Azure AD Single-Sign-on with AWS SSO (With Guest User) — Invalid MFA credentials

Senthil M Baskaran
2 min read, Feb 3, 2021

I recently integrated Azure AD with AWS SSO for one of my clients and everything went well, but when the client tried to add a Guest user (for external users), the issue came up. We got the following error: “Invalid MFA credentials. Your MFA credentials were incorrect. Please check your device and try again.”

Let’s look at how I resolved the issue.

Pre-Requisites

  1. Set up AWS SSO: There are a few guides available online, but the one that worked for me is the one from AWS: Link

Steps

  1. Log in to Azure and navigate to Azure AD
  2. In the left menu, click ‘Enterprise applications’
  3. Choose your AWS SSO app
  4. In the left menu, click ‘Single sign-on’
  5. Under ‘User attributes and claims’, click Edit
  6. Under Required claim, for the ‘Claim name’ = ‘Unique User Identifier (Name ID)’, click the value column
  7. Click the ‘Source attribute’ dropdown and select ‘user.mail’ (take a screenshot of the current value in case you want to roll back). The reason this matters: AWS SSO matches the SAML Name ID against the username in its identity store, and a Guest user’s ‘user.userprincipalname’ is not their email address but a tenant-scoped value of the form ‘user_externaldomain.com#EXT#@yourtenant.onmicrosoft.com’, so the default Name ID never matches. Two checks before saving: ‘user.mail’ must be populated for every Guest user, and for your own (member) users ‘user.mail’ must equal the username AWS SSO already knows them by, otherwise this change breaks their sign-in instead of fixing the guest’s.
  8. Click ‘Save’. Now open a private browser window and try with your own email id. It should work.
  9. Then ask your Guest user to test via an incognito browser tab. It worked for my Guest user as well.
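If the guest still fails after step 8, the quickest way to see what Azure AD is actually asserting is to capture the SAMLResponse form field from the browser developer tools (Network tab, the POST to the AWS SSO ACS URL) and decode it. The script below is an added example for this page, not the author’s code and not anything from AWS or Microsoft. The SAML response it builds is a constructed, unsigned sample; the check it performs (Name ID must equal the username AWS SSO knows the user by, and must not be a ‘#EXT#’ guest UPN) is a diagnostic only and does not validate the XML signature, which AWS does on the real response.

```python
"""Decode a SAMLResponse and check the Name ID it carries against the AWS SSO username.

Added diagnostic example; the sample assertion is constructed and unsigned.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_sample_response(name_id: str) -> str:
    """Constructed, unsigned SAMLResponse (base64, as it appears in the POST form field).

    Only here so the checks below can run offline; a real Azure AD response is signed
    and carries many more elements.
    """
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{name_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_name_id(saml_response_b64: str) -> tuple:
    """Return (Format attribute, Name ID value) from a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("no NameID in assertion")
    return node.get("Format", ""), (node.text or "").strip()


def check_name_id(saml_response_b64: str, expected_username: str) -> list:
    """Return a list of problems; an empty list means the Name ID is what AWS SSO expects.

    'expected_username' is the username of the user in the AWS SSO identity store
    (with SCIM from Azure AD this is normally the user's email address).
    """
    _fmt, value = extract_name_id(saml_response_b64)
    problems = []
    if "#EXT#" in value:
        # Guest UPN: Name ID is still sourced from user.userprincipalname, not user.mail
        problems.append(f"Name ID {value!r} is a guest UPN (contains #EXT#)")
    if value.lower() != expected_username.lower():
        problems.append(f"Name ID {value!r} does not match AWS SSO username {expected_username!r}")
    return problems


if __name__ == "__main__":
    # Constructed guest UPN, the shape Azure AD gives external users
    guest_upn = "jane_example.com#EXT#@contoso.onmicrosoft.com"
    print("before fix:", check_name_id(build_sample_response(guest_upn), "jane@example.com"))
    print("after fix: ", check_name_id(build_sample_response("jane@example.com"), "jane@example.com"))
```

Paste the real SAMLResponse value in place of the constructed one; an empty problem list after step 8 confirms the Name ID now carries the guest’s email address rather than the ‘#EXT#’ principal name.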

Hopefully it will work for you. Try it and let me know your results.
