OIDC integration - Azure AD - MS365 User without license #541

Closed
opened 2026-02-04 20:18:04 +03:00 by OVERLORD · 5 comments
Owner

Originally created by @marcomatrella on GitHub (Jun 28, 2024).

Where is the problem occurring?

I encountered the problem while using the application (Frontend)

What browsers are you seeing the problem on?

Chrome, Firefox, Microsoft Edge, Safari

Current behaviour

I configured the OIDC integration in Planka with those variables :

# INTEGRATION WITH AZURE AD - ENTERPRISE APPLICATIONS
OIDC_ISSUER=<issuer>
OIDC_CLIENT_ID=<client_ID>
OIDC_CLIENT_SECRET=<secret>
OIDC_IGNORE_ROLES=true
OIDC_IGNORE_USERNAME=true
OIDC_SCOPES=openid profile email
OIDC_ENFORCED=true

Everything seems ok as long as I log in with a user that has an active license in Microsoft Azure.
When I log in with a user that has no license, the login itself succeeds, but when the authentication flow calls the callback URI I receive an "Unknown error, try again" on the Planka login page.

In the console, there is this error:

POST https://planka.lab.valueson.it/api/access-tokens/exchange-using-oidc 422 (Unprocessable Entity)

{
    "code": "E_UNPROCESSABLE_ENTITY",
    "message": "Unable to retrieve required values (email, name)"
}

I tried to change the configuration in Azure AD, but nothing seems to work. I have other applications integrated with Azure AD (e.g. GitLab) that work perfectly with a user that doesn't have a license assigned.

Thank you for your help

Desired behaviour

No response

Steps to reproduce

  • Create a new company application in Azure AD
  • Create a new user in Azure AD without license
  • Configure Planka with OIDC integration
  • Try to login in Planka with the Microsoft User without license

Other information

No response

OVERLORD added the help wanted label 2026-02-04 20:18:04 +03:00
@simeoncode commented on GitHub (Jul 1, 2024):

I'm not sure what "without license" means here (guest user?) but I had another issue (https://github.com/plankanban/planka/discussions/591#discussioncomment-9128434) that might help you.

My problem was that the user didn't have an assigned email address. The email address used for OIDC is not the same thing as the Entra ID (i.e. user@domain.com, which also looks like an email). The email field that is used can instead be found in the "Contact Information" section, scrolling down to the bottom next to "Fax number".

Maybe "without license" also causes this particular email field to be empty? Just guessing, since I had the same error message.

I think it would be nice if Planka logged out the OIDC object that was sent back from e.g. Entra ID (formerly known as Azure AD) and which expected fields are missing from it.

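A claim-inspection helper for the error discussed above, added here as an example and not part of Planka or of this thread: it decodes the payload of an ID token obtained from your own IdP (signature is not verified; this is for diagnostics, never for accepting a login), reports which of the `email`/`name` values Planka's error names are missing, and flags the Entra ID case where only `preferred_username` (the UPN, which merely looks like an email) is present. The token layout, the sample claims and the hint texts are assumptions made for this example.

```python
import base64
import json

# Values named in the 422 quoted in this issue: "Unable to retrieve required values (email, name)".
REQUIRED_CLAIMS = ("email", "name")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying its signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_required_claims(claims: dict, required=REQUIRED_CLAIMS) -> list:
    """Required claims that are absent or empty, in the order given."""
    return [c for c in required if not claims.get(c)]


def diagnose(claims: dict) -> dict:
    """Missing claims plus hints for the Entra ID / Microsoft 365 case (assumed wording)."""
    missing = missing_required_claims(claims)
    hints = []
    if "email" in missing and claims.get("preferred_username"):
        # Entra ID fills `email` from the user's mail attribute; the UPN alone is not enough.
        hints.append("email missing but preferred_username=%r present: populate the user's "
                     "Email contact field in Entra ID" % claims["preferred_username"])
    if "name" in missing and (claims.get("given_name") or claims.get("family_name")):
        hints.append("name missing although given_name/family_name exist: display name unset")
    return {"missing": missing, "hints": hints}


def build_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.placeholder-signature"


# Constructed claims resembling the failing case: UPN and name present, mail attribute empty.
SAMPLE_UNLICENSED = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
                     "preferred_username": "jane.doe@example.com", "name": "Jane Doe"}
```

Run `diagnose(decode_jwt_claims(build_sample_token(SAMPLE_UNLICENSED)))` to see the report for the constructed case; paste a real ID token payload (from your own tenant) in place of the sample to check a live account.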
@marcomatrella commented on GitHub (Jul 1, 2024):

> I'm not sure what "without license" means here (guest user?) but I had another issue (https://github.com/plankanban/planka/discussions/591#discussioncomment-9128434) that might help you.
>
> My problem was that the user didn't have an assigned email address. The email address used for OIDC is not the same thing as the Entra ID (i.e. user@domain.com, which also looks like an email). The email field that is used can instead be found in the "Contact Information" section, scrolling down to the bottom next to "Fax number".
>
> Maybe "without license" also causes this particular email field to be empty? Just guessing, since I had the same error message.
>
> I think it would be nice if Planka logged out the OIDC object that was sent back from e.g. Entra ID (formerly known as Azure AD) and which expected fields are missing from it.

I try to explain.
I am the admin of my organization in Microsoft Portal (Portal.Azure/Admin exchange/etc).

When I create a new user for my Microsoft organization, I can decide to assign him a license (e.g. Microsoft Business Standard) or I can create a user without a license (I don't know if you mean a Guest user; for me it is a regular user that can only access, for example, files shared in SharePoint by users who have a license).

A user with a standard license works perfectly.
The same user, with the same details but without a license, gives the described error in Planka.

I agree to log the entire userDetail when getting that error, to be able to understand if Microsoft, with this kind of difference, handles an user in a different way.

@simeoncode commented on GitHub (Jul 1, 2024):

Ah, you are talking about Microsoft 365.

Possibly, it could work to log into the Azure Portal (or even the Entra ID admin center, https://entra.microsoft.com/) and manually modify the user in Entra ID. Populate the Email contact information field, make sure the user is enabled etc.

But if it doesn't work, the user might be disabled from the 365 product somehow. There is a disclaimer here (https://learn.microsoft.com/en-us/microsoft-365/enterprise/manage-microsoft-365-accounts?view=o365-worldwide) saying:

> ! Important
> Creating accounts in Microsoft 365 without assigning a license (to SharePoint Online, for example) means that the account owner can view the Microsoft 365 center but can't access any of the services within your company's subscription.

I don't think there is anything that Planka can do in this situation, since there is obviously no user data passed in the OIDC integration. But I would first check that pesky Email field in the "Contact information" section that I mentioned.

@marcomatrella commented on GitHub (Jul 1, 2024):

> Ah, you are talking about Microsoft 365.
>
> Possibly, it could work to log into the Azure Portal (or even the Entra ID admin center, https://entra.microsoft.com/) and manually modify the user in Entra ID. Populate the Email contact information field, make sure the user is enabled etc.
>
> But if it doesn't work, the user might be disabled from the 365 product somehow. There is a disclaimer here (https://learn.microsoft.com/en-us/microsoft-365/enterprise/manage-microsoft-365-accounts?view=o365-worldwide) saying:
>
> > ! Important
> > Creating accounts in Microsoft 365 without assigning a license (to SharePoint Online, for example) means that the account owner can view the Microsoft 365 center but can't access any of the services within your company's subscription.
>
> I don't think there is anything that Planka can do in this situation, since there is obviously no user data passed in the OIDC integration. But I would first check that pesky Email field in the "Contact information" section that I mentioned.

It's strange, because I'm currently using the OIDC integration with other enterprise applications (e.g. GitLab with OmniAuth) and even with users that I didn't assign a license to, it works like a charm. So there is something missing, I think, in the way Planka tries to retrieve the user information.

@daniel-hiller commented on GitHub (Jul 14, 2024):

Looks like a Microsoft issue.
Maybe this can help:
https://stackoverflow.com/a/40632090
https://docs.planka.cloud/docs/Configuration/OIDC

We can't test this; we don't use Microsoft services in any way.


Reference: starred/planka#541