Entra ID External Authentication Method (EAM) Integration Failures With Okta
Overview

When configuring or re-configuring Microsoft Entra ID External Authentication Methods (EAM) with Okta, administrators may encounter an integration failure during the OpenID Connect (OIDC) handshake, with a Microsoft error page showing the following message:

AADSTS5007413: Authentication with external provider cannot be completed due to invalid provider discovery response.

Microsoft is currently working on a solution, and affected customers can contact them with the following case reference: 2604030040004934.

Applies To
  • Okta Identity Engine (OIE)
  • Microsoft Entra ID External Authentication Methods (EAM)
  • OpenID Connect (OIDC)
Cause

This issue occurs because of a misalignment in how security metadata is exchanged. Microsoft Entra ID requires the signing certificate chain (the x5c claim in the provider's JWKS) and also requires that the Discovery Endpoint be supplied without any query parameters. Okta's default metadata delivery, however, only returns the desired certificate chain when a specific query parameter (client_id) is present in the discovery URL, so no single URL satisfies both requirements and the configuration loops between the two errors below.

During setup or user authentication, the process may fail before the user is redirected to Okta. Microsoft displays a "We couldn't complete your verification" screen.

Depending on the configuration, two different issues can occur:

  • If a query parameter (for example, ?client_id=...) is included in the discovery URL configured in the Entra ID portal, Microsoft may reject the URL format immediately with an invalid URL notification, or it returns the AADSTS5007413 error instead of redirecting users to Okta for verification.


  • If the Discovery Endpoint provided to Microsoft does not include the query parameter (?client_id=0oaxxxxxxxxx), users are redirected to Okta for verification, but Microsoft cannot validate the returned tokens because the x5c value is missing, and it rejects the handshake.
    Microsoft Error


  • In the Network tab of the web browser's Developer Tools, the corresponding error is logged:

Developer Tools
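The two failure scenarios above come down to two properties of the provider metadata: whether the discovery URL carries a query string, and whether the signing keys in the JWKS include an x5c chain. The following script is an added example, not code from the Okta article or from Okta; it checks both properties offline against constructed sample data. The hostname example.okta.com, the client_id value, the kid names and the x5c strings are all placeholders, and the function names (discovery_url_query_params, signing_keys_missing_x5c, assess_eam_readiness) are this example's own.

```python
# Added example (not from the Okta article): checks an OIDC discovery URL and
# the JWKS it serves against the two Entra ID EAM requirements described
# above. All sample data is constructed; the hostname, kid values and
# certificate strings are placeholders, not real Okta metadata.
import json
from urllib.parse import urlsplit

# Constructed discovery URLs: one without a query string, one carrying the
# client_id parameter that the article says Okta needs to return the chain.
DISCOVERY_URL_PLAIN = "https://example.okta.com/.well-known/openid-configuration"
DISCOVERY_URL_WITH_QUERY = DISCOVERY_URL_PLAIN + "?client_id=0oaPLACEHOLDER"

# Constructed JWKS bodies. The x5c entry is a placeholder standing in for a
# base64-encoded DER certificate; no real key material is included.
JWKS_WITH_X5C = json.dumps({
    "keys": [{
        "kty": "RSA", "use": "sig", "kid": "kid-with-chain", "alg": "RS256",
        "n": "placeholder-modulus", "e": "AQAB",
        "x5c": ["MIIC...placeholder-leaf-cert"],
    }]
})
JWKS_WITHOUT_X5C = json.dumps({
    "keys": [{
        "kty": "RSA", "use": "sig", "kid": "kid-without-chain", "alg": "RS256",
        "n": "placeholder-modulus", "e": "AQAB",
    }]
})


def discovery_url_query_params(url: str) -> list[str]:
    """Return the names of any query parameters on the discovery URL.
    Entra ID expects this list to be empty."""
    query = urlsplit(url).query
    return [part.split("=", 1)[0] for part in query.split("&") if part]


def signing_keys_missing_x5c(jwks_json: str) -> list[str]:
    """Return the kid of every signing key that carries no x5c chain.
    Entra ID cannot validate tokens signed by such a key."""
    jwks = json.loads(jwks_json)
    missing = []
    for key in jwks.get("keys", []):
        # "use" is optional in RFC 7517; a key without it may still sign.
        if key.get("use", "sig") != "sig":
            continue
        if not key.get("x5c"):
            missing.append(key.get("kid", "<no kid>"))
    return missing


def assess_eam_readiness(discovery_url: str, jwks_json: str) -> dict:
    """Combine both checks and map the result onto the article's two
    scenarios: URL rejected, or handshake rejected for a missing x5c."""
    params = discovery_url_query_params(discovery_url)
    missing = signing_keys_missing_x5c(jwks_json)
    if params:
        outcome = "rejected: discovery URL carries query parameters"
    elif missing:
        outcome = "handshake fails: signing key(s) lack x5c"
    else:
        outcome = "ok"
    return {"query_params": params, "keys_missing_x5c": missing, "outcome": outcome}


if __name__ == "__main__":
    # The first two cases reproduce the article's failure modes; the third
    # is the metadata shape Entra ID would accept.
    for url, jwks in ((DISCOVERY_URL_WITH_QUERY, JWKS_WITH_X5C),
                      (DISCOVERY_URL_PLAIN, JWKS_WITHOUT_X5C),
                      (DISCOVERY_URL_PLAIN, JWKS_WITH_X5C)):
        print(url, "->", assess_eam_readiness(url, jwks)["outcome"])
```

To run it against a live tenant, fetch the discovery document with and without the client_id parameter, follow its jwks_uri, and pass each JWKS body to assess_eam_readiness; the script deliberately makes no network calls so that the checks themselves can be verified offline.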

Solution

Currently, no solution or workaround is available. Microsoft and Okta are investigating solutions for this issue.
