Issue with Authorization: AADSTS500207 - "The account type can't be used for the resource you're trying to access" in Multitenant OAuth Flow between App Registrations

Marcelo Roses 5 reputation points
2025-06-02T20:19:37.9766667+00:00

Hi,

I'm implementing an authentication and authorization scenario in Entra External ID with two App Registrations (frontend and API), both configured as multitenant. I'm trying to have my frontend obtain a valid token to access the API using a custom scope, but I keep getting the following error:

"AADSTS500207: The account type can't be used for the resource you're trying to access."

I want to clarify that this scenario is configured in an Azure Entra External ID (formerly known as Azure AD B2C / CIAM) tenant, not a standard Azure AD tenant. The tenant is specifically set up for external identities, with user flows and policies for external or guest users, rather than a classic organizational directory. Both App Registrations (frontend and API) are registered in this Entra External ID tenant.

Configuration details:

  • App Registration (Frontend):
    • appId: fb5e08bc-xxxx-xxxx-xxxx-xxxxx
    • signInAudience: AzureADandPersonalMicrosoftAccount
    • "allowPublicClient": true
    • "requiredResourceAccess" includes the API's scope.
    • Grant type: Password Credentials (for testing only).
  • App Registration (API):
    • appId: a396ea4c-xxxxx-xxxxx-xxxx-xxxxx
    • signInAudience: AzureADandPersonalMicrosoftAccount
    • "identifierUris": api://a396ea4c-xxxx-xxxx-xxxx-xxxx
    • "oauth2Permissions" / "Expose an API":
      • Scope: access
      • Full value: api://a396ea4c-xxx-xxx-xxx-xxxx/access.api
    • "preAuthorizedApplications" includes the frontend with the scope.
  • User:
    • Testing with a corporate account from the same tenant: test@{local}.onmicrosoft.com

What I'm doing in Postman:

  • Token endpoint: https://xxxx.ciamlogin.com/{tenant-id}/oauth2/v2.0/token
  • Grant type: Password Credentials
  • Client ID / Secret: those of the frontend
  • Username / Password: corporate user from the tenant
  • Scope: api://a396ea4c-xxxx-xxxx-xxxx-xxxx/access.api

Error received: AADSTS500207: The account type can't be used for the resource you're trying to access. Trace ID: [example] Correlation ID: [example]

Additional detail: If I request a token without the custom API scope (for example, only with "openid profile"), the token is issued successfully. However, as soon as I add the custom API scope (api://a396ea4c-xxx-xxx-xxxx-xxxx/access.api), I get the AADSTS500207 error described above.

Questions:

Are there any additional restrictions for using Resource Owner Password Credentials (password grant) in CIAM/B2C or Entra External ID, multi-tenant scenarios?

Is any extra user/admin consent required even when the user is from the same tenant and the frontend is pre-authorized?

Is password grant restricted or blocked for some account/tenant types?

Any particular gotchas with custom scopes in this scenario?

Any help or pointers are appreciated.

1 answer

    Marcelo Roses 5 reputation points
    2025-06-05T11:57:58.52+00:00

    Hi,

    Thanks for the assistance.

    After further testing, I found the root cause of the issue. Azure Entra External ID (CIAM) tenants do not support App Registrations configured with signInAudience set to AzureADandPersonalMicrosoftAccount when using custom scopes to access protected APIs, especially under the Resource Owner Password Credentials (ROPC) flow.

    Once I reconfigured both the frontend and API App Registrations to use AzureADMyOrg (single-tenant applications) the AADSTS500207 error was resolved and token issuance with the custom scope worked as expected...

    1 person found this answer helpful.
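A configuration check for the frontend/API registration pair described in the question and the fix reported in the answer, as an added example that is not part of the thread: it reads two app-registration manifests (constructed samples in the Microsoft Graph application layout, with placeholder GUIDs) and flags a signInAudience other than AzureADMyOrg, a requested scope the API does not expose, and a frontend that is not pre-authorized for it. The function name and the finding strings are my own.

```python
"""Consistency check for the frontend/API app-registration pair described in
the thread. Manifests use the Microsoft Graph application layout; the GUIDs
are constructed placeholders, not real app IDs."""
import json
# Per the answer above, the custom scope only worked once both registrations
# were single-tenant, so any other audience is flagged.
SUPPORTED_AUDIENCES = {"AzureADMyOrg"}

FRONTEND_MANIFEST = json.loads("""{
  "appId": "11111111-1111-1111-1111-111111111111",
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "requiredResourceAccess": [{"resourceAppId": "22222222-2222-2222-2222-222222222222",
    "resourceAccess": [{"id": "33333333-3333-3333-3333-333333333333", "type": "Scope"}]}]
}""")

API_MANIFEST = json.loads("""{
  "appId": "22222222-2222-2222-2222-222222222222",
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "identifierUris": ["api://22222222-2222-2222-2222-222222222222"],
  "api": {
    "oauth2PermissionScopes": [{"id": "33333333-3333-3333-3333-333333333333",
                                "value": "access.api", "isEnabled": true}],
    "preAuthorizedApplications": [{"appId": "11111111-1111-1111-1111-111111111111",
                                   "delegatedPermissionIds": ["33333333-3333-3333-3333-333333333333"]}]
  }
}""")

def check_registrations(frontend, api, requested_scope):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    for name, m in (("frontend", frontend), ("api", api)):
        if m["signInAudience"] not in SUPPORTED_AUDIENCES:
            findings.append(f"{name}: signInAudience {m['signInAudience']} is not single-tenant")
    # The requested scope api://<uri>/<value> must be an enabled scope on the API
    uri, _, value = requested_scope.rpartition("/")
    scopes = {s["value"]: s["id"] for s in api["api"]["oauth2PermissionScopes"] if s["isEnabled"]}
    if uri not in api["identifierUris"] or value not in scopes:
        findings.append(f"scope {requested_scope} is not exposed by the API")
        return findings
    scope_id = scopes[value]
    # The frontend must request that scope and be pre-authorized for it
    requested = {a["id"] for r in frontend["requiredResourceAccess"]
                 if r["resourceAppId"] == api["appId"] for a in r["resourceAccess"]}
    if scope_id not in requested:
        findings.append("frontend does not list the API scope in requiredResourceAccess")
    preauth = {p["appId"]: set(p["delegatedPermissionIds"])
               for p in api["api"]["preAuthorizedApplications"]}
    if scope_id not in preauth.get(frontend["appId"], set()):
        findings.append("frontend is not pre-authorized for the API scope")
    return findings
```

Run against the sample manifests it reports both registrations as not single-tenant; switching both to AzureADMyOrg (the answer's fix) clears every finding.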
