Entra External Tenant MSA Guest user sign-in problems

Anton Lindén 20 Reputation points
2025-01-20T11:27:28.93+00:00

Hi,

we are creating a web application that uses Entra External Tenant as CIAM provider. All the end-users are first invited to the tenant as Guests and after accepting the invitation, they are granted access to the app via a security group. The sign-in works for all but MSA identity types (Identity=MicrosoftAccount). ExternalAzureAD works well with their own email+password, mail type identities work well with OTP codes, but for some reason when a Guest user with MSA type tries to sign-in, the sign-in page instantly says "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin." so it seems the application can't even find the user from the Entra ID directory.

When viewing the MSA guest type sign-in logs, there are no logs about sign-ins. From Identity Providers, Microsoft Accounts is enabled.

For app reg I have tried AzureADandPersonalMicrosoftAccount and AzureADMyOrg (should work as all identities are guests in the tenant) and our authority url is https://{tenantName}.ciamlogin.com/{tenantID}/v2.0

I have email and upn ID tokens enabled and the app has API permissions to read all users' profiles.


1 answer

  1. Zafer KAYA 90 Reputation points MVP
    2025-01-20T11:30:35.8366667+00:00

    Check MSA Guest User Invitation and Acceptance Flow

    • Invite process: Ensure that the MSA users are invited properly as guests to your Entra tenant. When inviting users with MSA, make sure that their email addresses are added correctly, and that they have accepted the invitation before attempting to sign in.
    • Email domain validation: Ensure that MSA identities are not blocked by your tenant's security settings or restrictions. Sometimes, organizations restrict certain email domains (like @outlook.com, @hotmail.com, etc.) from being used as guest identities.

    Ensure MSA Authentication is Supported

    • External Azure AD and Microsoft Accounts: Since you mentioned that you've enabled "Microsoft Accounts" as an identity provider in your Entra directory, confirm that you've configured the Multi-tenant and Personal Microsoft Account (MSA) sign-ins correctly for your application.
    • Go to your Azure AD App Registration and check under Authentication > Supported Account Types. Make sure that it's set to allow both Accounts in any organizational directory and Personal Microsoft accounts.
    • Double-check the API permissions to ensure that the application has the correct permissions, including those required to read user profiles, access Microsoft Graph for guest users, and authenticate MSA users properly.

    Verify Authority URL

    • Your authority URL (https://{tenantName}.ciamlogin.com/{tenantID}/v2.0) appears to be part of the Entra ID CIAM system, which should be correct for the authentication process. Ensure that this URL is correctly configured within the application registration and in your application's authentication flow. For MSA, make sure it aligns with Microsoft Identity Platform and is correctly recognized by the CIAM service.
    • You can test the URL directly in a browser with different user types to see if the response aligns with expectations.
    • Even though the logs for MSA users don't show up in your application, check the Azure AD Sign-in logs for more information.
    • Go to Azure AD > Sign-ins and filter by Identity or Guest user and check for any error messages or failed attempts.
      • If the MSA identity is not even appearing in the logs, that might indicate an issue with the tenant registration or the guest invitation acceptance.

    Ensure Proper API Permissions

    • You mentioned enabling API permissions to read user profiles, but ensure that the API permissions are granted and consented both for Delegated and Application permissions.
      • Review the permissions for Microsoft Graph API (e.g., User.Read, User.ReadBasic.All, Directory.Read.All, etc.), and ensure that they are not only granted but also admin consented if needed.
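As an added example (not code from the question or the answer above), the Python helper below walks a Microsoft Graph `/users` response and reports, per guest, which identity issuer is behind the account and whether the B2B invitation has been accepted, so the "invitation accepted?" and "which identity type?" checks from the answer can be done in one pass instead of user by user in the portal. The sample response is constructed; the issuer strings are assumed to be the same values the portal shows in the Identities column (ExternalAzureAD, MicrosoftAccount, mail), and fetching a real response needs a token holding User.Read.All.

```python
import json
from collections import Counter

# Graph request this helper expects its input from (token needs User.Read.All);
# 'identities' must be named in $select because Graph omits it by default:
#   GET https://graph.microsoft.com/v1.0/users
#       ?$filter=userType eq 'Guest'
#       &$select=id,mail,userType,externalUserState,identities

# Constructed sample response, not data from a real tenant.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "1", "mail": "alice@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted",
     "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD",
                     "issuerAssignedId": "alice@contoso.example"}]},
    {"id": "2", "mail": "bob@outlook.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance",
     "identities": [{"signInType": "federated", "issuer": "MicrosoftAccount",
                     "issuerAssignedId": "bob@outlook.example"}]},
    {"id": "3", "mail": "carol@hotmail.example", "userType": "Guest",
     "externalUserState": "Accepted",
     "identities": [{"signInType": "federated", "issuer": "MicrosoftAccount",
                     "issuerAssignedId": "carol@hotmail.example"}]},
    {"id": "4", "mail": "dave@gmail.example", "userType": "Guest",
     "externalUserState": "Accepted",
     "identities": [{"signInType": "federated", "issuer": "mail",
                     "issuerAssignedId": "dave@gmail.example"}]},
]})

def classify_guest(user: dict) -> dict:
    """Issuer(s) behind a guest's federated identity plus invitation state."""
    issuers = sorted({i.get("issuer", "") for i in user.get("identities", [])
                      if i.get("signInType") == "federated"})
    state = user.get("externalUserState") or "Unknown"
    return {"mail": user.get("mail"), "issuers": issuers, "state": state,
            # An MSA guest who has not accepted the invite cannot sign in yet.
            "blocked": "MicrosoftAccount" in issuers and state != "Accepted"}

def summarise(response_json: str) -> dict:
    """Count guests per issuer and list MSA guests still pending acceptance."""
    users = json.loads(response_json)["value"]
    rows = [classify_guest(u) for u in users if u.get("userType") == "Guest"]
    by_issuer = Counter(iss for r in rows for iss in r["issuers"])
    return {"by_issuer": dict(by_issuer),
            "pending_msa": [r["mail"] for r in rows if r["blocked"]]}

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_RESPONSE), indent=2))
```

A guest listed under `pending_msa` will be rejected at sign-in regardless of the app registration settings, so that list is worth clearing before touching the authority URL or supported account types.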
