Azure/Entra Connection Error: "AADSTS900023: Specified tenant identifier 'undefined' is neither a valid DNS name, nor a valid external domain."

Overview

An Azure/Entra Enterprise connection has been configured in an Auth0 tenant. The following error is thrown:

AADSTS900023: Specified tenant identifier 'undefined' is neither a valid DNS name, nor a valid external domain.


Other Azure/Entra connections configured in other tenants do not show this issue. The error may be encountered whether the connection was configured manually or deployed with the Deploy CLI.

Applies To

  • Azure/Entra Connection

Cause

Official Microsoft reason:

The login request was malformed and could not be matched with an existing authentication endpoint or instance.

This error can arise in a variety of contexts. In terms of Auth0 configuration, it is thrown when the connection's 'options' object lacks the 'tenant_domain' attribute. The 'domain' attribute on its own is not enough: the non-working example below has 'domain' but no 'tenant_domain'. The tenant identifier Auth0 places in the Microsoft login endpoint URL comes from 'tenant_domain', so when that attribute is absent the literal value 'undefined' is sent, which is exactly what the error message reports.

Example of non-working connection config (note the missing 'tenant_domain'):

{
  "id": "con_identifier",
  "options": {
    "domain": "acme.com",
    "client_id": "client-id",
    "use_wsfed": false,
    "ext_groups": true,
    "ext_profile": true,
    "identity_api": "microsoft-identity-platform-v2.0",
    "basic_profile": false,
    "waad_protocol": "openid-connect",
    "domain_aliases": [
      "acme.com"
    ],
    "api_enable_users": false,
    "ext_nested_groups": false,
    "useCommonEndpoint": false,
    "max_groups_to_retrieve": "500",
    "should_trust_email_verified_connection": "always_set_emails_as_verified"
  },
  "strategy": "waad",
  "name": "connection-name",
  "is_domain_connection": false,
  "show_as_button": false,
  "enabled_clients": [
    "client1",
    "client2",
    "client3"
  ],
  "realms": [
    "connection-name"
  ]
}


Example of working connection config ('tenant_domain' is set):

{
  "id": "con_identifier",
  "options": {
    "domain": "company.com",
    "client_id": "client-id",
    "use_wsfed": false,
    "ext_groups": true,
    "ext_profile": true,
    "identity_api": "microsoft-identity-platform-v2.0",
    "basic_profile": false,
    "tenant_domain": "company.com",
    "domain_aliases": [
      "company.com"
    ],
    "should_trust_email_verified_connection": "never_set_emails_as_verified"
  },
  "strategy": "waad",
  "name": "connection-name",
  "is_domain_connection": false,
  "show_as_button": false,
  "enabled_clients": [],
  "realms": [
    "connection-name"
  ]
}


Solution

Review the Azure/Entra connection configuration and confirm that 'options.tenant_domain' is set to the Entra tenant's domain (for example company.com, as in the working config above). The easiest way to see the full JSON object for a given connection is the Management API's connections endpoint (GET /api/v2/connections/{id}), which returns every option exactly as stored.

NOTE: When a connection is updated through the Management API, the entire 'options' object is replaced by the one in the request. Include all pre-existing values along with the new 'tenant_domain' when updating a connection; any key left out of the request is dropped.
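The following Python script is an added example, not code from the article or from Auth0. It checks a connection object (a constructed sample mirroring the non-working config above) for the missing 'tenant_domain', and builds a PATCH request for the Management API that merges the new value into the existing 'options' so nothing is dropped. The rule that 'tenant_domain' is only required when 'useCommonEndpoint' is false or absent is an assumption of this example, as are the placeholder Auth0 domain and Management API token; the request is built but not sent.

```python
"""Check an Auth0 Azure/Entra (waad) connection for a missing tenant_domain
and build a safe Management API PATCH that keeps all existing options."""
import json
import urllib.request

# Constructed sample: mirrors the non-working config from the article
# ("domain" is set, "tenant_domain" is absent, useCommonEndpoint is false).
BROKEN_CONNECTION = {
    "id": "con_identifier",
    "strategy": "waad",
    "name": "connection-name",
    "options": {
        "domain": "acme.com",
        "client_id": "client-id",
        "identity_api": "microsoft-identity-platform-v2.0",
        "waad_protocol": "openid-connect",
        "domain_aliases": ["acme.com"],
        "useCommonEndpoint": False,
        "max_groups_to_retrieve": "500",
    },
}


def find_config_problems(conn):
    """Return a list of readable problems with a waad connection's options.

    Assumption (not stated in the article): with useCommonEndpoint true Auth0
    uses Microsoft's 'common' endpoint and needs no tenant identifier, so
    tenant_domain is only required when useCommonEndpoint is false or absent.
    """
    problems = []
    if conn.get("strategy") != "waad":
        return problems
    opts = conn.get("options", {})
    if not opts.get("domain"):
        problems.append("options.domain is missing")
    if not opts.get("useCommonEndpoint") and not opts.get("tenant_domain"):
        problems.append(
            "options.tenant_domain is missing: the tenant identifier sent to "
            "login.microsoftonline.com will be 'undefined' (AADSTS900023)"
        )
    return problems


def patch_body(conn, **updates):
    """Build the PATCH body: existing options merged with the new values.

    The Management API replaces the whole 'options' object, so any key left
    out of the request is dropped; always send existing + new.
    """
    merged = dict(conn["options"])
    merged.update(updates)
    return {"options": merged}


def build_patch_request(auth0_domain, mgmt_token, conn, **updates):
    """Build (but do not send) PATCH /api/v2/connections/{id}.

    auth0_domain and mgmt_token are placeholders; the token must carry the
    update:connections scope.
    """
    return urllib.request.Request(
        url=f"https://{auth0_domain}/api/v2/connections/{conn['id']}",
        data=json.dumps(patch_body(conn, **updates)).encode(),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    for problem in find_config_problems(BROKEN_CONNECTION):
        print("problem:", problem)
    req = build_patch_request("example.us.auth0.com", "MGMT_TOKEN",
                              BROKEN_CONNECTION, tenant_domain="acme.com")
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
    # To apply for real: urllib.request.urlopen(req)
```

Run the script once against the JSON returned by GET /api/v2/connections/{id} before sending anything; the printed body is exactly what the PATCH will store, so it is easy to confirm that every existing option (groups settings, domain aliases, and so on) survived the merge.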
