This article explains how to resolve authentication failures that occur when using Microsoft Entra ID as an OpenID Connect (OIDC) Identity Provider. This issue is specifically triggered after enabling the Claims Sharing feature and is caused by an invalid issuer value in the access token returned by Entra ID.
- Identity Providers (IdP)
- OpenID Connect (OIDC)
- Microsoft Entra ID Integration
- Claims Sharing
The root cause of this issue is a mismatch in the issuer value provided by Microsoft Entra ID in the access token.
- By default, Okta validates the ID Token returned from an external OIDC Identity Provider to create a user session.
- When the Claims Sharing feature is enabled for the Entra ID IdP, Okta must also validate the Access Token, which contains the Authentication Methods Reference (AMR) claims.
- The Microsoft Entra ID v2.0 endpoints can return an Access Token with an
iss(issuer) claim that does not match theissuerURL published in Entra ID's OIDC.well-knownconfiguration endpoint. - This discrepancy causes Okta's security validation of the access token to fail, interrupting the authentication flow and preventing the user from signing in.
By using the older v1.0 endpoints, which include the necessary AMR claims in the ID Token, Okta does not need to evaluate the invalid access token. To switch to the v1.0 endpoints, do the following in Okta:
- In the Okta Admin Console, navigate to Security > Identity Providers.
- Select the configured Microsoft Entra ID provider.
- Click Edit for the General settings.
- Enter the v1.0 endpoint URLs for the Entra ID tenant. Replace
<tenant-id>with the specific Microsoft Entra ID Tenant ID.
-
- Authorize URL:
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize - Token URL:
https://login.microsoftonline.com/<tenant-id>/oauth2/token - Issuer URL:
https://sts.windows.net/<tenant-id>/ - JWKS Endpoint:
https://login.microsoftonline.com/<tenant-id>/discovery/keys - Userinfo Endpoint:
https://login.microsoftonline.com/<tenant-id>/openid/userinfo
- Authorize URL:
-
Click Update Identity Provider. After updating, users should be able to authenticate successfully, as Okta will no longer need to parse the access token to create the session.
NOTE: In the EntraID Manifest, it is also necessary to set acceptMappedClaims : true (according to Microsoft Documentation). It may also be necessary to set api:requestedAccessTokenVersion : 2.
