow the Email Passcode as the local identity method.

    Go to Microsoft Entra ID > External Identities > User Flows >> Select your sign-up and sign-in user flow >> Go to Identity providers >> Under Local accounts, ensure that only Email one-time passcode is checked. Email with password and any external/social IdPs should be unchecked here if you want to completely enforce OTP.

    Implementation: You need to append the domain_hint query parameter to your application's sign-in request URL. Parameter: domain_hint and Value: Use a non-existent domain name (like no_federation or your tenant's default domain) to prevent HRD from matching a federated corporate domain.

    By sending this parameter, you signal that the user should be treated as a local account user within your tenant's policies, bypassing the automatic redirection to their external corporate IdP.

    more understanding at: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/home-realm-discovery-policy

    https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin?pivots=b2c-user-flow

    2. To ensure the consent dialog does not appear for any user, you need to grant Admin Consent for all the permissions the application requires. When an administrator grants consent, the user is never prompted.

    Identify the Required Permissions: you need to know what permissions (scopes) your application is requesting. These are usually configured in two places: the Application Registration, where the "API permissions" section lists the permissions the app declares it needs, and the Authentication Request, where the scope parameter in the OAuth 2.0 authorization request specifies the permissions the application is asking for in that specific flow (e.g., openid, profile, offline_access, or custom scopes).

    Grant Admin Consent in the Azure Portal: You must have the Application Administrator or Cloud Application Administrator role (or higher) to perform this action.

    Navigate to your App Registration: Go to the Microsoft Entra admin center >> Navigate to Applications > App registrations >> Select the application registration that is integrated with your CIAM User Flow.

    Review and Grant Permissions: In the left navigation pane, select API permissions > Review the list of permissions under "Configured permissions." > For any permission that shows "Not granted for <Your Tenant Name>" in the Status column, you need to grant consent > Click the "Grant admin consent for <Your Tenant Name>" button > Confirm the dialog box.

    Once admin consent is granted, the Status column for those permissions will change to "Granted for <Your Tenant Name>." For pre-created guest users who already exist in the directory, this action bypasses the need for them to see and click the consent dialog during their first sign-in.
    more understanding at: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis
    https://docs.azure.cn/en-us/entra/identity-platform/application-consent-experience

    Hope this helps! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well.

    If you need more info or if the above did not work for you, feel free to reach out in the comments with the clarification points I have asked for. Happy to help!
    Regards,

    Monalisha
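As an added example (not code from the question or the answer), here is how a web app would build the sign-in request the answer describes, with domain_hint set to the recommended non-federated value and a check that the outgoing URL really carries it. The ciamlogin.com authority, client ID and redirect URI are assumed placeholders, and the request uses the authorization code flow with PKCE rather than the implicit-flow tokens enabled in the question's app settings.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders (not from the thread); the ciamlogin.com authority format is an assumption.
AUTHORIZE_URL = "https://contoso.ciamlogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the authorization code + PKCE flow."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_signin_url(domain_hint: str, login_hint: Optional[str] = None,
                     state: Optional[str] = None, nonce: Optional[str] = None) -> Tuple[str, str]:
    """Build the /authorize URL and return (url, code_verifier).

    domain_hint carries the non-federated value the answer recommends, so Home Realm
    Discovery stays on the local Email one-time passcode policy for @company1.com users.
    """
    verifier, challenge = pkce_pair()
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",      # auth code flow; no implicit-flow tokens needed
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile offline_access",
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this request
        "nonce": nonce or secrets.token_urlsafe(16),  # echoed back inside the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "domain_hint": domain_hint,
    }
    if login_hint:
        params["login_hint"] = login_hint  # only pre-fills the e-mail box, does not route HRD
    return f"{AUTHORIZE_URL}?{urlencode(params)}", verifier


def has_domain_hint(url: str, expected: str) -> bool:
    """Check that an outgoing sign-in URL really carries the hint, exactly once."""
    query = parse_qs(urlparse(url).query)
    return query.get("domain_hint") == [expected]
```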

