Reputation: 1759
I am working on an app that manages azure resources for customers (provision VMs, create VNets).
We have created a multi-tenant application in the azure portal that is configured for Delegated permissions of Windows Azure Service Management API and Windows Azure Active Directory.
We are able to log in an AAD-based account without a problem. But when a live.com-based account logs in, the user gets an AADSTS50020 error.
For the login, we are navigating to https://login.microsoftonline.com/common/OAuth2/Authorize with the following parameters:
client_id=XXX&response_mode=query&response_type=code&redirect_uri=XXX&prompt=consent
Here is the full error message:
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'XXX' and cannot access the application 'xxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Upvotes: 6
Views: 6758
Reputation: 3865
You need to use the v2 endpoints in order to allow access from personal Microsoft accounts. I ran into the same problem using the v1 endpoint.
Use this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
For example:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=ffffff-1111-2222-3333-37fd4f8c20ee
&response_type=id_token
&redirect_uri=http://localhost:8080/login/microsoft/callback
&response_mode=form_post
&prompt=consent
&scope=openid
&state=12345
&nonce=RandomGUI
Good luck
Upvotes: 0
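The request the answer above spells out, with the callback-side checks that belong with it, as an added example that is not part of the original question or answer. It builds the v2.0 authorize URL with a fresh `state` (binds the callback to the browser session) and `nonce` (binds the returned id_token to this request), then validates what comes back on the `form_post` redirect: `state` matches, `nonce` matches, `aud` is our client_id, and `iss` is the per-tenant v2.0 issuer for the `tid` in the token (with the common endpoint the tenant is not known until the token arrives). The client_id and redirect_uri are the placeholders from the answer; `make_unsigned_id_token` and the token it produces are constructed for the demo only. The example deliberately does not verify the JWT signature: a real app must validate it against the keys published in the tenant's OpenID Connect metadata before trusting any claim.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

# The v1 "common" endpoint only signs in work/school (AAD) accounts for this
# app; personal Microsoft accounts need the v2.0 endpoint.
V1_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"
V2_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# Well-known tenant id that personal (live.com) accounts report in "tid".
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def build_authorize_url(client_id, redirect_uri, scopes=("openid",), prompt="consent"):
    """Return (url, state, nonce); store state and nonce in the user's session."""
    state = secrets.token_urlsafe(32)   # CSRF binding for the callback
    nonce = secrets.token_urlsafe(32)   # replay binding for the id_token
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "prompt": prompt,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return V2_AUTHORIZE + "?" + urlencode(params), state, nonce


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(id_token):
    """Return the payload claims. Does NOT verify the signature (see lead-in)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    return json.loads(_b64url_decode(parts[1]))


def validate_callback(form_body, expected_state, expected_nonce, client_id):
    """Check the form_post body against the state/nonce saved for this session."""
    q = parse_qs(form_body)
    if "error" in q:
        raise ValueError("%s: %s" % (q["error"][0], q.get("error_description", [""])[0]))
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    claims = decode_jwt_claims(q.get("id_token", [""])[0])
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: id_token not issued for this request")
    if claims.get("aud") != client_id:
        raise ValueError("id_token audience is not this application")
    tid = claims.get("tid", "")
    if claims.get("iss") != "https://login.microsoftonline.com/%s/v2.0" % tid:
        raise ValueError("issuer does not match tenant in token")
    return claims


def make_unsigned_id_token(claims):
    """Constructed demo token (alg=none, empty signature); never accept one of these."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return header.decode() + "." + payload.decode() + "."


if __name__ == "__main__":
    cid = "ffffff-1111-2222-3333-37fd4f8c20ee"
    url, state, nonce = build_authorize_url(cid, "http://localhost:8080/login/microsoft/callback")
    print(url)
    token = make_unsigned_id_token({
        "iss": "https://login.microsoftonline.com/%s/v2.0" % MSA_TENANT_ID,
        "aud": cid, "tid": MSA_TENANT_ID, "nonce": nonce, "sub": "demo-user",
    })
    print(validate_callback(urlencode({"id_token": token, "state": state}), state, nonce, cid))
```

The same v1-versus-v2 distinction applies to the token endpoint and to the issuer format: v1 tokens carry `https://sts.windows.net/{tid}/` as `iss`, so an app that switches endpoints has to update its issuer check as well as the authorize URL.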