Hello @Nishtha,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I see you are trying to allow users from other organizations to access your application. But whenever a user accesses your application, they get the error message "AADSTS50020: User account '*****@domain.com' from identity provider 'domain.com' does not exist in tenant '<your_tenant_name>' and cannot access the application '<App_ID>'(App Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
This issue can occur if your application is registered with single-tenant support for account types. To enable users from other Microsoft Azure AD tenants to access your application with their accounts, you need to register your application with the supported account type "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)."
You can make these changes to your registered application from the Authentication tab. Please refer to the screenshot below for guidance.
If you've already verified this solution and the issue persists, please check your application's Common Authority URLs.
This issue typically arises when your application sends requests with a specific tenant ID. For instance, if your application is configured to support Any Microsoft Entra ID tenant - Multitenant, and you generate an access token by sending a request to the https://login.microsoftonline.com/<tenant>/ authority URL, it will only authenticate users within that specific tenant. In those scenarios, users will receive an error message stating that the account needs to be added as an external user in the tenant first.
To enable sign-ins from other tenants, your application should send requests to https://login.microsoftonline.com/organizations/. Please verify whether your application is using the /organizations/ authority URL. If it is currently sending requests to https://login.microsoftonline.com/<tenant>/, you should coordinate with your application team to update the authority URL to /organizations/.
For more details on authority URLs, you can refer to the documentation here:
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.
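The two checks described in the answer above (supported account types, then authority URL) can be run together against an application's configuration. This is an added example, not part of the original answer or Microsoft's code; the function names and the `contoso.onmicrosoft.com` tenant are constructed, and it goes slightly beyond the answer by also recognising the `/common/` and `/consumers/` authorities and the manifest `signInAudience` values that correspond to the supported account types.

```python
from urllib.parse import urlparse

# Authority path segments that are not pinned to one tenant.
MULTI_TENANT_SEGMENTS = {"organizations", "common"}
# Manifest signInAudience values that admit work/school accounts from other tenants.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def authority_segment(authority_url):
    """Return the first path segment of an authority URL, lower-cased."""
    parsed = urlparse(authority_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"not an https authority URL: {authority_url!r}")
    parts = [p for p in parsed.path.split("/") if p]
    if not parts:
        raise ValueError(f"authority URL has no tenant segment: {authority_url!r}")
    return parts[0].lower()


def diagnose(sign_in_audience, authority_url):
    """List the configuration problems that would block users from other tenants."""
    findings = []
    if sign_in_audience not in MULTI_TENANT_AUDIENCES:
        findings.append(
            f"signInAudience is {sign_in_audience}: register the app as multitenant"
        )
    segment = authority_segment(authority_url)
    if segment == "consumers":
        findings.append("authority /consumers/ accepts only personal Microsoft accounts")
    elif segment not in MULTI_TENANT_SEGMENTS:
        findings.append(
            f"authority is pinned to tenant '{segment}': use /organizations/ instead"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample configurations (audience, authority URL).
    samples = [
        ("AzureADMyOrg", "https://login.microsoftonline.com/contoso.onmicrosoft.com/"),
        ("AzureADMultipleOrgs", "https://login.microsoftonline.com/contoso.onmicrosoft.com/"),
        ("AzureADMultipleOrgs", "https://login.microsoftonline.com/organizations/"),
    ]
    for audience, authority in samples:
        problems = diagnose(audience, authority)
        print(audience, authority, "->", problems or "OK for other tenants")
```
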