Issue with App Service authentication using Microsoft accounts

fhtino 156 Reputation points
2021-05-03T05:34:23.693+00:00

I am experimenting with the new "Easy Auth" in App Service https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

Perhaps I didn't understand exactly how it works or I missed some details.
My target is to authenticate using Microsoft personal/consumer accounts. If I remember correctly, this was possible with the old "Easy Auth" (Authentication - classic).

I followed the setup step going through "Microsoft" options. Screenshots below.
Everything works as expected as long as I use users from my tenant AAD. They can be native AAD users or Microsoft accounts added to my tenant AAD.

But when I try to authenticate with users from other tenants or other personal/consumer Microsoft accounts I get errors like the following:

Using a work account:

Selected user account does not exist in tenant 'xxxxxxxxx' and cannot access the application 'xxxxxxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

Using live.com account:

AADSTS50020: User account 'xxxxxxx' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxx'(xxxxxxx) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

[Screenshots of the Authentication setup, not reproduced here: 93148-asa1.png, 93149-asa3.png, 93150-asa4.png, 93198-asa5.png]


Accepted answer
    JamesTran-MSFT 36,656 Reputation points Microsoft Employee
    2021-05-17T17:08:03.41+00:00

    @fhtino
    Thank you for the detailed post and I apologize for the delayed response!

    Based off the information from your thread:
    - You can sign in with users from your AzureAD tenant.
    - Authentication doesn't work for other personal/consumer accounts (outside of your AzureAD tenant).

    Error Message:
    AADSTS50020: User account 'xxxxxxx' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxx'(xxxxxxx) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    Findings:
    Following this article - Tutorial: Add authentication to your web app running on Azure App Service, I was able to reproduce your issue. However, after adding my external account to my AzureAD tenant, I was able to successfully sign-in to my web app.
    [Animation, not reproduced here: 97238-easyauthadandnonaduser.gif]

    Next Steps:

    1. From your error message, you'll need to manually add the user you're trying to sign-in with to your Azure Active Directory.
    2. You can also add a new Issuer URL (Copy and Save the old one as needed).

    Navigate to your Web App -> Authentication -> Edit your Identity Provider -> Issuer URL.

    URL: https://login.microsoftonline.com/common/v2.0
    [Animation, not reproduced here: 97210-addcommonissueurl.gif]

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
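Changing the issuer URL to the `common` endpoint, as the accepted answer suggests, makes the App Service sign-in accept tokens from any Microsoft Entra tenant and from personal Microsoft accounts. The platform then only proves *who* the user is; deciding *which* tenants or consumer accounts may use the app becomes the app's job. The following Python example is added here and is not code from the question, the answer, or Microsoft's own libraries. It reads the `X-MS-CLIENT-PRINCIPAL` header that App Service authentication injects into authenticated requests (a base64-encoded JSON document with a `claims` array of `{"typ": ..., "val": ...}` objects) and enforces an allow list on the `tid` claim. The sample header values, the tenant GUIDs and the `make_header` helper are constructed for the example; the consumer-account tenant id `9188040d-6c67-4c5b-b112-36a304b66dad` is the value Microsoft Entra places in the `tid` claim of v2.0 tokens for personal accounts.

```python
import base64
import json
import re
from typing import Dict, Set, Tuple

# `tid` that v2.0 tokens carry for personal (consumer) Microsoft accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# With the `common` issuer configured, each token's `iss` still names the
# user's home tenant; we require it to agree with the `tid` claim.
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


def decode_client_principal(header_value: str) -> dict:
    """Decode the base64 JSON document from the X-MS-CLIENT-PRINCIPAL header.

    Only trust this header when the request reached the app through App Service
    with authentication enabled, which strips client-supplied copies of it.
    """
    padded = header_value + "=" * (-len(header_value) % 4)
    return json.loads(base64.b64decode(padded))


def claims_as_dict(principal: dict) -> Dict[str, str]:
    """Flatten the claims array into {type: value}; last duplicate wins."""
    return {c["typ"]: c["val"] for c in principal.get("claims", [])}


def authorize(header_value: str, allowed_tenants: Set[str],
              allow_consumer: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for the signed-in user described by the header."""
    try:
        claims = claims_as_dict(decode_client_principal(header_value))
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed principal header"

    iss = claims.get("iss", "")
    tid = claims.get("tid", "")
    match = ISSUER_RE.match(iss)
    if not match or match.group(1) != tid:
        return False, "issuer does not match tid claim"

    if tid == MSA_TENANT_ID:
        if allow_consumer:
            return True, "consumer account"
        return False, "consumer accounts not allowed"

    if tid in allowed_tenants:
        return True, f"tenant {tid} allowed"
    return False, f"tenant {tid} not allowed"


def make_header(tid: str, username: str) -> str:
    """Build a constructed X-MS-CLIENT-PRINCIPAL value for testing (not real platform output)."""
    doc = {
        "auth_typ": "aad",
        "name_typ": "preferred_username",
        "role_typ": "roles",
        "claims": [
            {"typ": "iss", "val": f"https://login.microsoftonline.com/{tid}/v2.0"},
            {"typ": "tid", "val": tid},
            {"typ": "preferred_username", "val": username},
        ],
    }
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed
    for tid, user in [(HOME_TENANT, "alice@contoso.example"),
                      ("22222222-2222-2222-2222-222222222222", "bob@fabrikam.example"),
                      (MSA_TENANT_ID, "carol@outlook.example")]:
        print(user, authorize(make_header(tid, user), {HOME_TENANT}, allow_consumer=True))
```

The check deliberately does more than compare `tid` against a set: it also requires the token's `iss` to name the same tenant, so a principal whose claims are internally inconsistent is rejected rather than silently mapped to a tenant in the allow list.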

0 additional answers
