Azure Active Directory - User account doesn't exist in tenant and cannot access application

Jacob Zhang 26 Reputation points
2022-08-18T00:54:24.207+00:00

I am trying to set up OAuth with Azure Active Directory with next-auth.js, and I have registered a multi-tenant application and have the correct credentials and use the /common endpoint. I can sign in through the account I registered the app under, but when I try signing in with a different outlook account, it throws this error:
AADSTS50020: User account 'user@harsh.com .com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '<id>' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

I'm not sure what other configurations I should do. Do I need to be a verified publisher? I actually don't think I have an Azure account tied with this outlook account since it won't let me create one :(

Thanks!


Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-08-29T06:00:40.767+00:00

    Hi @Jacob Zhang ,

    Thanks for reaching out.

    I understand you are trying to authenticate using an external user account (outlook.com) to your registered application and getting the error "AADSTS50020: User account 'user@harsh.com .com' from identity provider 'live.com' does not exist in tenant 'Default Directory'".

    As mentioned by @MohammedAltamashKhan-3285, you need to invite that outlook account as a guest user in your organization to access the application.

    Azure AD allows you to use External Identities by inviting users as guest users to collaborate with your organization. An invitation and redemption process allows external users to use their own credentials to access your company's resources.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

    Also, as you mentioned, if you don't want to invite users and want to allow all users to access your application, then you need to add a self-service sign-up user flow, where users sign up for the application, which creates them as guest users to access the application.

    Hope this will help.

    Thanks,
    Shweta

    1 person found this answer helpful.
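The invitation step the accepted answer describes can be automated from the same Node/next-auth code base: when the OAuth callback returns AADSTS50020, the `error_description` already names the account, the identity provider and the tenant, and a single Microsoft Graph call (POST /invitations) creates the guest. The example below is added here and is not code from the thread, from next-auth or from Microsoft; the Graph endpoint and body fields are the documented ones, but the sample error text, account, application id, redirect URL and token are constructed placeholders. The Graph call needs a token that carries the User.Invite.All permission; the fetch implementation is injectable so the code runs without network access.

```javascript
// Added example (not code from the thread or from next-auth): pull the account,
// identity provider and tenant out of an AADSTS50020 error_description and build
// the Microsoft Graph B2B invitation that adds the account as a guest user.
// Endpoint and body fields follow the documented POST /invitations shape; the
// sample error text, app id, redirect URL and token below are constructed placeholders.

// Matches the fixed part of the AADSTS50020 message. Azure AD may append "(app name)"
// after the application id and Trace/Correlation IDs after the text, so no end anchor.
const AADSTS50020_RE =
  /(AADSTS50020): User account '([^']+)' from identity provider '([^']+)' does not exist in tenant '([^']+)' and cannot access the application '([^']+)'(?:\(([^)]*)\))? in that tenant\./;

function parseAadsts50020(errorDescription) {
  const m = AADSTS50020_RE.exec(String(errorDescription ?? ""));
  if (!m) return null; // some other AADSTS code, or not an Azure AD error at all
  const [, code, userAccount, identityProvider, tenant, appId, appName] = m;
  return {
    code,
    userAccount: userAccount.trim(),
    identityProvider, // 'live.com' = personal Microsoft account; otherwise another AAD tenant
    tenant,
    appId,
    appName: appName ?? null,
  };
}

// Body for POST https://graph.microsoft.com/v1.0/invitations. inviteRedirectUrl is where
// the guest lands after redeeming the invitation; point it at the app's sign-in page.
function buildInvitation(userAccount, inviteRedirectUrl, options = {}) {
  if (!/^[^@\s]+@[^@\s]+$/.test(userAccount)) {
    throw new Error(`not an email address: ${userAccount}`);
  }
  if (!/^https:\/\//.test(inviteRedirectUrl)) {
    throw new Error("inviteRedirectUrl must be an https URL");
  }
  const body = {
    invitedUserEmailAddress: userAccount,
    inviteRedirectUrl,
    sendInvitationMessage: options.sendInvitationMessage ?? true,
  };
  if (options.displayName) body.invitedUserDisplayName = options.displayName;
  return body;
}

// Calls Graph with an app or delegated token that carries User.Invite.All.
// fetchImpl is injectable so the call can be exercised without network access.
async function inviteGuest(accessToken, invitation, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl("https://graph.microsoft.com/v1.0/invitations", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${accessToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(invitation),
  });
  if (!res.ok) {
    throw new Error(`Graph invitation failed: HTTP ${res.status} ${await res.text()}`);
  }
  // Graph returns the invitation object; status stays "PendingAcceptance" until redeemed.
  return res.json();
}

// Constructed sample of the callback error (not a real account, app id or trace id).
const SAMPLE_ERROR_DESCRIPTION =
  "AADSTS50020: User account 'alice@outlook.com' from identity provider 'live.com' " +
  "does not exist in tenant 'Default Directory' and cannot access the application " +
  "'11111111-2222-3333-4444-555555555555'(next-auth-demo) in that tenant. The account " +
  "needs to be added as an external user in the tenant first. Sign out and sign in again " +
  "with a different Azure Active Directory user account. Trace ID: " +
  "00000000-0000-0000-0000-000000000000";

// Stand-alone demonstration: parse the sample and print the invitation that would be sent.
const parsed = parseAadsts50020(SAMPLE_ERROR_DESCRIPTION);
if (parsed) {
  const invitation = buildInvitation(parsed.userAccount, "https://app.example.com/api/auth/signin", {
    displayName: "Alice (guest)",
  });
  console.log(JSON.stringify({ parsed, invitation }, null, 2));
}

if (typeof module !== "undefined") {
  module.exports = { parseAadsts50020, buildInvitation, inviteGuest, SAMPLE_ERROR_DESCRIPTION };
}
```

Two practical notes. The invitation only creates the guest object in the directory; if the application is configured to require user assignment, the guest still has to be assigned to the enterprise application before sign-in succeeds, which is the "assign permission over that application" step in the other answer. And the guest route is the right one for collaborators who should become members of your directory; an app that is meant to accept any personal Microsoft account without adding it to the directory is instead registered for the audience that includes personal accounts, which is an app-registration setting rather than an invitation.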

1 additional answer

  1. Mohammed Altamash Mohammed Suleman Khan 2,331 Reputation points
    2022-08-18T01:37:12.137+00:00

    Hi @Jacob Zhang

    From the error it seems like the account doesn't exist in your tenant; you may need to invite that outlook account as a guest user and assign permission over that application.

    For your reference : https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist

    Regards

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.
