
Entra External ID - Domain Hint for Custom OpenID Connect IDPs

Josh Dinndorf 156 Reputation points
2025-08-27T18:32:51.5466667+00:00

I am expecting Entra External ID to support the query parameter domain_hint for HRD, i.e. logging in straight to the Custom OpenID Connect IDP without having to select it.

domain_hint=login.live.com works for MS accounts

https://wggdemo.ciamlogin.com/818fbfd7-0338-45d3-8cc8-8d521cc578b2/oauth2/v2.0/authorize?client_id=10....domain_hint=login.live.com

However, anything I try for the custom IDP does not.

In Azure AD B2C this works as expected, allowing you to specify the domain for the IDP:

<Domain>customidp.com</Domain>

Does Entra External ID support this? If so what domain hint should be used from the Custom IDP configuration?

The Entra demo states

"The domain_hint parameter is an optional query parameter that can be added to the authorization request URL. It indicates to Microsoft Entra external ID which domain the user should use for signing in. When included, the user will bypass the Microsoft Entra external ID sign-in page and proceed directly to the external identity provider's sign-in page. This feature is currently in preview and available only for Custom OpenID Connect IDPs"

https://woodgrovedemo.com/#usecase=DomainHint


2 answers

  1. Josh Dinndorf 156 Reputation points
    2025-09-08T15:35:01.73+00:00

    MS Support got back to me and mentioned this is not supported. No comment on whether it will ever be supported or when.

    We are flipping to another 3rd party solution here as Entra External ID is not ready to replace Azure B2C and MS is not able to address these missing features.

    "Upon receiving your request, I've had an internal discussion with my team and also created an internal ticket to consult with our higher engineers.

    Unfortunately, at the moment, External ID doesn't support domain hint parameter yet."

    3 people found this answer helpful.

  2. Benjamin Versteeg 5 Reputation points
    2025-09-16T15:38:08.9233333+00:00

    I personally also didn't get it to work with domain_hint; however, I did manage to get it to work by passing the idp parameter instead of domain_hint. Unfortunately, this method does require prior knowledge of the Identity Provider ID, which in my case I could only figure out by first logging in with a user of that identity provider. Once the user was created within my Entra External ID environment, I was able to get the ID of the identity provider.

    I was able to recover the ID of the identity provider by clicking on the user in the users directory and then clicking on the link called Identities. Here you will find the Issuer assigned ID. This ID can then be used to redirect the user directly to the correct login screen without needing to first make a selection. Just pass the ID as &idp=<ID>. Passing the name as idp instead of an ID did not work. Perhaps we can also grab the ID from the identity provider using the Graph API; I have not tried this yet.

    Please let me know if you guys found a better way of getting the Identity Provider ID without needing to first login with a user using that identity provider.

