OnAttributeCollectionStart custom authentication extension intermittently not invoked
We have configured a custom authentication extension for the AttributeCollectionStart event on a Microsoft Entra External ID (CIAM) sign-up and sign-in user flow. The extension and REST API are correctly configured and verified, but OnAttributeCollectionStart triggers intermittently — most sign-up attempts never invoke our API. In contrast, OnAttributeCollectionSubmit, configured the same way on the same user flow, triggers reliably on every attempt.
Tenant: emailvalidationtest2.onmicrosoft.com
Tenant ID: bfb25a53-b5d9-4e2d-b7f6-a91880777a6b
This tenant was created fresh specifically to rule out any pre-existing configuration issue, and the same intermittent behavior was reproduced on it from a clean setup, following the official documentation:
What we verified:
- The REST API endpoint (ASP.NET Core 8 minimal API on Azure App Service) is publicly reachable and returns correct responses, verified via direct curl tests with the correct onAttributeCollectionStartResponseData schema and continueWithDefaultBehavior / showBlockPage actions.
- The custom authentication extension configuration was verified directly via Microsoft Graph API, not just the portal UI: GET /v1.0/identity/authenticationEventsFlows/{flowId} confirms onAttributeCollectionStart is correctly populated with our customExtension, correct targetUrl, and correct resourceId.
- Admin consent was granted on CustomAuthenticationExtension.Receive.Payload for the extension's app registration.
- Application Insights on the API backend shows no incoming request at all for most sign-up attempts at the time AttributeCollectionStart should fire, meaning Entra never sends the HTTP call rather than the call failing on our end.
- We ruled out App Service cold start as the root cause by keeping the app continuously warm via a polling loop during testing — Start still failed to trigger on most attempts.
- The extension worked correctly exactly once during testing, with a request payload matching the documented schema perfectly (tenantId, authenticationEventListenerId, customAuthenticationExtensionId, and a correlationId matching the subsequent Submit call for the same session), confirming the integration itself is built correctly but invocation is unreliable.
- OnAttributeCollectionSubmit, configured identically (same user flow, same API, same app registration pattern), triggers on 100% of attempts on this tenant.
Question: Is there a known reliability issue with OnAttributeCollectionStart invocation on External ID tenants? Is a backend reprovisioning of the Custom Authentication Extensions service needed for this tenant? We are currently using OnAttributeCollectionSubmit as a working fallback, so this isn't a full blocker, but it prevents us from delivering the intended pre-OTP blocking behavior that Start is designed for.
Any guidance would be greatly appreciated.
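Added example, not part of the original post or of Microsoft's code: one way to quantify the gap described above is to group the request bodies the API logged by correlationId and list the sign-up sessions where a Submit call arrived without a preceding Start call. It assumes the API writes each incoming request body as one JSON line, that the event name is the last segment of the `type` field, and that the correlationId sits under `data.authenticationContext`; the sample log is constructed.

```python
import json
from collections import defaultdict

# Assumed event names: last dot-separated segment of the request body's "type" field.
START = "attributeCollectionStart"
SUBMIT = "attributeCollectionSubmit"

# Constructed sample: one logged request body per line, trimmed to the fields used here.
SAMPLE_LOG = """\
{"type": "microsoft.graph.authenticationEvent.attributeCollectionStart", "data": {"authenticationContext": {"correlationId": "c-001"}}}
{"type": "microsoft.graph.authenticationEvent.attributeCollectionSubmit", "data": {"authenticationContext": {"correlationId": "c-001"}}}
{"type": "microsoft.graph.authenticationEvent.attributeCollectionSubmit", "data": {"authenticationContext": {"correlationId": "c-002"}}}
{"type": "microsoft.graph.authenticationEvent.attributeCollectionSubmit", "data": {"authenticationContext": {"correlationId": "c-003"}}}
{"type": "microsoft.graph.authenticationEvent.attributeCollectionStart", "data": {"authenticationContext": {"correlationId": "c-004"}}}
this line is not JSON and is skipped
{"type": "microsoft.graph.authenticationEvent.attributeCollectionStart", "data": {"authenticationContext": {"correlationId": "c-005"}}}
{"type": "microsoft.graph.authenticationEvent.attributeCollectionSubmit", "data": {"authenticationContext": {"correlationId": "c-005"}}}
"""

def correlation_id(body):
    """Return the correlationId from the assumed path, or None if absent."""
    data = body.get("data") or {}
    context = data.get("authenticationContext") or {}
    return context.get("correlationId")

def start_coverage(log_text):
    """Summarise, per sign-up session, whether Start was seen alongside Submit."""
    seen = defaultdict(set)  # correlationId -> set of event names received
    for line in log_text.splitlines():
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate blank or non-JSON log lines
        if not isinstance(body, dict):
            continue
        cid = correlation_id(body)
        event = str(body.get("type", "")).rsplit(".", 1)[-1]
        if cid and event in (START, SUBMIT):
            seen[cid].add(event)
    submitted = {cid for cid, events in seen.items() if SUBMIT in events}
    # Sessions that reached Submit although the API never received Start.
    missing = sorted(cid for cid in submitted if START not in seen[cid])
    # Start with no Submit: the user abandoned sign-up, not a missed invocation.
    start_only = sorted(cid for cid, events in seen.items() if events == {START})
    rate = (len(submitted) - len(missing)) / len(submitted) if submitted else None
    return {"sessions_with_submit": len(submitted), "missing_start": missing,
            "start_only": start_only, "start_rate": rate}

if __name__ == "__main__":
    print(json.dumps(start_coverage(SAMPLE_LOG), indent=2))
```

The `missing_start` correlation IDs, with their timestamps, are the sessions to quote when asking support to trace why the Start event was not dispatched.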