AADSTS90072 User Account Does Not Exist in Tenant

John Miller 0 Reputation points
2024-09-20T20:08:46.5533333+00:00

Our application uses Microsoft Entra for authorization. Our application also allows clients to use their own Entra IDP for authentication, which invites their user to our tenant as an external user. Normally, when users accept an invitation, the identity shows as ExternalAzureAD. We have one client with a single user showing up as MicrosoftAccount. They are able to authenticate into our website, but not through our Office add-ins. I ran some network tracing and I see that the user is getting routed through login.live.com as opposed to login.microsoftonline.com, as a normal account would be. We believe there is some misconfiguration with the user which is flagging it as a MicrosoftAccount instead of an ExternalAzureAD account, causing this issue. The authentication has a signInAudience value of AzureADMyOrg, which indicates only users from the client's organization should be able to access it and not personal accounts. What I am not understanding is what could be flagging the user's account as a MicrosoftAccount vs. an ExternalAzureAD account when it has been set up with the same domain as all of the other users. Any advice on what to review in the client's Entra configuration when reconnecting with them?


1 answer

  1. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2024-09-20T20:50:23.3066667+00:00

    Hi @John Miller

    Thanks for reaching out to Microsoft Q&A.

    Usually, this behavior occurs because the Microsoft Account was created with a corporate-domain email address; this is no longer possible, but it used to be very common in the past.

    When inviting users, the B2B redemption process checks whether the account you are inviting is a personal account, and if it is, Entra creates the guest account as an MSA account:

    https://learn.microsoft.com/en-us/entra/external-id/redemption-experience#invitation-redemption-flow


    In this case, I believe your options are to allow MSA accounts to sign in to your application, or to invite the user with a different account.

    Thanks,

    Fabio
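The answer above says the issuer recorded on a guest (ExternalAzureAD or MicrosoftAccount) is decided at invitation redemption. A practical way to find which guests in your own tenant were redeemed against a personal Microsoft account, and whether one domain contains both kinds of guest as in the question, is to read the `identities` collection of each guest user from Microsoft Graph. The script below is an added example and is not code from the original question or answer. It parses a constructed sample of a `GET /users?$filter=userType eq 'Guest'&$select=id,mail,userType,identities,externalUserState` response; the tenant name fabrikam.onmicrosoft.com, the user names, domains and GUIDs are made up, and fetching the real page with a token is left to the reader.

```python
"""Audit Entra B2B guests for identities issued by a personal Microsoft
account (MSA). Added example; SAMPLE_GRAPH_PAGE is constructed test data
in the shape of a Graph /users page, not output from a real tenant."""
import json
from collections import defaultdict

SAMPLE_GRAPH_PAGE = json.dumps({
    "value": [
        {   # Redeemed against the client's own Entra tenant (the normal case).
            "id": "11111111-1111-1111-1111-111111111111",
            "mail": "alice@contoso.example",
            "userType": "Guest",
            "externalUserState": "Accepted",
            "identities": [
                {"signInType": "federated", "issuer": "ExternalAzureAD",
                 "issuerAssignedId": "alice@contoso.example"},
                {"signInType": "userPrincipalName",
                 "issuer": "fabrikam.onmicrosoft.com",
                 "issuerAssignedId": "alice_contoso.example#EXT#@fabrikam.onmicrosoft.com"},
            ],
        },
        {   # Same corporate domain, but redeemed with a personal Microsoft account.
            "id": "22222222-2222-2222-2222-222222222222",
            "mail": "bob@contoso.example",
            "userType": "Guest",
            "externalUserState": "Accepted",
            "identities": [
                {"signInType": "federated", "issuer": "MicrosoftAccount",
                 "issuerAssignedId": "bob@contoso.example"},
                {"signInType": "userPrincipalName",
                 "issuer": "fabrikam.onmicrosoft.com",
                 "issuerAssignedId": "bob_contoso.example#EXT#@fabrikam.onmicrosoft.com"},
            ],
        },
        {   # Invitation not yet redeemed: no federated identity recorded yet.
            "id": "33333333-3333-3333-3333-333333333333",
            "mail": "carol@northwind.example",
            "userType": "Guest",
            "externalUserState": "PendingAcceptance",
            "identities": [
                {"signInType": "userPrincipalName",
                 "issuer": "fabrikam.onmicrosoft.com",
                 "issuerAssignedId": "carol_northwind.example#EXT#@fabrikam.onmicrosoft.com"},
            ],
        },
    ]
})


def federated_issuer(user):
    """Issuer of the guest's federated identity (ExternalAzureAD, MicrosoftAccount,
    ...), or None when the invitation has not been redeemed yet."""
    for ident in user.get("identities", []):
        if ident.get("signInType") == "federated":
            return ident.get("issuer")
    return None


def audit_guests(page_json):
    """Flatten one Graph /users page into rows, flagging MSA-backed guests."""
    rows = []
    for user in json.loads(page_json).get("value", []):
        if user.get("userType") != "Guest":
            continue
        mail = (user.get("mail") or "").lower()
        domain = mail.rsplit("@", 1)[-1] if "@" in mail else ""
        issuer = federated_issuer(user)
        rows.append({
            "mail": mail,
            "domain": domain,
            "issuer": issuer,
            "state": user.get("externalUserState"),
            "is_msa": issuer == "MicrosoftAccount",
        })
    return rows


def mixed_issuer_domains(rows):
    """Domains whose redeemed guests were issued by more than one identity
    provider, i.e. the situation in the question: one domain, one MSA guest
    among ExternalAzureAD guests."""
    by_domain = defaultdict(set)
    for row in rows:
        if row["issuer"]:  # skip unredeemed invitations
            by_domain[row["domain"]].add(row["issuer"])
    return sorted(d for d, issuers in by_domain.items() if len(issuers) > 1)


if __name__ == "__main__":
    report = audit_guests(SAMPLE_GRAPH_PAGE)
    for row in report:
        flag = "MSA-BACKED" if row["is_msa"] else ""
        print(f"{row['mail']:28} {str(row['issuer']):18} {row['state']:18} {flag}")
    print("domains with mixed issuers:", mixed_issuer_domains(report))
```

Run against a real page, the `mixed_issuer_domains` output points straight at the domain from the question, and the `is_msa` flag identifies the user to re-invite with a different account. The issuer is also consistent with the routing observed in the question's network trace: a guest issued by MicrosoftAccount is sent to login.live.com rather than login.microsoftonline.com at sign-in.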

