This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I have MS Entra External ID preview tenant created. However, I noticed that I cannot authenticate successfully with the local account. Below I provide more details. I would be grateful for help/hints.
Describe the bug
When I try to login with corporate account or standard customer account (for instance using email from minutemailbox) I have below error displayed after authentication is completed:
There was an error trying to log you in: 'AADSTS500208: The domain is not a valid login domain for the account type.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
User should be authenticated successfully and tokens should be issued to the application.
My test tenant ID: 17444b8d-b055-4b48-8797-2c12f5b9b416
Few weeks ago I was able to successfully authenticate.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 33%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
EDIT: Oops, I see now there were comments on the answers below that I had missed that cover most of what I put here, but I'll leave it anyway in case there's anything useful
I'm having the same issue as the OP. The demo that sends you to jwt.ms appears to work, but when using it in my SPA using the MSAL library, I receive the AADSTS500208 error. Here are a few things I've tried and their results:
Environment Setup:
Using login.microsoftonline.com/{tenantId}, I am only able to log in with accounts that have the Global Administrator role. I tried signing in with invited AD accounts (guest and member), local, and social accounts. If the user does not have the role, it returns the originally mentioned error: "AADSTS500208: The domain is not a valid login domain for the account type."
Using {tenantName}.ciamlogin.com, I was unable to test the roles because it didn't prompt for AD accounts, so I tried this with local users and it gets a different error: "AADSTS500207: The account type can't be used for the resource you're trying to access."
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 11%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hi, could we please have an update on this?
Tried all options but end up with the following error when using the following configuration. This is a blazor webassembly app using MSAL.js
------Msal configuration:
{ "AzureAdB2C": { "Authority": "https://9fc5b3ac-e8e6-4099-9e21-xxxxxxxx.ciamlogin.com/9fc5b3ac-e8e6-4099-9e21-xxxxxxxx/", "ClientId": "77afc723-5c93-459b-8d27-xxxxxxxxx", "ValidateAuthority": false }}
---Redirect uri for the registered app in azure is: https://localhost:7000
------Error: AADSTS650053: The application 'MyApp' asked for scope '77afc723-5c93-459b-8d27-xxxxxxxx' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
So, got it to work. I was porting an app from AD B2C to Entra for Customers. Previously I was required to add the following scope (which is actually my app) when calling "AddMsalAuthentication" which is not required anymore, so delete the following:
options.ProviderOptions.DefaultAccessTokenScopes.Add("77afc723-5c93-459b-8d27-xxxxxxx");
Redirection url needs to be the same as it was for B2C:
https://localhost:7000/authentication/login-callback
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 56.00000000000001%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
Good morning everyone,
I got my scenario working on Friday, thanks to this thread.
Previously, I had to amend the new user in the portal and assign them an admin role before the user could proceed to the app after signing in.
On Friday, with below staticwebapp.config.json, I was able to register a new user account and sign-in to the app without any manual tweaking of the user account.
{
"routes": [
{
"route": "/src/index.html",
"allowedRoles": [
"anonymous"
]
},
{
"route": "/logout",
"redirect": "/.auth/logout?post_logout_redirect_uri=/logout_complete.html"
},
{
"route": "/me",
"redirect": "/.auth/me"
},
{
"route": "/authOnly*",
"allowedRoles": [
"authenticated"
],
"headers": {
"Content-Type": "application/javascript"
}
}
],
"responseOverrides": {
"401": {
"statusCode": 302,
"redirect": "/.auth/login/aad?post_login_redirect_uri=.referrer"
}
},
"trailingSlash": "auto",
"platform": {
"apiRuntime": "dotnet-isolated:8.0"
},
"auth": {
"identityProviders": {
"azureActiveDirectory": {
"userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"registration": {
"openIdIssuer": "https://TenantID.ciamlogin.com/TenantID/v2.0",
"clientIdSettingName": "CLIENT_ID",
"clientSecretSettingName": "CLIENT_NAME"
}
}
}
}
}
Regards, Paul.
I have confirmation from Microsoft that the issue is fixed in all tenants. Documentation and samples were also updated. I can confirm that I do not face the issue anymore.