This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 25%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi all,
I have an app setup and running in a workforce tenant. Using Entra External Id, I need to create an external tenant so that customers can sign-up to using their Entra accounts or personal Microsoft accounts (as well as other SSO providers in the future). However, neither of these are supported as in-built identity providers for the sign-up process.
The app registration for the external tenant is currently in single-tenant mode as, in multi-tenant mode, I get the following error trying to login: “AADSTS500207: The account type can't be used for the resource you're trying to access.”
My main questions are:
Any advice is greatly appreciated. Please, let me know if any further details are required.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @Ash,
Please note that in External tenants, supported account types for creating Application Registration is only Single tenant.
Please refer to the below Screenshot for your reference.
Please note that currently using Microsoft accounts and Microsoft Entra accounts as an Identity Provider is supported only for Invited Guests and not supported for self-service sign-up users(consumers and business customers) in External tenant and in Workforce tenant, using Microsoft accounts and Microsoft Entra accounts as an Identity Provider is supported for both self-service sign-up users(consumers and business customers) as well as for Invited Guests.
Please refer to the below Screenshot for your reference.
So the best approach will be to use custom OIDC federation as an External Identity Provider for self-service sign-up users.
Please refer to the below documents which will be helpful.
Add OIDC for customer sign-in - Microsoft Entra External ID | Microsoft Learn
Add MSA for customer sign-in - Microsoft Entra External ID | Microsoft Learn
I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Hi @Sanoop M ,
Thank you for your reply.
The core requirement is to provide a separate tenant to our own that customers can sign up to using their own entra accounts, personal microsoft accounts, and then other custom IdP providers. A user should be created within this tenant and custom attributes mapped.
I have setup MSA as a custom provider but in single-tenant mode for my external tenant, I get this error "unauthorized_client: The client does not exist or is not enabled for consumers" trying to sign up/sign in. If I am in multitenant mode however, I can sign up to my app but I then get the AADSTS500207 when requesting a token.
I am confused that external tenants can only be run in single-tenant mode yet the "Add MSA for customer sign-in" tutorial, which is for external tenants, requires it to be set to "Personal Microsoft accounts only".
Hello @Ash,
I have sent you the Private message asking for few details. Please review the Private Message and provide the requested details, so that we can connect offline to further discuss on this issue.
Hello @Ash,
Since we didn't receive your response on my previous Private Message, I am following up to check whether if you had a chance to review my last Private Message and please respond there so that we can connect offline to further discuss on this issue.