Error adding external identity provider for Azure portal

Question

I am trying to add an external identity provider for access to the Azure Portal. The IdP passive sign in Uri is on a different domain from what I would like to use in Azure.

From the following documentation it says that I need to add the passive authentication endpoint via a TXT record to my domain

https://learn.microsoft.com/en-us/entra/external-id/direct-federation

I added the TXT record, and when I go to add the external identity, Azure displays an error saying the TXT record does not exist. However, I have verified that it does exist. Is there anything else that needs to be done beyond adding that TXT record for the external identity to work?

Answer 1

Hello @Shayan Sarkar,

Thanks for using Q and A forum.

1. TXT record name must be correct (most common issue)

The TXT record must be created on the root of the domain, not a subdomain.

Do not add extra prefixes like:

_msauth

_federation

_domain

2. TXT value must match exactly (no quotes, no spaces)

Azure expects a value like:

MS=ms12345678

Common mistakes:

Including quotes ("MS=ms12345678")

Adding spaces

Adding multiple TXT values in one record

Using the wrong MS value (copied from another tenant)

3. DNS propagation & TTL really matter

Even if you can see the record:

Azure uses public recursive DNS

It does not query your authoritative DNS directly

Cached NXDOMAIN responses can persist

What to do

Wait 30–60 minutes minimum

If TTL is high (e.g. 3600), wait the full TTL

Use this to validate:

nslookup -type=TXT example.com 8.8.8.8

4. What Azure does not require (yet)

You do not need:

Certificates uploaded

IdP metadata reachable

The IdP to be online

Firewall changes

TXT verification is a pure DNS ownership check.

---

If the Answer is helpful, please click Accept Answer and Up-Vote 👍, so that this can be beneficial to other community members.