Integration with OAuth2 / Entra ID for authorization with Microsoft APIs

Tom Handcock 20 Reputation points
2026-04-02T21:36:30.4033333+00:00

Hello there,

I am trying to create an application that integrates with Azure DevOps (in organisations the end user is a part of). Naturally, I need the application to acquire tokens to authorize against the APIs and so I am trying to use an OAuth 2.0 PKCE flow.

The problem I am experiencing is that when I attempt to sign in with my Microsoft account, I am greeted with an error on the sign-in web page that states "You can't sign in here with a personal account. Use your work or school account instead." I have followed multiple sources to try and fix this issue myself but have been unable to.

I have set up an external tenant in the Microsoft Entra ID admin centre and within that, created an application that is configured to support "Any Entra ID Tenant + Personal Microsoft accounts". Indeed, in the registered application manifest, there is the following key-value pair...

"signInAudience": "AzureADandPersonalMicrosoftAccount"

I am also using the following /authorize endpoint to trigger the user sign-in...

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=REDACTED&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080&response_mode=query&code_challenge=REDACTED&code_challenge_method=S256&prompt=select_account&scope=openid+profile+offline_access

To my knowledge, this should allow me to sign in with my personal Microsoft account but I still see the above error.

Other things I have tried:

  • Using a different browser (Firefox) which doesn't have an active Microsoft session (doesn't work).
  • Using incognito mode in Chrome (doesn't work).
  • Deleting and re-creating the app registration in Microsoft Entra ID (doesn't work).
  • Ensuring 'Microsoft' is configured as an identity provider in External identities -> All identity providers (doesn't work).
  • Cross tenant access settings is unavailable, I presume due to using an external tenant (doesn't work).
  • I have previously tried using my default tenant in Entra ID (doesn't work).
  • Using the /consumers endpoint (does work).

Is there something I likely have misconfigured that is preventing me from using the /common endpoint?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Rukmini 35,485 Reputation points Microsoft External Staff Moderator
    2026-04-02T21:46:52.1366667+00:00

    Hello Tom Handcock

    You have configured everything correctly, but the error occurs because Azure DevOps does NOT support Personal Microsoft Accounts (MSA) via /common or multi-tenant flows, even if your app allows AzureADandPersonalMicrosoftAccount.

    The /consumers endpoint works but granted tokens are incompatible with Azure DevOps APIs.

    • Invite personal accounts as B2B guest users into your tenant before authentication

    This is not an app problem; rather, it is a service limitation (Azure DevOps). MSA + /common is not supported in this situation.

    Let me know if you have any further queries; feel free to reach out!

    1 person found this answer helpful.

1 additional answer

  1. Yutaka_K_JP 1,650 Reputation points
    2026-04-03T12:32:12.7566667+00:00

    I think Azure DevOps drops MSA before token creation, so /common can’t ever work. Add the MSA as a B2B guest in the DevOps tenant and retry; if it still fails, use a work/school Entra ID.

    1 person found this answer helpful.
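
The authorization request described in the question, as an added example that is not part of the original thread and is not Microsoft's code: it derives the S256 `code_challenge` from a fresh `code_verifier`, builds the same `/authorize` URL for the `/common` and `/consumers` segments mentioned above, and validates the loopback callback. The `state` parameter and the `CLIENT_ID_PLACEHOLDER` value are assumptions; the question's URL carries no `state`.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or secrets.token_urlsafe(32)  # 43 URL-safe characters
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize_url(tenant, client_id, redirect_uri, challenge, state):
    """Build the question's /authorize request for one tenant segment."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "prompt": "select_account",
        "scope": "openid profile offline_access",
        "state": state,  # assumption: added here, absent from the question's URL
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"

def read_callback(callback_url, expected_state):
    """Return the authorization code from the loopback redirect, or raise."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    got = params.get("state", "").encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in params:  # the endpoint reports failures as error/error_description
        raise RuntimeError(f"{params['error']}: {params.get('error_description', '')}")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"]

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    for tenant in ("common", "consumers"):  # the two segments tried in the thread
        print(authorize_url(tenant, "CLIENT_ID_PLACEHOLDER",
                            "http://127.0.0.1:8080", challenge, state))
```

Keep the `code_verifier` in memory only until the token request; it is what binds the returned code to this client instance.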