The Account Needs to be Added as an External User in the Tenant with Azure AD Apps
This is an error I see pop up in various discussion forums every now and then, and tracking it down can be somewhat difficult. I had this happen recently in a scenario that I think is, or will be, one of the more common ones, so I figured I'd write it up here. In my case I had an application registered in Azure Active Directory. I configured the app to be multi-tenant and started building and testing it, and everything was working fine. I tend to build my apps for Azure somewhat manually when it comes to the authentication configuration. What I mean by that is that I use this GitHub sample as my starting point each time: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet. I use that because it allows me to build out my application in such a way that I can use Azure AD to secure both my web UX and my Web API endpoints.
So I built out my web application and was testing it with an account in my tenant, and all was working great. Since I wanted this application to work as a multi-tenant app, though, I went to the next GitHub sample to borrow some of its code: https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet. However, as soon as I tried logging into the web app using an account from another tenant, it stopped in Azure immediately after I authenticated and gave me the "bad request" error, with the "Account Needs to be Added as an External User in the Tenant" message down in the details.
After a bunch of troubleshooting and investigation, I finally figured out that I had left one line of code in my Startup.Auth.cs class from my original single tenant configuration:
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
The gist of what's happening there is that I am taking my tenant name and using it to build the Authority for the OpenID Connect authentication. That works great when everyone is logging in from that tenant, but when someone from a different tenant tries to log in against that authority, you hit the problem I was getting. All that's needed to fix it is to use the Common logon authority instead: https://login.windows.net/common. Once I made that very minor tweak, my authentication started working across tenants. It took me a while to track that down, so I just thought I'd share it here.
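To show the two authority settings side by side, here is an added example of a Startup.Auth.cs configuration for the OWIN OpenID Connect middleware the samples above use. It is not code from this post or from the AzureADSamples repositories. The client id, instance URL, redirect URI and the tenant id in the allow-list are placeholders, and the IsAllowedIssuer helper and the onboardedTenants set are assumptions standing in for whatever onboarding store a real app keeps. The point it adds is the caveat that goes with switching to the common endpoint: once the authority no longer names a tenant, the middleware cannot compare the token's issuer against a single expected value, so issuer validation has to be done by the app, otherwise a user from any Azure AD tenant can sign in.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders for values normally read from Web.config.
    private static readonly string clientId = "<your-app-client-id>";
    private static readonly string aadInstance = "https://login.windows.net/{0}";
    private static readonly string postLogoutRedirectUri = "https://localhost:44300/";

    // Single-tenant authority: only accounts from this one tenant can sign in.
    // Anyone from another tenant gets the "external user" error described in the post.
    // string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "contoso.onmicrosoft.com");

    // Multi-tenant authority: the "common" endpoint accepts sign-ins from any Azure AD tenant.
    private static readonly string authority =
        String.Format(CultureInfo.InvariantCulture, aadInstance, "common");

    // Assumed allow-list of onboarded tenant ids; a real app would keep this in a database.
    private static readonly HashSet<string> onboardedTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000000" // placeholder tenant id
        };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // With the common endpoint the issuer differs per tenant, so the built-in
                // single-value issuer check cannot work; it is replaced by the check below.
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    var identity = context.AuthenticationTicket.Identity;
                    string issuer = identity.FindFirst("iss").Value;
                    string tenantId = identity
                        .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;

                    if (!IsAllowedIssuer(issuer, tenantId))
                    {
                        // Rejecting here fails the sign-in instead of silently admitting the user.
                        throw new SecurityTokenValidationException(
                            "Sign-in from a tenant that has not been onboarded: " + tenantId);
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Assumed helper: the token must come from an Azure AD issuer for the tenant it claims,
    // and that tenant must be one the application has onboarded.
    public static bool IsAllowedIssuer(string issuer, string tenantId)
    {
        if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(tenantId))
        {
            return false;
        }
        string expectedIssuer = "https://sts.windows.net/" + tenantId + "/";
        return string.Equals(issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase)
            && onboardedTenants.Contains(tenantId);
    }
}
```

The commented-out single-tenant line reproduces the configuration the post describes as the cause of the error; the active line is the fix. Checking the issuer against the tenant id claim guards against a token whose claims name a different tenant than the one that issued it, and the allow-list is what turns "any tenant can sign in" into "only tenants we have onboarded can sign in".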