Riva Insight: Microsoft Login Not Enabled on Policy

Grace Wannapongsai
Grace Wannapongsai
  • Updated

Overview

Users may be unable to sign in to Riva Insight using the Sign in with Microsoft option when Microsoft 365 / Graph has not been enabled as an Identity Provider on the Office 365 email connection associated with their Riva Cloud policy.

This issue typically occurs when the user’s policy is configured for another Identity Provider, such as Salesforce, or when the Microsoft 365 Identity Provider setting has not been enabled on the related Office 365 email connection.

Symptoms

A user attempts to log in to Riva Insight using Sign in with Microsoft, but authentication fails.

The user may see an error similar to: 

Riva Cloud Authentication Error: [MS365AuthError] Unable to find existing MS365 user with the provided TenantId.

In some cases, the issue may be reported as:

Microsoft Login is not enabled on a policy corresponding to the user's tenant.

Environment

This issue may apply to environments using:

  • Riva Insight
  • Riva Cloud
  • Microsoft 365 / Exchange Online
  • Microsoft Graph authentication
  • Entra ID / Azure AD
  • RAS-backed policies

Cause

The Sign in with Microsoft option in Riva Insight requires the following setting to be enabled on the Office 365 email connection used by the policy: 

  • "Allow Microsoft 365/Graph to act as an Identity Provider (IdP) for Riva Insight user authentication."

    If this setting is not enabled, Riva Insight cannot use Microsoft 365 / Graph as the Identity Provider for that user’s tenant.

This can also occur when multiple Microsoft tenants are involved and the Office 365 connection does not have the correct IdP group name configured.

Resolution

There are two possible resolution paths depending on whether Microsoft SSO should be enabled for the policy.


Option 1 — Enable Microsoft SSO on the Policy

Use this option when users are expected to sign in to Riva Insight using Sign in with Microsoft.

Steps

  1. Locate the affected Riva Cloud policy.
  2. Open the associated Office 365 email connection.
  3. Enable the following setting: "Allow Microsoft 365/Graph to act as an Identity Provider (IdP) for Riva Insight user authentication."
  4. Configure the correct IdP Group.

    The IdP Group must match the display name of the group in Entra ID / Azure AD.

  5. Save the connection changes.
  6. Have the user complete the following client-side steps:
    • Clear browser cache.
    • Close Outlook completely.
    • Reopen Outlook.
    • Relaunch the Riva Insight panel.
    • Attempt to sign in again using Sign in with Microsoft.

Option 2 — Use the Configured Identity Provider

Use this option when Microsoft SSO is not intended to be enabled for the policy.

In this scenario, advise the user to sign in using the Identity Provider already configured on the policy (such as Sign in with Salesforce) or whichever login method is enabled for that environment.

Important Notes

  • For environments with multiple Microsoft tenants, each Office 365 connection must have its own correct IdP group name configured.
  • The IdP group name should match the group display name in Entra ID / Azure AD.
  • In some environments, the Riva app registration in Azure may need to be changed from Single-tenant to Multi-tenant.
  • If the support team does not have direct access to the Office 365 email connection settings, this change may require Riva Operations involvement.
  • After updating the setting, users should clear cache and restart Outlook before testing again.

Validation

After the setting has been enabled and the user has restarted Outlook:

  1. Launch the Riva Insight panel.
  2. Select Sign in with Microsoft.
  3. Confirm that the user is routed through the correct Microsoft tenant.
  4. Confirm that Riva Insight loads successfully.
  5. If the error persists, verify:
    • The correct Office 365 email connection was updated.
    • The IdP Group display name is correct.
    • The user belongs to the expected Entra ID / Azure AD group.
    • The Microsoft tenant matches the tenant configured on the policy.
    • The Azure app registration supports the required tenant configuration.