Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
588
Views
6
Helpful
6
Replies

SAML EntraID Guest access not loading Microsoft login page

Danijel Turkovic
Level 1
Level 1

‎07-28-2025 04:50 AM - edited ‎07-28-2025 05:07 AM

Hi, 

So we setup ISE and Entra ID integration with SAML.

Access work fine for notebooks (tested on 10+ devices), but I am running with issue on some mobile devices. 

For some Android and iPhone device after redirect to login.microsoftonline.com page are not opening - blank screen with url only - without any error. Let's say from tested 10 device half is working and other half stuck on same problem (loading Microsoft login page).

I've check firewall and I can see flow to Internet from problematic client IP pointing to login.microsoftonline.com (TCP reset from client side and tcp-fin)

Also my pre-auth URL filter list is not working if I put deny statement -> in this guide there is deny statement for ULR filter list pointing to Microsoft login page.

 

https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-entra-id/ta-p/4400675

 

 

Anyone have any hint where to look further?

Preview file
45 KB
Preview file
58 KB
Preview file
44 KB
Preview file
112 KB
0 Helpful
6 Replies 6

MHM Cisco World
VIP
VIP

‎07-28-2025 04:59 AM

Try open url in browser 

See if the page is secure or not.

If not you need to add CA cert

MHM

0 Helpful

Danijel Turkovic
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2025 05:01 AM

Page is secured.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Danijel Turkovic

‎07-28-2025 05:34 AM

You check traffic between client and Microsoft in FW ?

Traffic must not pass via FW before user authc 

MHM

0 Helpful

Danijel Turkovic
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2025 05:46 AM

You have logs also attached.

But I think that you are wrong.

 

I should be able to see this traffic on my FW - check flow

 

DanijelTurkovic_0-1753706729355.png

 

 

That is why you need to use pre auth URL filter list to allow this traffic.

 

 

0 Helpful

Danijel Turkovic
Level 1
Level 1

‎07-28-2025 07:27 AM

I've think I resolve my problem with adding new URL list.

 

Looks like this list from Greg guide need to be extended for Android and iPhone 

So from this

login.microsoftonline.com
aadcdn.microsoftonline-p.com
aadcdn.msauth.net

I've increase list to this - found this on forum

 

login.live.com
go.microsoft.com
aadcdn.msauth.net
aadcdn.msftauth.net
graph.microsoft.com
app.vssps.dev.azure.com
login.microsoftonline.com
app.vssps.visualstudio.com
login.microsoftonline-p.com
management.core.windows.net
secure.aadcdn.microsoftonline-p.com

And now problematic phones are opening login.microsoftonline.com without any issue.

 

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Danijel Turkovic

‎07-28-2025 03:08 PM

Thanks for the update @Danijel Turkovic. I've updated my blog post with this list as well.

Customers Also Viewed These Support Documents