This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I have MS Entra External ID preview tenant created. However, I noticed that I cannot authenticate successfully with the local account. Below I provide more details. I would be grateful for help/hints.
Describe the bug
When I try to login with corporate account or standard customer account (for instance using email from minutemailbox) I have below error displayed after authentication is completed:
There was an error trying to log you in: 'AADSTS500208: The domain is not a valid login domain for the account type.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
User should be authenticated successfully and tokens should be issued to the application.
My test tenant ID: 17444b8d-b055-4b48-8797-2c12f5b9b416
Few weeks ago I was able to successfully authenticate.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 33%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
EDIT: Oops, I see now there were comments on the answers below that I had missed that cover most of what I put here, but I'll leave it anyway in case there's anything useful
I'm having the same issue as the OP. The demo that sends you to jwt.ms appears to work, but when using it in my SPA using the MSAL library, I receive the AADSTS500208 error. Here are a few things I've tried and their results:
Environment Setup:
Using login.microsoftonline.com/{tenantId}, I am only able to log in with accounts that have the Global Administrator role. I tried signing in with invited AD accounts (guest and member), local, and social accounts. If the user does not have the role, it returns the originally mentioned error: "AADSTS500208: The domain is not a valid login domain for the account type."
Using {tenantName}.ciamlogin.com, I was unable to test the roles because it didn't prompt for AD accounts, so I tried this with local users and it gets a different error: "AADSTS500207: The account type can't be used for the resource you're trying to access."
Hi everyone, I would like to provide update on this thread as I was working together with Microsoft team and MVP Rory Braybrook to find the root cause of this issue.
First of all, here is the answer I got from the person from Microsoft:
Looking deeper this is a pretty generic error code - there are many ways you might end up miscoding the login domain such that you end up here. We have two fixes we'll be working on this quarter to help avoid this - fixing the issue Rory brought up where you get shown Entra ID configured samples in the App Registration pages and also updating the endpoints shown in the App Registration page which still point to login.onmicrosoft.com.
One more important thing is that samples were wrongly configured. You can read Rory's post here:
https://medium.com/the-new-control-plane/using-entra-external-id-ciam-with-the-msal-samples-86e6de6a8f20
One of the important things is the correct format for the authorize endpoint: https://<TENANT_ID>.ciamlogin.com/<TENANT_ID>/oauth2/v2.0/authorize
If you configure the sample with all above recommendations and you still face the issue it means that probably one of the issues mentioned by the person from Microsoft is happening in your preview tenant. The team is working to fix all potential issues this quarter.
I hope this will help you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 2%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
The recommended solution does not work. When changed to use it, I get the error "There was an issue looking up your account" when attempting to sign in via my microssoft account.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 11%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENE%3C/text%3E%3C/svg%3E)
Hi @Daniel Krzyczkowski
thank you for the update. Do you have any follow-up information if all the issues were addressed in Q1?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 56.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKI%3C/text%3E%3C/svg%3E)
Maybe you should set "https://<tenant-subdomain>.ciamlogin.com/<tenant-id>/v2.0" for Issuer URL.
OpenID Configuration endpoint is "https://<tenant-subdomain>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 75%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
When using "https://<tenant-subdomain>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration" the login works, but the returned openid-configuration is not OpenIdConnect compliant and fails validation.
Sadly https://<tenant-subdomain>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration returns a configuration containing "issuer":"https://login.microsoftonline.com/<tenant-id>/v2.0"
The OIDC spec for the discovery endpoint https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidationstates clearly:
The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.
Is there any fix on the way for this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 56.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGL%3C/text%3E%3C/svg%3E)
The solution is to use tenant-id instead of tenant-name:
https://<tenant-id>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration
The issuer url is now identical to the issuer value
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 96%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Assuming that you have an application registered on Tenant 17444b8d-b055-4b48-8797-2c12f5b9b416, you'd need to sign in using a user account that exists on the same Tenant or invite an external user as a Guest.
If you create a new account on your Azure AD tenant (test@yourdomain.onmicrosoft.com) would you get the same error?
Thanks.
Hi @Fabio Andrade ,
Thank you for your response.
The issue is that I cannot sign up and sign in with any customer account.
Please see example below. I use minute-mailbox temporary email for tests.
When I am trying to register the user, I got error returned from the Azure AD External ID. Please see the flow below:
After redirection to the application I have this error:
There was an error trying to log you in: 'AADSTS500208: The domain is not a valid login domain for the account type. Trace ID: f4bd095b-edee-4bc5-b9a6-0efc2a074400 Correlation ID: 1bd2a3d7-7b33-4a43-be38-1de86116bf48 Timestamp: 2023-08-30 05:17:14
However, I see that account was created successfully under Users tab:
When I try to sign in with the same account above, I also have the same error:
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Daniel Krzyczkowski ,
Thanks for reaching out.
I tried to sign up and sign into External Id preview using minuteinbox account as well from other personal accounts and able to create the account successfully without any error.
I can understand that Microsoft Entra External Id is in preview and there might be chances that intermittent issues are coming.
Could you please confirm that are you still facing the issues?
Also, could you please confirm which application you are running to run the user flow?
Thanks,
Shweta
Thank you for your response.
Unfortunately, issue remains. I also created new, separate tenant and issue is exactly the same (both tenants have Azure subscription connected).
When it comes to application - this is Blazor WebAssembly SPA application.
When I use https://login.microsoftonline.com/17444b8d-b055-4b48-8797-2c12f5b9b416/ as authority value in app configuration, below error is displayed:
There was an error trying to log you in: 'AADSTS500208: The domain is not a valid login domain for the account type.
When I change authority to be:
https://techmindfactorycustomers.ciamlogin.com
There is error displayed that configuration cannot be retrieved from well-known endpoint. When you open below endpoint you can see the that other error is displayed.
https://techmindfactorycustomers.ciamlogin.com/v2.0/.well-known/openid-configuration
Tenant 'v2.0' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
I have active subscription connected.
Hi Daniel Krzyczkowski •
Thanks for the update.
This is the known issue as mentioned here.
Could you please try to update accessTokenAcceptedVersion property from null to 2 in manifest and confirm.
Thanks,
Shweta
Thank you for this suggestion. Unfortunately it still does not work.
I can see that well-known endpoint does not work:
https://techmindfactorycustomers.ciamlogin.com/v2.0/.well-known/openid-configuration
It is independent from the concrete application. I should get OpenID configuration but got this error:
Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
When I call:
https://techmindfactorycustomers.ciamlogin.com/common/discovery/keys
I got this error:
Unspecific Tenant is not supported in this domain
With below address I am able to get OpenID configuration:
However, when using above for the authority value in the app (https://login.microsoftonline.com/17444b8d-b055-4b48-8797-2c12f5b9b416/) I have this error and cannot login:
The domain is not a valid login domain for the account type.
It looks like there is some bigger problem with the service.
The well-known endpoint would be https://techmindfactorycustomers.ciamlogin.com/techmindfactorycustomers.onmicrosoft.com/v2.0/.well-known/openid-configuration
We have found some users with the same issue and our product team is looking into it.
As a work around, this issue is getting resolved by adding any admin role to CIAM user.
I will update you regarding this issue.
Thank you so much for the confirmation. I will wait for updates then.
This is a known issue now and our product team is working on this to fix.
I can repro the error at my end too and keeping an eye on this issue too.
Will let you know once will hear from team.
Thanks for your time and patience.
Hi @Shweta Mathur,
Thank you, I will wait for the updates.
Hi @Shweta Mathur,
I hope you are doing well. I wanted to ask id there are any updates on this? I think this is quite important bug. Did team manage to solve it?
Please let me know if you have any updates.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 36%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOP%3C/text%3E%3C/svg%3E)
We are waiting for a fix as well. Any news? There are a few critical bugs like this one that make the whole product unusable at the moment.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 41%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWW%3C/text%3E%3C/svg%3E)
We're also having the same issue.
Agreed, this bug is making the whole solution useless.
@Shweta Mathur Any updates?
Hi Daniel Krzyczkowski, Olli-Pekka Heinisuo,
Apologies for late response. I was checking with product team for the updates.
We are able to find the issue which seems to be device URL is not returning properly. We are working on to update the documentation for now as workaround and working on fix as well.
Thanks for your time and patience.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 18%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Just in case this is useful, I was having the same issue testing the React SPA, and resolved it by:
If you can't get to https://$whatever.ciamlogin.com in a browser then you might be running into the same thing I was, and if that doesn't work nothing else will.
Hope that helps!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 79%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
@Shweta Mathur any updates? With a broken sign up experience, half of the feature set of Entra Id for Customers is currently broken...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 81%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
@Shweta Mathur Just wondering if you can give us an approx. timeframe when this will be fixed?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 33%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
@Shweta Mathur are there any updates on this?
Any customer account with a domain name other than the tenant domain name is getting:
AADSTS500208: The domain is not a valid login domain for the account type.
Is there a workaround for this yet?