[Feature Request] Support for idp parameter in initiate_auth_code_flow() for Microsoft Entra ID External ID

[piotrstempkowski]

MSAL client type

Public

Problem Statement

Describe the feature request

Microsoft Entra ID External ID with Google federation shows an email
input screen despite using domain_hint=google.com. The idp parameter
could bypass this screen for direct Google redirect, but MSAL Python
doesn't support it.

Goal: Enable direct redirect to Google OAuth without Microsoft email
input screen.

Current behavior

import msal

app = msal.PublicClientApplication(
    client_id="your-client-id",
    authority="https://tenant.ciamlogin.com/tenant-id"
)

flow = app.initiate_auth_code_flow(
    scopes=["User.Read"],
    redirect_uri="http://localhost:8000/callback",
    domain_hint="google.com",
    idp="Google"  #  TypeError: unexpected keyword argument 'idp'
)

Generated URL:
https://tenant.ciamlogin.com/.../authorize?...&domain_hint=google.com&..
.

Expected behavior

Support for idp parameter to enable direct Google redirect:

flow = app.initiate_auth_code_flow(
    scopes=["User.Read"],
    redirect_uri="http://localhost:8000/callback",
    domain_hint="google.com",
    idp="Google"  #  Should work for direct redirect
)

Expected URL:
https://tenant.ciamlogin.com/.../authorize?...&domain_hint=google.com&id
p=Google&...

User experience impact

- Current UX: User clicks "Login with Google" → Microsoft shows email
input → user enters email → redirect to Google
- Expected UX: User clicks "Login with Google" → direct redirect to
Google OAuth (no email input)

Current workaround

flow = app.initiate_auth_code_flow(scopes, redirect_uri,
domain_hint="google.com")
flow["auth_uri"] += "&idp=Google"  also tried with kwargs

MSAL Python version

python -c "import msal; print(msal.__version__)"
# 1.32.3

Environment

- Microsoft Entra ID: External ID (CIAM)
- Identity Provider: Google OAuth federation
- Use Case: FastAPI authentication API

Additional context

The idp parameter is documented in https://docs.microsoft.com/en-us/azur
e/active-directory/develop/v2-oauth2-auth-code-flow and would improve
user experience for federated authentication scenarios.

https://learn.microsoft.com/en-us/answers/questions/2279262/how-can-i-configure-microsoft-entra-external-id-to

### Proposed solution

_No response_

[rayluo]

Additional context

The idp parameter is documented in https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow and would improve user experience for federated authentication scenarios.

https://learn.microsoft.com/en-us/answers/questions/2279262/how-can-i-configure-microsoft-entra-external-id-to

But the keyword idp is not found in your first link above. It was mentioned in the second link which was a Q&A, which claimed that the readers can "Refer this Microsoft Document: Set up direct sign-in using Azure Active Directory B2C | Microsoft Learn"; yet the keyword idp seems still absent from the 3rd link above.

If there is no official document to define that parameter, we are reluctant to add it into this SDK.

[piotrstempkowski]

Thanks for the clarification!

Just to confirm — is there any supported way to achieve direct sign-in with a known IdP like Google (i.e., skipping the email input screen) using MSAL or Microsoft Entra?

Appreciate your help!

[rayluo]

The team behind this SDK is not particularly familiar with the CIAM behavior of whether/how it can achieve "direct sign-in with a known IdP". Perhaps you can engage with your CIAM support channel, and/or engage with the doc team by tentatively creating an edit for the first doc link above.