Entra doesn't send tenanted SP Entity ID while doing IdP federation of domain

Question

Entra doesn't send tenanted SP Entity ID while doing IdP federation of domain

Romit 0

Hello Microsoft Support Team,

I am reaching out to request your assistance with an issue we are encountering in our direct federation setup with Microsoft Entra External ID (formerly Azure AD External ID). According to the Microsoft documentation (Direct Federation in Microsoft Entra ID), newer applications should utilize an SP entity ID that includes a tenant ID parameter for better isolation. However, in our current configuration, we are receiving a global SP entity ID (urn:federation:MicrosoftOnline) instead of the expected tenant-specific entity ID, such as https://login.microsoftonline.com/$tenant_id$/. We would like to migrate to a tenant-specific entity ID to align with our multi-tenant architecture and ensure proper isolation.

Background: We have successfully configured direct federation for our domain ([MASKED]) using the Microsoft Graph API, with Keycloak serving as our external Identity Provider (IdP). Below are the key details of our setup:

Domain: [MASKED] IdP Issuer URI: [MASKED] Sign-in URL: [MASKED] Current SP Entity ID: urn:federation:MicrosoftOnline (global) Desired SP Entity ID: A tenant-specific format, e.g., https://login.microsoftonline.com/$tenant_id$

We configured the federation using a PowerShell script with the Microsoft Graph API. Here is a masked version of the script for reference:

# Domain to federate
$domainId = '[MASKED]'

# SAML Issuer URI (Entity ID of the IdP)
$issuerUri = '[MASKED]'

# Sign-in URL (SSO Redirect URL)
$signinUri = '[MASKED]'

# Signing certificate (masked)
$cert = '[Masked certificate data]'

# Sign-out URL
$signoutUri = '[MASKED]'

# Display name
$displayName = '[MASKED]'

# Federation parameters
$domainAuthParams = @{
    DomainId = $domainId
    IssuerUri = $issuerUri
    DisplayName = $displayName
    ActiveSignInUri = $signinUri
    PassiveSignInUri = $signinUri
    SignOutUri = $signoutUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = 'saml'
    FederatedIdpMfaBehavior = 'acceptIfMfaDoneByFederatedIdp'
}

# Apply federation
New-MgDomainFederationConfiguration @domainAuthParams

Problem Statement: When we examine the SAML AuthnRequest sent by Microsoft Entra to our IdP (Keycloak), the SP entity ID is consistently set to the global identifier urn:federation:MicrosoftOnline. Based on the documentation, we anticipated a tenant-specific SP entity ID, such as https://login.microsoftonline.com/$tenant_id$/, which would provide better isolation for our multi-tenant environment. Currently, the global entity ID does not meet our needs, as it does not differentiate between tenants, potentially leading to conflicts or misconfigurations in our architecture.

To summarize the issue:

Observed SP Entity ID: urn:federation:MicrosoftOnline (global) Expected SP Entity ID: https://login.microsoftonline.com/$tenant_id$/ (tenant-specific)

We have reviewed the Microsoft Graph API documentation and the New-MgDomainFederationConfiguration cmdlet, but we could not identify any parameters that allow us to specify or modify the SP entity ID. It appears that the SP entity ID defaults to the global value in our domain-level direct federation setup, and we are unsure how to configure it otherwise.

Request: We would like your guidance on the following:

Is it possible to configure a tenant-specific SP entity ID (e.g., https://login.microsoftonline.com/$tenant_id$/saml2) for our direct federation setup at the domain level?
As mentioned here (https://learn.microsoft.com/en-us/entra/external-id/direct-federation#step-2-configure-the-partner-organizations-idp)
If this is supported, could you please provide instructions or point us to the specific configuration steps or API parameters needed to migrate from the global entity ID to a tenant-specific one?
If this is not currently possible, can you confirm this limitation and suggest any alternative approaches (e.g., SAML attributes or other mechanisms) to achieve tenant isolation in our federation setup?

Your expertise in resolving this matter would be greatly appreciated, as it is critical for aligning our federation configuration with our multi-tenant requirements.

Additional Information: Domain: [MASKED]

Thank you for your support, and we look forward to your response.

Best regards,

Romit

Moosa Khan 175 Reputation points Microsoft External Staff Moderator

2025-04-30T16:05:37+00:00

Hello Romit,

Could you please help me with the PowerShell script that you are using for federation of your Domain with the Microsoft Graph API or the URLs you are using in the script.

This will help me to investigate/research regarding your issue.
Romit 0 Reputation points

2025-05-01T04:43:22.3833333+00:00
Hey Moosa,
The question aforesaid has the script which I was talking about. If you need an unamasked version let kindly let me know I'd be happy to share over the email.

I'm attaching the script again for your ref:

Domain to federate

$domainId = '[MASKED]'

SAML Issuer URI (Entity ID of the IdP)

$issuerUri = '[MASKED]'

Sign-in URL (SSO Redirect URL)

$signinUri = '[MASKED]'

Signing certificate

$cert = '[Masked certificate data]'

Sign-out URL

$signoutUri = '[MASKED]'

Display name

$displayName = '[MASKED]'

Federation parameters

$domainAuthParams = @{

DomainId = $domainId IssuerUri = $issuerUri DisplayName = $displayName ActiveSignInUri = $signinUri PassiveSignInUri = $signinUri SignOutUri = $signoutUri SigningCertificate = $cert PreferredAuthenticationProtocol = 'saml' FederatedIdpMfaBehavior = 'acceptIfMfaDoneByFederatedIdp' ```} # Apply federation New-MgDomainFederationConfiguration @domainAuthParams #
Moosa Khan 175 Reputation points Microsoft External Staff Moderator

2025-05-02T05:35:54.8266667+00:00

Hello Romit,

I have pinged you via private message, kindly share the requested information in private message only.
Moosa Khan 175 Reputation points Microsoft External Staff Moderator

2025-05-05T23:22:38.64+00:00

Hello Romit,
I've provided the information in the email. Please review it and let me know if you have any further questions.
SrideviM 3,190 Reputation points Microsoft External Staff Moderator

2025-05-07T08:58:59.34+00:00
Hello Romit,

I understand you are trying to configure Microsoft Entra External ID to send a tenant-specific SP Entity ID like https://login.microsoftonline.com/{tenant-id}/saml2 instead of the default urn:federation:MicrosoftOnline in your domain-level direct federation setup with Keycloak.

At this time, Microsoft Entra always uses the global SP Entity ID (urn:federation:MicrosoftOnline) for domain-level federations, and there’s no supported way to change this to a tenant-specific value. This behavior is by design and applies to all domain-based direct federations using Microsoft Graph or PowerShell.

If you need tenant-specific isolation, one option is to set up federation at the application level instead. In that case, Microsoft Entra uses https://login.microsoftonline.com/{tenant-id}/saml2 as the SP Entity ID. This approach is more suitable for multi-tenant scenarios where you need stronger separation between tenants.

You can refer to these articles for more details:

Direct federation in Microsoft Entra External ID

Set up federation with AD FS

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Romit 0 Reputation points

2025-05-07T13:50:25.77+00:00

Hey Sridevi,
Thanks for your reply.
Could you help me with the steps to federate Microsoft suite of applications (Office 365 apps) to external IdP instead of federating the whole domain?
Your response is greatly appreciated

Thanks,

Romit Mehta
SrideviM 3,190 Reputation points Microsoft External Staff Moderator

2025-05-08T01:02:18.7466667+00:00

Hello Romit,

I understand you're looking to federate Microsoft 365 apps like Outlook, SharePoint, and Teams with your external IdP (Keycloak) without federating the entire domain.

Currently, Microsoft 365 apps rely on domain-level SAML federation and are tightly bound to your verified Entra domain. They do not support app-level federation using the Enterprise Applications model. As a result, the SP Entity ID will always be urn:federation:MicrosoftOnline, and it's not possible to use a tenant-specific SP Entity ID like https://login.microsoftonline.com/{tenant-id}/saml2 for these apps.

That tenant-specific SP Entity ID format applies only to custom or third-party applications registered under Enterprise Applications in Entra ID.

If your goal is to identify the source tenant in a multi-tenant scenario, you might consider using RelayState or custom SAML claims to pass tenant-specific context. Microsoft Entra supports claims customization through claims mapping policies. You can learn more here: https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization

For guidance on configuring SAML for enterprise applications, this article may help: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

Hope this clarifies things a bit!
SrideviM 3,190 Reputation points Microsoft External Staff Moderator

2025-05-09T01:57:03.01+00:00

Hello Romit,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.