AADSTS500208: The domain is not a valid login domain for the account type.

Daniel Krzyczkowski 491

Hi,

I have MS Entra External ID preview tenant created. However, I noticed that I cannot authenticate successfully with the local account. Below I provide more details. I would be grateful for help/hints.

Describe the bug
When I try to login with corporate account or standard customer account (for instance using email from minutemailbox) I have below error displayed after authentication is completed:

There was an error trying to log you in: 'AADSTS500208: The domain is not a valid login domain for the account type.

To Reproduce
Steps to reproduce the behavior:

Open sign in page.
Create new account using using standard email like the one from minutemailbox service. Any account can be used, error is the same.
Try to authenticate with new account.
See error

Expected behavior
User should be authenticated successfully and tokens should be issued to the application.

My test tenant ID: 17444b8d-b055-4b48-8797-2c12f5b9b416

Few weeks ago I was able to successfully authenticate.

Thank you.

Matthew Keys 35 Reputation points

2023-09-15T16:37:56.71+00:00
EDIT: Oops, I see now there were comments on the answers below that I had missed that cover most of what I put here, but I'll leave it anyway in case there's anything useful

I'm having the same issue as the OP. The demo that sends you to jwt.ms appears to work, but when using it in my SPA using the MSAL library, I receive the AADSTS500208 error. Here are a few things I've tried and their results:

Environment Setup:

Create a new tenant for customers

Create a user flow with default options

Create a application

Configure my MSAL SPA with the clientId from step 3 and attempted with authorities below:

Using login.microsoftonline.com/{tenantId}, I am only able to log in with accounts that have the Global Administrator role. I tried signing in with invited AD accounts (guest and member), local, and social accounts. If the user does not have the role, it returns the originally mentioned error: "AADSTS500208: The domain is not a valid login domain for the account type."

Using {tenantName}.ciamlogin.com, I was unable to test the roles because it didn't prompt for AD accounts, so I tried this with local users and it gets a different error: "AADSTS500207: The account type can't be used for the resource you're trying to access."
Walid Wahba 5 Reputation points

2023-11-22T04:18:16.01+00:00

Any fix for this???

come on, the solution is useless without fixing signing up.

I'm guessing it had something to do with the "SAML request" sent by the application, it must use https://*.ciamlogin.com, but that doesn't make sense as the ciam solution should respond to any SAML request".
Martin Dreßler 30 Reputation points

2023-12-06T16:26:50.13+00:00

When using "https://<tenant-subdomain>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration" the login works, but the returned openid-configuration is not OpenIdConnect compliant and fails validation.

Sadly https://<tenant-subdomain>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration returns a configuration containing "issuer":"https://login.microsoftonline.com/<tenant-id>/v2.0"

The OIDC spec for the discovery endpoint https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidationstates clearly:

The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

Is there any fix on the way for this?
Gunther Lochstampfer 0 Reputation points

2024-01-09T16:36:47.5233333+00:00

The solution is to use tenant-id instead of tenant-name:
https://<tenant-id>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration
The issuer url is now identical to the issuer value
rcd0 46 Reputation points

2024-02-08T11:22:50.79+00:00
Hi, could we please have an update on this?

Tried all options but end up with the following error when using the following configuration. This is a blazor webassembly app using MSAL.js

------Msal configuration:

{ "AzureAdB2C": { "Authority": "https://9fc5b3ac-e8e6-4099-9e21-xxxxxxxx.ciamlogin.com/9fc5b3ac-e8e6-4099-9e21-xxxxxxxx/", "ClientId": "77afc723-5c93-459b-8d27-xxxxxxxxx", "ValidateAuthority": false }}

---Redirect uri for the registered app in azure is: https://localhost:7000

------Error: AADSTS650053: The application 'MyApp' asked for scope '77afc723-5c93-459b-8d27-xxxxxxxx' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
rcd0 46 Reputation points

2024-02-08T12:09:54.11+00:00
So, got it to work. I was porting an app from AD B2C to Entra for Customers. Previously I was required to add the following scope (which is actually my app) when calling "AddMsalAuthentication" which is not required anymore, so delete the following:

options.ProviderOptions.DefaultAccessTokenScopes.Add("77afc723-5c93-459b-8d27-xxxxxxx");

Redirection url needs to be the same as it was for B2C:
https://localhost:7000/authentication/login-callback
Pim w 10 Reputation points

2025-01-17T08:31:47.61+00:00

Hi Daniel, I know this is a old thread and apparently this problem has been solved by an update. But i'm having the same problems in 2025 with 'Entra External Id'. Did you change anything in your configuration beside the update from Microsoft?

9 answers

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Paul Logan 0

Good morning everyone,

I got my scenario working on Friday, thanks to this thread.

Azure SWA set up in our main Entra ID Tenant.
App Registration for the SWA created in our new Entra External ID/Customer Tenant.
Using a temp email address to create an account at login time.

Previously, I had to amend the new user in the portal and assign them an admin role before the user could proceed to the app after signing in.

On Friday, with below staticwebapp.config.json, I was able to register a new user account and sign-in to the app without any manual tweaking of the user account.

{
    "routes": [
        {
            "route": "/src/index.html",
            "allowedRoles": [
                "anonymous"
            ]
        },
        {
            "route": "/logout",
            "redirect": "/.auth/logout?post_logout_redirect_uri=/logout_complete.html"
        },
        {
            "route": "/me",
            "redirect": "/.auth/me"
        },
        {
            "route": "/authOnly*",
            "allowedRoles": [
                "authenticated"
            ],
            "headers": {
                "Content-Type": "application/javascript"
            }
        }
    ],
    "responseOverrides": {
        "401": {
            "statusCode": 302,
            "redirect": "/.auth/login/aad?post_login_redirect_uri=.referrer"
        }
    },
    "trailingSlash": "auto",
    "platform": {
        "apiRuntime": "dotnet-isolated:8.0"
    },
    "auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                "registration": {
                    "openIdIssuer": "https://TenantID.ciamlogin.com/TenantID/v2.0",
                    "clientIdSettingName": "CLIENT_ID",
                    "clientSecretSettingName": "CLIENT_NAME"
                }
            }
        }
    }
}

Regards, Paul.

Daniel Krzyczkowski 491 Reputation points

2024-06-04T03:34:20.91+00:00

I have confirmation from Microsoft that the issue is fixed in all tenants. Documentation and samples were also updated. I can confirm that I do not face the issue anymore.
Please sign in to rate this answer.
Maddali Prasanth 0 Reputation points

2025-04-15T04:34:38.14+00:00

Hi, I encountered this error in a different context while integrating Salesforce SSO with Entra External ID. After provisioning the users, some were unable to log in and received the error:

AADSTS500208: The domain is not a valid login domain for the account type.

After some trial and error, I discovered that assigning the Directory Readers role to the affected user resolved the issue. Just sharing this here in case it helps someone facing a similar problem.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

AADSTS500208: The domain is not a valid login domain for the account type.

9 answers

Your answer