Microsoft IdP Login Fails: Missing given_name Causes Validation Error
Hello, I'm setting up Microsoft as an Identity Provider for my app using Zitadel. I followed all the documentation, and login is successful, but right after that, I run into this error:
[invalid_argument] invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive
Even though I have added given_name as a claim in the token configuration of my Azure App Registration, it seems like it might be missing or empty in the token being returned.
Can anyone help me identify why this might be happening or suggest a workaround? Maybe creating an action to map name to given_name can fix this (not sure if it's possible)?
Thanks so much in advance! 🙏
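The error quoted above is a length check on the given_name claim (1 to 200 runes, i.e. Unicode code points). A quick way to confirm whether the claim is really absent or empty, before changing anything on the Azure side, is to decode the id_token payload and apply the same rule locally. The script below is an added example for this thread, not code from the original post or from Zitadel: it decodes a compact JWT payload without verifying the signature (inspection only), applies the given_name rule from the error message, and shows the fallback the OP suggests (deriving a given name from the name claim). The sample token is constructed and unsigned, and the helper names are my own.

```python
import base64
import json
from typing import Optional, Tuple

# Bounds taken from the validation error quoted in the thread:
# "value length must be between 1 and 200 runes, inclusive"
GIVEN_NAME_MIN_RUNES = 1
GIVEN_NAME_MAX_RUNES = 200


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    This is for inspecting which claims an IdP sent; never make an
    authorization decision on claims read this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_given_name(claims: dict) -> Tuple[bool, str]:
    """Apply the same rule Zitadel's error message describes for given_name.

    Python str length counts code points, which matches Go's rune count.
    """
    value = claims.get("given_name")
    if value is None:
        return False, "given_name claim is absent from the token"
    if not isinstance(value, str):
        return False, "given_name claim is not a string"
    n = len(value)
    if n < GIVEN_NAME_MIN_RUNES or n > GIVEN_NAME_MAX_RUNES:
        return False, f"given_name length {n} is outside 1..200 runes"
    return True, "ok"


def derive_given_name(claims: dict) -> Optional[str]:
    """Fallback a mapping action could use: first word of the 'name' claim.

    Returns None when 'name' is also missing or blank, so the caller can
    decide to reject the login instead of inventing a value.
    """
    name = claims.get("name")
    if isinstance(name, str) and name.strip():
        return name.strip().split()[0]
    return None


def build_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline testing only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}  # placeholder header, sample only
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a token that carries 'name' but no 'given_name',
    # which is the situation the thread describes.
    sample = build_unsigned_token({"name": "Ada Lovelace", "email": "ada@example.com"})
    claims = decode_jwt_payload(sample)
    ok, reason = check_given_name(claims)
    print("given_name valid:", ok, "-", reason)
    if not ok:
        print("fallback from 'name':", derive_given_name(claims))
```

To use it against a real login, paste the id_token value from the browser's Network tab (or from the idpUser field of the idpintent.succeeded event) into `decode_jwt_payload`; if `check_given_name` fails, the fix belongs in the Azure token configuration or in a mapping step, not in Zitadel's validation.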
53 Replies
Azure app token configurations:

hey @Nadine good morning and welcome to the server, can you pls share the jwt (if it's not anything sensitive) here so I can check it? Also which doc did you follow to set up the idp?
Thanks
Hello @Rajat, thank you so much for answering!
This is the doc I followed https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc#entra-id-configuration and as for the token, I believe that I don't have any visibility over it (checked the network tab and console... nothing)
hey @Nadine you can catch the raw jwt token from the browser's Network tab, look for id_token in the response after login, or something like that field, it should have the raw token that is being rejected. Also, I am hoping that all the fields that you are sending in the claims are pre-filled too, because if they were empty, that could also lead to an error like the above
@Rajat There is nothing :/
Yes they are prefilled in azure AD

hey @Nadine I just noticed, have you followed all the steps?
https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc or just the config part?
can you pls filter with just "token", it should be generated, I tested it on idps/password logins, it will show the claims and why it is failing
I don't see a token call like the one you are mentioning, when I search for token the only call I get is this one:
And it's the one returning the success page, with the error that I am seeing

All of it 🙂
We are having the same issue.
The token received from the tenant comes in the query param of the url and is opaque, so no chance to extract information from it.
our-domain.zitadel.cloud/ui/v2/login/idp/azure/success?id=331293367411442365&requestId=oidc_V2_331293362361481420&token=TWAYBDxsNT....
We also checked our AD and all the required data and scopes are applied.
We followed all the steps from: https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc
Are there any news regarding this?
Thanks 🙂
I configured it too, and it is missing the id_token coming in, but it is visible on the browser network tab, what exactly is the end goal you want @oldjazjef? Maybe a bit more clarity would help me
I am having the same issue with the microsoft provider, it seems Entra ID is sending a JWT as user and zitadel cannot parse it, looking through the events microsoft is sending idpUser as a JWT, decoded, here is what mine looks like:
I redacted sensitive information
did you get this info on the console tab under id_token?
in events, event type: EventTypes.idpintent.succeeded, under the field idpUser

like the others, filtering for token in the network tab only gives me the success url with no id_token anywhere in sight
yes same happening for me, but that means azure is not sending the id_token to zitadel I think, or else it could be a bug too
So the goal is:
We have an angular app which uses Zitadel cloud for auth.
In zitadel we added our organizations tenant (microsoft) as external identity provider.
So the idea is to use either the zitadel users (manually added) or the external identity providers users through the oidc workflow.
I managed to make it work by not checking "refresh token" and by not using the new Login UI.
I will do further testing and send what I can find out
it printed id_token in network tab for me

ill try again
nop still only 1 token, with the error OP posted above
I spent the whole day today on this, and apart from id_token being written on metadata, it works pretty well, when I try with a different IDP, id_token is being added as metadata, but not sure why this is not the case with azure

I also enabled this under authentication (preview) in msft azure, I don't have much idea about how things work in azure, but after reading a bit, I found this option
do you have the msft provider working, or are you saying other providers work but not microsoft? what are your settings in the zitadel IDP configuration?
the above was tested on the msft idp


mine is identical to that

check your manifest file
manifest file ?
I think?

I don't have access to azure, our parent company has access to it, I have to write to my contact, give me a sec
ah okay, all these issues are on the azure side, the idToken is generated as metadata on google IDP but fails on azure
but both work in inspect element
I gave him the docs from zitadel so the token configuration and api permissions should be as stated in the docs, if I need to add something that isn't in the docs then I have to tell him
sure
another thing is the callback url zitadel gave me, azure wouldn't take it, it gave me this error:
AADSTS50011: The redirect URI 'https://users-di4rcj.us1.zitadel.cloud/idps/callback' specified in the request does not match the redirect URIs configured for the application '1e928936-3ba6-4433-b5ac-21bc1d49248f'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
so we changed the callback url to the one in the error message
it would have been something like
https://<your-domain>/ui/login/login/externalidp/callback
pls check your "Add Provider" Zitadel Callback URL
yes it was that, but azure gave me the error above when we configured it to that
do you have a screenshot?
of ?
where the redirect URI was set
for me this is how it looks like and it works

like I said I don't have access to azure, I sent the docs to my contact and he configured it exactly like the docs said
until we got the error
then we changed the callback
and then we got the error from OP
okay, maybe they made a mistake or need to take a closer look at the exact error and setup, I did the setup on azure for the first time and it worked
perhaps the OP made the same assumption I did with the callback, and it is not a good callback to get the id token
yes, I am still very confused on that note, but the setup should work if followed correctly and IDP just works
also before the callback error we got this error:
Request Id: df84388e-b0a0-4e6e-ba56-c9e02a9f4400
Correlation Id: 961f6dfe-be9d-470e-a33b-06beb8553901
Timestamp: 2025-07-31T12:32:09Z
Message: AADSTS50194: Application '1e928936-3ba6-4433-b5ac-21bc1d49248f'(ZITADEL BCA) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
we configured the app to be multi-tenant
then that led to the callback error
can you pls open a new issue with all the details, I can have a better look tomorrow
sure
thanks
btw is your project using the new login page ?

no, I didn't have an app set up on my zitadel, but I am not using login UI V2