Azure/Entra Connection Error: "AADSTS900023: Specified tenant identifier 'undefined' is neither a valid DNS name

Problem statement

An Azure / Entra Enterprise connection has been configured in an Auth0 tenant. The following error is thrown:

AADSTS900023: Specified tenant identifier ‘undefined’ is neither a valid DNS name, nor a valid external domain.

There are other Azure/Entra connections configured in other tenants that do not seem to have this issue.

Cause

This error may be encountered either when the connection is manually configured or when Deploy CLI is in use.

Official Microsoft reason:

The login request was malformed and could not be matched with an existing authentication endpoint or instance.

This error may arise in a variety of contexts, but in terms of Auth0 configuration it is thrown when the connection's ‘options’ object was not configured with both the ‘domain’ and ‘tenant_domain’ attributes (in the non-working example below, ‘domain’ is set but ‘tenant_domain’ is absent).

Example of non-working connection config:

{
  "id": "con_identifier",
  "options": {
    "domain": "acme.com",
    "client_id": "client-id",
    "use_wsfed": false,
    "ext_groups": true,
    "ext_profile": true,
    "identity_api": "microsoft-identity-platform-v2.0",
    "basic_profile": false,
    "waad_protocol": "openid-connect",
    "domain_aliases": [
      "acme.com"
    ],
    "api_enable_users": false,
    "ext_nested_groups": false,
    "useCommonEndpoint": false,
    "max_groups_to_retrieve": "500",
    "should_trust_email_verified_connection": "always_set_emails_as_verified"
  },
  "strategy": "waad",
  "name": "connection-name",
  "is_domain_connection": false,
  "show_as_button": false,
  "enabled_clients": [
    "client1",
    "client2",
    "client3"
  ],
  "realms": [
    "connection-name"
  ]
}

Example of working connection config:

{
  "id": "con_identifier",
  "options": {
    "domain": "company.com",
    "client_id": "client-id",
    "use_wsfed": false,
    "ext_groups": true,
    "ext_profile": true,
    "identity_api": "microsoft-identity-platform-v2.0",
    "basic_profile": false,
    "tenant_domain": "company.com",
    "domain_aliases": [
      "company.com"
    ],
    "should_trust_email_verified_connection": "never_set_emails_as_verified"
  },
  "strategy": "waad",
  "name": "connection-name",
  "is_domain_connection": false,
  "show_as_button": false,
  "enabled_clients": [],
  "realms": [
    "connection-name"
  ]
}

Solution

Review the Azure/Entra connection configuration. The best way to see the JSON object representing a given connection would be to leverage the Management API’s connections endpoint.

NOTE: When updating a connection’s ‘options’ object, all pre-existing values must be included along with any new values; any value omitted from the update will be dropped from the connection.
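The check and the safe update described above, as an added example that is not part of the original article or of Auth0's own tooling. It works over a constructed list of connection objects shaped like the Management API's connections response, reports any ‘waad’ connection missing ‘domain’ or ‘tenant_domain’, and builds a PATCH body that merges the new value into the existing ‘options’ so nothing is dropped. The Management API calls (GET and PATCH on /api/v2/connections/{id}) are included as helpers but are not invoked offline; the base URL, token and the assumption that ‘tenant_domain’ should match ‘domain’ are placeholders and assumptions of this example.

```python
"""Audit Auth0 Azure/Entra ('waad') connections for a missing 'tenant_domain'
and build a PATCH body that preserves the connection's existing options."""
import json
import urllib.request

# Constructed sample data: three connections as GET /api/v2/connections might
# return them. 'con_broken' mirrors the non-working config in the article.
SAMPLE_CONNECTIONS = [
    {"id": "con_broken", "name": "acme-entra", "strategy": "waad",
     "options": {"domain": "acme.com", "client_id": "client-id",
                 "identity_api": "microsoft-identity-platform-v2.0",
                 "domain_aliases": ["acme.com"]}},
    {"id": "con_ok", "name": "company-entra", "strategy": "waad",
     "options": {"domain": "company.com", "tenant_domain": "company.com",
                 "client_id": "client-id",
                 "identity_api": "microsoft-identity-platform-v2.0"}},
    {"id": "con_db", "name": "Username-Password-Authentication",
     "strategy": "auth0", "options": {}},
]

# Options the article identifies as required for an Azure/Entra connection.
REQUIRED_WAAD_OPTIONS = ("domain", "tenant_domain")


def find_misconfigured(connections):
    """Return {connection_id: [missing option names]} for every 'waad'
    connection whose options lack 'domain' or 'tenant_domain' (or leave it empty).
    Non-Azure strategies are skipped."""
    problems = {}
    for conn in connections:
        if conn.get("strategy") != "waad":
            continue
        opts = conn.get("options") or {}
        missing = [key for key in REQUIRED_WAAD_OPTIONS if not opts.get(key)]
        if missing:
            problems[conn["id"]] = missing
    return problems


def build_patch_body(connection, new_options):
    """Merge new option values into the connection's existing 'options'.
    Sending only the new keys would drop every pre-existing option, so the
    full merged object is returned under the single 'options' key."""
    merged = dict(connection.get("options") or {})
    merged.update(new_options)
    return {"options": merged}


def suggest_fix(connection):
    """Propose a PATCH body for a 'waad' connection missing 'tenant_domain'.
    Assumption of this example: the tenant domain equals the configured
    'domain', as in the article's working config. Returns None if no fix is needed."""
    opts = connection.get("options") or {}
    if connection.get("strategy") == "waad" and not opts.get("tenant_domain") and opts.get("domain"):
        return build_patch_body(connection, {"tenant_domain": opts["domain"]})
    return None


def get_connection(base_url, token, connection_id):
    """GET /api/v2/connections/{id}; requires a Management API token with read:connections."""
    req = urllib.request.Request(
        f"{base_url}/api/v2/connections/{connection_id}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def patch_connection(base_url, token, connection_id, body):
    """PATCH /api/v2/connections/{id} with the merged body from build_patch_body;
    requires update:connections."""
    req = urllib.request.Request(
        f"{base_url}/api/v2/connections/{connection_id}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run over the constructed sample; no API call is made.
    for conn_id, missing in find_misconfigured(SAMPLE_CONNECTIONS).items():
        print(f"{conn_id}: missing {missing}")
    broken = SAMPLE_CONNECTIONS[0]
    print(json.dumps(suggest_fix(broken), indent=2))
    # To apply for real (placeholders): patch_connection("https://TENANT.REGION.auth0.com",
    #                                                    "MGMT_API_TOKEN", broken["id"], suggest_fix(broken))
```

Run the script as-is to see which sample connection would produce the AADSTS900023 error and the merged body that fixes it; point get_connection/patch_connection at a real tenant only after confirming the proposed ‘tenant_domain’ value matches the Entra tenant.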
