Getting Microsoft entra oauth login to work with personal accounts

MartinFirst alternate Tilsted 0 Reputation points
2024-02-05T21:11:45.3933333+00:00

A am using Oauth login with microsoft entra to allow users with a Microsoft account to login to our website. This works fine if I login with an email which belong to the same email address as the website. I get user info and all that. But if I test with a personal Microsoft account login fails with the error message: "Message: AADSTS500200: User account 'mtilsted@gmail.com' is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account. " I am requesting the scope "profile", and an example for a url is:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=1a729dee-4a8a-4519-bea7-b1e415f1f035&redirect_uri=https%3A%2F%2Fspintype.ai%2FMicrosoftOAuthCallback&scope=profile

In the web app setup under "Supported account types" it say "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers." So i don't understand why login with a personal Microsoft account is not allowed. Are there any other settings I need to enable, or ???

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,717 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Navya 2,795 Reputation points Microsoft Vendor
    2024-02-06T02:35:29.4+00:00

    Hi MartinFirst alternate Tilsted

    Thank you for posting this in Microsoft Q&A.

    I understand you are trying to use OAuth login with Microsoft Entra to allow users with a Microsoft account to log in to your website. The login works fine if the user logs in with an email that belongs to the same email address as the website, but if you test with a personal Microsoft account, the login fails with the error message "AADSTS500200: User account 'mtilsted@gmail.com' is a personal Microsoft account.

    AADSTS500200 is an error code that indicates User account from identity provider does not exist in tenant. This error can happen due to various reasons as explained in this document. I would suggest that you go through this document to fix this issue. https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Pinaki Ghatak 2,225 Reputation points Microsoft Employee
    2024-02-12T10:57:33.3+00:00

    @Hello @MartinFirst alternate Tilsted

    When using OAuth login with Microsoft Entra, encountering issues with personal Microsoft accounts can be frustrating. Let’s explore some possible solutions to address this:

    1. Application Configuration:
      • Ensure that your application is configured to support both multitenant and personal Microsoft accounts.
      • You can use the common endpoint to authenticate both multitenant and personal account users. Set the signInAudience property in your application’s manifest to "AzureADandPersonalMicrosoftAccount".
      • The endpoint for authentication can be: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=YourClientID&response_type=code&redirect_uri=https://jwt.ms&response_mode=query&scope=https://graph.microsoft.com/.default&state=12345.
    2. Prompt Options:
      • When constructing your login URL, consider using the prompt=consent parameter. This forces a new login session and ensures that the user is prompted for consent again.
      • If you’re still facing issues, try using prompt=login to explicitly request a fresh login session.
    3. Testing in Incognito Mode:
      • Sometimes browser caches or existing sessions can interfere with the login process. Try testing in an incognito window or clear your browser cache before attempting the login again.
    4. Check Azure AD Configuration:
      • Verify that your Azure AD application is correctly configured to support sign-ins from personal Microsoft accounts.
      • If the issue persists, try signing in with another personal Microsoft account to see if the problem is specific to the user account.

    Remember that the error message “AADSTS90023 Microsoft account logins are not supported” indicates that the Azure AD Application is not configured to handle personal accounts. By following the steps above, you should be able to resolve this issue and allow personal Microsoft accounts to log in successfully.

    If the above information helps you, please tag this as an accepted answer, so it may help further readers who may have similar questions.