Migration check failed - Errors.IDMissing when Configuring Entra ID identity provider
Context:
Zitadel: Self-hosted instance (http://localhost:8081)
Identity Provider: Azure Entra ID (OIDC)
Redirect URI: http://localhost:8081/idps/callback (works)
Auth Flow: Web PKCE login
Error details:
2026-01-07T14:45:33.047418901Z time="2026-01-07T14:45:33Z" level=error
msg="migration check failed"
caller="/home/runner/work/zitadel/zitadel/internal/api/idp/idp.go:441"
error="ID=COMMAND-Sn3l1 Message=Errors.IDMissing"
intent=354504470794600450
What I've Done:
- Followed Zitadel docs:
https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc
https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc#token-configuration
https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc#api-permissions
- Configured Entra ID:
Claims mapping
API permissions
Redirect URIs
- Zitadel IDP Configuration
Provider: Azure AD (OIDC)
Client ID: [configured]
Client Secret: [configured]
Scopes: openid email profile
TenantID: [configured]
Redirect works fine - reaches Zitadel callback
The redirect succeeds, but Zitadel throws Errors.IDMissing when processing the callback. I'm trying to auto-create the user in Zitadel that logs in with Entra ID; everything is enabled that way in the Zitadel configuration. This suggests a missing or incorrectly mapped claim from Entra ID.
- Questions:
Which claim is missing? The error doesn't specify which ID field Zitadel expects.
Token configuration issue? Are the sub, email, or other claims not being sent correctly?
Zitadel IDP configuration? Did I miss something in the Zitadel admin console when setting up the Azure provider?
Has anyone successfully integrated Entra ID with self-hosted Zitadel? The redirect works, but the callback fails with IDMissing.
Any ideas on:
Which specific ID claim Zitadel expects?
How to debug token contents during callback?
Common Entra ID → Zitadel mapping issues?
Thanks!
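For the "how to debug token contents during callback" question, here is an added inspection helper (my own example, not Zitadel's code or the poster's). It decodes an Entra ID ID token payload without verifying the signature, purely to list which claims are present, and checks the values the post configures: the tenant ID (expected in `iss`), the client ID (expected in `aud`) and the claims the `openid email profile` scopes should yield. Which claim Zitadel's `Errors.IDMissing` actually refers to is not stated on the page; the check assumes `sub` is the required identifier, and the token, tenant and client IDs below are constructed sample values.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_entra_claims(token: str, tenant_id: str, client_id: str) -> list[str]:
    """Return a list of findings; an empty list means the token looks usable."""
    claims = decode_jwt_payload(token)
    findings = []
    if not claims.get("sub"):  # assumption: 'sub' is the identifier Zitadel needs
        findings.append("missing 'sub': no stable subject identifier")
    if claims.get("aud") != client_id:
        findings.append(f"aud {claims.get('aud')!r} != configured client ID")
    if tenant_id not in str(claims.get("iss", "")):
        findings.append(f"iss {claims.get('iss')!r} not issued by tenant {tenant_id}")
    # Claims the requested scopes should produce (email -> 'email', profile -> 'name').
    for claim, scope in (("email", "email"), ("name", "profile")):
        if claim not in claims:
            findings.append(f"missing '{claim}' although scope '{scope}' was requested")
    return findings


def _b64url(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (for building samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: a payload with no 'sub', no 'email' and a different audience.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE_CLIENT = "11111111-1111-1111-1111-111111111111"  # placeholder client ID
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
        "aud": "22222222-2222-2222-2222-222222222222",
        "name": "Example User",
    }),
    "sig",  # placeholder signature; never verified by this helper
])

if __name__ == "__main__":
    for finding in check_entra_claims(SAMPLE_TOKEN, SAMPLE_TENANT, SAMPLE_CLIENT):
        print("FINDING:", finding)
```

Paste the real ID token from the callback (from a browser devtools capture or a Zitadel debug log) in place of SAMPLE_TOKEN to see which of the expected claims are actually absent.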