Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
External Identities User Flows: Metadata Endpoint Returns 404 After 24+ Hours
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
John Flood
0
Reputation points
I am configuring the Entra External Identity for an SaaS application. I have 2 tenants, the primary workspace tenant, where I setup the application, Entra and user flow. The second tenant is an external Identity and is intended to allow external users to sign-up for the application. I am receiving a 404 error. I have checked for valid subscription and configuration.
-
- Tenant ID: xxx
- Tenant Name: nnn
- Primary Domain: ddd
- Metadata endpoint: https://nnn.ciamlogin.com/.well-known/openid-configuration
- Timeline: 24+ hours of 404 errors
- Request: Verify if External Identities is properly enabled, if ciamlogin.com domain is provisioned, and if there are any subscription/licensing restriction
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 10,505 Reputation points Microsoft External Staff Moderator2025-12-09T17:48:35.7733333+00:00 Hello John Flood,
Your 404 error on
https://.ciamlogin.com/.well-known/openid-configurationindicates that either the custom CIAM domain is not completely provisioned/verified or your external tenant is not set up as a Microsoft Entra External ID (CIAM) tenant. The OIDC metadata endpoint is only functional for CIAM tenants when:- The tenant is not a typical Entra workforce tenant, but rather an External ID (CIAM) tenant.
- Instead of in your primary tenancy, a user flow (Sign-up/Sign-in) is developed inside the CIAM tenant.
- If a custom URL domain was added, DNS verification is included in the fully provided ciamlogin.com domain.
- In that tenant, at least one CIAM application (with a redirect URI) is built. ciamlogin.com returns 404 if any of the aforementioned are absent.
This occurs 99% of the time because either the CIAM tenant was never created or the user flow was built in the workforce tenant rather than the External ID tenant.
To fix the issue: Set up user flow in an External ID (CIAM) tenant after creating and verifying one. The metadata endpoint will function if the ciamlogin.com domain is validated.
Let me know if any further queries - feel free to reach out!
-
Rukmini 10,505 Reputation points Microsoft External Staff Moderator
2025-12-10T19:17:20.26+00:00 Hello John Flood, Following up to see if the above provided information was helpful. If you have any further queries do let us know.
-
John Flood 0 Reputation points
2025-12-11T17:56:11.4866667+00:00 I am still working on creating the CIAM tenant properly. Is it safe to share screenshots?
Sign in to comment
Sign in to answer