Kinde, 2w ago
Fritz

Microsoft AD email domain issue (resolved)

Hi all, we're having an issue with users not being able to log in. We're using the Microsoft Azure AD connection and it has been working flawlessly since we set it up months ago. However, now that we're onboarding new users with different email domains, they get an error "email domain we detected is not allowed" (see screenshot).

The users for which this has been working have email domains like @waterland.nu and @waterland.de. The new users are facing issues with the email domain @waterlandpe.fr. All users are within the AD group.

As far as I can tell, this is not something that I'm able to configure on Kinde (perhaps I'm wrong?). Additionally, I've checked the Azure AD config and it is not configurable on that end.

I'd appreciate any assistance, since it is rather important to have these new users onboarded.

Thanks,
Fritz
[screenshot]
7 Replies
Ages, 2w ago
Hi Fritz
Enterprise SSO is domain restricted, so when you add a new email domain, you also need to add new 'allowed' domains to the connection in Kinde. E.g. you need to add the waterlandpe.fr domain to the home realm domains list in the Extra connection in Kinde.
CB_Kinde, 2w ago
Sorry that should have read, in the 'Entra' connection in Kinde
CB_Kinde, 2w ago
[screenshot]
TotalScrub, 2w ago
I'm using the Entra connection, but at the moment it's just through my own domain. So I just may not have hit this issue myself.

It isn't clear from your problem if you are trying to use home realm discovery (when a user puts in their email address, it helps to determine what auth methods are supported) or if you're using the default universal login. Details here: https://docs.kinde.com/authenticate/enterprise-connections/home-realm-discovery/

If it's just the standard 'universal' login (all users can log in with all auth methods, which is what I use) then it may not be a Kinde authentication issue. When you registered the app in Entra ID, what account types did you support? https://learn.microsoft.com/en-us/entra/identity-platform/v2-supported-account-types By default it's single tenant and only your own domain. I'd check that first. E.g. for my dev account I have the attached.
[screenshot]
Fritz (OP), 2w ago
Thanks for the responses! For context, there is only one auth method supported: the Entra ID SSO button (see screenshot). What's unusual is that I haven't configured any home realm domains. Yet different email domains, e.g. @waterland.nu, @waterland.de, @waterland.dk, @waterland.ie, are able to log in without issue. It's only an issue with @waterlandpe.fr.

Before I start fiddling, does it make sense to add all the waterland email domains to the home realm domains? In what format should these domains be added? I assume: waterland.nu, waterland.de, waterlandpe.fr, etc.

Thanks again for the quick responses!
[screenshots]
Ages, 2w ago
Hi Fritz, sorry for the delayed response. If you only have one auth method supported, then you can use policies to define a list of allowed domains. See this doc: https://docs.kinde.com/build/set-up-options/access-policies/ Let me know if this seems more suitable.

Home realm domains are more for when you have multiple SSO connections.
Fritz (OP), 2w ago
Thanks Claire, this was it 🤦‍♂️ Thanks for the help. I was certain it was something I misconfigured 😉