Check MSA Guest User Invitation and Acceptance Flow
- Invite process: Ensure that the MSA users are invited properly as guests to your Entra tenant. When inviting users with MSA, make sure that their email addresses are added correctly, and that they have accepted the invitation before attempting to sign in.
- Email domain validation: Ensure that MSA identities are not blocked by your tenant's security settings or restrictions. Sometimes, organizations restrict certain email domains (like @outlook.com, @hotmail.com, etc.) from being used as guest identities.
- Ensure MSA Authentication is Supported
- External Azure AD and Microsoft Accounts: Since you mentioned that you've enabled "Microsoft Accounts" as an identity provider in your Entra directory, confirm that you’ve configured the Multi-tenant and Personal Microsoft Account (MSA) sign-ins correctly for your application.
- Go to your Azure AD App Registration and check under Authentication → Supported Account Types. Make sure that it's set to allow both Accounts in any organizational directory and Personal Microsoft accounts.
- Double-check the API permissions to ensure that the application has the correct permissions, including those required to read user profiles, access Microsoft Graph for guest users, and authenticate MSA users properly.
- Verify Authority URL
- The authority URL (https://{tenantName}.ciamlogin.com/{tenantID}/v2.0) appears to be part of the Entra ID CIAM system, which should be correct for the authentication process. Ensure that this URL is correctly configured within the application registration and in your application's authentication flow. For MSA, make sure it aligns with Microsoft Identity Platform and is correctly recognized by the CIAM service.
- You can test the URL directly in a browser with different user types to see if the response aligns with expectations.
- Even though the logs for MSA users don’t show up in your application, check the Azure AD Sign-in logs for more information.
- Go to Azure AD → Sign-ins and filter by Identity or Guest user and check for any error messages or failed attempts.
- If the MSA identity is not even appearing in the logs, that might indicate an issue with the tenant registration or the guest invitation acceptance.
- Ensure Proper API Permissions
- You mentioned enabling API permissions to read user profiles, but ensure that the API permissions are granted and consented both for Delegated and Application permissions.
- Review the permissions for Microsoft Graph API (e.g., User.Read, User.ReadBasic.All, Directory.Read.All, etc.), and ensure that they are not only granted but also admin consented if needed.
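As an added example (not part of the answer above, and not Microsoft's own tooling), the following Python helpers turn two of the checks above into something you can run offline against exported data: the "Supported account types" check is evaluated from an app registration exported as JSON in the shape Microsoft Graph returns for an application object (the signInAudience and requiredResourceAccess fields), and the sign-in log check is evaluated over sign-in records in the shape of the auditLogs/signIns resource (userType, userPrincipalName, status.errorCode). All sample data below is constructed; the error code and UPNs are illustrative values, not from a real tenant. Note the caveat in the comments: the app manifest only shows which permissions were requested, not whether consent was granted, so the consent check still has to be done in the portal or against the service principal's grants.

```python
"""Offline triage helpers for the MSA-guest sign-in checklist (added example, constructed data)."""
import json

# Well-known resource appId of Microsoft Graph, as it appears in requiredResourceAccess.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# signInAudience values that admit personal Microsoft accounts (MSA).
MSA_CAPABLE_AUDIENCES = {"AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}


def check_sign_in_audience(app: dict) -> list:
    """Return a list of findings (empty list means OK) for an exported app registration.

    Checks: (1) signInAudience allows personal Microsoft accounts;
            (2) at least one delegated Microsoft Graph scope is requested.
    Limitation: requiredResourceAccess only lists what was *requested*; admin/user
    consent lives on the service principal, so this cannot prove consent was granted.
    """
    findings = []
    audience = app.get("signInAudience")
    if audience not in MSA_CAPABLE_AUDIENCES:
        findings.append(
            f"signInAudience is {audience!r}; personal Microsoft accounts cannot sign in "
            "(expected AzureADandPersonalMicrosoftAccount)"
        )
    graph_entries = [
        r for r in app.get("requiredResourceAccess", [])
        if r.get("resourceAppId") == MS_GRAPH_APP_ID
    ]
    delegated = [
        a for r in graph_entries for a in r.get("resourceAccess", []) if a.get("type") == "Scope"
    ]
    if not delegated:
        findings.append("no delegated Microsoft Graph permission requested (User.Read expected)")
    return findings


def triage_guest_sign_ins(sign_ins: list) -> dict:
    """Summarise guest (invited) sign-in records by outcome.

    An accepted invitation produces a guest object whose UPN contains '#EXT#';
    if no guest records appear at all, the invitation/acceptance step is the
    first thing to re-check, as the answer above suggests.
    """
    summary = {"guest_total": 0, "guest_failed": [], "no_guest_records": False}
    for rec in sign_ins:
        if str(rec.get("userType", "")).lower() != "guest":
            continue  # members and service principals are out of scope here
        summary["guest_total"] += 1
        status = rec.get("status") or {}
        if status.get("errorCode", 0) != 0:
            summary["guest_failed"].append({
                "user": rec.get("userPrincipalName"),
                "errorCode": status["errorCode"],
                "reason": status.get("failureReason"),
            })
    summary["no_guest_records"] = summary["guest_total"] == 0
    return summary


# ---- constructed samples (not real tenant data) --------------------------------
SAMPLE_APP_OK = {
    "displayName": "example-ciam-app",
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000001", "type": "Scope"}]},
    ],
}
SAMPLE_APP_BAD = json.loads(json.dumps(SAMPLE_APP_OK))
SAMPLE_APP_BAD["signInAudience"] = "AzureADMyOrg"  # single-tenant: MSA users are rejected

SAMPLE_SIGN_INS = [
    {"userType": "Member", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0}},
    {"userType": "Guest", "userPrincipalName": "bob_outlook.com#EXT#@contoso.example",
     "status": {"errorCode": 0}},
    {"userType": "Guest", "userPrincipalName": "carol_hotmail.com#EXT#@contoso.example",
     "status": {"errorCode": 50020, "failureReason": "constructed sample failure reason"}},
]

if __name__ == "__main__":
    print("app OK findings :", check_sign_in_audience(SAMPLE_APP_OK))
    print("app BAD findings:", check_sign_in_audience(SAMPLE_APP_BAD))
    print("guest triage    :", triage_guest_sign_ins(SAMPLE_SIGN_INS))
```

To use it on real data, export the application object (for example from the Microsoft Graph Explorer or Graph PowerShell) to JSON and load it in place of SAMPLE_APP_OK, and page through auditLogs/signIns into the list passed to triage_guest_sign_ins; the failing records it returns give you the errorCode to look up, and an empty guest list points back at the invitation/acceptance step.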