Sign-in with new guest user returns AADSTS90036: An unexpected, non-retryable error stemming from the directory service has occurred

member45232 51 Reputation points
2022-04-04T20:27:08.003+00:00

I'm facing this error now with a new external guest user that I created, while previously created or internal users work.
Is this still a bug or a configuration issue? The message certainly does not help.

curl https://login.microsoftonline.com/<my app id>/oauth2/v2.0/token \
     -d 'grant_type=password' \
     -d 'username=externalguestuser@gmail.com&password=theuserspassword' \
     -d 'scope=<clientid>/user_impersonation&client_id=<clientid>'

Same as https://learn.microsoft.com/en-us/answers/questions/6541/index.html
It is described as a bug there, but I suppose it was fixed since then?


Accepted answer
  AmanpreetSingh-MSFT 56,311 Reputation points
    2022-04-05T06:34:31.23+00:00

    Hi @member45232, thank you for reaching out.

    Looking at the code snippet, I can see that you are using grant_type=password which initiates ROPC (Resource Owner Password Credential) flow. When the ROPC flow is used, the username and password are verified against the identity provider (IDP) to which you are sending the authentication request. If the IDP doesn't contain the username & password for the specified user account, the authentication fails.

    For the Guest/External users, the credentials are stored in their home tenant and not in the guest tenant. Guest users have an attribute named altSecID which contains the information about the home tenant of the user to facilitate the authentication. So, if you try to authenticate the user using ROPC flow, it will always try to authenticate the user against the tenant you specify in the authentication request. This flow doesn't have the capability to redirect the user to a different tenant for credentials validation.

    In your case, you are using a gmail account, which requires either redirection to Google's authentication endpoint if Google Federation is configured. If Google Federation is not configured, an MSA (Microsoft Account) corresponding to the gmail account gets created, which requires redirection to login.live.com. So, in either case, redirection is required which cannot be done using ROPC.

    I would suggest you either use Authorization Code flow or Implicit flow, which opens a browser that supports the redirection required to authenticate the guest users. Even when you use the set-msoluser cmdlet to change the userType from guest to member for the gmail account, you still don't have the password for that account in your tenant and you cannot use Reset Password option to store the password of the user in your tenant.

    Hope this information helps. Feel free to tag me in your reply if you have any further questions regarding this issue.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

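The answer above contrasts the ROPC request from the question with the browser-based authorization code flow. As an added illustration (not code from the thread or from Microsoft), the following Python builds the authorization code + PKCE request against the same v2.0 endpoints, and shows how to pull the AADSTS code out of a token endpoint error body; the tenant, client id, redirect URI and the sample error body are assumed placeholders.

```python
import base64
import hashlib
import json
import re
import secrets
from typing import Optional
from urllib.parse import urlencode

# Assumed placeholder values; substitute your own tenant and app registration.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/callback"
SCOPE = f"api://{CLIENT_ID}/user_impersonation openid offline_access"


def aadsts_code(token_response_body: str) -> Optional[str]:
    """Extract the AADSTS code from a v2.0 token endpoint error body, or None."""
    try:
        body = json.loads(token_response_body)
    except json.JSONDecodeError:
        return None
    match = re.search(r"AADSTS\d+", body.get("error_description", ""))
    return match.group(0) if match else None


def pkce_pair(verifier: Optional[str] = None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize_url(tenant, client_id, redirect_uri, scope, challenge, state):
    """First leg: the browser can follow Entra's redirect to the guest's home
    tenant, Google or login.live.com, which a direct ROPC POST never can."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request_body(client_id, redirect_uri, code, verifier):
    """Second leg: body to POST to .../oauth2/v2.0/token to redeem the code."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier})


# Constructed sample of an error body in the shape the token endpoint returns.
SAMPLE_ROPC_ERROR = json.dumps({"error": "invalid_grant", "error_codes": [90036],
    "error_description": "AADSTS90036: An unexpected, non-retryable error stemming "
                         "from the directory service has occurred."})

if __name__ == "__main__":
    print("ROPC attempt failed with", aadsts_code(SAMPLE_ROPC_ERROR))
    verifier, challenge = pkce_pair()
    print("Open in a browser:", authorize_url(TENANT, CLIENT_ID, REDIRECT_URI, SCOPE, challenge, secrets.token_urlsafe(16)))
```

After the browser returns to REDIRECT_URI with `code` and `state`, verify `state` and POST `token_request_body(...)` with the same verifier.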
