Microsoft OAuth2 - "The account needs to be added as an external user in the tenant first" error when granting permissions

blam 36 Reputation points
2022-10-04T01:50:04.653+00:00

Hello, I'm trying to implement OAuth2 to get an access token and send an email on behalf of the user. I'm getting the error below:

AADSTS50020: User account '----' from identity provider 'live.com' does not exist in tenant '----' and cannot access the application '----' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

My question is, do I need to always add the account as a user? Is there any way to implement OAuth2 and have the ability to send an email on the user's behalf without having to manually add them?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
  1. CarlZhao-MSFT 46,376 Reputation points
    2022-10-05T10:11:12.647+00:00

    Hi @blam

    Yes, you can send email on behalf of any user without having to manually add them to your tenant. Before doing so, make sure your application is registered as: Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

    [screenshot: app registration "Supported account types" setting]

    Next, use the auth code flow for interactive logins to get an access token. Note that you need to change /{tenant id} to /common to allow personal accounts to log in.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=client id
    &response_type=code
    &redirect_uri=redirect url
    &response_mode=query
    &scope=https://graph.microsoft.com/Mail.Send
    &state=12345

    Finally call the /sendMail endpoint to send email for the personal account.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

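The flow described in the accepted answer, worked through end to end as an added example (this is not code from the answer or from Microsoft): it builds the authorize URL against the /common authority with the Mail.Send scope, validates the state parameter on the redirect, redeems the code at the v2.0 token endpoint with PKCE, and posts to the Graph /me/sendMail endpoint. The client id and redirect URI are placeholder values; the endpoints are Microsoft's documented identity platform v2.0 and Graph v1.0 URLs. Only the request-building helpers run offline; the two network calls are exercised from the `__main__` block.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

# Constructed placeholder values; substitute the values from your own app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/callback"
# /common lets both work/school accounts and personal Microsoft accounts sign in;
# /{tenant id} rejects accounts that are not members of that tenant (AADSTS50020).
AUTHORITY = "https://login.microsoftonline.com/common"
SCOPE = "https://graph.microsoft.com/Mail.Send"
GRAPH_SEND_MAIL = "https://graph.microsoft.com/v1.0/me/sendMail"


def _b64url(raw):
    """Base64url-encode without padding, as required for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) so a stolen auth code alone is useless."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state, code_challenge, authority=AUTHORITY,
                        client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, scope=SCOPE):
    """Build the interactive sign-in URL; the same parameters the answer lists, plus PKCE."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authority}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the auth code from the redirect; a mismatched state is rejected (CSRF guard)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    return query["code"][0]


def build_token_request(code, code_verifier, authority=AUTHORITY,
                        client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, scope=SCOPE):
    """Return (token endpoint URL, form fields) for redeeming the code as a public client."""
    form = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": scope,
    }
    return f"{authority}/oauth2/v2.0/token", form


def redeem_code(code, code_verifier):
    """POST the code to the token endpoint and return the parsed JSON token response."""
    url, form = build_token_request(code, code_verifier)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def build_send_mail_payload(to_address, subject, text):
    """Body for POST /me/sendMail; the mail goes out as the signed-in user."""
    return {
        "message": {
            "subject": subject,
            "body": {"contentType": "Text", "content": text},
            "toRecipients": [{"emailAddress": {"address": to_address}}],
        },
        "saveToSentItems": True,
    }


def send_mail(access_token, payload):
    """Call Graph with the delegated token; Graph answers 202 Accepted on success."""
    req = urllib.request.Request(
        GRAPH_SEND_MAIL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print("Open this URL in a browser:\n" + build_authorize_url(state, challenge))
    code = parse_callback(input("Paste the full redirect URL here: "), state)
    tokens = redeem_code(code, verifier)
    mail = build_send_mail_payload("recipient@example.com", "Graph test", "Sent with Mail.Send")
    print("sendMail HTTP status:", send_mail(tokens["access_token"], mail))
```

The state and PKCE values are generated per sign-in and checked on the way back; the answer's fixed `state=12345` is fine for a demonstration but a real client should treat a callback with an unexpected state as an attempted code injection and drop it.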
