Greetings! Thanks for raising this question in the Power Platform Community forum.
You've already done great analysis here! The root cause is almost certainly a claims mapping issue between your Entra External ID token and what Power Pages expects during the contact provisioning step at `/contact/createuser`. Power Pages needs specific claims, particularly `email`, `given_name`, and `family_name`, to be present and correctly mapped in the token to create a Contact record in Dataverse. If any of these are missing or mismatched, authentication succeeds but the user provisioning step fails silently and redirects to the "External login failed" page.
Here's a step-by-step approach to fix this:
Step 1: Verify claims coming from the token
Use a tool like [jwt.ms](https://jwt.ms) to decode the token your Entra External ID provider is returning after login. Check that the token actually contains `email`, `given_name`, and `family_name` claims with real values. If `email` is missing or empty, that alone will cause the contact creation to fail.
Step 2: Check your OpenID Connect claims mapping in Power Pages
Go to Power Pages Management App → Authentication Settings → your OpenID Connect provider. Confirm the following claim mappings are set correctly:
- Email → `email` (or the exact claim name from your token)
- First Name → `given_name`
- Last Name → `family_name`
If your Entra External ID token uses a different claim name (like `emails` as an array instead of `email` as a string), you need to match that exactly.
Step 3: Configure Entra External ID to emit the right claims
In your Entra External ID user flow, go to the user flow settings → User Attributes and Token Claims. Make sure you have enabled the following as both **Collect attributes** and **Return claim**:
- Email Address
- Given Name
- Surname
- Display Name
Save and republish the user flow after making changes.
Step 4: Check for required fields in the Contact table
Open your Dataverse Contact table in Power Apps (make.powerapps.com) and check if there are any required fields that have no default value set. If any required field can't be populated from the incoming token claims, Dataverse will reject the record creation silently. Common culprits are custom required fields added to the Contact table.
Step 5: Check for any business rules or plugins on Contact creation
If your Dataverse environment has any plugins, workflows, or business rules firing on Contact create, these could be blocking or throwing an error during the provisioning. Go to Power Apps → Solutions → check for any active plugins on the Contact table's Create message and temporarily disable them to test.
Step 6: Enable Power Pages Diagnostic Logging
In the Power Pages Portal Management App, go to Site Settings and add or update the following setting:
- Name: `Diagnostics/Enabled`
- Value: `true`
Then reproduce the login failure and check the Portal Diagnostics logs in the Azure Portal under your Portal's Application Insights (if connected) or in the Diagnostic Logs section. This will give you the exact error happening during the `/contact/createuser` step.
Step 7: Test with a local identity provider first
As a quick sanity check, create a test user using Power Pages' built-in local identity (username/password) and confirm that contact creation works fine. If it does, the issue is definitively in the external claims mapping and not in the Contact table configuration itself.
If this answer helps you, kindly accept it, which will help others who have similar questions.
Best Regards,
Jerald Felix.
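An added example, not part of the answer above, for the token check in Steps 1 and 2: it decodes a JWT the way jwt.ms does (without verifying the signature, for inspection only) and reports whether the `email`, `given_name`, and `family_name` claims the answer names are present and non-empty, including the case where the provider returns `emails` as an array instead of `email` as a string. The two tokens it inspects are constructed inline with a fake signature, the issuer URL and `sub` values are made up, and the claim-to-field mapping is taken from the answer; nothing here calls Entra or Power Pages.

```python
import base64
import json
from typing import Any

# Claims the answer says Power Pages maps to Contact fields during
# /contact/createuser: claim name -> Power Pages claim-mapping label.
REQUIRED_CLAIMS = {
    "email": "Email",
    "given_name": "First Name",
    "family_name": "Last Name",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict[str, Any]:
    """Return the payload of a JWT WITHOUT checking its signature.

    Inspection aid only (the same thing jwt.ms does). Never use this to make
    a trust decision; Power Pages validates the signature itself against the
    provider's OIDC metadata. A token advertising alg=none is rejected here
    because a real provider should never emit one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("token uses alg=none; refusing to inspect it")
    return json.loads(b64url_decode(parts[1]))


def check_contact_claims(claims: dict[str, Any]) -> dict[str, str]:
    """Report, per Contact mapping label, whether a usable claim is present.

    "ok" means the default claim name can be mapped as-is; any other value
    describes what to fix in the user flow or in the Power Pages mapping.
    """
    report: dict[str, str] = {}
    for claim, field in REQUIRED_CLAIMS.items():
        value = claims.get(claim)
        if isinstance(value, str) and value.strip():
            report[field] = "ok"
            continue
        if claim == "email":
            # Edge case from the answer: some user flows return 'emails'
            # (an array) rather than 'email' (a string).
            alt = claims.get("emails")
            if isinstance(alt, list) and alt and isinstance(alt[0], str) and alt[0].strip():
                report[field] = ("present as 'emails' array; map the Email claim to "
                                 "'emails' or have the user flow return 'email'")
                continue
        if claim in claims:
            report[field] = f"claim '{claim}' present but empty"
        else:
            report[field] = f"claim '{claim}' missing from token"
    return report


def make_test_token(payload: dict[str, Any]) -> str:
    """Build a CONSTRUCTED token with a fake signature, for offline use only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample tokens (issuer and subject values are made up).
GOOD_TOKEN = make_test_token({
    "iss": "https://example.ciamlogin.com/",
    "sub": "00000000-0000-0000-0000-000000000001",
    "email": "alice@example.com",
    "given_name": "Alice",
    "family_name": "Liddell",
})

BAD_TOKEN = make_test_token({
    "iss": "https://example.ciamlogin.com/",
    "sub": "00000000-0000-0000-0000-000000000002",
    "emails": ["bob@example.com"],  # array instead of the 'email' string
    "given_name": "",               # attribute collected but returned empty
    # family_name not returned by the user flow at all
})


if __name__ == "__main__":
    for name, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(f"--- {name} token ---")
        for field, status in check_contact_claims(decode_jwt_unverified(token)).items():
            print(f"{field:10s}: {status}")
```

To use it on a real token, paste the `id_token` returned by the user flow into `decode_jwt_unverified` in place of the constructed ones; every entry that is not "ok" points at either the user flow's Return claim settings (Step 3) or the claim name configured in the Power Pages provider mapping (Step 2).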