Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
Cannot use personal account to log in with MS Entra ID when integrating with Flask.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 54%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENT%3C/text%3E%3C/svg%3E)
Nikola Tonev
5
Reputation points
I am trying to integrate "Sign in with Microsoft" option into my Flask application via Microsoft Entra ID. I have followed strictly all steps described in these two official MS tutorials:
And I have checked multiple times that the supported account types are "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
The manifest is set up correctly too with:
"signInAudience": "AzureADandPersonalMicrosoftAccount"
For my Flask application, I am using Python's identity package and more specifically identity.web.Auth in the following way:
# Registering the client
microsoft_client_id = "my_client_id_here"
microsoft_client_secret_value = "my_clent_secret_here"
authority = "https://login.microsoftonline.com/common"
microsoft = identity.web.Auth(
session=session,
authority=authority,
client_id=microsoft_client_id,
client_credential={"client_secret": microsoft_client_secret_value}
)
# View function for logging in
@authnetication.route("/auth/microsoft_login", methods=["POST", "GET"])
def microsoft_login_api():
redirect_uri = url_for('authentication.auth_microsoft_callback', _external=True)
return redirect(microsoft.log_in(
scopes=["User.Read"],
redirect_uri=redirect_uri
).get('auth_uri'))
@authnetication.route('/auth/microsoft/callback')
def auth_microsoft_callback():
logging.info("Callback triggered.")
However, whenever I go to the login page and enter my outlook email, I keep getting the error message "You can't sign in here with a personal account. Use your work or school account instead."
I feel like this is an issue on Microsoft side, as I have done all steps exactly as described in the official tutorials and still it is not working... Can someone please support with this?
It is worth mentioning that I am using a free trial tenant account currently and also my redirect URI is on localhost ("http://localhost:5101/auth/microsoft/callback").
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
{count} vote
-
Nikola Tonev 5 Reputation points
2024-09-08T20:49:20.0433333+00:00 Update: I tried integrating the Microsoft login via Authlib as well and I got the same issue, which just confirms that the issue has to be on Microsoft's side.
Updated implementation:
# Registering the client microsoft = oauth.register( name='microsoft', client_id=os.getenv('MICROSOFT_CLIENT_ID'), client_secret=os.getenv('MICROSOFT_CLIENT_SECRET_VALUE'), client_kwargs={ 'scope': 'openid email profile', }, server_metadata_url=f'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration', redirect_uri='http://localhost:5101/auth/microsoft/callback' ) # View functions @authnetication.route("/auth/microsoft_login", methods=["POST", "GET"]) def microsoft_login_api(): redirect_uri = url_for('authentication.auth_microsoft_callback', _external=True) return app.microsoft.authorize_redirect(redirect_uri) @authnetication.route('/auth/microsoft/callback') def auth_microsoft_callback(): token = app.microsoft.authorize_access_token() user_info = app.microsoft.parse_id_token(token) session['user'] = user_info ... -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2024-09-13T21:31:23.8566667+00:00 Hi @Nikola Tonev , so sorry for the delay! Did you grant the "User.Read" permission to your app registration? Have you tried testing this with a different email?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 32%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
Pål Andreas Morholmen 10 Reputation points2025-03-07T08:58:34.2433333+00:00 Did you ever resolve this issue? I'm having the exact same issue and I have tried every type of authority I can find, but nothing seems to work. I cannot login with an email that is connected to a personal microsoft account even though it is registered in my Entra External Tenant.
# AUTHORITY = "https://login.microsoftonline.com/common" # AUTHORITY = "https://login.microsoftonline.com/consumers" # AUTHORITY = f"https://login.microsoftonline.com/{env_vars.USERS_TENANT_ID}" # AUTHORITY = f"https://{env_vars.USERS_TENANT_SUBDOMAIN}.ciamlogin.com" # AUTHORITY = f"https://{env_vars.USERS_TENANT_SUBDOMAIN}.ciamlogin.com/{env_vars.USERS_TENANT_ID}" AUTHORITY = f"https://{env_vars.USERS_TENANT_SUBDOMAIN}.ciamlogin.com/{env_vars.USERS_TENANT_SUBDOMAIN}.onmicrosoft.com"
Sign in to comment
Sign in to answer