Okta Classic Engine > Authentication | Answered | Posted 2024-10-28T16:09:28Z, last updated 2024-10-31T17:01:59Z
Error: The following required property is missing: 'email'.

Hello!


I've got an OIDC IdP set up with a client ID and secret, pointing to an Azure org, and although I'm using only the openid, mail, and profile scopes (i.e. the OIDC standard defaults), I'm getting this response: "Error: The following required property is missing: 'email'."


Apparently I'm not the only one, since this issue was reported here https://support.okta.com/help/s/question/0D51Y00007l60v2SAA/unable-to-process-the-username-transform-a-required-property-is-missing-missing-field-email?language=en_US and here https://support.okta.com/help/s/question/0D51Y00006QQGovSAH/authenticate-user-via-idp-failure-unable-to-transform-email-to-username?language=en_US, which together have > 5k views.


Any help would be greatly appreciated!
  • Hello Mihai,

    In the meantime I found that the email was, by design, not provided by Azure OIDC apps unless the Azure organization is multi-tenant.

    In other words, the Entra OIDC implementation for single-tenant orgs seems not to be compliant with the OIDC spec.


    [REDACTED by moderator]


    Selected as Best
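As a diagnostic for the error discussed in this thread, here is an added example (it is not from the original post, from Okta or from Microsoft) that decodes the payload of an ID token returned by the IdP and reports which claim the username transform needs but did not receive, together with the identity claims that are present. The token, the tenant and client placeholders and the claim set are constructed for the example; the code inspects claims only and does not verify the token signature, so it is a troubleshooting aid for the IdP configuration, not a token validator.

```python
import base64
import json

# Constructed sample claim set (not a real token): an Entra-style id_token
# that carries sub, name and preferred_username but no 'email' claim, which
# is the shape that trips the "required property is missing: 'email'" error.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
    "aud": "<client-id-placeholder>",
    "sub": "AAAAAAAAAAAAAAAAAAAAAExampleSubject",
    "name": "Example User",
    "preferred_username": "example.user@contoso.example",
    "iat": 1730000000,
    "exp": 1730003600,
}

# Claims an IdP username transform could map from; used only for reporting.
IDENTITY_CLAIMS = ("sub", "email", "preferred_username", "upn", "name")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict) -> str:
    """Assemble a compact JWS from a claim set with a placeholder signature.

    Only used to construct test input; the signature segment is not valid.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "signature-placeholder",
    ])


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_required_claims(claims: dict, required=("email",)) -> list:
    """List the claims the username transform needs that are absent or empty."""
    return [name for name in required if not claims.get(name)]


def explain(id_token: str, required=("email",)) -> dict:
    """Summarise what the transform is missing and what the IdP did send."""
    claims = decode_claims(id_token)
    return {
        "missing": missing_required_claims(claims, required),
        "available_identity_claims": {
            name: claims[name] for name in IDENTITY_CLAIMS if name in claims
        },
    }


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(explain(token), indent=2))
```

Paste a real id_token from the IdP's response in place of the constructed one to see exactly which claims reached Okta; if "email" is in the missing list while preferred_username or upn is present, the mismatch is between what the IdP emits and what the username transform expects, not in the scopes requested.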
  • Mihai N. (Okta, Inc.)

    Hi @User16444964735348161548 (Customer), thank you for reaching out to the Okta Community!


    The documented way of implementing Azure as an IdP would be to leverage the SAML 2.0 route.

    That being said, my advice would be to reach out via devforum.okta.com to take advantage of their expertise if you are looking for an OIDC way to do it. 

    In the meantime, I found this older post that suggests a possible solution.  

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 


    Hope my answer helps! 


    --

    Ask Us Anything about Workflows now thru 10/31

This question is closed.