Entra External Id does not create user session when logging from login.microsoftonline.com link

Question

Entra External Id does not create user session when logging from login.microsoftonline.com link

Qazi Abdur Rehman 20

On the Entra External tenant where there are multiple types of users: external, invited and internal.

User logs in with ciamlogin.com endpoint to access a resource (a custom scope of a Multi-tenant application), I get the following error:

AADSTS500207: The account type can't be used for the resource you're trying to access.

However, assigning a role to the external user and using the login.microsoftonline.com endpoint works, but then session-related issues arise as below.

When the user is logged in having user type external or internal, with the endpoint https://<tenant>.ciamlogin.com/<tenantId>, the user gets successfully logged in and session is created in the browser. if the user challenge the login endpoint again, as the user is already signed in (below screenshot), user does not have to provide the credentials again. But I get a AADSTS500207 error when requesting scope of a multi-tenant app.

User's image

When the user logged in having user type external or internal, with the endpoint https://login.microsoftonline.com/<tenantId>, the user gets successfully logged in and I got access token for the requested scope. But the session is not maintained in the browser. If the user challenge back the same login endpoint, it asks the user to enter credentials again (below screenshot). Which is not the expected behaviour.

User's image

What I have assured:

There is no third party cookies blocked in browser
Tried on different browsers but same
No conditional access policy related to session management
Not passing prompt=login/none in the request
Workforce tenants are working fine
Tried on Chrome, Edge and FireFox

Can anybody help please?

Marten Theunissen 681 Reputation points

2025-03-24T10:40:08.8833333+00:00

Use Tenant-Specific Login URL:

Instead of using login.microsoftonline.com, try using the tenant-specific login URL:

https://<tenant>.ciamlogin.com/<tenantId>

This URL is designed to maintain user sessions more effectively.
Qazi Abdur Rehman 20 Reputation points

2025-03-24T11:07:07.0633333+00:00

When I use the ciamlogin.com endpoint to access a resource (a custom scope of an application), I get the following error:

AADSTS500207: The account type can't be used for the resource you're trying to access.

However, assigning a role to the external user and using the login.microsoftonline.com endpoint works, but then session-related issues arise (as explained above).
Marten Theunissen 681 Reputation points

2025-03-24T11:14:36.28+00:00

Ensure that the account type (e.g., work or school account, personal Microsoft account) matches the expected account type for the resource. For example, if the resource requires a work or school account, a personal Microsoft account cannot be used

" was wrestling with this for quite some time, and found that if my API application was configured as single-tenant everything worked as expected. Still testing, but I believe that this should accomplish my goals as the client Entra application through which users can generate a token is still set up as multi-tenant and therefore should allow access to guest users."
Qazi Abdur Rehman 20 Reputation points

2025-03-24T11:24:10.8966667+00:00

Yes, single tenant apps are working fine. Issue I am getting is when trying to access a multi-tenant app's scope from the ciamlogin endpoint . Unfortunately multi-tenant is the requirement.
Marten Theunissen 681 Reputation points

2025-03-24T11:30:29.8966667+00:00

Hey Qazi,

What steps did you follow when setting up? See the below and confirm if you did similar.

Might request some log post check

Steps to Configure Multi-Tenant App Settings

Register Your Application:

Go to the Azure portal and navigate to "App registrations."

Select "New registration" and fill in the necessary details.

Under "Supported account types," choose "Accounts in any organizational directory (Any Azure AD directory - Multitenant)"1.

Configure API Permissions:

In the app registration, go to "API permissions."

Add the necessary permissions for your application, such as User.Read, Group.Read.All, etc.

Ensure that the permissions are granted admin consent1.

Set Up Authentication:

Go to "Authentication" in the app registration.

Add a platform (e.g., Web, Mobile) and configure the redirect URIs.

Enable implicit grant and hybrid flows if needed1.

Define Custom Scopes:

In the app registration, go to "Expose an API."

Add custom scopes that your application will use. Ensure that these scopes are properly defined and accessible to the account types you're using1.

Configure Tenant-Specific Settings:

Use Azure App Configuration to store tenant-specific settings. You can use key prefixes or labels to distinguish settings for different tenants2.

Ensure that your application logic can retrieve and apply these settings based on the tenant context2.

Implement Cross-Tenant Access:

Set up cross-tenant synchronization and access settings in Microsoft Entra ID.

Configure organizational relationships and cross-tenant access policies to allow users from different tenants to access resources2.

Example Configuration Using PowerShell

Here’s an example of how to configure a multi-tenant organization using PowerShell:

Sign in to the owner tenant

Connect-AzAccount -TenantId <owner-tenant-id>

Create a multi-tenant organization

New-AzMultiTenantOrganization -Name "MyMultiTenantOrg" -Description "Description of my multi-tenant org"

Add tenants to the multi-tenant organization

Add-AzMultiTenantOrganizationTenant -OrganizationName "MyMultiTenantOrg" -TenantId <tenant-id>
Qazi Abdur Rehman 20 Reputation points

2025-03-24T12:58:08.73+00:00

Yes, we follow the same procedure for multitenant app registration, including the addition of custom scopes as described. We are not using Azure App Configuration at this time. Our current objective is to authenticate single-tenant users, this multitenant application is also registered on the same tenant. Cross-tenant access settings cannot be configured in our case because we are using an external tenant, and these settings are only supported in Workforce tenants.

Answer accepted by question author

0 additional answers

Your answer

Marten Theunissen 681 Reputation points

2025-03-24T10:40:08.8833333+00:00

Use Tenant-Specific Login URL:

Instead of using login.microsoftonline.com, try using the tenant-specific login URL:

https://<tenant>.ciamlogin.com/<tenantId>

This URL is designed to maintain user sessions more effectively.
Qazi Abdur Rehman 20 Reputation points

2025-03-24T11:07:07.0633333+00:00

When I use the ciamlogin.com endpoint to access a resource (a custom scope of an application), I get the following error:

AADSTS500207: The account type can't be used for the resource you're trying to access.

However, assigning a role to the external user and using the login.microsoftonline.com endpoint works, but then session-related issues arise (as explained above).
Marten Theunissen 681 Reputation points

2025-03-24T11:14:36.28+00:00

Ensure that the account type (e.g., work or school account, personal Microsoft account) matches the expected account type for the resource. For example, if the resource requires a work or school account, a personal Microsoft account cannot be used

" was wrestling with this for quite some time, and found that if my API application was configured as single-tenant everything worked as expected. Still testing, but I believe that this should accomplish my goals as the client Entra application through which users can generate a token is still set up as multi-tenant and therefore should allow access to guest users."
Qazi Abdur Rehman 20 Reputation points

2025-03-24T11:24:10.8966667+00:00

Yes, single tenant apps are working fine. Issue I am getting is when trying to access a multi-tenant app's scope from the ciamlogin endpoint . Unfortunately multi-tenant is the requirement.
Qazi Abdur Rehman 20 Reputation points

2025-03-24T12:58:08.73+00:00

Yes, we follow the same procedure for multitenant app registration, including the addition of custom scopes as described. We are not using Azure App Configuration at this time. Our current objective is to authenticate single-tenant users, this multitenant application is also registered on the same tenant. Cross-tenant access settings cannot be configured in our case because we are using an external tenant, and these settings are only supported in Workforce tenants.

Answer 1

Anonymous

Hi @Qazi Abdur Rehman,

Based on your query, I understand that you have an issue when you configured the application as multi-tenant application.

Microsoft Entra External tenant supports only single tenant application configuration. Currently Entra External does not support multi-tenant applications for authentication. This is by design and currently we do not have any ETA to update on you the same.

I would like to request you to share your idea on the same in our feedback forum link and upvote to let our product team know there is a requirement of the product.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

Anonymous

2025-03-31T16:46:01.9133333+00:00

Hi @Qazi Abdur Rehman,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Anonymous

2025-04-01T17:00:30.0433333+00:00

Hi @Qazi Abdur Rehman,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Qazi Abdur Rehman 20 Reputation points

2025-04-07T07:11:44.5633333+00:00

Hi @Anonymous Thanks for the clarification. Is the session issue I mentioned in the question also expected?
Anonymous

2025-04-07T18:04:31.9466667+00:00

Hi @Qazi Abdur Rehman,

Thanks for your response,

Whenever the login goes to login.microsoftonline.com for external tenants, you will see such session errors. These are the expected scenario for Entra external tenants. Kindly make sure you use CIAM tenant URL's only for authentication and authorization.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Baptiste Viala 0 Reputation points

2026-02-16T08:45:19.4633333+00:00

Ok but why does the UI allows you to set the application registration to multitenant if this is not supported?

Share via

Entra External Id does not create user session when logging from login.microsoftonline.com link

Sign in to the owner tenant

Create a multi-tenant organization

Add tenants to the multi-tenant organization

0 additional answers

Your answer