Unable to Sign in with Personal Microsoft Accounts (MSAs) in Verified Multitenant App — Despite Proper Configuration

Pablo Robles 40 Reputation points
2025-04-23T06:35:54.1466667+00:00

Hello Microsoft Community,

We are experiencing an issue where users cannot sign in with personal Microsoft accounts (MSAs) using our verified, multitenant Microsoft Entra ID app registration, even though the app is explicitly configured to support MSAs.

App Configuration:

  • App is publisher verified and shows the verified checkmark.

  • App is registered with signInAudience "AzureADandPersonalMicrosoftAccount"; Supported account types is set to:

    "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts"

  • We use the OAuth 2.0 authorize endpoint:
      https://login.microsoftonline.com/common/oauth2/v2.0/authorize

    No domain_hint or login_hint is passed in the URL. We also tried forcing `prompt=login` and `prompt=select_account`.
    

Observed Behavior:

When typing in a personal account (e.g. @outlook.com), we receive:

"You can't sign in here with a personal account. Use your work or school account instead."

When typing in a non-Microsoft account (e.g. not @outlook.com or @hotmail.com), we receive:

"This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin."

If a personal account appears on the Microsoft account picker as “Signed in,” it can be selected and used successfully. This indicates that MSA login is not completely blocked, but only fails when attempting a fresh login.

We attempted all of the above in private/incognito browser sessions with no cookies or prior login sessions, but the issue persists.

When we switch to the https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize endpoint, MSAs can sign in without issue.


Request:

Could you please investigate why our verified multitenant app, configured for personal Microsoft accounts, is not allowing fresh logins with MSAs via the common endpoint?

We suspect that this may be related to:

  • Entra ID tenant-level policies (e.g. External ID restrictions) that might be overriding the app's configuration, or

  • Silent enforcement of login restrictions when the app is accessed within a tenant context.

We would like guidance on:

  • Whether our tenant or External ID/B2B configuration is preventing MSA login.

  • Whether there are settings or policies we can change to enable MSA sign-in support for our app via the common endpoint.

We are happy to provide app IDs, sign-in logs, or sample auth URLs if needed.


Thank you in advance for your support.

Pablo R

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Raja Pothuraju 23,800 Reputation points Microsoft External Staff Moderator
    2025-04-24T21:31:03.83+00:00

    Hello @Pablo Robles,

    Thank you for connecting offline.

    I performed a repro and observed the same behavior. Based on test analysis, I understand that for CIAM (Microsoft Entra External ID) tenants, we should not use the "Accounts in any organizational directory and personal Microsoft accounts (e.g., Skype, Xbox)" option when registering applications.

    As documented here: https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers#application-registration


    This is because External ID tenants authenticate through the CIAM gateway (https://{domain}.ciamlogin.com/...) rather than the standard login.microsoftonline.com endpoint. External ID tenants are purpose-built to support consumer and business customers accessing applications, particularly those federated with External Identity Providers like Facebook, Microsoft Accounts (MSA), and Gmail.

    To support these scenarios, applications should:

    • Be registered as single-tenant apps in the External ID tenant.
    • Be used exclusively within CIAM-based sign-in flows.

    Therefore, the intent to support sign-in for "all Microsoft account types" (multi-tenant and MSA) is not compatible with Entra External ID tenants.

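The following is an added example for this thread, not code from the original question, the answer, or Microsoft. It builds the v2.0 authorize URL the question describes (auth code flow with PKCE, optional `prompt`/`login_hint`/`domain_hint`) for the `/common`, `/organizations`, `/consumers` and tenant-specific authorities, and encodes which account types each (authority, signInAudience) pair can sign in fresh, plus the answer's rule that an app registered in an External ID (CIAM) tenant must be single-tenant. The `client_id`, `redirect_uri` and tenant names are made-up placeholders, and the CIAM authority path shape is assumed from the answer's `https://{domain}.ciamlogin.com/...` pattern. B2B guests of a tenant are not modelled.

```python
"""Authorize-URL builder and authority/signInAudience compatibility check for the
Microsoft identity platform v2.0 endpoint (auth code flow with PKCE).

Added example for this thread; not code from the question, the answer, or Microsoft.
client_id, redirect_uri and tenant names are placeholders.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse

WORKFORCE_HOST = "login.microsoftonline.com"

# Account types each signInAudience value (app manifest) admits.
AUDIENCE_ALLOWS = {
    "AzureADMyOrg": {"work_home"},
    "AzureADMultipleOrgs": {"work_home", "work_other"},
    "AzureADandPersonalMicrosoftAccount": {"work_home", "work_other", "msa"},
    "PersonalMicrosoftAccount": {"msa"},
}

# Account types each workforce authority path will attempt to authenticate. Any
# other path is treated as a tenant ID or verified domain, which authenticates
# only that tenant's own users (B2B guests are not modelled here).
AUTHORITY_PATH_ALLOWS = {
    "common": {"work_home", "work_other", "msa"},
    "organizations": {"work_home", "work_other"},
    "consumers": {"msa"},
}


def fresh_sign_in_possible(authority_path: str, sign_in_audience: str, account_type: str) -> bool:
    """True if a fresh sign-in (no existing session) of `account_type` can succeed
    for an app with `sign_in_audience` when the request goes to `authority_path`."""
    if sign_in_audience not in AUDIENCE_ALLOWS:
        raise ValueError(f"unknown signInAudience: {sign_in_audience}")
    # Single-tenant apps must use their tenant-specific authority; /common and
    # /organizations reject them before the user is asked to sign in.
    if sign_in_audience == "AzureADMyOrg" and authority_path in ("common", "organizations"):
        return False
    path_allows = AUTHORITY_PATH_ALLOWS.get(authority_path, {"work_home"})
    return account_type in (path_allows & AUDIENCE_ALLOWS[sign_in_audience])


def ciam_registration_ok(sign_in_audience: str) -> bool:
    """Per the answer above: an app registered in an External ID (CIAM) tenant must be
    single-tenant; MSA/Google/Facebook users arrive via the tenant's federation,
    not via the app's own signInAudience."""
    return sign_in_audience == "AzureADMyOrg"


def workforce_authority(path: str) -> str:
    return f"https://{WORKFORCE_HOST}/{path}"


def ciam_authority(subdomain: str) -> str:
    # Assumed shape following the answer's https://{domain}.ciamlogin.com/... pattern;
    # the trailing segment is the tenant's default domain (placeholder).
    return f"https://{subdomain}.ciamlogin.com/{subdomain}.onmicrosoft.com"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, inside RFC 7636's 43..128
    return verifier, pkce_challenge(verifier)


def authorize_url(authority: str, client_id: str, redirect_uri: str, scopes: list,
                  *, state: str, code_challenge: str, prompt: Optional[str] = None,
                  login_hint: Optional[str] = None, domain_hint: Optional[str] = None) -> str:
    """Build the v2.0 authorize URL. `state` must be unguessable and bound to the
    session; hint parameters are omitted unless set (the question passes none)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    for key, value in (("prompt", prompt), ("login_hint", login_hint), ("domain_hint", domain_hint)):
        if value:
            params[key] = value
    return f"{authority.rstrip('/')}/oauth2/v2.0/authorize?{urlencode(params)}"


def authority_path_of(url: str) -> str:
    """Authority segment ('common', 'consumers', a tenant ID, ...) of an authorize URL."""
    return urlparse(url).path.split("/")[1]


if __name__ == "__main__":
    client_id = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app
    redirect_uri = "https://localhost:5001/signin-oidc"  # placeholder
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(32)
    for path in ("common", "consumers", "organizations"):
        url = authorize_url(workforce_authority(path), client_id, redirect_uri,
                            ["openid", "profile", "User.Read"], state=state,
                            code_challenge=challenge, prompt="select_account")
        msa_ok = fresh_sign_in_possible(path, "AzureADandPersonalMicrosoftAccount", "msa")
        print(f"{path:13s} fresh MSA sign-in expected: {msa_ok}\n  {url}")
```

Run as a script it prints, for the question's audience value, that a fresh MSA sign-in is expected to work via `/common` and `/consumers` but not `/organizations`, so a rejection on `/common` with that audience has to come from somewhere other than the app's supported-account-types setting, which is what the answer then pins on the tenant type. `ciam_registration_ok` is the answer's rule in code: an app living in an External ID tenant should carry `AzureADMyOrg`, and external identity providers are configured on the tenant rather than on the app.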
