Microsoft Entra External ID authentication and multi-tenant application

Paul 45 Reputation points
2024-08-19T21:18:37.67+00:00

Hi,

We have a multi-tenant app registration in our organization portal.azure.com

We also created a Microsoft Entra External ID which we invite our customer into. The customer has a Microsoft Entra ID account and receives the email invitation, accepts, and I can see the account in the Microsoft Entra External ID where user type is 'Guest' and Identities is 'ExternalAzureAD'.

In the Microsoft Entra External ID, we went through the admin consent process to add our multi-tenant app in the Microsoft Entra External ID / Enterprise Applications. This works as expected, as after the consent it appears in the Enterprise Applications list.

Now when the user tries to authenticate, they receive "invalid_request: AADSTS500208: The domain is not a valid login domain for the account type."

BUT if I assign a role, for example 'Guest Inviter', to the guest account, then the user is able to log in without any issue.

Why does assigning a role make it work? Is this by design?

Please note that the authority used is login.microsoft.com/<tenantId>

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

Accepted answer
  1. Navya 11,940 Reputation points Microsoft Vendor
    2024-08-20T07:33:34.39+00:00

    Hi @Paul

    Thank you for posting this in Microsoft Q&A.

    I understand that you are getting error "invalid request: AADSTS500208: The domain is not a valid login domain for the account type."

    Why does assigning a role make it work? Is this by design?

    Yes, this error is expected if the user has no role assigned.

    This error could be caused when a consumer user from an AAD B2C or an Entra External ID for Customers (CIAM) tenant attempts to log in to login.microsoftonline.com without having any roles assigned.

    Azure AD B2C consumer users are intended to log in to the b2clogin.com URL.

    Entra External ID for Customers consumer users are intended to log in to the ciamlogin.com URL.

    If it is a guest admin / invitation scenario, where the user is hitting the login.microsoftonline.com endpoint to manage a B2C or CIAM tenant via the Entra / Azure portals, then ensure the user has a valid role assigned in the resource tenant.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Pim Wissink 5 Reputation points
    2024-08-26T11:05:09.7966667+00:00

    Hi,

    I'm having the same dilemma as OP. I have to assign administrative roles to external users before they can use SAML/SSO to log in to our application. The downside is, of course, that the external user is now capable of reading all user and application data in our Azure External ID tenant.

    How to circumvent this problem?

    Thanks!

    1 person found this answer helpful.
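Because the workaround discussed in this thread is to grant directory roles to guest accounts, an administrator will want to know which guests currently hold such roles in the External ID tenant. The following Microsoft Graph PowerShell script is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph SDK is installed, that you can consent to the listed read-only scopes, and uses `<tenantId>` as a placeholder.

```powershell
# Added example: audit guest (external) users that hold directory roles in the tenant.
# Assumption: Microsoft.Graph PowerShell SDK (2.x) is installed; <tenantId> is a placeholder.
Connect-MgGraph -TenantId '<tenantId>' `
    -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# All activated directory roles in the tenant (e.g. 'Guest Inviter', 'Global Reader', ...).
$roles = Get-MgDirectoryRole -All

$findings = foreach ($role in $roles) {
    # Role members can be users, groups or service principals; keep only user objects.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        # Fetch the user with its identities so the issuer (e.g. ExternalAzureAD) is visible.
        $user = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,userType,identities'
        if ($user.UserType -ne 'Guest') { continue }

        $identity = $user.Identities | Select-Object -First 1
        [pscustomobject]@{
            Role       = $role.DisplayName
            User       = $user.UserPrincipalName
            UserType   = $user.UserType
            Issuer     = $identity.Issuer
            SignInType = $identity.SignInType
        }
    }
}

if ($findings) {
    # One row per (role, guest) pair; a guest with several roles appears several times.
    $findings | Sort-Object Role, User | Format-Table -AutoSize
} else {
    Write-Host 'No guest users hold directory roles in this tenant.'
}

Disconnect-MgGraph | Out-Null
```

Run this periodically so that roles granted only to get past AADSTS500208 are reviewed against the least-privilege role the scenario actually needs.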
