Hi. I am trying to use Azure AD B2C for my application. I created an app and selected the option to use multi-tenant as well as personal accounts. In the identity provider, I used Microsoft Account, but only personal Microsoft accounts are working and not my company's email accounts. Do you have any idea how to resolve this? Do we need to change some configuration to make it work for official Microsoft accounts as well? Error: while using Company's email address: https://evonsys22.b2clogin.com/evonsys22.onmicrosoft.com/oauth2/authresp?error=server_error&error_description=AADB2C90289%3a+We+encountered+an+%27invalid_client%27+error+connecting+to+the+identity+provider.+Please+try+again+later.%0d%0aCorrelation+ID%3a+ffff0a41-f1de-4f06-a13e-31daa58f677a%0d%0aTimestamp%3a+2024-07-15+20%3a06%3a52Z%0d%0a

Hi @Sonam K Thank you for posting this in Microsoft Q&A. I understand that you have created multi-tenant application in azure ad b2c but while using Microsoft accounts you are getting error "AADB2C9028 - encountered an 'invalid_client' error connecting to the identity provider. Please try again later". The error message "invalid_client" usually indicates that the client ID or client secret is incorrect or has expired. To resolve this issue, you can try the following steps: Verify the client ID and client secret in your Azure AD B2C policy to ensure they are correct and have not expired. You can locate the client ID and client secret in the "Keys" section of your Azure AD B2C application registration. Check the expiration date of the client secret. If the client secret has expired, you will need to generate a new one and update your Azure AD B2C policy with the new value. . Can you check metadata URL in the configuration of Identity Provider. The format of the metadata URL is similar to https://login.microsoftonline.com/your-tenant/v2.0/.well-known/openid-configuration , where your-tenant is your Microsoft Entra tenant name. For your reference: Setup multitenant application in Azure AD B2C Hope this helps. Do let us know if you any further queries. Thanks, Navya. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

How to fix this issue? - Microsoft Q&A

Accepted answer

Navya 12,405 Reputation points Microsoft Vendor

2024-07-16T11:13:32.2+00:00
Hi @Sonam K

Thank you for posting this in Microsoft Q&A.

I understand that you have created multi-tenant application in azure ad b2c but while using Microsoft accounts you are getting error "AADB2C9028 - encountered an 'invalid_client' error connecting to the identity provider. Please try again later".

The error message "invalid_client" usually indicates that the client ID or client secret is incorrect or has expired. To resolve this issue, you can try the following steps:

Verify the client ID and client secret in your Azure AD B2C policy to ensure they are correct and have not expired. You can locate the client ID and client secret in the "Keys" section of your Azure AD B2C application registration.

Check the expiration date of the client secret. If the client secret has expired, you will need to generate a new one and update your Azure AD B2C policy with the new value.

. Can you check metadata URL in the configuration of Identity Provider. The format of the metadata URL is similar to https://login.microsoftonline.com/your-tenant/v2.0/.well-known/openid-configuration, where your-tenant is your Microsoft Entra tenant name.

For your reference: Setup multitenant application in Azure AD B2C

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.

1 person found this answer helpful.
Sonam K 20 Reputation points

2024-08-01T14:57:39.8966667+00:00

Hi, Thank you for the response. This issue is fixed but I am observing another issue where if I am using the application which i created for my use using normal user flows. In this case, it's working if I am using my gmail account or personal account for SSO microsoft. But when I am trying to use my work email address, it's not working and throwing error. So for this custom policy is required or it's achievable through user flows as well?

Sonam K 20 Reputation points

2024-08-01T15:02:00.8133333+00:00

Hi, thank you for the update. However when I am using my personal email id, it's working fine but it's not working for work email addresses. But when I am using custom policy then both are working. Any idea, why it's not working for work email addresses?

Sonam K 20 Reputation points

2024-08-02T10:31:36.47+00:00

As per my understanding, when using "Microsoft" as the identity provider, we need to configure the Client ID and client secret. However, this configuration will redirect to the login.live.com portal, which only allows personal Microsoft accounts. If we are configuring any custom IDP, we have to provide the metadata URL with the tenant ID. In that case, it will only allow users available in that specific tenant, as it does not permit the use of the metadata URL "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration".

Navya 12,405 Reputation points Microsoft Vendor

2024-08-03T11:27:42.9+00:00

Hi @Sonam K

You are correct that when using the "Microsoft" identity provider in Azure AD B2C, you need to configure the client ID and client secret. However, the "Microsoft" identity provider is only intended for personal Microsoft accounts, and it does not support work or school accounts.

If you want to support work or school accounts in your Azure AD B2C tenant, you will need to use the Microsoft entra id identity provider instead of the "Microsoft" identity provider. When configuring the Microsoft entra id identity provider, you will need to provide the metadata URL for your Azure AD tenant, which includes the tenant ID. Users with work or school accounts in your Microsoft entra id will be able to sign in to your Azure AD B2C tenant.

For more information: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-identity-provider#select-an-identity-provider

Sonam K 20 Reputation points

2024-08-04T03:38:36.0233333+00:00

Hi Navya, but in that case it will work only for the users who are available in that tenant right? I would like to implement it in a way that it works for both personal and work email addresses as i feel if we are restricting based on one tenant, in that case it will work only for those users who are a part of that tenant.

Navya 12,405 Reputation points Microsoft Vendor

2024-08-05T10:48:37.65+00:00

Hi Sonam K

Multiple identity providers can be utilized simultaneously in a B2C tenant. Within the Microsoft "identity provider," there are two options available: Microsoft Entra ID (Single Tenant) and Microsoft Entra ID (Multi-Tenant). Microsoft Entra ID (Single tenant) permits users within that specific tenant to access services, whereas Microsoft Entra ID (Multi-tenant) enables users from various Microsoft Entra tenants to sign in using Azure AD B2C.

Sonam K 20 Reputation points

2024-08-05T16:49:25.59+00:00

Hi Navya, In that case, may i know how can i make an use of Microsoft Entra ID (Multi-tenant)? I mean is it possible to use this in normal "User Flows" or it is only achievable using Custom Policy?

Navya 12,405 Reputation points Microsoft Vendor

2024-08-06T01:37:38.37+00:00

Hi Sonam K
The Microsoft Entra ID multi-tenant feature is currently available only for custom policies and does not yet support user flows.

For your reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy

Navya 12,405 Reputation points Microsoft Vendor

2024-08-07T04:33:55.47+00:00

Hi Sonam K

If the information above has been helpful in addressing your question, please accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Sonam K 20 Reputation points

2024-08-07T08:53:36.3066667+00:00

Hi Navya,

One last question, I am on my trial period currently, So, once the trial period is over, the custom policy which is already configured, will that work like user flows works even after the trial period is over?

Navya 12,405 Reputation points Microsoft Vendor

2024-08-08T09:30:01.32+00:00

Hi Sonam K
Yes, the custom policy that you have configured in Azure AD B2C will continue to work even after the trial period is over. The trial period only affects the features and services that you can use in AAD B2C, but it does not affect the policies that you have already configured.

However, please note that there are some limitations in the trial version of Azure AD B2C, such as the number of monthly authentications and the number of user accounts that you can create. Once the trial period is over, you will need to upgrade to a paid subscription to continue using Azure AD B2C and its features without any limitations.

Navya 12,405 Reputation points Microsoft Vendor

2024-08-12T03:53:28.55+00:00

Hi Sonam K
If the information below has been helpful in addressing your question, please accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to fix this issue?

0 additional answers

Your answer