Skip to main content
Skip table of contents

FAQ & Troubleshooting - Microsoft Entra ID

This page provides quick answers to common questions and issues related to the integration of TrustBuilder MFA as an External Authentication method (EAM) in Entra ID.

FAQ

Microsoft requires MFA for all Microsoft administration portals as of October 15.

  • What is the impact on my current TrustBuilder MFA integration with Entra ID?

    • For users: There will be no impact.

    • For admins: Microsoft Admin portals will no longer be accessible using the current setup.

  • What are my options to maintain access to Microsoft Admin portals?
    The main options are:

    • Migrate your current TrustBuilder MFA integration to EAM: If you want to use TrustBuilder MFA exclusively, you need to replace the legacy Custom Control with the External Authentication Method (EAM). This will ensure compatibility with Microsoft’s MFA requirement.

    • Use another authentication method: You can allow admins to access the portals using a different authentication method. To do this, enable this method in the Entra ID admin portal and configure it for admin accounts. Refer to Microsoft documentation.

    • What should I do to use TrustBuilder MFA as an External Authentication Method (EAM)?

      Refer to TrustBuilder documentation to know more about how to set up TrustBuilder MFA as an EAM for Microsoft administration portals.

Can Custom Controls and External Authentication Method (EAM) be used simultaneously during migration?

Yes, both Custom Controls and EAM can be used together during the migration period. This allows administrators to gradually transition to EAM while continuing to use Custom Controls. The Entra ID Conditional Access feature allows you to manage the relationship between users, target applications and authentication methods.

What is the recommended process for migrating from Conditional Access to the External Authentication Method (EAM)?

To migrate smoothly, we recommend the following steps.

  1. Setting up a dedicated EAM configuration:

    1. Create a new OIDC Azure AD connector in TrustBuilder.

    2. Register an application in Entra ID and link it to TrustBuilder.

    3. Set TrustBuilder MFA as the External Authentication Method (EAM).

    4. Configure a Conditional Access policy for a small group of users (or a single test user).

  2. Testing the configuration:
    As you included a small group of users in the Conditional Access policy, the test will be done only for those users.

  3. After testing:

    • If successful for that group of users, you can then include all desired users into the Conditional Access EAM policy. Then you can disable Custom controls policy or exclude users from it.
      Note: If users are included in both the EAM and Custom Controls policies, Microsoft prioritizes the EAM policy.

    • If not successful, perform troubleshooting to identify and resolve any issues.

Should I create a new connector in TrustBuilder for EAM integration?

Yes, it is recommended to create a new connector in TrustBuilder for the External Authentication Method (EAM) integration. By setting up a dedicated connector, you can test and configure the EAM without impacting the existing configurations or causing any disruptions in your production environment.

Also, note that this integration requires an OIDC Azure AD connector created on or after June 20, 2024, to ensure compatibility with the latest updates (see Release notes).

Should I create a user group in TrustBuilder for EAM integration?

No, it is not necessary to create user groups in TrustBuilder. The authentication mechanism and user access are determined based on Entra ID user groups. TrustBuilder groups do not influence this process.

How do I configure TrustBuilder MFA as an EAM for Microsoft Entra ID?

For detailed setup, refer to “Microsoft Entra ID integration with EAM”.

Troubleshooting

AADSTS5001258: Failed to validate external id_token: 'acr' claim has unexpected value.
This may occur in two cases:

  1. Connector or external authentication method has been modified: The modification might take 20 minutes to be fully processed. Solution: Wait for 20 minutes and retry. The error should disappear.

  2. Incorrect connector type: make sure you are using an OIDC Azure AD connector (not just OIDC). If not, create an OIDC Azure AD connector and use it instead.

AADST550166: Request to External OIDC endpoint failed
Make sure to:

  1. Select "Accounts in any organizational directory (Any Entra ID directory - Multitenant)".

  2. Ensure the necessary permissions for Microsoft Graph API are granted.

  3. Allow time for the configuration to propagate in Entra ID, which may take up to 20 minutes.

I have an "Unauthorized Client" error after implementing EAM in EntraID
This error may indicate a problem with your client ID or client secret in your TrustBuilder configuration.
In TrustBuilder MFA Admin console, verify the Azure AD connector. Check that both the client ID and client secret are entered in lowercase and do not contain any spaces.

I have an invalid_request error during authentication
The "invalid_request" error suggests that there may be an issue with the parameters being sent to the authentication server.

  • Review your configuration for any typographical errors or omissions.

  • Ensure that the URL and endpoints are correctly set up according to the documentation.

Errors persist after configuration changes
If issues continue after making adjustments, consider deleting the existing EAM connector and associated configurations, then re-create the connector following a step-by-step guide.

After configuration, EAM appears as not activated in Entra ID
The propagation of the configuration within Entra ID can take up to 20 minutes to apply fully. Allow for up to 20 minutes before testing to ensure that changes have taken effect.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close