Unable to Sign in with Personal Microsoft Accounts (MSAs) in Verified Multitenant App — Despite Proper Configuration

Question

Hello Microsoft Community,

We are experiencing an issue where users cannot sign in with personal Microsoft accounts (MSAs) using our verified, multitenant Microsoft Entra ID app registration, even though the app is explicitly configured to support MSAs.

App Configuration:

App is publisher verified and shows the verified checkmark.

• App is registered with the following signInAudience: "signInAudience": "AzureADandPersonalMicrosoftAccount" Supported account types is set to:

  "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts"

• We use the OAuth 2.0 authorize endpoint:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize
  

  No domain_hint or login_hint are passed in the URL. We also tried forcing: prompt=login

    `prompt=select_account`
  

---

Observed Behavior:

When typing in a personal account (e.g. @outlook.com), we receive:

"You can't sign in here with a personal account. Use your work or school account instead."

When typing in a non-Microsoft account (e.g. not @outlook.com or @hotmail.com), we receive:

"This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin."

If a personal account appears on the Microsoft account picker as “Signed in,” it can be selected and used successfully. This indicates that MSA login is not completely blocked, but only fails when attempting a fresh login.

We attempted all of the above in private/incognito browser sessions with no cookies or prior login sessions, but the issue persists.

When we switch to the https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize endpoint, MSAs can sign in without issue.

---

Request:

Could you please investigate why our verified multitenant app, configured for personal Microsoft accounts, is not allowing fresh logins with MSAs via the common endpoint?

We suspect that this may be related to:

Entra ID tenant-level policies (e.g. External ID restrictions) that might be overriding the app's configuration, or

Silent enforcement of login restrictions when the app is accessed within a tenant context.

We would like guidance on:

Whether our tenant or External ID/B2B configuration is preventing MSA login.

Whether there are settings or policies we can change to enable MSA sign-in support for our app via the common endpoint.

We are happy to provide app IDs, sign-in logs, or sample auth URLs if needed.

---

Thank you in advance for your support.

Pablo R

Answer 1

Hello @Pablo Robles,

Thank you for connecting offline.

I performed a repro and observed the same behavior. Based on test analysis, I understand that for CIAM (Microsoft Entra External ID) tenants, we should not use the "Accounts in any organizational directory and personal Microsoft accounts (e.g., Skype, Xbox)" option when registering applications.

As documented here: https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers#application-registration

 

This is because External ID tenants authenticate through the CIAM gateway (https://{domain}.ciamlogin.com/...) rather than the standard login.microsoftonline.com endpoint. External ID tenants are purpose-built to support consumer and business customers accessing applications, particularly those federated with External Identity Providers like Facebook, Microsoft Accounts (MSA), and Gmail.

To support these scenarios, applications should:

• Be registered as single-tenant apps in the External ID tenant.
• Be used exclusively within CIAM-based sign-in flows.

Therefore, the intent to support sign-in for "all Microsoft account types" (multi-tenant and MSA) is not compatible with Entra External ID tenants.