Azure B2C : Getting error while switching from Sign_up policy to Sign_In_Policy (Error Code: AADB2C90088)

Rohit Karmarkar 1 Reputation point
2022-04-18T13:41:21.657+00:00

Hi All,

In our application when User is redirected to Sign Up page (https://signin.***.com/***.onmicrosoft.com/{sign_up_policy_name}/), user has choice to Sign In if he already is a Sign User, for this we have a hyperlink with following url pattern : (https://signin.***.com/***.onmicrosoft.com/{sign_in_policy_name}/). When user clicks from on this links he is redirected to sign in page. But user is not able to sign in properly and we are getting following error with error code:

com.microsoft.aad.msal4j.MsalInteractionRequiredException: AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : {sign_up_policy_name} and Expected Value : {sign_in_policy_name}

Could you please help and give guidance on how to resolve the issue. Can we switch from https://signin.***.com/***.onmicrosoft.com/{sign_up_policy_name}/ url to https://signin.***.com/***.onmicrosoft.com/{sign_in_policy_name}/ url?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,701 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,078 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2022-04-19T08:35:57.52+00:00

    Hi @Rohit Karmarkar • Thank you for reaching out.

    Looks like it is trying to do a silent authentication in the context of the sign-up policy. The hyperlink that you have for the sign-in policy must invoke MSAL to trigger a new request to invoke the sign-in policy. You can include the prompt=login parameter in the URL of the sign-in policy to force interactive authentication.

    I tested it out by creating a custom HTML page for the Sign-Up policy which includes a link to go back to the Sign-in policy and it works without any issue.

    https://amsinstor.blob.core.windows.net/temp/unified.html (View page source: )

    See this in action:

    1. Access the SignUp policy > Click here
    2. Sign up for a new account.
    3. Access the SignUp policy again.
    4. On the signup page, click on the Back to sign-in! link.
    5. Sign in with the credentials you used to signup.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.