AADSTS50020 Error signing in to app

Jon Insley 0 Reputation points

I am adding the "Sign In with Microsoft" button to my web app following the instructions.

I registered a new app in Active Directory / Entra ID to use for the sign-in.

I set supported account types that can use it as "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" as I want my current tenant domain emails and all hotmail, live.com and other personal Microsoft emails to be able to sign in.

When I try to sign in with any Microsoft email other than the tenant domain email I get redirected to https://login.microsoftonline.com/common/federation/oauth2msa with this error:

*"AADSTS50020: User account 'email@live.com' from identity provider 'live.com' does not exist in tenant '{{TENANT NAME}}' and cannot access the application '{{APP ID}}' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."*

This should be able to log in based on the supported account types. What could be the reason this error is occurring?


1 answer

  1. Neuvi Jiang 690 Reputation points Microsoft Vendor

    Hi Jon Insley,

    Thank you for posting in the Q&A Forums.

    Here are a few possible reasons:

    Wrong tenant: A user tries to sign in to an Azure Active Directory (AAD) tenant with his or her Microsoft personal account (typically Outlook.com, Hotmail.com, or Live.com), but the account has not been invited or added as an external user to that tenant.

    Unsupported account types: Azure AD tenants may only support work or school accounts (i.e., Azure AD accounts) and not personal Microsoft accounts. Some Azure AD applications are configured to accept only users from a specific Azure AD tenant.

    Application Configuration: Applications may be configured in Azure AD to only allow users from a specific tenant or a specific domain to sign in. If the application is set to support only single-tenant mode and the user is not in that tenant, they will be denied access.

    Directory permissions: Users may not have sufficient permissions to access the application, even if they have been added to the tenant as an external user.

    Login Experience Configuration: The application may be configured to use the wrong login experience (e.g., B2B, B2C, or multi-tenant) or may not have the Identity Provider (IdP) set up correctly.

    Authentication library/framework configuration: If your application uses a third-party authentication library or framework, it may not be properly configured to support Microsoft Personal Account login.

    To resolve this issue, you can:

    Confirm tenant: Ensure that the user is trying to sign in to the correct Azure AD tenant.

    Invite the user: If the user should be able to access the tenant, you can act as an administrator to invite them as an external user.

    Check Application Configuration: Make sure the application is configured in Azure AD to accept users from the correct tenant or identity provider.

    Update permissions: Ensure that the user has the required permissions to access the application.

    Check login experience configuration: Make sure your application and Azure AD are configured to support the required login experience.

    Update authentication libraries/frameworks: Ensure that the authentication libraries or frameworks used by your application are properly configured to support the required login types.

    Best regards

    If the Answer is helpful, please click "Accept Answer" and upvote it.

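The following is an added example, not code from the question or from Microsoft. It models how the registration's supported-account-types setting (`signInAudience` in the app manifest) and the tenant segment of the authority URL the app sends its sign-in request to together decide whether an account gets in, and reproduces the question's error for the case where personal accounts are allowed by the registration but the request is pinned to one tenant. The tenant domain `contoso.example`, the verdict strings and the membership-by-domain rule are constructed for the model.

```python
from urllib.parse import urlsplit
# signInAudience values as they appear in an app registration manifest.
TENANT_ONLY = "AzureADMyOrg"
ORG_AND_PERSONAL = "AzureADandPersonalMicrosoftAccount"
PERSONAL_IDPS = {"live.com"}  # the identity provider named in the question's error

def authority_tenant(authority: str) -> str:
    """Return the tenant segment of an authority URL: a tenant id or domain,
    or one of the aliases 'common', 'organizations', 'consumers'."""
    parts = urlsplit(authority)
    if parts.netloc.lower() != "login.microsoftonline.com":
        raise ValueError(f"unexpected authority host {parts.netloc!r}")
    segment = parts.path.strip("/").split("/")[0].lower()
    if not segment:
        raise ValueError("authority URL has no tenant segment")
    return segment

def diagnose(audience: str, authority: str, user_idp: str) -> str:
    """Return 'accepted', 'AADSTS50020' or 'rejected' for a sign-in attempt by
    a user whose identity provider is `user_idp` ('live.com' for a personal
    account, otherwise the domain of the user's own directory)."""
    tenant = authority_tenant(authority)
    idp = user_idp.lower()
    if idp in PERSONAL_IDPS:
        if audience != ORG_AND_PERSONAL:
            return "rejected"  # registration does not admit personal accounts
        if tenant in ("common", "consumers"):
            return "accepted"
        if tenant == "organizations":
            return "rejected"  # this alias is for work/school accounts only
        # Registration admits personal accounts, but the request is pinned to
        # one tenant that the account is not a member of: the question's error.
        return "AADSTS50020"
    # Work or school account from an organisational directory.
    if tenant == "consumers":
        return "rejected"
    if tenant in ("common", "organizations"):
        # Single-tenant registrations cannot be used through the shared aliases.
        return "rejected" if audience == TENANT_ONLY else "accepted"
    # Tenant-pinned authority: only members of that tenant are accepted
    # (this constructed model treats a matching directory domain as membership).
    return "accepted" if idp == tenant else "AADSTS50020"

if __name__ == "__main__":
    # Constructed values: the asker's tenant domain and two candidate authorities.
    pinned = "https://login.microsoftonline.com/contoso.example/v2.0"
    shared = "https://login.microsoftonline.com/common/v2.0"
    print(diagnose(ORG_AND_PERSONAL, pinned, "live.com"))  # AADSTS50020
    print(diagnose(ORG_AND_PERSONAL, shared, "live.com"))  # accepted
```

An app that switches to the `common` authority to admit personal accounts must then check the `tid` and `iss` claims of the tokens it receives itself, because any tenant or personal account can now obtain one for it.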