Authentication issues when creating a resource or accessing any page on Azure

Aparna D 0 Reputation points
2023-06-07T10:46:47.1833333+00:00

Receiving the error below when trying to create a new VM or on any other access



{
  "sessionId": "3e30e6a22b0e4b9f8170820e9ba2812c",
  "errors": [
    {
      "errorMessage": "AADSTS16000: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '0a2057a8-149c-40ca-859e-98de032535fb'(Microsoft Azure Marketplace) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.\r\nTrace ID: b59dc36e-ebc6-4333-b5c5-e18c683d3a00\r\nCorrelation ID: bd3d5ccf-25e9-4051-912d-c6152305dbaa\r\nTimestamp: 2023-06-07 10:28:03Z",
      "clientId": "0a2057a8-149c-40ca-859e-98de032535fb",
      "scopes": [
        "a0e1e353-1a3e-42cf-a8ea-3a9746eec58c/.default"
      ]
    }
  ]
}

1 answer

  1. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2023-06-08T21:15:02.01+00:00

    @Aparna D

    Thank you for your post!

    Error Code: AADSTS16000

    • SelectUserAccount - This is an interrupt thrown by Azure AD, which results in UI that allows the user to select from among multiple valid SSO sessions. This error is fairly common and may be returned to the application if prompt=none is specified.

    Findings:

    From your error code, it looks like a silent request was sent to Azure AD to sign in your user. A silent request usually has a 'prompt' parameter with a value of 'none', for example:

    • https://login.microsoftonline.com/...onmicrosoft.com/oauth2/authorize?response_type=code&client_id=12345...&scope=openid&prompt=none

    When using silent requests, it is expected that the user has already signed in and there's an existing ESTSAUTH cookie in the request header. If this cookie is missing or the session has expired, this error will be thrown.

    Sometimes, a browser configuration or the way the application sends the silent request may block the cookies from being passed. However, in most cases, you'll want to ensure that your browser is properly configured, such as:

    • Adding both login.microsoftonline.com and the application's endpoint to the trusted sites.
    • Logging in from a private browser session to ensure your user has access to your tenant.
    • Logging out from any sessions and interactively signing in again.

    I also looked into your Correlation ID and noticed that the Client ID within your error blocked Passthru users due to its configuration.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
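An added example, not code from the question or the answer: Python that pulls the AADSTS code and the Trace/Correlation IDs out of an error blob shaped like the one pasted above, and applies the answer's point that a failed prompt=none request should fall back to an interactive sign-in rather than be retried silently. The v2.0 authorize endpoint, the tenant, the redirect URI and the select_account fallback prompt are assumptions.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample in the shape of the error blob pasted in the question
# (the email is the page's own placeholder; the IDs are the values it shows).
SAMPLE_ERROR = json.dumps({"sessionId": "3e30e6a22b0e4b9f8170820e9ba2812c", "errors": [{
    "errorMessage": "AADSTS16000: User account '{EmailHidden}' from identity provider "
                    "'live.com' does not exist in tenant 'Microsoft Services' ...\r\n"
                    "Trace ID: b59dc36e-ebc6-4333-b5c5-e18c683d3a00\r\n"
                    "Correlation ID: bd3d5ccf-25e9-4051-912d-c6152305dbaa\r\n"
                    "Timestamp: 2023-06-07 10:28:03Z",
    "clientId": "0a2057a8-149c-40ca-859e-98de032535fb",
    "scopes": ["a0e1e353-1a3e-42cf-a8ea-3a9746eec58c/.default"]}]})

# AADSTS16000 is the SelectUserAccount interrupt the answer describes: the server
# needs the user to interact, so a prompt=none request must not simply be retried silently.
INTERACTION_REQUIRED = {"AADSTS16000"}

_FIELDS = {"code": r"(AADSTS\d+)",
           "trace_id": r"Trace ID: ([0-9a-f-]{36})",
           "correlation_id": r"Correlation ID: ([0-9a-f-]{36})",
           "timestamp": r"Timestamp: (\S+ \S+)"}

def parse_aadsts_error(blob):
    """Extract the AADSTS code plus the Trace/Correlation IDs that support asks for."""
    err = json.loads(blob)["errors"][0]
    out = {"client_id": err["clientId"], "scopes": err["scopes"]}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, err["errorMessage"])
        out[key] = m.group(1) if m else None
    return out

def authorize_url(tenant, client_id, redirect_uri, scope, silent):
    """Silent sign-in sends prompt=none (needs an existing session cookie);
    the interactive fallback sends prompt=select_account instead (assumed endpoint)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "prompt": "none" if silent else "select_account"}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def next_step(blob, tenant, redirect_uri):
    """After a failed silent request: the interactive retry URL, or None when the
    error is not an interaction-required interrupt (log the IDs and stop retrying)."""
    parsed = parse_aadsts_error(blob)
    if parsed["code"] not in INTERACTION_REQUIRED:
        return None
    return authorize_url(tenant, parsed["client_id"], redirect_uri,
                         " ".join(parsed["scopes"]), silent=False)
```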

