Entra ID with Cognito

studio 0 Reputation points
2024-10-01T22:45:01.55+00:00

I am trying to do the following:

  1. Set up AWS Cognito with Azure OIDC as the federated sign-in identity
  2. In Azure, I have configured an app in Entra ID --> App registrations, and I have picked "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" for the supported account type
  3. In Cognito I have configured the following:
    1. client ID
    2. client secret
    3. issuer = https://login.microsoftonline.com/XXX
    4. Authorization endpoint = https://login.microsoftonline.com/XXX/oauth2/v2.0/authorize
    5. Token endpoint = https://login.microsoftonline.com/XXX/oauth2/v2.0/token
    6. Jwks_uri endpoint = https://login.microsoftonline.com/common/discovery/keys

But when I try to log in it keeps giving me: AADSTS50020: User account 'example@hotmail.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'XXX'(smth-cogntio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

I have reached out to AWS, but they said they don't support common.

But I am sure I am not the only one trying to attempt this.

Any help would be much appreciated!


1 answer

  1. Navya 11,790 Reputation points Microsoft Vendor
    2024-10-04T09:59:24.56+00:00

    Hi @studio

    Thank you for posting this in Microsoft Q&A.

    When a guest user tries to access your application in a tenant, the sign-in fails, and an error message appears, such as "AADSTS50020: User account 'example@hotmail.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'XXX' in that tenant."

    Based on the information you provided, I understand that you have created an application registration with a supported account type as "Accounts in any organizational directory (Any Azure AD tenant - Multitenant)" and personal Microsoft accounts (e.g., Skype, Xbox). However, you are using the wrong authorization and token endpoint.

    If you use https://login.microsoftonline.com/<YourTenantNameOrID>, users from other organizations cannot access the application. You need to add these users as guests in the tenant specified in the request. In this scenario, authentication is expected to occur within your tenant only. This causes the sign-in error if you expect users to sign in using federation with another tenant or identity provider.

    Use the https://login.microsoftonline.com/common endpoint for multitenant and personal accounts.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
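The answer recommends the common endpoint; the added example below (not from either participant in this thread) builds the ProviderDetails map a Cognito OIDC identity provider takes for a single tenant or for `common`, and shows why an exact-match issuer check fails under `common`: a v2.0 ID token's `iss` carries the signing tenant's ID, so a relying party that cannot pin one tenant must instead validate `iss` against an allowlist of onboarded tenants. The client ID, secret and tenant GUIDs are constructed placeholders.

```python
from typing import Dict, Iterable
from urllib.parse import urlparse

AUTHORITY = "https://login.microsoftonline.com"


def entra_provider_details(tenant: str, client_id: str, client_secret: str) -> Dict[str, str]:
    """ProviderDetails for a Cognito OIDC identity provider backed by Entra ID v2.0 endpoints.

    `tenant` is a tenant ID or verified domain (single tenant), or "common"
    (any organizational tenant plus personal Microsoft accounts).
    """
    base = f"{AUTHORITY}/{tenant}"
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "authorize_scopes": "openid profile email",
        "attributes_request_method": "GET",
        "oidc_issuer": f"{base}/v2.0",
        "authorize_url": f"{base}/oauth2/v2.0/authorize",
        "token_url": f"{base}/oauth2/v2.0/token",
        "attributes_url": "https://graph.microsoft.com/oidc/userinfo",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
    }


def issuer_tenant(iss: str) -> str:
    """Tenant segment of a v2.0 issuer (https://login.microsoftonline.com/<tenant>/v2.0)."""
    u = urlparse(iss)
    parts = u.path.strip("/").split("/")
    if u.scheme != "https" or u.netloc != "login.microsoftonline.com" or parts[1:] != ["v2.0"]:
        raise ValueError(f"unexpected issuer: {iss}")
    return parts[0]


def strict_issuer_ok(configured_issuer: str, claims: dict) -> bool:
    """Exact-match issuer validation, as a generic relying party performs it."""
    return claims.get("iss") == configured_issuer


def allowlisted_issuer_ok(claims: dict, allowed_tenants: Iterable[str]) -> bool:
    """Multitenant-aware validation: accept only explicitly onboarded tenants,
    and require `tid` to agree with the issuer's tenant."""
    tenant = issuer_tenant(claims.get("iss", ""))
    return tenant in set(allowed_tenants) and claims.get("tid") == tenant


# Constructed sample: decoded ID-token claims (signature assumed verified already)
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tid": "11111111-2222-3333-4444-555555555555",
    "aud": "client-id-placeholder",
    "preferred_username": "example@hotmail.com",
}
```

The returned map is the `ProviderDetails` argument of Cognito's `CreateIdentityProvider` call with `ProviderType` set to `OIDC`.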

