topic Re: SAML EntraID Guest access not loading Microsoft login page in Network Access Control

SAML EntraID Guest access not loading Microsoft login page

Danijel Turkovic — Mon, 28 Jul 2025 12:07:32 GMT

Hi,

So we setup ISE and Entra ID integration with SAML.

Access work fine for notebooks (tested on 10+ devices), but I am running with issue on some mobile devices.

For some Android and iPhone device after redirect to login.microsoftonline.com page are not opening - blank screen with url only - without any error. Let's say from tested 10 device half is working and other half stuck on same problem (loading Microsoft login page).

I've check firewall and I can see flow to Internet from problematic client IP pointing to login.microsoftonline.com (TCP reset from client side and tcp-fin)

Also my pre-auth URL filter list is not working if I put deny statement -> in this guide there is deny statement for ULR filter list pointing to Microsoft login page.

https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-entra-id/ta-p/4400675

Anyone have any hint where to look further?

Re: SAML EntraID Guest access not loading Microsoft login page

MHM Cisco World — Mon, 28 Jul 2025 11:59:49 GMT

Try open url in browser

See if the page is secure or not.

If not you need to add CA cert

MHM

Re: SAML EntraID Guest access not loading Microsoft login page

Danijel Turkovic — Mon, 28 Jul 2025 12:01:09 GMT

Page is secured.

Re: SAML EntraID Guest access not loading Microsoft login page

MHM Cisco World — Mon, 28 Jul 2025 12:34:22 GMT

You check traffic between client and Microsoft in FW ?

Traffic must not pass via FW before user authc

MHM

Re: SAML EntraID Guest access not loading Microsoft login page

Danijel Turkovic — Mon, 28 Jul 2025 12:46:29 GMT

You have logs also attached.

But I think that you are wrong.

I should be able to see this traffic on my FW - check flow

That is why you need to use pre auth URL filter list to allow this traffic.

Re: SAML EntraID Guest access not loading Microsoft login page

Danijel Turkovic — Mon, 28 Jul 2025 14:27:02 GMT

I've think I resolve my problem with adding new URL list.

Looks like this list from Greg guide need to be extended for Android and iPhone

So from this

login.microsoftonline.com
aadcdn.microsoftonline-p.com
aadcdn.msauth.net

I've increase list to this - found this on forum

login.live.com
go.microsoft.com
aadcdn.msauth.net
aadcdn.msftauth.net
graph.microsoft.com
app.vssps.dev.azure.com
login.microsoftonline.com
app.vssps.visualstudio.com
login.microsoftonline-p.com
management.core.windows.net
secure.aadcdn.microsoftonline-p.com

And now problematic phones are opening login.microsoftonline.com without any issue.

Re: SAML EntraID Guest access not loading Microsoft login page

Greg Gibbs — Mon, 28 Jul 2025 22:08:55 GMT

Thanks for the update @Danijel Turkovic. I've updated my blog post with this list as well.