SharePoint guest user sign-in error - AADSTS50177

J$ 5 Reputation points
2023-05-09T13:35:53.52+00:00

Hello, I am working to grant access to a guest user to my tenant so they can access a SharePoint site. I have created the guest user, invited the user, and set their permissions on the specific SharePoint site. When they go to sign in, they get the following error message:

Message: AADSTS50177: User account ' ' from identity provider ' ' does not exist in tenant ' ' and cannot access the application '00000003-0000-0ff1-ce00-000000000000'(Office 365 SharePoint Online) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

The user has already signed out and attempted to sign in multiple times. Yesterday, they could sign in with their email if they accessed an incognito browser. Today, that workaround does not work.

Are there any configuration settings on AAD itself we need to review/adjust? I am not sure what else needs to be done since I have already invited the user, added them to the SharePoint site, and added them to a security group.

Microsoft Entra External ID

1 answer

  1. James Hamil 24,386 Reputation points Microsoft Employee
    2023-05-09T21:00:37.93+00:00

    Hi @J$ , I'm sorry you're having this issue. You seem to have taken all the proper steps to resolve this, but there's one more you can try:

    Check for proxyAddress conflicts: Sometimes, the external guest user you're inviting conflicts with an existing Contact object. When this occurs, the guest user is created without a proxyAddress, which means that the user won't be able to redeem this account using just-in-time redemption or email one-time passcode authentication.

    To do this:

    1. Search for the guest user: Go to the "Users" section, and use the search functionality to find the guest user you have invited. Check if the user's User Type is set to Guest.
    2. Check for existing Contact objects: Go to the "All Contacts" section under "Users" in Azure Active Directory. Search for any Contact objects that have the same email address as the guest user you have invited.
    3. Compare proxyAddresses: If you find a Contact object with the same email address as the guest user, check the proxyAddresses attribute of both the guest user and the Contact object. You can do this by selecting the user or contact, then clicking on "Profile" and scrolling down to the "proxyAddresses" section. If there is a conflict, you will see the same proxyAddress value for both the guest user and the Contact object.
    4. Resolve the conflict: If you find a proxyAddress conflict, you can either:
      1. Remove the conflicting Contact object if it's no longer needed, or
      2. Update the proxyAddress of the Contact object to a different value.

    Please let me know if this works. If not, I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

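The portal walk-through in the answer above (find the guest, look for a Contact object with the same address, compare proxyAddresses) can be scripted so the check is repeatable and leaves nothing to eyeballing. The following is an added example, not code from the answer or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the admin running it can read users and organizational contacts, and the guest address is a constructed placeholder. The function is read-only: it reports whether the guest is missing the expected `SMTP:` proxyAddress and which contacts carry the same address, and leaves the remediation (removing or re-addressing the contact) to the administrator, as the answer describes.

```powershell
# Added example (not from the answer or Microsoft documentation).
# Assumes: Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
# and an admin able to read users and organizational contacts.
# The guest address used at the bottom is a constructed placeholder.

function Test-GuestProxyAddressConflict {
    param(
        [Parameter(Mandatory)]
        [string] $GuestMail    # the external email address the guest was invited with
    )

    # 'mail eq' is a plain OData filter. userType is checked client-side because a
    # server-side filter on it needs advanced query support (ConsistencyLevel: eventual).
    $guest = Get-MgUser -Filter "mail eq '$GuestMail'" `
        -Property Id,DisplayName,UserPrincipalName,UserType,Mail,ProxyAddresses,ExternalUserState |
        Where-Object { $_.UserType -eq 'Guest' } |
        Select-Object -First 1

    if (-not $guest) {
        Write-Warning "No guest user with mail '$GuestMail' exists in this tenant."
        return $null
    }

    # Organizational contacts are enumerated and matched client-side, so the check does
    # not depend on which contact properties the tenant allows in server-side filters.
    # -contains is case-insensitive, so 'SMTP:' and 'smtp:' entries both match.
    $expectedProxy = "SMTP:$GuestMail"
    $conflicts = Get-MgContact -All -Property Id,DisplayName,Mail,ProxyAddresses |
        Where-Object {
            ($_.Mail -and $_.Mail -ieq $GuestMail) -or
            ($_.ProxyAddresses -contains $expectedProxy)
        }

    [PSCustomObject]@{
        GuestUpn            = $guest.UserPrincipalName
        GuestUserType       = $guest.UserType
        GuestExternalState  = $guest.ExternalUserState        # PendingAcceptance or Accepted
        GuestProxyAddresses = @($guest.ProxyAddresses)
        # The symptom described in the answer: guest created without its SMTP proxyAddress.
        GuestMissingProxy   = -not ($guest.ProxyAddresses -contains $expectedProxy)
        ConflictingContacts = @($conflicts | Select-Object Id,DisplayName,Mail,ProxyAddresses)
        HasConflict         = (@($conflicts).Count -gt 0)
    }
}

# Usage: read-only scopes are sufficient for the checks above.
Connect-MgGraph -Scopes 'User.Read.All','OrgContact.Read.All'
$report = Test-GuestProxyAddressConflict -GuestMail 'guest.user@partner.example'   # placeholder
$report | Format-List
$report.ConflictingContacts | Format-Table DisplayName,Mail,ProxyAddresses -AutoSize
```

A guest that shows `GuestMissingProxy = True` together with `HasConflict = True` is the situation the answer describes; `GuestExternalState` is worth reading at the same time, because a guest still in `PendingAcceptance` has not redeemed the invitation at all, which is a different cause of the same AADSTS50177 sign-in failure.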
