Can't login to AAD Application with oAuth2: Personal Microsoft accounts are not supported for this application

Bülent Hacioglu 0 Reputation points
2023-05-10T10:25:44.79+00:00

Hi, I'm trying to login an user to my AAD Application via oAuth2. But I'm getting the following error:

Request Id: 818c8dfa-22fd-4e00-93f1-16e6d8142a00

Correlation Id: dc0539ce-d422-4933-b813-036dfcf50c48

Timestamp: 2023-05-10T09:57:44Z

Message: AADSTS500200: User account '****@****.net' is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account.

The goal is to impersonate the user and make requests to https://graph.microsoft.com on the users behalf with delegated permissions. As far as I understand a guest invitation to the application is not needed, is it? What do I need to change to allow any personal account to log in?

Things I already did:

  • Set account types to: "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)"
  • Add a publisher domain and link the MPN id to become a verified publisher
  • Set the authority to: https://login.microsoftonline.com/common 
  • Checked "Enabled for users to sign-in" under Enterprise Applications > Properties
  • Tried it from an incognito browser to make sure its not a caching problem
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,109 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,161 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Greg Leonardo 85 Reputation points MVP
    2023-05-10T12:09:51.8166667+00:00

    You may want to try Azure B2C as “social” accounts are used with AAD, that is more a B2B or AAD to AAD. I would B2C to segment out these type of accounts.

    0 comments No comments

  2. Shweta Mathur 28,921 Reputation points Microsoft Employee
    2023-05-11T12:10:51.33+00:00

    Hi @Bülent Hacioglu ,

    Thanks for reaching out.

    You need to invite the user as a guest user in your Azure AD tenant to authenticate using OAuth.

    Reference: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/add-users-administrator#add-guest-users-to-the-directory.

    If you don't want to invite guest users to your directory. Then you can leverage Azure AD B2B or Azure AD B2C as per case scenario to authentication to your application registered in Azure AD.

    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.


  3. CarlZhao-MSFT 39,021 Reputation points
    2023-05-15T09:57:49.29+00:00

    Hi @Bülent Hacioglu

    Your error may be caused by one of the following reasons, please refer to the corresponding official document for troubleshooting.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments No comments