Share via

AADSTS16000 – Account from live.com cannot access Microsoft Services tenant application

Ken Micheni 0 Reputation points
2026-03-19T19:07:44.1133333+00:00

Hello,

I am the tenant admin for the Microsoft Services Azure AD tenant. When I attempt to sign in to the Azure Portal or assigned applications, I receive the following error:

Code

interaction_required: AADSTS16000: User account '{EUII Hidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' (Azure Portal) in that tenant. 
The account needs to be added as an external user in the tenant first. 
Sign out and sign in again with a different Azure Active Directory user account. 
Trace ID: ca8c00c4-ea66-45ed-851e-7329b2d91300 
Correlation ID: 719883ec-23e8-4919-9ec7-15088ef6530f 
Timestamp: 2026-03-19 18:09:43Z

Steps I’ve already tried:

  • Added my account as internal (Member) in the tenant.

Verified Global Administrator role assignment.

Attempted to clear cached sessions and re-login.

Still blocked with “You do not have access to view services” in the portal.

Questions:

How can I correctly configure access when the tenant admin account is a live.com identity?

Is it required to create a native Azure AD organizational account instead of using a personal MSA?

If guest access is the only option for live.com, how can I elevate permissions so I can manage subscriptions and services?

Any guidance on resolving this mismatch between tenant ownership and account type would be appreciated.Title:

AADSTS16000 – Account from live.com cannot access Microsoft Services tenant application

Body: Hello,

I am the tenant admin for the Microsoft Services Azure AD tenant. When I attempt to sign in to the Azure Portal or assigned applications, I receive the following error:

Code

interaction_required: AADSTS16000: User account '{EUII Hidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' (Azure Portal) in that tenant. 
The account needs to be added as an external user in the tenant first. 
Sign out and sign in again with a different Azure Active Directory user account. 
Trace ID: ca8c00c4-ea66-45ed-851e-7329b2d91300 
Correlation ID: 719883ec-23e8-4919-9ec7-15088ef6530f 
Timestamp: 2026-03-19 18:09:43Z

Steps I’ve already tried:

Added my account as internal (Member) in the tenant.

Verified Global Administrator role assignment.

Attempted to clear cached sessions and re-login.

Still blocked with “You do not have access to view services” in the portal.

Questions:

How can I correctly configure access when the tenant admin account is a live.com identity?

Is it required to create a native Azure AD organizational account instead of using a personal MSA?

If guest access is the only option for live.com, how can I elevate permissions so I can manage subscriptions and services?

Any guidance on resolving this mismatch between tenant ownership and account type would be appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-19T19:08:09.6033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The live.com account is a personal Microsoft account (MSA), not an organizational Microsoft Entra ID account. The error indicates that this MSA does not exist as a user in the Microsoft Services tenant, so it cannot access the Azure Portal application for that tenant.

    From the provided context, MSAs can be used as external identities via OpenID Connect in an external tenant, but they are not native organizational accounts. For tenant administration and Azure Portal access, an organizational account in the tenant is required.

    Based on the context:

    1. A Microsoft account (live.com) can be configured as an external identity provider for customer/external tenants using OpenID Connect. This allows users to sign in to applications with their MSA, but this is explicitly for external customer scenarios and not for B2B guest users or core tenant administration.
    2. The note in the MSA federation article states that this feature is available only for users who sign up with a Microsoft account (MSA) and is not available for B2B guest users invited to the tenant.

    Given that, the implications for the scenario are:

    1. A live.com MSA cannot function as a native organizational admin account for the Microsoft Services tenant.
    2. To administer the tenant and access the Azure Portal for that tenant, a native Entra ID organizational account in that tenant is required.
    3. Adding the MSA as a guest/external user does not convert it into a full organizational admin identity for tenant-level management.

    Therefore, to resolve the mismatch:

    • Create or use a native organizational account in the Microsoft Services tenant (for example, a user with an @<tenantname>.onmicrosoft.com or verified custom domain) and assign it the Global Administrator role.
    • Use that organizational account to sign in to the Azure Portal for the Microsoft Services tenant and manage subscriptions and services.
    • The live.com account can be used as an external identity for customer-facing apps if configured via OpenID Connect, but not as the primary tenant admin identity.

    This aligns with the documented pattern where MSAs are used via OIDC as external identities in customer tenants, while tenant administration is performed by organizational accounts in Entra ID.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.