Use this guide when Microsoft Entra sign-in is connected but users still cannot authenticate, receive the wrong access, or get stuck during admin consent.
1. Admin consent fails before returning to Divorcepath
If Microsoft shows an error before the admin is returned to Divorcepath, confirm that the consent request was started from your organization’s Entra settings and that the administrator is approving the request in the intended tenant.
2. Divorcepath reports an invalid state
An invalid state error usually means the admin consent flow was interrupted, restarted in a different session, or left idle long enough for the request to become stale. Start the consent flow again directly from your organization’s Entra settings.
3. Divorcepath reports a tenant mismatch
This happens when Microsoft returns a tenant that does not match the original request. Make sure the admin completes consent in the same tenant that was selected when the process began. If your administrator manages multiple tenants, verify the active directory before approving.
4. Consent succeeds but tenant verification fails
If Microsoft returns successfully but Divorcepath cannot finalize the connection, retry once from the organization’s Entra settings. If the error continues, capture the timestamp and tenant involved, then contact support.
5. Users authenticate but do not receive the expected access
- confirm the user’s email domain is in the allowed-domain list if your organization uses one
- review the default role configured for Entra users
- if role mapping is required, confirm a mapping exists for the user’s Entra group or source value
- verify the mapped role is the one your organization expects that user to receive
6. Users are blocked after SSO is enforced
If SSO enforcement is enabled too early, users may be blocked before domains, group mappings, or pilot validation are complete. Temporarily relax enforcement if needed, confirm the login path with pilot users, then re-enable it once the configuration is stable.
7. What to collect before contacting support
- the organization name
- the Microsoft tenant involved
- the user’s email domain
- whether the issue affects admin consent, authentication, or post-login access
- the exact error message shown in Divorcepath or Microsoft
If you need help reviewing Entra consent, domain allowlists, or role mappings, contact Divorcepath support at [email protected].
