Can't use personal accounts to log in with Entra ID and OAuth2

learlab 0 Reputation points
2024-07-13T18:26:33.61+00:00

I want to use Entra ID as an OAuth 2 provider to let users sign in to the app using their Outlook accounts. Even though I am allowing personal accounts in the manifest


	"signInAudience": "AzureADandPersonalMicrosoftAccount"

personal accounts still get this error message when signing in:

The account needs to be added as an external user in the tenant first


So, is it possible at all to allow personal accounts to sign in with OAuth without explicitly adding them as external users?


2 answers

  1. Dillon Silzer 57,231 Reputation points
    2024-07-13T19:43:07.9466667+00:00

    Hello,

    I would recommend looking into the Azure B2C solution:

    What is Azure Active Directory B2C?

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview#who-uses-azure-ad-b2c


    If this is helpful please accept as answer or upvote.

    Best regards,

    Dillon Silzer, Director | Cloudaen.com | Cloudaen Computing Solutions


  2. Raja Pothuraju 5,255 Reputation points Microsoft Vendor
    2024-07-16T15:53:37.7066667+00:00

    Hello @learlab,

    Thank you for posting your query on Microsoft Q&A.

    It seems you're encountering an issue when users attempt to sign in to your application using their Outlook accounts, receiving the error message "AADSTS50020: User account 'user@outlook.com' from identity provider 'live.com' does not exist in tenant '<tenant_name>' and cannot access the application '<App_ID>'(App Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." This occurs despite the application supporting "signInAudience": "AzureADandPersonalMicrosoftAccount".

    This issue typically arises when your application sends requests with a specific tenant ID. For instance, if your application is configured to support both work and school accounts or personal Microsoft accounts, and you generate an access token by sending a request to the https://login.microsoftonline.com/<tenant>/ authority URL, it will only authenticate users within that specific tenant. That's why you have received an error message stating that the user must be added as an external user in the tenant first.

    To enable sign-ins from other tenants or personal accounts, you should send requests to https://login.microsoftonline.com/common/. Please verify whether your application is using the /common/ authority URL. If it is currently sending requests to https://login.microsoftonline.com/<tenant>/, you should coordinate with your application team to update the authority URL to /common/.

    For more details on authority URLs, you can refer to the documentation here:

    https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-application-configuration#authority


    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
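The answer above comes down to one configuration mismatch: the manifest's "signInAudience" says which account types the app registration accepts, while the tenant segment of the authority URL (/<tenant>/, /organizations/, /consumers/ or /common/) says which account types the sign-in request will even consider. The following is an added example, not code from the thread or from Microsoft's libraries: it extracts the tenant segment from an authority URL, compares it against the manifest audience so the AADSTS50020 case above is caught before deployment, and builds the v2.0 authorize URL by hand so the effect of the authority choice is visible. The client ID, redirect URI and tenant name are constructed placeholders; the account-type mapping reflects the documented meaning of the four tenant segments.

```python
"""Check that an Entra ID OAuth2 authority URL agrees with the app manifest's
signInAudience, and build the matching /oauth2/v2.0/authorize request.

Added example; not part of the Q&A thread and not MSAL code. The authorize URL
is assembled by hand purely to show what the tenant segment changes."""
from urllib.parse import urlencode, urlparse

LOGIN_HOST = "https://login.microsoftonline.com"

# Well-known tenant segments and the account types each one admits.
# Any other segment is a specific tenant ID or verified domain, which admits
# only that tenant's members and already-invited guests.
SPECIAL_TENANTS = {
    "common": {"work_school", "personal"},
    "organizations": {"work_school"},
    "consumers": {"personal"},
}

# Account types each manifest signInAudience value is meant to serve.
AUDIENCE_ACCOUNTS = {
    "AzureADMyOrg": {"work_school"},
    "AzureADMultipleOrgs": {"work_school"},
    "AzureADandPersonalMicrosoftAccount": {"work_school", "personal"},
    "PersonalMicrosoftAccount": {"personal"},
}


def tenant_segment(authority):
    """Return the tenant segment of an authority URL such as
    https://login.microsoftonline.com/common/ (trailing slash optional)."""
    parsed = urlparse(authority)
    if parsed.scheme != "https" or parsed.netloc != urlparse(LOGIN_HOST).netloc:
        raise ValueError(f"unexpected authority: {authority}")
    parts = [p for p in parsed.path.split("/") if p]
    if not parts:
        raise ValueError("authority URL has no tenant segment")
    return parts[0]


def check_config(authority, sign_in_audience):
    """Return a list of findings; an empty list means the settings agree."""
    wanted = AUDIENCE_ACCOUNTS[sign_in_audience]
    segment = tenant_segment(authority)
    admitted = SPECIAL_TENANTS.get(segment.lower())
    findings = []
    if admitted is None:
        # Tenant-scoped authority: this is the path that produces AADSTS50020
        # for anyone who is not a member or invited guest of that tenant.
        findings.append(
            f"authority is scoped to tenant '{segment}'; only that tenant's "
            f"members and invited guests can sign in, but signInAudience "
            f"'{sign_in_audience}' expects {sorted(wanted)}"
        )
    else:
        for account_type in sorted(wanted - admitted):
            findings.append(
                f"signInAudience '{sign_in_audience}' allows {account_type} "
                f"accounts but authority segment '/{segment}/' does not admit them"
            )
    return findings


def build_authorize_url(authority, client_id, redirect_uri, scopes, state):
    """Authorization-code request against the v2.0 endpoint, which is the one
    that supports personal Microsoft accounts."""
    base = f"{LOGIN_HOST}/{tenant_segment(authority)}/oauth2/v2.0/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own registration's.
    audience = "AzureADandPersonalMicrosoftAccount"
    for authority in ("https://login.microsoftonline.com/contoso.onmicrosoft.com/",
                      "https://login.microsoftonline.com/organizations/",
                      "https://login.microsoftonline.com/common/"):
        findings = check_config(authority, audience)
        print(authority, "->", findings or "OK")
    print(build_authorize_url("https://login.microsoftonline.com/common/",
                              "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback",
                              ["openid", "profile", "email"],
                              "example-state"))
```

Running the script prints a finding for the tenant-scoped and /organizations/ authorities and "OK" for /common/, which is exactly the change the answer recommends; the same check can be wired into a deployment pipeline so the authority and the manifest cannot drift apart.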

