Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,553 questions
Entra App Passing Through Wrong Federated Endpoint
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 19%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
jbjahn
0
Reputation points
We are using Okta IDP and have a federation with M365. We have a service provider we are integrating with that uses Entra as their identity provider. When we attempt SP-initated SSO, we are prompted to enter our username into a login.microsoft.com prompt which then passes us through our IDP as expected. Unfortunately, we are passed through our M365 Okta federation rather than the service provider integration in Okta. It seems as though Entra is doing some sort of domain discovery and based on the domain entered with our username, Entra is looking up that domain and seeing there is an existing federation in place and it uses that rather than the correct service provider integration we have setup. The app doesn't appear to support IDP-initiated otherwise we would opt for this route. Anyone run into anything like this?
Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 22,550 Reputation points Microsoft External Staff Moderator2025-05-08T22:22:25.3033333+00:00 Hello @jbjahn,
To better understand the behavior and assist you effectively, I’d like to continue the troubleshooting over a Teams call. Could you please share your email address and availability via a private message?
-
Raja Pothuraju 22,550 Reputation points Microsoft External Staff Moderator
2025-05-12T23:53:28.39+00:00 Hello @jbjahn,
I just wanted to check if you'd be interested in taking this offline to get this resolved. Please share the necessary details in private message so I can proceed with offline discussion.
-
Raja Pothuraju 22,550 Reputation points Microsoft External Staff Moderator
2025-05-14T21:19:09.9033333+00:00 Hello @jbjahn,
Based on my understanding, you’ve configured a SAML-based application under Enterprise Applications in Azure, which supports only SP-Initiated sign-in. In this setup, your application acts as the Service Provider (SP), and Microsoft Entra ID functions as the Identity Provider (IDP).
When you access the application via the SP login URL, you're redirected to login.microsoftonline.com, since Entra ID is configured as the IDP. After entering your username on the login screen, the page correctly redirects you to the federated login URL—this behavior is expected when the domain is federated.
However, I’m unclear on how the network traffic is flowing through the federated endpoint during this process. To investigate further, we’ll need to review a network trace log.
Please share your email address and your availability via private message, so we can proceed with the next steps.
Sign in to comment
Sign in to answer