AADSTS5007413: Authentication with external provider cannot be completed due to invalid provider discovery response.
From Februrary 2026 Microsoft made a change so that they would strictly only accept the Discovery URL and the JWKS URI in the following format:
https://yourdualshieldFQDN.com:8074/sso/.well-known/openid-configuration
https://yourdualshieldFQDN.com:8074/sso/.well-known/openid-configuration/jwks
If the integration was done before this time, you will see that the path included '/v1/authc/oauth/'. This is no longer valid and may cause the above issue when trying to sign in.
You will not be able to edit the Discovery URL field. The issue was fixed in DualShield version 8.0.7, therefore, you will need to upgrade to version 8.0.7 or above.
Once the upgrade is complete and DualShield has fully started lopg into the Admin Console, go to SSO>SSO Servers and edit the Single Sign-On Server. Select the OpenID Connect tab at the top.
Click on the Load Default button at the top. You should see the Discovery URL and JWKS URI update
Click Save at the bottom.
Copy the new Discovery URL
On Azure, navigate to your EAM Policy and Click on Configure
Paste in the new Discovery URL as per the example below.
Save the change.
You may have to wait up to 20 minutes for Microsoft to refresh this configuration. Once done, please test again