'AADSTS500207: The account type can't be used for the resource you're trying to access' error when trying to access custom scope in an External Tenant

Sam Anson 20 Reputation points
2024-07-03T14:32:57.8966667+00:00

Hello,

I am having issues when trying to sign into my External tenant and specifying a custom scope. The error happens when I am making use of the MSAL library but also when attempting to authenticate with Postman or Insomnia.

I have set my authority to be https://{domain-name}.ciamlogin.com/ and when attempting to sign in with an external user in that tenant and specifying one of the scopes to be a custom scope that I have defined, it returns the AADSTS500207 error. If I don't specify this scope and only specify standard MS Graph scopes such as openid & offline_access, it logs in fine; however, I require this custom scope for authentication to my own API.

I have configured the Application ID URL to be api://... and I have included the full path in the scope; however, it fails regardless. If I don't include the full path and just include the name of the scope itself, I get another error stating the scope could not be found.

I have also attempted to sign in with an internal account; however, it states that my email cannot be found, as I am trying to use this as a public client.

Any help would be greatly appreciated as currently.

Kind Regards,

Sam

Microsoft Entra External ID

1 answer

  1. Drew Trafton 5 Reputation points
    2024-09-09T13:14:39.1466667+00:00

    I was wrestling with this for quite some time, and found that if my API application was configured as single-tenant everything worked as expected. Still testing, but I believe that this should accomplish my goals as the client Entra application through which users can generate a token is still set up as multi-tenant and therefore should allow access to guest users.

    1 person found this answer helpful.
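The following is an added example (not code from the question or the answer above) that puts the thread's two moving parts in one place: the authorization request a public client sends to an External ID tenant when it asks for a custom API scope alongside openid and offline_access, a parser for the AADSTS code in a token-endpoint error body, and a check of the API's app registration for the condition the answer settled on (signInAudience set to single-tenant, AzureADMyOrg). Every identifier in it is a hypothetical placeholder: the tenant subdomain, client ID, Application ID URI, scope name and redirect URI are made up, the v2.0 endpoint path under {subdomain}.ciamlogin.com/{subdomain}.onmicrosoft.com is an assumption, and the error body and registration objects are constructed to illustrate the checks. It runs offline with the standard library only and does not itself reproduce the error.

```python
import base64
import hashlib
import json
import re
import secrets
from urllib.parse import urlencode

# Hypothetical placeholders (none of these values come from the thread).
TENANT_SUBDOMAIN = "contoso"                                   # {domain-name} in https://{domain-name}.ciamlogin.com/
CLIENT_APP_ID = "11111111-1111-1111-1111-111111111111"         # public client registration
API_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"  # Application ID URI of the protected API
API_SCOPE_NAME = "access_as_user"                              # scope the API exposes
REDIRECT_URI = "http://localhost:3000/redirect"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)[:128]   # unreserved characters, within the 43..128 length bound
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def scopes(include_custom=True):
    """openid + offline_access, plus the fully qualified custom scope (api://{app-id-uri}/{name})."""
    requested = ["openid", "offline_access"]
    if include_custom:
        requested.append(f"{API_APP_ID_URI}/{API_SCOPE_NAME}")
    return requested


def authorize_url(state, code_challenge, include_custom=True):
    """Build the v2.0 authorize request for the external tenant.

    Assumption: the tenant's v2.0 endpoints live under
    https://{subdomain}.ciamlogin.com/{subdomain}.onmicrosoft.com/oauth2/v2.0/.
    """
    authority = f"https://{TENANT_SUBDOMAIN}.ciamlogin.com/{TENANT_SUBDOMAIN}.onmicrosoft.com"
    params = {
        "client_id": CLIENT_APP_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes(include_custom)),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


AADSTS_RE = re.compile(r"AADSTS(\d+)")


def aadsts_code(error_body):
    """Extract the numeric AADSTS code from a token-endpoint error response (JSON string or dict)."""
    body = json.loads(error_body) if isinstance(error_body, str) else error_body
    match = AADSTS_RE.search(body.get("error_description", ""))
    if match:
        return int(match.group(1))
    codes = body.get("error_codes") or []
    return int(codes[0]) if codes else None


def api_registration_findings(app):
    """Check the API's registration (shape of a Microsoft Graph /applications object) for
    the settings this thread turned on. Returns a list of findings; empty means nothing to fix."""
    findings = []
    audience = app.get("signInAudience")
    if audience != "AzureADMyOrg":
        findings.append(f"signInAudience is {audience!r}; the answer above reports the custom scope "
                        "only worked once the API registration was single-tenant (AzureADMyOrg)")
    if API_APP_ID_URI not in app.get("identifierUris", []):
        findings.append(f"identifierUris does not contain {API_APP_ID_URI}, so the full scope path will not resolve")
    exposed = {s["value"] for s in app.get("api", {}).get("oauth2PermissionScopes", []) if s.get("isEnabled", True)}
    if API_SCOPE_NAME not in exposed:
        findings.append(f"scope {API_SCOPE_NAME!r} is not exposed (or is disabled) on the API registration")
    return findings


# Constructed sample inputs for a stand-alone run.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS500207: The account type can't be used for the resource you're trying to access.",
    "error_codes": [500207],
})
SAMPLE_API_APP_MULTI = {
    "signInAudience": "AzureADMultipleOrgs",
    "identifierUris": [API_APP_ID_URI],
    "api": {"oauth2PermissionScopes": [{"value": API_SCOPE_NAME, "isEnabled": True}]},
}
SAMPLE_API_APP_SINGLE = dict(SAMPLE_API_APP_MULTI, signInAudience="AzureADMyOrg")

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(authorize_url(secrets.token_urlsafe(16), challenge))
    print("AADSTS code in sample error:", aadsts_code(SAMPLE_ERROR))
    for name, app in (("multi-tenant API", SAMPLE_API_APP_MULTI), ("single-tenant API", SAMPLE_API_APP_SINGLE)):
        print(name, "->", api_registration_findings(app) or "no findings")
```

Paste the printed authorize URL into a browser (or use it as the Auth URL in Postman) and keep the verifier for the token request; the same `scope` string is what MSAL sends when the custom scope is passed as `api://{app-id-uri}/{name}`. `api_registration_findings` is a static check on the API registration object as returned by Graph, so the signInAudience finding mirrors the answer's observation rather than a documented rule.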
