Known issues with Microsoft Entra External ID for external-facing apps
This article describes known issues that you may experience when you use Microsoft Entra External ID for your external-facing apps, and provides help to resolve these issues.
Tenant creation and management
Using your admin email to create a local customer account prevents you from administering the tenant
If you're the admin who created the external tenant, and you use the same email address as your admin account to create a local customer account in that same tenant, you can't sign in directly to the tenant with admin privileges.
Cause: Using your tenant admin email to create a customer account via self-service sign-up creates a second user with the same email address, but with customer-level privileges. When you sign in to the tenant via https://entra.microsoft.com/<tenantID> or <tenantName>.onmicrosoft.com, the least-privileged account takes precedence, and you're signed in as the customer instead of the admin. You have insufficient privileges to manage the tenant.
Workaround: Take one of the following actions.
- When creating a local customer account, use a different email address than the one used by the admin who created the tenant.
- If you've already created a customer account with the same email address as the admin, sign out of the admin center, and then use
https://entra.microsoft.cominstead ofhttps://entra.microsoft.com/<tenantID>or<tenantName>.onmicrosoft.comto sign in with the correct admin account.
Token version in Web API
Error when running a web API
When you create your own web API in an external tenant (without using the app creation scripts in the web API samples), and then run it and send an access token, you enable logging and see the following error:
IDX20804: Unable to retrieve document from: https://<tenant>.ciamlogin.com/common/discovery/keys
Cause: This error occurs if you haven't set the accepted access token version to 2.
Workaround: Do the following.
- Go to the app registration for your application.
- Choose to edit the manifest.
- Change the accessTokenAcceptedVersion property from null to 2.
Related content
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for