Hi @Pål Andreas Morholmen
Thank you for reaching out to us!
Based on the information you provided, it looks like you have not added the identity provider in your invitation flow or a self-service sign-up user flow.
For more information, please read "Use Microsoft Entra work and school accounts for B2B collaboration".
Hope this helps. If this is not your query do let us know by responding in the comments section.
Getting error "You can't sign in here with a personal account. Use your work or school account instead."
I have an Entra External Tenant for the users of my application, but I'm getting this error when trying to log into my application:
You can't sign in here with a personal account. Use your work or school account instead.
The email I'm trying to log in with is my personal email. A user exists in my External Tenant with that email, but the email is also tied to my personal Microsoft account. Other emails which are not connected to a personal Microsoft account work perfectly when logging in, including an email which is not connected to any Microsoft account and an email which is connected to my work Microsoft account. It seems as if Entra External ID is prioritizing the personal account over the External Tenant account.
The terraform configuration of the app registration in my External Tenant looks like this:
```hcl
resource "azuread_application" "backend" {
  provider     = azuread.users
  display_name = "appreg-${local.module_name}-${var.env}"
  owners       = [data.azuread_client_config.users.object_id]

  api {
    requested_access_token_version = 2
  }

  sign_in_audience = "AzureADandPersonalMicrosoftAccount"

  web {
    redirect_uris = concat(
      [local.backend_redirect_uri],
      var.additional_redirect_uris
    )
  }

  required_resource_access {
    # Microsoft Graph
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }
  }
}
```
Most notably I have set
sign_in_audience = "AzureADandPersonalMicrosoftAccount"
I thought this would allow personal accounts to log in.
I have tried every AUTHORITY value that I could find, but nothing solves the issue.
```python
# AUTHORITY = "https://login.microsoftonline.com/common"
# AUTHORITY = "https://login.microsoftonline.com/consumers"
# AUTHORITY = f"https://login.microsoftonline.com/{env_vars.USERS_TENANT_ID}"
# AUTHORITY = f"https://{env_vars.USERS_TENANT_SUBDOMAIN}.ciamlogin.com"
# AUTHORITY = f"https://{env_vars.USERS_TENANT_SUBDOMAIN}.ciamlogin.com/{env_vars.USERS_TENANT_ID}"
AUTHORITY = f"https://{env_vars.USERS_TENANT_SUBDOMAIN}.ciamlogin.com/{env_vars.USERS_TENANT_SUBDOMAIN}.onmicrosoft.com"
```
The rest of my authentication code looks like this:
```python
# Imports inferred from the snippet (MSAL plus a FastAPI router and RedirectResponse);
# env_vars, client_credential and AUTHORITY are defined elsewhere in the poster's app.
import msal
from fastapi import APIRouter
from fastapi.responses import RedirectResponse

router = APIRouter()


def _build_msal_app(
    token_cache: msal.token_cache.TokenCache | None = None, authority: str | None = None
):
    """
    Build the MSAL application.
    Args:
        token_cache (msal.token_cache.TokenCache): The token cache.
        authority (str): The authority.
    Returns:
        msal.ConfidentialClientApplication: The MSAL application.
    """
    return msal.ConfidentialClientApplication(
        client_id=env_vars.CLIENT_ID,
        authority=authority,
        client_credential=client_credential,
        token_cache=token_cache,
    )


scopes = ["User.Read"]


@router.get("/login")
def login():
    msal_app = _build_msal_app(authority=AUTHORITY)
    auth_url = msal_app.get_authorization_request_url(
        scopes=scopes,
        redirect_uri=env_vars.REDIRECT_URI,
        prompt="select_account",
    )
    return RedirectResponse(auth_url)
```
API permissions for Microsoft Graph delegated permissions offline_access, openid, profile and User.Read have also been granted.
Is this a bug in Microsoft Entra External ID or am I doing something wrong?
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
2025-03-10T19:34:50.9+00:00
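An added example, not code from either post above. The question tries several authorities, including `/common`, on an app registration whose sign-in audience is `AzureADandPersonalMicrosoftAccount`; with those settings the backend cannot assume which issuer an ID token came from, so after verifying the signature it should pin `iss`, `tid` and `aud` to its own External tenant and reject tokens from the personal-account (consumers) tenant. The code below does that claim check with only the standard library. The tenant ID, client ID and the two tokens are constructed for the example; the consumers tenant ID and the `https://{tid}.ciamlogin.com/{tid}/v2.0` issuer form are the documented values. Signature verification against the tenant's JWKS is deliberately left to a JWT library and must run before this check.

```python
from __future__ import annotations

import base64
import json
import time

# Well-known tenant ID that personal (consumer) Microsoft accounts are issued from.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Hypothetical stand-ins for the poster's env_vars.USERS_TENANT_ID and CLIENT_ID.
DEMO_TENANT_ID = "11111111-2222-3333-4444-555555555555"
DEMO_CLIENT_ID = "00000000-aaaa-bbbb-cccc-dddddddddddd"


def expected_issuer(tenant_id: str, ciam: bool = True) -> str:
    """v2.0 issuer the backend should pin for its tenant.

    External ID (CIAM) tenants issue from https://{tid}.ciamlogin.com/{tid}/v2.0;
    workforce tenants and the consumers tenant issue from login.microsoftonline.com.
    """
    if ciam:
        return f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0"
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT. This does NOT verify the signature:
    in production verify RS256 against the tenant's JWKS first (for example with
    PyJWT's PyJWKClient) and only then run check_claims on the verified payload."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, client_id: str, tenant_id: str,
                 now: int | None = None) -> tuple[bool, str]:
    """Pin a verified token to this app and this External tenant.

    The tid check runs before the iss check so a personal-account token is
    reported as such rather than as a generic issuer mismatch.
    """
    now = int(time.time()) if now is None else now
    if claims.get("aud") != client_id:
        return False, "aud does not match this app's client ID"
    tid = claims.get("tid")
    if tid == MSA_TENANT_ID:
        return False, "token was issued by the personal-account (consumers) tenant"
    if tid != tenant_id:
        return False, "tid does not match the External tenant"
    if claims.get("iss") != expected_issuer(tenant_id):
        return False, "iss does not match the ciamlogin.com issuer for this tenant"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    return True, "ok"


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed for this example only: a JWT with a placeholder signature.
    Real Entra ID tokens are RS256-signed; never accept an unverified token."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def demo(now: int = 1_700_000_000) -> dict[str, tuple[bool, str]]:
    """Run the check over two constructed tokens: one from the External tenant
    and one from the consumers tenant, which is what a personal account yields."""
    external = make_unsigned_demo_token({
        "aud": DEMO_CLIENT_ID, "tid": DEMO_TENANT_ID,
        "iss": expected_issuer(DEMO_TENANT_ID), "exp": now + 3600,
    })
    personal = make_unsigned_demo_token({
        "aud": DEMO_CLIENT_ID, "tid": MSA_TENANT_ID,
        "iss": expected_issuer(MSA_TENANT_ID, ciam=False), "exp": now + 3600,
    })
    return {
        "external_tenant": check_claims(decode_claims(external), DEMO_CLIENT_ID, DEMO_TENANT_ID, now),
        "personal_account": check_claims(decode_claims(personal), DEMO_CLIENT_ID, DEMO_TENANT_ID, now),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```

The `tid` pin is what makes the `/common` authority safe to keep enabled: the app registration's audience setting controls who can obtain a token, but only the backend's claim check decides whose tokens it honours.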