This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 99%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
I have set up a tenant for testing various authentication methods by using my Visual Studio Enterprise Subscription. Users are synced from on premise AD and pass through authentication is used. I have set up test app and I could authenticate and get access token on the side of the app. Then, because of the project requirement, I tried to add custom claims provider. First I used my app and set up everything based on https://video2.skills-academy.com/en-us/entra/identity-platform/custom-extension-get-started?tabs=entra-admin-center%2Chttp and I got error: AADSTS1100001: Non-retryable error has occurred.
After various attempts to correct this I deleted everything and then did exactly what is described in tutorial from the link and I still got the same error.
Is there any way to find out what is causing this error or is there any way to resolve it or work around it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Thank you for posting this in Microsoft Q&A.
I wanted to check if you are trying to add custom claim provider in Azure and get claims out of it?
Hi Sandeep,
thank you for your reply.
Yes, I'm trying to get additional data into token via Azure function. It seemed to me that custom claims provider would be exactly right for that.
This needs little deeper investigation. Let's work on this issue offline.
Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:
Link to this thread/post
We can connect offline and discuss further on this.
Hi Sandeep,
I have tried to send email to azcommunity [at] microsoft [dot] com¸ but I got back error:
Delivery has failed to these recipients or groups:
mtmvp@microsoft.com
Your message wasn't delivered because the recipient's email provider rejected it.
Diagnostic information for administrators:
Generating server: CH2PR21MB1382.namprd21.prod.outlook.com
mtmvp@microsoft.com
Remote Server returned '554 5.7.0 < #5.7.133 smtp;550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group>'
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 32%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHT%3C/text%3E%3C/svg%3E)
I'm having the same issue.
I have an Microsoft Entra B2C Tenant and a Azure Function in another Microsoft Entra ID tenant.
I followed this tutorial the way it's written without skipping any steps. Everything works correctly until step 5.1 (Using OpenID Connect identity provider) when trying to secure the Azure function.
https://video2.skills-academy.com/en-us/entra/identity-platform/custom-extension-attribute-collection?context=%2Fentra%2Fexternal-id%2Fcustomers%2Fcontext%2Fcustomers-context&tabs=start-continue%2Csubmit-continue
When I open a web app and try to sign-up with a new user, I receive this message:
Thie happens after I confirm the code received in e-mail.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 42%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Was this ever solved? As I have gotten to the same error
Unfortunately it didn't. We decided to use different Identity provider.
Regards,
Jadran Bižić.
Unfortunately it didn't. We decided to use different Identity provider.
Any more information on this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 51%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
We had the same issue and it seems the metadata URL in the official docs is wrong for the cross tenant using OpenID Connect identity provider. In docs it is https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration but it should be https://{domainName}.ciamlogin.com/{tenant_id}/v2.0/.well-known/openid-configuration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 94%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENJ%3C/text%3E%3C/svg%3E)
I managed to fix the problem by following Admin Amir Chisti's advice using the URL: https://{domainName}.ciamlogin.com/{tenant_id}/v2.0/.well-known/openid-configuration in the Open ID Connect identity provider configuration.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 93%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFG%3C/text%3E%3C/svg%3E)
Complicated instructions to set up. I never got it to work with a WebJobsTokenIssuanceStartRequest. Instead, we switched to an HTTP Trigger function and had success. Claims entered into your custom auth extension are case sensitive so watch for that.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 9%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
I have the same issue as well. It seems like when we add Authentication to protect Azure Function then we get this error. If we don't add it then it works properly.
I dont know if this bug has been reported or am I missing something in configurations.