Error integrating AD B2C with Microsoft IDP using User Flow

Rafael Caviquioli 20 Reputation points
2023-02-06T17:25:31.77+00:00

I'm trying to setup Microsoft Accounts as an Identity Provider in my AD B2C tenant following this documentation:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-user-flow

I already double-checked that the application client ID and the secrets are correct in the IDP configuration.

Should I create this client in my main tenant or in the AD B2C tenant?

When I start the login on MS I get the following error:

We're unable to complete your request

unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

Accepted answer
  1. Shweta Mathur 27,616 Reputation points Microsoft Employee
    2023-02-07T07:16:09.3566667+00:00

    Hi @Rafael Caviquioli ,

    Thanks for reaching out.

    As mentioned in the documentation, you need to create your Microsoft Account in Azure Active Directory.

    You can switch your directory from the B2C directory to the default directory through settings in the portal, and register your application in Azure AD there.

    While registering the application in Azure AD, you need to make sure to enter the correct URL under Redirect URI, where xxxx is your B2C tenant name.

    and the supported account type is Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

    Then copy the client id and client secret of your registered application to pass in Azure AD B2C tenant.

    Again, switch back to your B2C directory using the settings mentioned above and configure Microsoft Account in Azure AD B2C.


    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.


1 additional answer

  1. Rafael Caviquioli 20 Reputation points
    2023-02-07T12:57:00.9466667+00:00

    I opened a ticket in Microsoft Support, they gave me this answer:

    To solve the issue please try to navigate to the Manifest of your App registration and set the two properties accessTokenAcceptedVersion and signInAudience as shown below:

    "accessTokenAcceptedVersion": 2,

    "signInAudience": "AzureADandPersonalMicrosoftAccount"

    I changed the values in the manifest as you mentioned, and I understand this would allow only personal accounts to log in. This worked, I managed to log in with my personal account but also noticed I could not log in with my Microsoft business account.

    Just to clarify our needs, we need to allow only business accounts to log in to our application, like customers that make use of Microsoft AD, we don't want anyone to sign in with a hotmail account.

    I thought it would be possible to use the built-in solution for Microsoft IDP with the standard user flow, as it is mentioned in the documentation, but it doesn't seem to be working.

    AzureADMultipleOrgs - Users with a Microsoft work or school account in any organization's Azure AD tenant (for example, multi-tenant)

    I even tried AzureADMultipleOrgs and accessTokenAcceptedVersion = 2, but it didn't work.

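As an added example (not code from the thread, from Microsoft or from the B2C documentation), the following Python check reads an app registration manifest and reports the three settings the thread turns on: the signInAudience and accessTokenAcceptedVersion values Microsoft Support gave in the second answer, and the B2C redirect URI the accepted answer says must be registered. The field names follow the Azure portal's Manifest blade; the redirect URI pattern `https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/oauth2/authresp` is the one the linked documentation prescribes and is assumed here. The two sample manifests are constructed: one resembles a registration that would produce the "not enabled for consumers" error, the other the corrected state.

```python
"""Static check of an Azure AD app registration manifest for the settings that
the Azure AD B2C built-in "Microsoft Account" identity provider relies on.

Added example, not code from the thread. Field names are those shown in the
Azure portal's Manifest blade; the redirect URI shape is the one the B2C
documentation asks for (assumed here). Sample manifests are constructed.
"""
import json

# Audiences that are "enabled for consumers". The documented value for the
# built-in Microsoft Account IdP is AzureADandPersonalMicrosoftAccount.
CONSUMER_AUDIENCES = {"AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}
RECOMMENDED_AUDIENCE = "AzureADandPersonalMicrosoftAccount"


def expected_redirect_uri(b2c_tenant: str) -> str:
    """Redirect URI B2C uses for federation; b2c_tenant is the xxxx in xxxx.onmicrosoft.com."""
    tenant = b2c_tenant.lower()
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp"


def check_manifest(manifest: dict, b2c_tenant: str) -> list[str]:
    """Return findings for a parsed manifest; an empty list means nothing looks wrong."""
    findings = []

    # 1. Audience. The Microsoft Account IdP signs personal accounts in, so an
    #    organisation-only audience (AzureADMyOrg, AzureADMultipleOrgs) is what
    #    yields "unauthorized_client: ... not enabled for consumers".
    audience = manifest.get("signInAudience")
    if audience not in CONSUMER_AUDIENCES:
        findings.append(
            f"signInAudience is {audience!r}: not enabled for consumers; "
            f"set {RECOMMENDED_AUDIENCE!r}"
        )

    # 2. Token version. Microsoft Support's fix in the thread sets this to 2.
    token_version = manifest.get("accessTokenAcceptedVersion")
    if token_version != 2:
        findings.append(f"accessTokenAcceptedVersion is {token_version!r}: expected 2")

    # 3. Redirect URI. Must be the B2C tenant's authresp endpoint, type "Web".
    wanted = expected_redirect_uri(b2c_tenant)
    reply_urls = manifest.get("replyUrlsWithType") or []
    registered = {
        (entry.get("url") or "").lower()
        for entry in reply_urls
        if entry.get("type") == "Web"
    }
    if wanted not in registered:
        findings.append(f"no Web redirect URI equal to {wanted}; found {sorted(registered)}")

    return findings


def check_manifest_json(text: str, b2c_tenant: str) -> list[str]:
    """Same check for the raw JSON downloaded from the portal's Manifest blade."""
    return check_manifest(json.loads(text), b2c_tenant)


# Constructed sample: a registration that is not enabled for personal accounts,
# has no token version set, and has the redirect URI registered on the wrong path.
BROKEN_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
    "signInAudience": "AzureADMyOrg",
    "accessTokenAcceptedVersion": None,
    "replyUrlsWithType": [
        {"url": "https://contoso.b2clogin.com/oauth2/authresp", "type": "Web"},
    ],
}

# Constructed sample: the state after applying the fixes from the thread.
FIXED_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
    "signInAudience": RECOMMENDED_AUDIENCE,
    "accessTokenAcceptedVersion": 2,
    "replyUrlsWithType": [
        {"url": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp", "type": "Web"},
    ],
}

if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN_MANIFEST), ("fixed", FIXED_MANIFEST)):
        result = check_manifest(manifest, "contoso")
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against the JSON downloaded from the registration's Manifest blade (`check_manifest_json(open("manifest.json").read(), "yourtenant")`). The audience check also covers the last thing tried in the thread: a manifest with `AzureADMultipleOrgs` is flagged, because that audience does not include personal accounts and so the built-in Microsoft Account IdP cannot use it.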