Entra ID oauth flow

Tomoki 40 Reputation points
2024-10-04T09:59:48.5066667+00:00

Hi and thanks in advance!

I'm developing a web application that uses Microsoft Entra ID to allow any Microsoft Entra ID user to log in to my app. I was able to integrate and configure the OAuth2 flow with users I have manually created in my Entra ID tenant, but I'm having problems with external users. In my web application the user starts the OAuth flow and the Microsoft login screen is displayed, but after the user fills in his Entra ID credentials, the user gets an error message:

AADSTS50020

User account '{EUII Hidden}' from identity provider 'live.com' does not exist in tenant 'xxxxx' and cannot access the application 'xxxxx'(xxxxx) in that tenant. The account needs to be added as an external user in the tenant first.

Do I need to add the user to my own entra ID tenant as external first and then start the OAuth flow?

thanks!


Accepted answer
    Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-10-04T22:04:43.71+00:00

    Hello @Tomoki,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you've registered a web-based application in Microsoft Entra ID that uses the OAuth protocol for authentication. Users in your tenant can access the application without issues, but when users from other tenants try to access it, they receive the following error message: "User account '{EUII Hidden}' from identity provider 'live.com' does not exist in tenant 'xxxxx' and cannot access the application 'xxxxx' (xxxxx) in that tenant. The account needs to be added as an external user in the tenant first."

    In this situation, there are two solutions to resolve the issue. First, you can invite users from other tenants to your tenant as guest accounts. Alternatively, you can configure your application to support multi-tenant access.

    To invite users as guest accounts, please follow this documentation: Add guest users to your tenant.

    To configure your application as multi-tenant, follow these steps:

    1. By default, web app/API registrations in Microsoft Entra ID are single tenant when created. To make it multi-tenant, log in to the Microsoft Entra admin center and select the app registration you want to update.
    2. Open the app registration and select the Authentication pane.
    3. In the Supported account types section, change the setting to Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant).

    [Screenshot: Supported account types setting in the app registration's Authentication pane]

    Additionally, ensure your code sends authentication requests to /common. In a multi-tenant application, the app can't determine which tenant the user belongs to immediately, so requests must be sent to a common endpoint (https://login.microsoftonline.com/common) that serves all Microsoft Entra tenants as a central hub.

    For more details, please refer to the following document: Convert an app to be multi-tenant.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

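The accepted answer's two code-side points (send authorization requests to the `/common` authority once the registration is multi-tenant, and be aware that the app can no longer tell up front which tenant the user comes from) are shown below in a small Python example. This is an added illustration, not code from the poster, the answer, or Microsoft; the client ID, redirect URI, scopes and tenant IDs are placeholders, and it assumes the ID token's signature has already been verified by your OIDC library before `check_multitenant_issuer` is called. The second function is the check a multi-tenant app needs that a single-tenant app gets for free: with `/common`, the `iss` claim is per-tenant, so the application itself must decide which tenants it trusts.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Hypothetical app registration values (placeholders, not taken from the original post).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example/auth/callback"
AUTHORITY_HOST = "https://login.microsoftonline.com"


def make_pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant: str, code_challenge: str, state: str, nonce: str) -> str:
    """Build the v2.0 authorization URL for the given authority segment.

    For a single-tenant registration `tenant` is the tenant ID; for the multi-tenant
    setup the answer describes it is "common" (or "organizations" to exclude personal
    accounts), because the app does not yet know the user's home tenant.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,            # CSRF protection, bound to the user's session
        "nonce": nonce,            # replay protection, echoed back in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def check_multitenant_issuer(claims: dict, allowed_tenants: Optional[set] = None) -> bool:
    """Validate the iss/tid pair of an ID token whose signature was already verified.

    When authorization went through /common, Entra ID issues the token from the
    user's home tenant, so `iss` is https://login.microsoftonline.com/{tid}/v2.0.
    The issuer must agree with `tid`, and if the app only serves specific customer
    tenants, `tid` must also be on that allow-list; passing None accepts any tenant
    with a well-formed issuer.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or iss != f"{AUTHORITY_HOST}/{tid}/v2.0":
        return False
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False
    return True


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("common", challenge, state, nonce))
```

Store `verifier`, `state` and `nonce` in the server-side session before redirecting, then after the token exchange run `check_multitenant_issuer` on the decoded ID token in addition to the audience, nonce and expiry checks your library performs. Keeping `allowed_tenants` as an explicit list is the practical replacement for the implicit tenant restriction that the single-tenant setting provided.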
