María Valero

Reputation: 226

Azure SSO Error: AADSTS50020 when prompt=consent and user is a live account

I have a multi-tenant app on my Azure Active Directory. I'm using it to log in users on my web site.

When redirecting the user, we were using no 'prompt' parameter. We don't like this because if the user is already logged in to Azure and then clicks the link, he is redirected to Azure and then automatically redirected to my site without accepting anything.

So now we want the user to accept the permissions, and we are adding the 'prompt=consent' parameter when redirecting the user.

The problem is that now every live account that tries to log in receives an Azure error page with this error message:

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'XXX' and cannot access the application 'xxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

More details about the error and my actual configuration:

Upvotes: 2

Views: 2937

Answers (1)

Saca

Reputation: 10646

Support for LiveIDs is only available in the v2 endpoint.

Based on what you've posted, you're hitting the v1 endpoint. In order to move over to v2, you'd need to be calling

/common/oauth2/v2.0/authorize
/common/oauth2/v2.0/token

Or if you are using the metadata endpoint to discover the auth endpoints:

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

There are a few other things you'd need to tweak as part of using the v2 endpoint, like using scopes instead of resources. Also, the v2 endpoint doesn't support all flows yet.

You can find more info in the Azure AD App Model V2 documentation.

Upvotes: 4
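As an added example (not code from the question or the answer), the following Python shows the switch the answer describes: it builds an authorize request against the v2.0 endpoint using a space-separated scope list instead of a v1 resource, inspects an existing authorize URL to flag a v1 endpoint or v1-style parameters, and reads the v2.0 authorize/token endpoints out of an OpenID discovery document. The client_id, redirect_uri and the discovery document are constructed placeholders, not values from the original post.

```python
"""Added example: Azure AD v2.0 authorize request construction and a checker
for the v1/v2 mismatches discussed in the answer. client_id, redirect_uri and
SAMPLE_DISCOVERY are constructed placeholders."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_v2_authorize_url(client_id, redirect_uri, scopes, tenant="common",
                           prompt="consent", state=None, nonce=None):
    """Return (url, state, nonce) for the v2.0 authorize endpoint.

    v2 takes a space-separated 'scope' list rather than the v1 'resource'
    parameter. state and nonce are generated fresh unless supplied so the
    caller can bind the eventual callback to this specific request.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", state, nonce


def inspect_authorize_url(url):
    """Report which endpoint version a request targets and any parameter mismatch.

    Returns (version, findings): version is 'v1' or 'v2'; findings is a list
    of human-readable problems, empty when the request looks consistent.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    version = "v2" if "/oauth2/v2.0/" in parts.path else "v1"
    findings = []
    if version == "v1":
        findings.append("v1 endpoint: personal (live.com) accounts are not supported here")
    else:
        if "resource" in qs:
            findings.append("'resource' is a v1 parameter; the v2 endpoint expects 'scope'")
        if "scope" not in qs:
            findings.append("v2 request has no 'scope' parameter")
    if "state" not in qs:
        findings.append("no 'state': the callback cannot be bound to this request")
    return version, findings


def endpoints_from_discovery(discovery_json):
    """Pull the authorize/token endpoints from an OpenID discovery document
    and confirm that both are v2.0 endpoints."""
    doc = json.loads(discovery_json)
    auth = doc["authorization_endpoint"]
    token = doc["token_endpoint"]
    is_v2 = "/oauth2/v2.0/" in auth and "/oauth2/v2.0/" in token
    return auth, token, is_v2


# Constructed sample discovery document, trimmed to the fields used above.
SAMPLE_DISCOVERY = json.dumps({
    "authorization_endpoint": f"{AUTHORITY}/common/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/common/oauth2/v2.0/token",
})

if __name__ == "__main__":
    url, state, _ = build_v2_authorize_url(
        "00000000-0000-0000-0000-000000000000",  # placeholder client_id
        "https://example.com/auth/callback",     # placeholder redirect_uri
        ["openid", "profile", "email"],
    )
    print(url)
    # The shape of request the question describes: v1 endpoint plus prompt=consent.
    print(inspect_authorize_url(
        f"{AUTHORITY}/common/oauth2/authorize?client_id=x&response_type=code&prompt=consent"))
    print(endpoints_from_discovery(SAMPLE_DISCOVERY))
```

Running inspect_authorize_url over the redirect your site currently emits is the quickest way to confirm which endpoint it targets; keep the returned state and nonce server-side and compare them on the callback rather than trusting the values that come back.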
