Azure AD AADSTS90072 Error
I'm currently assisting in the process of migrating all our users to SSO on our app; however, they are getting the AADSTS90072 error as follows:
AADSTS90072: User account 'firstname.lastname@example.org' from identity provider 'live.com' does not exist in tenant '%COMPANY%' and cannot access the application '%APPLICATIONID%'(LastPass Login App) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
Out of the 2000+ users we have migrated, only 13 people show this error so we have confirmed that it isn't anything to do with the provisioning of the apps and it does not appear to be a vendor issue.
However, we can't seem to find a way around this. We have even tried changing the URL mid-load, which was never expected to work in the first place, but at this point we are trying everything.
I have noticed that when the user goes through the login process, the web URL that it directs them to is login.live.com, whereas the users that work get directed to login.microsoftonline.com.
Our company uses the UPN as the primary login email, and all of our users' UPNs are different from the email address it's trying to log in as.
Our UPN is: [staffID@companydomain2.com]
whereas our email is: [email@example.com]
We have compared each of the affected users' proxy information against working users' and they are all using the same proxy. We also checked the SMTP setup and they are all the same for each of them, minus the different names.
Has anyone got any idea what could be causing this?
We have noticed that for 3 of the affected users, it will initially prompt them to sign in using their [firstname.lastname@example.org] email address, but when they put their password in it will tell them it's incorrect, and it doesn't give them the option to change the email they use to log in.
We checked the logs but nothing is showing up, possibly because it's being directed to login.live.com, so it's not actually making it anywhere near the AD tenant.
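A small triage helper, added here as an example and not part of the thread, that parses the AADSTS90072 message quoted above and checks the rejected address against a constructed directory export (UPN plus proxyAddresses), so each affected user can be sorted by which identity provider issued the token and whether the address they typed is a known alias of their tenant UPN. The staff IDs, tenant name and application ID in the sample data are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the error text quoted in the question.
AADSTS90072_RE = re.compile(
    r"AADSTS90072: User account '(?P<account>[^']+)' from identity provider "
    r"'(?P<idp>[^']+)' does not exist in tenant '(?P<tenant>[^']+)'"
)

# Constructed directory export (hypothetical accounts): UPN -> proxyAddresses.
SAMPLE_DIRECTORY = {
    "12345@companydomain2.com": ["SMTP:firstname.lastname@example.org"],
    "67890@companydomain2.com": ["SMTP:other.person@example.org"],
}
# Constructed message in the shape of the one quoted in the question.
SAMPLE_ERROR = ("AADSTS90072: User account 'firstname.lastname@example.org' from identity "
                "provider 'live.com' does not exist in tenant 'EXAMPLE-TENANT' and cannot "
                "access the application 'APPID'(LastPass Login App) in that tenant.")

@dataclass
class Finding:
    account: str        # address the user actually signed in with
    idp: str            # identity provider that issued the token
    upn: Optional[str]  # tenant UPN this address belongs to, if any
    verdict: str

def parse_aadsts90072(message: str) -> dict:
    m = AADSTS90072_RE.search(message)
    if not m:
        raise ValueError("not an AADSTS90072 message")
    return m.groupdict()

def find_upn(address: str, directory: dict) -> Optional[str]:
    """Return the UPN whose UPN or proxyAddresses match `address` (case-insensitive)."""
    target = address.lower()
    for upn, proxies in directory.items():
        # proxyAddresses carry a type prefix such as 'SMTP:'; compare the address part only.
        if upn.lower() == target or any(p.split(":", 1)[-1].lower() == target for p in proxies):
            return upn
    return None

def triage(message: str, directory: dict) -> Finding:
    fields = parse_aadsts90072(message)
    account, idp = fields["account"], fields["idp"]
    upn = find_upn(account, directory)
    if idp.lower() == "live.com":
        # Token came from the consumer (personal Microsoft account) IdP, so the tenant rejects it.
        where = f"alias of tenant user {upn}" if upn else "address not in tenant directory"
        verdict = f"consumer IdP (live.com) token; {where}"
    elif upn is None:
        verdict = "address not in tenant directory"
    else:
        verdict = f"address belongs to {upn} but token issued by '{idp}'"
    return Finding(account, idp, upn, verdict)
```

Run `triage(SAMPLE_ERROR, SAMPLE_DIRECTORY)` over each affected user's error text to separate "signed in with a personal account" cases from "address unknown to the tenant" cases before digging further into provisioning.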
Thank you for posting your question in Microsoft Q&A.
I will get back to you after my research on this.
Much appreciated, Sandeep.
Hey @Sandeep G-MSFT
Just a quick update, Sandeep. Where I mentioned before "the web URL that it directs them to is login.live.com whereas the users that work get directed to login.microsoftonline.com":
It seems like some users are actually being redirected through login.microsoftonline.com as well now, so the redirection URL doesn't seem to be the main cause of the issue in this case.