Share via

Setting up SSO in Entra admin portal is giving unexpected permissions error

Jeffrey Mangiafesto 0 Reputation points
2025-08-06T20:32:00.8733333+00:00

I am trying to set-up a custom SSO configuration and keep getting permissions denied

According to the documentation here at a minimum all I should need is External IDP admin permissions (which I have). I have every permissions (short of global admin) that I could see as even remotely related to this setup, yet I still get permission denied.
https://learn.microsoft.com/en-us/entra/external-id/direct-federation

Is the documentation just not up to date? or am I missing something.
this is the page in the admin portal:
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/IdentityProviders/menuId/ExternalIdentitiesGettingStarted
(Home -> external identities -> all IDPs -> custom -> add custom provider -> SAML/WS-Fed)

As soon as I click continue I get 401: "You don't have access" but I should have access. According to the list I can see - I should have more than enough permissions to do the above.
[https://admin.microsoft.com/Adminportal/Home#/users/:/managerbacroles/userDetail/GUID ID that I removed for privacy]/roleAssignments

Windows for business | Windows 365 Business
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daphne Huynh (WICLOUD CORPORATION) 165 Reputation points Microsoft External Staff Moderator
    2025-08-14T11:14:47.8566667+00:00

    Welcome to the Microsoft Q&A Platform and thank you for your question!

    Based on your description, the External IDP Admin role does not grant sufficient permissions to complete custom SAML/WS-Fed configuration. These tasks often require elevated roles such as Cloud Application Administrator, Application Administrator or Global Administrator. This is likely why you’re seeing the 401 “You don’t have access” error when proceeding with the setup.

    Let me share some steps that could help with the issue at hand.

    • Assign a higher-privilege role

    Assign Cloud Application Administrator, Application Administrator, or Owner of the relevant enterprise app. These roles allow access to the SSO settings.

    • Create or select your enterprise application

    Go to Entra ID → Enterprise apps → All applications.

    Choose your app or create a new one via “New application.”

    • Configure SAML SSO

    In your application, navigate to Single sign-on, choose SAML, and configure the necessary details (Entity ID, Reply URL, Sign-on URL).

    Save the settings and download the SAML metadata such as certificate, Login URL, and Identifier.

    • Use metadata to configure your SSO endpoint

    Within your identity provider or application’s SSO settings, enter the downloaded metadata values (setup or ACS URLs, certificate, etc.)

    Reference: Enable SAML single sign-on for an enterprise application - Microsoft Entra ID | Microsoft Learn

    Please let me know how it goes. Wishing you a successful resolution and a great day!

    1 person found this answer helpful.
    0 comments
  2. Monalisha Jena 330 Reputation points Microsoft External Staff Moderator
    2025-08-22T07:06:59.68+00:00

    Hello Jeffrey Mangiafesto,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. 

    You need a more elevated Entra admin role. The roles that Microsoft explicitly supports for enabling custom SAML/WS-Fed configurations include:

    Global Administrator

    Cloud Application Administrator

    Application Administrator or you may need to be the Owner of the relevant enterprise app

    You can follow the below Steps to Resolve

    1. Assign one of those higher roles to yourself — ideally Cloud Application Administrator if you don’t want full Global Admin.
    2. Navigate to Entra ID → External Identities → All identity providers → Custom → Add new → SAML/WS‑Fed.
    3. Fill in provider details:
    4. Click 'Save', you should now proceed without hitting the 401.

    I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it.

    Regards,

    Monalisha

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.