Logins failing for some external tenants in our Blazor/ASP Identity app

Question

Logins failing for some external tenants in our Blazor/ASP Identity app

Colin Wade 0

Our company develops a Blazor app which uses the ASP Identity framework authentication middleware. Identity framework helps us support SSO so that users can sign in to our app with Microsoft 365 or Google work accounts. It was working fine for the year or so that we've been using Blazor as well as the 3 years we had it on Razor pages before that. As far as we can tell our setup is very basic and straightforward.

Within the past few months, two of our clients have been struggling to log in to our app. They are redirected to Microsoft sign-in, and then their browser 404's when they are redirected to our app. It's the default IIS 404 page, not one returned by our code or even Blazor itself. Application Insights isn't even logging the attempt to reach the page.

I must stress that this started happening relatively recently given the total timeframe our app has been set up this way and it's limited to just 2 clients. Everyone else seems to be able to log in just fine. I can't think of a way these problem clients would get redirected to a different callback endpoint. I don't even know how I could set it up to do such a thing on purpose.

All clients get redirected to the same login callback after logging into their identity provider. We do not have separate configurations for separate clients.

VEMULA SRISAI 7,130 Reputation points Microsoft External Staff Moderator

2026-01-27T20:11:01.5633333+00:00
Hello Colin Wade,

This issue happens because Microsoft Entra ID is redirecting the user back to a callback URL that is either:

not configured in the App Registration,

mismatched with your app’s real domain,

or blocked by the hosting environment (App Service / proxy / WAF).

When the callback URL and the actual app URL don’t match exactly, the sign‑in POST to /signin-oidc never reaches your application, and the browser shows an IIS 404 page.

How to fix

Verify Reply URL (Redirect URI) In Microsoft Entra admin center → App registrations → Your app → Authentication, ensure the following URL exists exactly as used during login:
https://<your-domain>/signin-oidc

Check www vs non-www

Check HTTPS vs HTTP

Check spelling or path changes

Any mismatch will cause the OIDC callback to fail.

2.Make the callback path explicit in your app Ensure your Blazor/ASP.NET Core authentication setup specifies the callback:

C#

options.CallbackPath = "/signin-oidc";

3.Confirm the domain used by affected users The 2 impacted clients may be signing in from a different hostname (old bookmark, internal portal, or missing custom domain binding). The domain they use must also be added as a redirect URI:

Example:

https://app.company.com/signin-oidc

4.Check if any proxy/firewall blocks the OIDC POST Some corporate networks block the POST that carries the id_token. Ask the client to try:

different browser

different network

disabling corporate VPN/proxy

If it works outside their network → it’s a filtering issue. For your reference: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-10.0&pivots=with-yarp-and-aspire
Colin Wade 0 Reputation points

2026-01-27T20:45:53.5133333+00:00

I'm not sure if OIDC is actually being used here - if it is it's hidden behind the identity framework middleware.

We set up an ASP MVC controller which uses MVC Core's Challenge() method to issue the redirect to the identity provider. We set the properties on the AuthenticationProperties parameter that establishes the redirect URI back to our application. The only thing that can change about this callback url are the query parameters we use to redirect them back to the subpath they were originally trying to access, kind of like the built in Identity pages do by default (we aren't using Identity's Razor/MVC pages, for what it's worth). We have specified this path to be <ourapp>/Authentication/ExternalLoginCallback, similar to Identity pages.

The page that is actually getting 404'd on is <ourapp>/signin-microsoft, which is not an endpoint that I specify or control. I'm guessing that's provided behind the scenes by Identity and sets the necessary cookies and whatever else is necessary to complete the handshake. Normally, the response at this address is a 302 and it redirects to our ExternalLoginCallback above.

Calls to signin-microsoft have three query parameters, in both success and failure cases: code, state and session_state. All three are specified in both successes and failures, the only potentially meaningful difference that I can tell is that the values for code and state are slightly different lengths (as in 1800~ characters on failures instead of 1400~ on successes for code, and 520~ vs 500~ for state).
VEMULA SRISAI 7,130 Reputation points Microsoft External Staff Moderator

2026-01-28T00:37:53.9766667+00:00

Colin Wade Thanks for informing and getting back to us. and we’ll review this further and provide the required information shortly.
Colin Wade 0 Reputation points

2026-01-28T20:31:03.0366667+00:00

How do I change IIS settings in a Blazor app? I don't deploy a web.config

OR

How do I change IIS settings on a web app on the Azure portal side?

EDIT: Figured it out, nevermind

1 answer

Your answer

VEMULA SRISAI 7,130 Reputation points Microsoft External Staff Moderator

2026-01-27T20:11:01.5633333+00:00

Hello Colin Wade,

This issue happens because Microsoft Entra ID is redirecting the user back to a callback URL that is either:

not configured in the App Registration,

mismatched with your app’s real domain,

or blocked by the hosting environment (App Service / proxy / WAF).

When the callback URL and the actual app URL don’t match exactly, the sign‑in POST to /signin-oidc never reaches your application, and the browser shows an IIS 404 page.

How to fix

Verify Reply URL (Redirect URI) In Microsoft Entra admin center → App registrations → Your app → Authentication, ensure the following URL exists exactly as used during login:
https://<your-domain>/signin-oidc

Check www vs non-www

Check HTTPS vs HTTP

Check spelling or path changes

Any mismatch will cause the OIDC callback to fail.

2.Make the callback path explicit in your app Ensure your Blazor/ASP.NET Core authentication setup specifies the callback:

C#

options.CallbackPath = "/signin-oidc";

3.Confirm the domain used by affected users The 2 impacted clients may be signing in from a different hostname (old bookmark, internal portal, or missing custom domain binding). The domain they use must also be added as a redirect URI:

Example:

https://app.company.com/signin-oidc

4.Check if any proxy/firewall blocks the OIDC POST Some corporate networks block the POST that carries the id_token. Ask the client to try:

different browser

different network

disabling corporate VPN/proxy

If it works outside their network → it’s a filtering issue. For your reference: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-10.0&pivots=with-yarp-and-aspire
Colin Wade 0 Reputation points

2026-01-27T20:45:53.5133333+00:00

I'm not sure if OIDC is actually being used here - if it is it's hidden behind the identity framework middleware.

We set up an ASP MVC controller which uses MVC Core's Challenge() method to issue the redirect to the identity provider. We set the properties on the AuthenticationProperties parameter that establishes the redirect URI back to our application. The only thing that can change about this callback url are the query parameters we use to redirect them back to the subpath they were originally trying to access, kind of like the built in Identity pages do by default (we aren't using Identity's Razor/MVC pages, for what it's worth). We have specified this path to be <ourapp>/Authentication/ExternalLoginCallback, similar to Identity pages.

The page that is actually getting 404'd on is <ourapp>/signin-microsoft, which is not an endpoint that I specify or control. I'm guessing that's provided behind the scenes by Identity and sets the necessary cookies and whatever else is necessary to complete the handshake. Normally, the response at this address is a 302 and it redirects to our ExternalLoginCallback above.

Calls to signin-microsoft have three query parameters, in both success and failure cases: code, state and session_state. All three are specified in both successes and failures, the only potentially meaningful difference that I can tell is that the values for code and state are slightly different lengths (as in 1800~ characters on failures instead of 1400~ on successes for code, and 520~ vs 500~ for state).
VEMULA SRISAI 7,130 Reputation points Microsoft External Staff Moderator

2026-01-28T00:37:53.9766667+00:00

Colin Wade Thanks for informing and getting back to us. and we’ll review this further and provide the required information shortly.
Colin Wade 0 Reputation points

2026-01-28T20:31:03.0366667+00:00

How do I change IIS settings in a Blazor app? I don't deploy a web.config

OR

How do I change IIS settings on a web app on the Azure portal side?

EDIT: Figured it out, nevermind

Answer 1

Colin Wade Thank you for the detailed clarification. That helps narrow this down significantly.

Even though OpenID Connect is not something you configure directly, ASP.NET Core Identity uses OIDC internally when Challenge() is invoked with the Microsoft provider. The /signin-microsoft endpoint you’re seeing is the internal callback endpoint registered by the authentication middleware, and its responsibility is to process the authorization response (code, state, session_state), establish the authentication session, and then issue a 302 redirect to your configured ExternalLoginCallback.

Given that:

The request reaches /signin-microsoft

The response is a default IIS 404

Application Insights does not log the request

The failure occurs before your callback controller is reached

The only observable difference is larger code and state values in failing cases

This strongly indicates that the request is being rejected at the IIS or infrastructure layer before the ASP.NET Core middleware pipeline executes, rather than failing inside Identity or your application logic.

A common cause of this behavior is IIS request filtering limits, particularly:

Maximum query string length

Maximum URL length

When these limits are exceeded, IIS returns a 404 immediately and does not forward the request to the application, which matches the behavior you’re observing exactly. This also explains why:

The issue affects only certain external tenants

It began recently

Successful and failing requests differ only in parameter size

Some tenants (for example, those with Conditional Access, MFA, or additional claims) can generate larger authorization payloads, increasing the size of the code and state parameters.

Recommended next steps

Review IIS logs for the failing requests to confirm rejection at the web server level.

Verify or temporarily increase request limits in IIS, for example:

<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxUrl="8192" maxQueryString="8192" />
    </requestFiltering>
  </security>
</system.webServer>

If applicable, also check any reverse proxy, WAF, or load balancer in front of IIS for similar request size limits.

Colin Wade 0 Reputation points

2026-01-28T21:45:45.2166667+00:00

As per comments from @VEMULA SRISAI , the solution is to increase the request url/querystring limits in IIS:

<system.webServer> <security> <requestFiltering> <requestLimits maxUrl="8192" maxQueryString="8192" /> </requestFiltering> </security> </system.webServer>
Sridevi Machavarapu 18,540 Reputation points Microsoft External Staff Moderator

2026-01-29T16:40:29.9066667+00:00

Hello Colin Wade,

If issue resolved, please click on under the answer to close this question.

Share via

Logins failing for some external tenants in our Blazor/ASP Identity app

1 answer

Recommended next steps

Your answer