Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Invited Gmail user with MicrosoftAccount identity bypasses OTP flow and fails with redirect_uri error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 46%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEA%3C/text%3E%3C/svg%3E)
Eugene Alexeev
0
Reputation points
I configured authentication in an Azure External Tenant (CIAM) with these requirements:
- No self-service signup
- Users are invited by an admin
- Users authenticate via Email OTP
- App uses MSAL
For most users the flow works:
- Admin sends invite
- User accepts
- User enters email
- Receives OTP
- Enters OTP
- Redirect back to the app
The flow works as expected, except one invited user cannot log in.
The email is Gmail, but it also has a Microsoft Account associated with it. After accepting the invitation the user shows:
Identities: MicrosoftAccount
When logging in:
- The OTP flow is skipped
The browser redirects to:
...ciamlogin.com/common/federation...
Then it fails with:
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
Question
How should this scenario be handled?
- Can I force OTP authentication even if the email has a Microsoft Account?
- Or do I need to enable/configure Microsoft Account authentication in the tenant for these users?
Right now users with MicrosoftAccount identity cannot log in at all. I don't even mind right now for having additional auth route besides OTP, but it has to work.
NOTE: Sorry if I chose wrong "Child". Couldn't find Authentication or Tenant-related children :(
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
Eugene Alexeev 0 Reputation points
2026-03-06T15:57:52.47+00:00 BTW, what is interesting.
For now we have manual sign-up enabled, so I decided to try to do manual sign-up using the problematic email. If I go through manual sign-up, not an invitation, e-mail actually receives a correct Identity which is "mail". And then I can successfully login to the app using it, flow works exactly as I expect. So it seems like the issue happens during invitation - maybe some automatic identity validation kicks in that doesn't kick in during manual sign-up, because manual sign-up happens through the User flow which is OTP-only
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 30,115 Reputation points Microsoft External Staff Moderator2026-03-06T17:28:39.3433333+00:00 Hello Eugene Alexeev
The identity type defined for the user determines the authentication mechanism in Microsoft Entra External ID (CIAM). Since the invited user in this instance was created with Identity = MicrosoftAccount, the system attempts to authenticate using Microsoft Account federation rather than Email OTP, which results in the error and redirect. A user whose identity type is MicrosoftAccount cannot have their OTP forced.
To resolve the issue:
- The identity is created as emailAddress (Email OTP) by deleting the user and inviting them once more. The OTP login process will then function. Alternatively, to let users with MicrosoftAccount identities to log in using their Microsoft account, enable Microsoft Account as an identity provider in Microsoft Entra admin center.
-
Eugene Alexeev 0 Reputation points
2026-03-09T11:34:45.7566667+00:00 Hello! Thank you for your prompt response.
- When I delete this "problematic" user and add him once more - he again gets "MicrosoftAccount" Identity. So OTP won't be enforced unfortunately.
- Let users in with
MicrosoftAccount- honestly, at this point I don't mind that at all, but the problem is that it just doesn't work. Microsoft Account as an identity provider is enabled and it's done by default, I can't shut it down even if I want to. So it is enabled, but I still have major troubles logging in.
From what I see - when I test problematic user and see Microsoft page saying "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.", I inspected the redirect_uri which is:
{https_protocol}://{tenant_name}.ciamlogin.com/common/federation/oauth2msa
Where do I need to register this redirect to make sure flow works? What is also interesting, in the URL I see client_id that do not match any of my Ids I have in Entra Admin Center. So I am kind of cornered.
-
Rukmini 30,115 Reputation points Microsoft External Staff Moderator
2026-03-09T17:45:38.1133333+00:00 Hello Eugene Alexeev
Microsoft Entra External ID uses the internal Microsoft federation endpoint https://{tenant}.ciamlogin.com/common/federation/oauth2msa to authenticate users using MicrosoftAccount identities. You shouldn't manually register this URI in your application.
The built-in Microsoft Account federation service, not your MSAL application, is initiating the authentication because the client_id in the request does not match your app registration. When the application registration does not have the proper redirect URI set up for the CIAM sign-in flow, the issue usually happens.
Please verify in Microsoft Entra admin center → App registrations → Your application → Authentication that the exact redirect URI used by your MSAL app (for example
https://yourapp/signin-oidcor your SPA redirect URL) is registered.The Microsoft Account sign-in process should be successful once the proper redirect URI has been set up for your client application.
Let me know if any further queries - feel free to reach out!
-
Rukmini 30,115 Reputation points Microsoft External Staff Moderator
2026-03-10T17:56:50.79+00:00 Hello Eugene Alexeev
Following up to see if the above provided information was helpful. If you have any further queries do let us know.
-
Eugene Alexeev 0 Reputation points
2026-03-11T19:15:48.9966667+00:00 Hello Rukmini!
"The built-in Microsoft Account federation service, not your MSAL application, is initiating the authentication because the client_id in the request does not match your app registration. When the application registration does not have the proper redirect URI set up for the CIAM sign-in flow, the issue usually happens."
But login works perfectly for all other users except this particular one. So I don't think the issue is client_id... by client_id you are referring to the client application, correct? If so, it's a constant in my code and doesn't get affected by email value.
And my MSAL redirect is configured properly, because as I said - login works perfectly for all other invited users.
I think the issue is that for users with "MicrosoftAccount" identities, my flow is never even reached out. I think Microsoft does authentication on his own before he lets users through, and that's where it's failing, because it can not redirect the user back to my Tenant.
BTW, the client_id is
client_id=51483342-085c-4d86-bf88-cf50c7252078. I see it in URL when problematic email gets an error page "redirect_uri is not valid". So I believe it is Microsoft entity doesn't know how to redirect my users to my Tenant kind of a problem -
Rukmini 30,115 Reputation points Microsoft External Staff Moderator
2026-03-11T19:39:49.7466667+00:00 Hello Eugene Alexeev
I agree with you. The problem is not related to your MSAL app setup or your application's client_id because other users are able to log in successfully.
Microsoft Account federation is used to authenticate users with the identity type Microsoft Account in Microsoft Entra External ID before your CIAM user flow or MSAL application is invoked. As a result, Microsoft's federation service handles the authentication instead of the Email OTP flow.
Not your app registration, but Microsoft's internal federation application owns the
client_idyou see (51483342-085c-4d86-bf88-cf50c7252078). Because of this, the redirect validation takes place inside Microsoft's federation service and is unsuccessful before the request is sent back to your tenancy.The problem is unique to this user being created with MicrosoftAccount identity because your flow functions for other users (probably created using emailAddress identity). If OTP authentication is necessary, it is advised to use the Email OTP user flow by deleting the user and re-creating them using their email address identity rather than their Microsoft account.
-
Rukmini 30,115 Reputation points Microsoft External Staff Moderator
2026-03-12T19:16:51.61+00:00 Hello Eugene Alexeev
Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Sign in to comment
Sign in to answer