Troubleshooting Azure AD/Entra Sign-In Errors with Helm Chart

·Sep 03, 2025 06:46 PM

hi, I'm getting the attached error while trying to sign in with Azure AD/Entra. I've configured the helm chart and redirect uri as per the documentation and confirmed via Azure AD signin logs that I was successfully authenticated. Any ideas what i might have done wrong? Pod logs:

INFO:     172.25.85.33:55498 - "GET /oauth2/microsoft_entra_id/tokens?code=1.AUYAIOXXXXX HTTP/1.1" 307 Temporary Redirect
INFO:     172.25.85.33:55498 - "GET /login?error=Sign+in+is+not+allowed. HTTP/1.1" 200 OK

7 comments

· Sorted by Oldest

RunLLM
APP
·
The error "Sign in is not allowed" after Azure AD/Entra authentication usually means the user account does not exist in Phoenix and automatic sign-up is disabled. In the Helm chart or environment, check if `allow_sign_up` (or `PHOENIX_OAUTH2_MICROSOFT_ENTRA_ID_ALLOW_SIGN_UP`) is set to `false`. If so, an admin must pre-create the user in Phoenix before they can sign in via SSO. If you want users to be auto-provisioned on first login, set `allow_sign_up` to `true` for your identity provider configuration in the Helm chart or as an environment variable. See <https://github.com/Arize-ai/phoenix/pull/7582|this PR> and <https://github.com/Arize-ai/phoenix/blob/main/helm/values.yaml|Helm chart docs> for details. Would you like step-by-step instructions for updating your configuration? Sources: - <https://github.com/Arize-ai/phoenix/pull/7582|feat!: allow a oauth2 only mode> - <https://github.com/Arize-ai/phoenix/blob/main/helm/values.yaml|Helm chart docs>
💡 Hint: Mention RunLLM in the thread for followups.
Roger Y.
·
The bot is correct. If you want to allow sign up, you would change that environment variable
Daniel N.
·
i think that was it, thank you!
Roger Y.
·
no problem
Daniel N.
·
much less important, but any chance it is possible to disable local admin and password entirely and only use SSO?
Roger Y.
·
yea, you can try this
PHOENIX_DISABLE_BASIC_AUTH=true
Daniel N.
·
perfect, thank you!
1