Issue with EEID native authentication, sign up and "attributes required"

Question

Learn article:

https://learn.microsoft.com/en-us/entra/identity-platform/reference-native-authentication-api?source=recommendations&tabs=emailOtp#step-5-request-for-security-tokens

"If the request is successful, but no attributes were configured in Microsoft Entra admin center or all the required attributes were submitted via the /signup/v1.0/start endpoint, the app gets a continuation token without submitting any attributes. The app can use the continuation token to request for security tokens as shown in step 5. Otherwise, Microsoft Entra's response indicates that the app needs to submit required attributes. These attributes, built in or custom, were configured in the Microsoft Entra admin center by the tenant administrator."

I have configured the sign-up attributes in External ID / User flows / User attributes.

But when I work through the flow, I do not get the "error" message:

"error": "attributes_required",
    "error_description": "User attributes required",
    "error_codes": [
            55106
        ],

requiring the app. to collect and send the attributes.

Any ideas?

Answer 1

The attributes_required error is only returned when both of these conditions are true:

1. The tenant has one or more required user attributes configured for sign-up (built-in or custom) in Microsoft Entra admin center.
2. The app has not submitted all of those required attributes in the /signup/v1.0/start request.

If all required attributes are already submitted in /signup/v1.0/start, or if no attributes are configured as required, Microsoft Entra returns a success response with a continuation_token and does not send error = attributes_required.

From the native auth reference:

• If the app submits the password and all required attributes via /signup/v1.0/start, Microsoft Entra issues a continuation token and the app can proceed to request tokens.
• If the app submits the password but not all required attributes, Microsoft Entra returns an error with error = attributes_required and a required_attributes list, and the app must call /signup/v1.0/continue with those attributes.

Therefore, if attributes_required is never seen, typical causes are:

1. The attributes configured in the user flow are optional, not required, so the service never needs to block sign-up to ask for them.
2. The app is already sending all required attributes in the initial /signup/v1.0/start call, so there is no need for the service to request more.
3. No attributes are configured at all in the External ID user flow, so the service proceeds without any attribute checks.

To force the attributes_required behavior in a test:

1. In the External ID user flow, mark one or more attributes as required.
2. In the /signup/v1.0/start request, send only the username/password and omit at least one of those required attributes from the attributes JSON.
3. The response should then be 400 Bad Request with error = attributes_required and a required_attributes array indicating which attributes must be submitted via /signup/v1.0/continue.

Also note:

• Optional attributes are never explicitly requested; if all required attributes are present, additional optional attributes cannot be added later via /signup/v1.0/continue.
• Microsoft Entra ignores any attributes submitted that do not exist in the tenant configuration.

If the user flow is correctly configured with required attributes and the app is definitely not sending them in /signup/v1.0/start, but attributes_required still does not appear, capture the raw HTTP request/response and verify:

• The attributes parameter is present or absent as expected.
• The attribute keys match the programmable names (or extension_{appIdWithoutHyphens}_{attributeName} for custom attributes).

---

References:

• Context # Native authentication API reference
• Tutorial: Add sign-up in an iOS/macOS app using native authentication
• Tutorial: Add sign-up in an Android mobile app using native authentication