I want to perform an outlook login, so that I can get calendar events. should I register the application as ad b2c or any suggestions regarding it. I have also tried doing it by registering the application but I have some issues regarding the tokens.

Question

I want to perform an outlook login, so that I can get calendar events. should I register the application as ad b2c or any suggestions regarding it. I have also tried doing it by registering the application but I have some issues regarding the tokens.

vegeta psych 0

I have registered my application in both ad b2c and as a normal application. after trying to login through Outlook, I am only receiving an access token but no refresh token; even though I have included offline_access in my scope. I received the error: OutlookAPIError: ErrorCode: 'PP_E_RPS_CERT_NOT_FOUND'. Message: ' Internal error: spRPSTicket->ProcessToken failed. Failed to call CRPSDataCryptImpl::UnpackData: Internal error: Failed to decrypt data. : Failed to get session key. RecipientId=293577. spCache->GetCacheItem returns error.:Cert Name: (null). SKI: 00ec83bf497a3dc095bbcf649b3bea6669160019...'. While trying to login through my normal account(not as ad b2c), I am receiving the refresh token as well, but I am unable to use the token to get a new access token. I did give all the API permissions, set the identity provider for Microsoft using the client ID and secret and I have created a client secret. I am receiving this error:

 "error": "invalid_grant",
    "error_description": "AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'ac4a2eb9-54c9-4e34-bb6a-8256a955b7d2'(remindMe) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: d7956bc0-254f-4265-9784-5e0008727900 Correlation ID: 6f7c9552-7c00-449d-a0f9-b7025c2c0664 Timestamp: 2023-12-03 16:11:18Z"

Navya 17,730 Reputation points Microsoft External Staff

2023-12-07T12:39:25.1166667+00:00

Hi@vegeta psych

Following up to see if the provided information was helpful. If you had any other questions or if you were able to resolve this issue?
vegeta psych 0 Reputation points

2023-12-07T19:33:15.57+00:00

Hi @Navya ,

Thank you for your information, It helped me solve a part of it but I'm still facing an issue. After creating the app by following the steps you have provided, I wanted to log in as a user through his Microsoft account. Microsoft account identity provider is already present as a default identity. After successful login, the user is not added to the user list and hence I'm not able to refresh the token to get new access and refresh tokens because it says the user account from identity provider "live.com" is not provided in the tenant. If I add the user manually by sending an invite to him to join as a guest user, I can refresh the token and get new tokens successfully. I have tried to do the self-service sign-up method by adding a new user flow, but it still doesn't add the user. Any suggestions on how to solve this?
Navya 17,730 Reputation points Microsoft External Staff

2023-12-08T06:41:42.7633333+00:00

Hi@vegeta psych

The identity provider 'live.com' does not exist in tenant usually occurs when you sign into Azure Portal using your personal account which is not added as an external/guest user to an Azure AD/Microsoft Entra tenant.

Microsoft Entra ID is the default identity provider for self-service sign-up, not Microsoft account. If you want to add users from Microsoft account, make sure to check this highlighted option.

For your reference: Add identity providers
Enable self-service sign-up for your tenant
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya
vegeta psych 0 Reputation points

2023-12-08T07:34:07.3233333+00:00

Hi Navya,

I have the following identity providers as default

After selecting the Microsoft account I have the following pop-up

I have performed the following steps provided in this documentation: https://learn.microsoft.com/en-us/entra/external-id/self-service-sign-up-user-flow

Should the app's publisher domain be verified to work for Microsoft accounts as external identity as this documentation says: https://learn.microsoft.com/en-us/entra/external-id/microsoft-account

I am a little confused about this.
Navya 17,730 Reputation points Microsoft External Staff

2023-12-08T11:22:58.13+00:00

Hi@vegeta psych
Verifying the application's publisher domain is not required for all apps, but it is recommended. If the publisher domain is not verified, the app will show up as unverified in the user consent prompt, which may lead to users being hesitant to grant consent to the app. It is recommended to verify the publisher domain to improve the branding of the app and increase transparency for users.
https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain#app-registration-date
Navya 17,730 Reputation points Microsoft External Staff

2023-12-12T04:09:25+00:00

Hi@vegeta psych

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Navya 17,730 Reputation points Microsoft External Staff

2023-12-15T09:15:06.5766667+00:00

Hi @vegeta psych

Following up to see if the below answer was helpful. And, if you have any further query do let us know.Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.

1 answer

Your answer

Navya 17,730 Reputation points Microsoft External Staff

2023-12-07T12:39:25.1166667+00:00

Hi@vegeta psych

Following up to see if the provided information was helpful. If you had any other questions or if you were able to resolve this issue?
vegeta psych 0 Reputation points

2023-12-07T19:33:15.57+00:00

Hi @Navya ,

Thank you for your information, It helped me solve a part of it but I'm still facing an issue. After creating the app by following the steps you have provided, I wanted to log in as a user through his Microsoft account. Microsoft account identity provider is already present as a default identity. After successful login, the user is not added to the user list and hence I'm not able to refresh the token to get new access and refresh tokens because it says the user account from identity provider "live.com" is not provided in the tenant. If I add the user manually by sending an invite to him to join as a guest user, I can refresh the token and get new tokens successfully. I have tried to do the self-service sign-up method by adding a new user flow, but it still doesn't add the user. Any suggestions on how to solve this?
Navya 17,730 Reputation points Microsoft External Staff

2023-12-08T06:41:42.7633333+00:00

Hi@vegeta psych

The identity provider 'live.com' does not exist in tenant usually occurs when you sign into Azure Portal using your personal account which is not added as an external/guest user to an Azure AD/Microsoft Entra tenant.

Microsoft Entra ID is the default identity provider for self-service sign-up, not Microsoft account. If you want to add users from Microsoft account, make sure to check this highlighted option.

For your reference: Add identity providers
Enable self-service sign-up for your tenant
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya
vegeta psych 0 Reputation points

2023-12-08T07:34:07.3233333+00:00

Hi Navya,

I have the following identity providers as default

After selecting the Microsoft account I have the following pop-up

I have performed the following steps provided in this documentation: https://learn.microsoft.com/en-us/entra/external-id/self-service-sign-up-user-flow

Should the app's publisher domain be verified to work for Microsoft accounts as external identity as this documentation says: https://learn.microsoft.com/en-us/entra/external-id/microsoft-account

I am a little confused about this.
Navya 17,730 Reputation points Microsoft External Staff

2023-12-08T11:22:58.13+00:00

Hi@vegeta psych
Verifying the application's publisher domain is not required for all apps, but it is recommended. If the publisher domain is not verified, the app will show up as unverified in the user consent prompt, which may lead to users being hesitant to grant consent to the app. It is recommended to verify the publisher domain to improve the branding of the app and increase transparency for users.
https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain#app-registration-date
Navya 17,730 Reputation points Microsoft External Staff

2023-12-12T04:09:25+00:00

Hi@vegeta psych

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Navya 17,730 Reputation points Microsoft External Staff

2023-12-15T09:15:06.5766667+00:00

Hi @vegeta psych

Following up to see if the below answer was helpful. And, if you have any further query do let us know.Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.

Answer 1

Hi @vegeta psych ,

Thank you for posting this in Microsoft Q&A.

I understand you want to perform an outlook login, so that you can get calendar events.

This Eror AADSTS50020 occurs in various scenarios. To resolve this issue, Follow the below steps:

1.Register your application as Enterprise application

Sign into the Microsoft Entra admin center -> Browse to Identity > Applications > App registrations and select new registration.

Enter name of the application and make sure to select supported account type as Accounts in any organizational directory and personal Microsoft accounts **(**supports both Microsoft and personal accounts)

2.API Permissions: Add permissions for Microsoft Graph API and grant admin consent for the application.

Calendars.ReadBasic, Calendars.Read, Calendars.ReadWrite

3.When you get an access token, make sure to set URL as https://login.microsoftonline.com/commonand call the Event API endpoint.

For your reference: https://learn.microsoft.com/en-us/graph/api/calendar-list-events?view=graph-rest-1.0&tabs=http

To get refresh tokens please refer this document

Hopes this helps. Do let us know if you any further queries.

Thanks,
Navya.

Fahad Gilani 0 Reputation points

2024-02-17T22:05:16.02+00:00

@Navya we've followed these exact steps but cannot get Personal outlook.com users working for our app (which uses EWS to fetch calendar events). The exact same flow works for enterprise O365 accounts.

Share via

I want to perform an outlook login, so that I can get calendar events. should I register the application as ad b2c or any suggestions regarding it. I have also tried doing it by registering the application but I have some issues regarding the tokens.

1 answer

Your answer