Microsoft Entra ID External Authentication Methods - eam_amr_unsatisfiable
Single Sign-On
Okta Identity Engine
Overview

After configuring Okta with Microsoft External Authentication Methods (EAM), end users are redirected to Okta successfully but are then routed straight back to Entra with an error similar to the one below:

 

AADSTS50012620: Cannot complete external authentication: provider returned ‘access_denied’ error.

 

[Screenshot: error message]

In the Okta System Logs, the following events can be observed during the flow. 

[Screenshot: System Log events]

Applies To
  • Okta Identity Engine (OIE)
  • Microsoft External Authentication Methods
  • EAM
  • eam_amr_unsatisfiable
Cause

One potential cause is that the end user going through the flow is not enrolled in any of the authenticators on the Okta side that are expected by the authentication sign-on policy (ASOP) for the Microsoft External Authentication Methods application.

 

Solution

Ensure that the end users are enrolled in Okta MFA. Once an end user is enrolled and attempts the flow again, they should be prompted to complete Okta MFA. Once Okta MFA is completed, Okta will send the AMR claim to Microsoft.

 

NOTE: Inline enrollment is not supported for EAM. Users will have to enroll before attempting the flow.
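
A pre-flight check for the enrollment requirement above, as an added example (not Okta's own code): it takes the JSON returned by Okta's app-users and user-factors API endpoints and lists the assigned users who have no active, policy-accepted factor. The accepted factor types, the function names and all sample data are assumptions; set the factor types to match your own ASOP.

```python
# Added example: audit EAM-assigned users for Okta MFA enrollment before they try the flow.
# Input shapes follow Okta's GET /api/v1/apps/{appId}/users and
# GET /api/v1/users/{userId}/factors responses; all sample data below is constructed.

# Assumption: factor types your EAM app's authentication policy accepts. Adjust to your ASOP.
ACCEPTED_FACTOR_TYPES = frozenset({"push", "token:software:totp", "webauthn"})


def usable_factors(factors, accepted=ACCEPTED_FACTOR_TYPES):
    """Factor types that are fully enrolled (ACTIVE) and accepted by the policy."""
    return sorted({
        f["factorType"] for f in factors
        if f.get("status") == "ACTIVE" and f.get("factorType") in accepted
    })


def audit_enrollment(app_users, factors_by_user, accepted=ACCEPTED_FACTOR_TYPES):
    """Return (ready, blocked); blocked users cannot complete MFA and cannot enroll inline."""
    ready, blocked = {}, {}
    for user in app_users:
        login = user.get("credentials", {}).get("userName", user["id"])
        factors = factors_by_user.get(user["id"], [])
        usable = usable_factors(factors, accepted)
        if usable:
            ready[login] = usable
        else:
            # Record why: nothing enrolled, or only pending / non-accepted factors.
            blocked[login] = sorted(
                f"{f.get('factorType')}:{f.get('status')}" for f in factors
            ) or ["no factors enrolled"]
    return ready, blocked


# Constructed sample data (not real users).
SAMPLE_APP_USERS = [
    {"id": "00uA", "credentials": {"userName": "alice@example.com"}},
    {"id": "00uB", "credentials": {"userName": "bob@example.com"}},
    {"id": "00uC", "credentials": {"userName": "carol@example.com"}},
]
SAMPLE_FACTORS = {
    "00uA": [{"factorType": "push", "provider": "OKTA", "status": "ACTIVE"}],
    "00uB": [{"factorType": "push", "provider": "OKTA", "status": "PENDING_ACTIVATION"}],
    "00uC": [],
}

if __name__ == "__main__":
    ready, blocked = audit_enrollment(SAMPLE_APP_USERS, SAMPLE_FACTORS)
    for login, reasons in blocked.items():
        print(f"ENROLL BEFORE EAM: {login} ({', '.join(reasons)})")
```

A factor in PENDING_ACTIVATION is reported as blocked because the user has started but not finished enrollment, which leaves them unable to complete the prompt.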
