This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 76%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Hello,
I am having issues when trying to sign into my External tenant and specifying a custom scope. The error happens when I am making use of the MSAL library but also when attempting to authenticate with Postman or Insomnia.
I have set my authority to be https://{domain-name}.ciamlogin.com/ and when attempting to sign in with an external user in that tenant and specifying one of the scopes to be a custom scope that I have defined, it returns the AADSTS500207 error. If I don't specify this scope and only specify standard MS Graph scopes such as openid & offline_access, it logs in fine however I require this custom scope for authentication to my own api.
I have configured the application ID url to be api://... and I have included the full path in the scope however it fails regardless. If I don't include the full path and just include the name of the scope itself, I get another error stating the scope could not be found.
I have also attempted trying to sign in with an internal account however it states that my email cannot be found as I am trying to use this as public client.
Any help would be greatly appreciated as currently.
Kind Regards,
Sam
Thank you James.
Just to provide an update on some further testing that I've done. It seems that I don't encounter this error if I set the the Supported Account Types for the App Registration to single tenant. Under this scenario, all of my accounts login successfully including internal accounts and external accounts in the tenant.
As soon as I swap it back to a multi-tenant option, none of them can sign in again. I have the intention of integrating it with another tenant at some point so keeping it as single-tenant isn't really an option unfortunately.
Many thanks,
Sam
Hi Sam, so sorry for the delay in response. I was out of office. What is the account type that you're trying to sign in with? For example, if you are trying to access a resource that requires a work or school account, you cannot use a personal Microsoft account.
Hey James, no problem at all. The error occurs when trying to sign in with a personal account however the application is setup to allow multitenant and also personal accounts. I get a completely different error when signing in with an internal user from that tenant.
Hi @Sam Anson , can you please send me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and your subscription ID? I can open a free support ticket for you.
Best,
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 37%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
Did you get any solution for this im also facing same problem
Have you found any solution to this im also facing same issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 69%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBN%3C/text%3E%3C/svg%3E)
Hi @James Hamil , I'm facing the same issue, using an api://... scope makes it throw the 'AADSTS500207: The account type can't be used for the resource you're trying to access.'.
I configured my apps the same way I did on an Entra ID instance but the same setup in Entra External Id doesn't work.
Can you give feedback about that support ticket :D ?
edit: This only happens if I configure the apps as multi tenant.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 57.99999999999999%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
@James Hamil I'm also seeing the same issue. I can get it to work if i use 'https://login.microsoftonline.com/tenant' format for the Authority, but not if i use the .ciamlogin.com format.
Any ideas?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 8%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
I am having the same issue as Casey - works fine using login.microsoftonline.com but not if I use the .ciamlogin.com format.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 33%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EII%3C/text%3E%3C/svg%3E)
@James Hamil I'm also seeing the same issue. I can get it to work if i use 'https://login.microsoftonline.com/tenant' format for the Authority, but not if i use the .ciamlogin.com format.
Any ideas?
I was wrestling with this for quite some time, and found that if my API application was configured as single-tenant everything worked as expected. Still testing, but I believe that this should accomplish my goals as the client Entra application through which users can generate a token is still set up as multi-tenant and therefore should allow access to guest users.