Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
Encountering 400 - Invalid Request error during the Microsoft Entra External ID user flow because of Entra incorrectly passing an unsupported username parameter to Google's OAuth 2.0 endpoint
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 28.999999999999996%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUD%3C/text%3E%3C/svg%3E)
Uday Devarakonda
30
Reputation points
I am currently facing an authentication issue while integrating Google login via Microsoft Entra External ID (SignInSignUp user flow) for my application, and I would appreciate your guidance in resolving it.
Issue Summary:
When users select “Sign in with Google” directly from my application, the authentication flow works as expected and login is successful.
However, when users attempt to log in via the Microsoft Entra SignInSignUp user flow, the authentication fails with a 400 – Invalid Request error.
Observed Error:
The Google authentication screen displays the following error:
Access blocked: Authorization Error
Error 400: invalid_request
Parameter not allowed for this message type: username
Request details: flowName=GeneralOAuthFlow
Expected Behavior:
Users should be able to authenticate successfully using Google accounts through the Entra SignInSignUp user flow, similar to the direct “Sign in with Google” experience in the application.
Additional Context
- Google identity provider is configured under External Identities → Identity Providers in Entra.
- Client ID and Client Secret are configured.
- The issue seems to arise specifically during the Entra-orchestrated Google authentication flow, not during direct Google OAuth login.
Your guidance would be greatly appreciated, as resolving this is critical for us to enable smooth onboarding of Gmail-based external users.
Thanks in advance for your support.
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 26%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Jussi Palo 21 Reputation points2026-02-12T14:34:27.3166667+00:00 Same problem, no workaround or fix available.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 44%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENF%3C/text%3E%3C/svg%3E)
Nikolaos Fragos 0 Reputation points2026-02-14T17:23:57.1866667+00:00 I am also encountering a persistent Error 400: invalid_request with flowName=GeneralOAuthFlow when trying to use Google as an External Identity Provider via Microsoft Entra External ID (CIAM). My application is built with ASP.NET Core 9 and uses Microsoft.Identity.Web to connect to my CIAM tenant (pafame.ciamlogin.com). I have already verified that the Authorized Redirect URIs in the Google Cloud Console exactly match the Azure CIAM endpoint (https://pafame.ciamlogin.com/common/oauth2/nativeclient), and the Client ID/Secret are correctly configured in the Azure Portal. The error occurs during the redirect from Azure to Google's OAuth 2.0 endpoint. Since flowName=GeneralOAuthFlow is part of Google's newer identity flow, is there a known issue with how CIAM constructs the initial authorization request (e.g., missing mandatory parameters like nonce or state, or an unsupported prompt value) that would cause Google to reject it as an invalid request?"
// This line initializes the standard OIDC flow to Azure Entra
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration) .EnableTokenAcquisitionToCallDownstreamApi(allScopes) .AddDistributedTokenCaches(); ```// This section ensures the app handles callbacks correctly builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options => { ```typescript options.TokenValidationParameters.RoleClaimType = "roles"; // Standard error handling for OIDC options.Events ??= new OpenIdConnectEvents(); options.Events.OnRemoteFailure = context => { /* ... handling logic ... */ }; ```}); -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shubham Sharma 11,185 Reputation points Microsoft External Staff Moderator2026-02-19T14:06:43.44+00:00 Following up to check if the resolution provided was helpful. Please let us know if you need any further assistance.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 18%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Marko Vodopija 0 Reputation points2026-02-21T17:37:32.7233333+00:00 What resolution? There is no resolution for this. I've raised the support ticket but there is no answer for last 3 weeks.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 22%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Thanmayi Godithi 7,110 Reputation points Microsoft External Staff Moderator2026-02-26T11:40:24.02+00:00 Hi @Uday Devarakonda,
Just checking in to see if you had a chance to see the previous response posted by @Nikolaos Fragos. Please "Accept the answer" if the information helped you. This will help us and others in the community as well. If you have any further questions do let us know.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 89%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMY%3C/text%3E%3C/svg%3E)
Matthew Young 0 Reputation points2026-03-02T21:14:23.4066667+00:00 This issue is still happening today and there is no fix or workaround!!
-
Sign in to comment
Sign in to answer