Azure error AADSTS50020 while logging in from VS2022 - azure

AADSTS50020: User account 'my#email' from identity provider 'https://sts.windows.net/783c0fcf-4d70-4426-9bbc-1e83f8b865b2/' does not exist in tenant 'Default Directory' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio).
I am logging in with an account (mine) that is a Global Administrator and owner of that Azure organization. How can I be not authorized? This makes zero sense -__- As a test I invited my other email (on a different domain) as an external guest and the login worked for that account. So I can login as a guest but not as an owner.

There may be relatively few possible causes for this error.
Possible cause 1
Please check if you might already have an active session that uses a different account (personal) than the one that's intended to be used where you are admin. Or it may be meant for a guest user account.
To see if the above is the reason, look for the User account and Identity provider values in the error message. Check if those values match the expected combination.
See if sign-in is done by using an organization account to your tenant instead of the home tenant, or if the login is by using a different personal account than the one that was needed.
Resolution
To resolve this issue please sign out from the active session, then sign in again from a different browser or a private browser session.
Cause 2
Also, if you have set Supported account types to Multiple organizations, but your authentication call is for a specific tenant, i.e., https://login.microsoftonline.com/tenant name or id, in that case users from other organizations cannot access the application, and those users are required to be added as guests in the tenant specified in the request. Maybe this seems to be the reason, as a guest account is signed in.
Resolution
So for multiple organizations, the authentication request should either be common or organizations, e.g.:
https://login.microsoftonline.com/organizations or
https://login.microsoftonline.com/common
Also check Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs to troubleshoot in other cases.
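Added example (not part of the answer above): a small Python helper that pulls the user, identity provider and target tenant out of an AADSTS50020 message and classifies it against the authority the application actually used. It assumes the message format shown on this page; the sample messages, tenant ids and app ids below are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample message; the tenant and app ids are placeholders,
# not real identifiers.
SAMPLE_ERROR = (
    "AADSTS50020: User account 'alice@example.com' from identity provider "
    "'https://sts.windows.net/11111111-1111-1111-1111-111111111111/' does not "
    "exist in tenant 'Default Directory' and cannot access the application "
    "'22222222-2222-2222-2222-222222222222'(Visual Studio)."
)

# Constructed second sample: a personal Microsoft account, which the error
# reports with identity provider 'live.com'.
SAMPLE_PERSONAL_ERROR = (
    "AADSTS50020: User account 'bob@outlook.com' from identity provider "
    "'live.com' does not exist in tenant 'Default Directory' and cannot access "
    "the application '22222222-2222-2222-2222-222222222222' in that tenant."
)

ERROR_RE = re.compile(
    r"AADSTS50020: User account '(?P<user>[^']*)' from identity provider "
    r"'(?P<idp>[^']*)' does not exist in tenant '(?P<tenant>[^']*)'"
)


def parse_aadsts50020(message):
    """Pull user, identity provider and target tenant out of the message."""
    m = ERROR_RE.search(message)
    if m is None:
        return None
    info = m.groupdict()
    idp = info["idp"]
    # Work or school accounts report their home tenant as an sts.windows.net
    # URL whose path is the tenant id; personal accounts report 'live.com'.
    home = None
    if "sts.windows.net" in idp:
        home = urlparse(idp).path.strip("/").lower() or None
    info["home_tenant_id"] = home
    info["personal_account"] = idp.lower() == "live.com"
    return info


def authority_segment(authority):
    """Tenant segment of an authority URL: 'common', 'organizations',
    'consumers', or a tenant id / domain name."""
    return urlparse(authority).path.strip("/").split("/")[0].lower()


def diagnose(message, authority, app_tenant_id):
    """Classify the failure against the authority the app used and the
    tenant the app registration lives in (Cause 1 vs Cause 2 above)."""
    info = parse_aadsts50020(message)
    if info is None:
        return "not_aadsts50020"
    if info["personal_account"]:
        # live.com account: needs a guest invitation or an audience that
        # admits personal accounts (common / consumers authority).
        return "personal_account"
    if info["home_tenant_id"] == app_tenant_id.lower():
        return "same_tenant"
    if authority_segment(authority) not in ("common", "organizations", "consumers"):
        # Cause 2: tenant-specific authority, user lives in another tenant.
        return "foreign_tenant_tenant_specific_authority"
    # Cause 1: the active session belongs to an account from another tenant.
    return "foreign_tenant_other_session"
```

The returned label tells the operator which of the two resolutions on this page applies: sign out and retry in a private window for a stale session, or switch the authority to /organizations or /common (or invite the user as a guest) for the tenant-specific case.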

Related

Azure Active Directory exception thrown while fetching access token

I am trying to get graph api access token in my c# application using GetAccessTokenForUserAsync().
It throws below error :
Error = invalid_grant
Error_description = "AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/--/' does not exist in tenant 'ABC' and cannot access the application '--**-****'(xyz-app) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the user and the Application exist in different tenants. Make sure to check that the user exists in the Azure AD Application tenant. Try to sign out and sign in.
Check whether the sign-in URL you are making use of is valid:
Multitenant applications
https://login.microsoftonline.com/organizations
Multitenant and personal accounts
https://login.microsoftonline.com/common
Personal accounts only
https://login.microsoftonline.com/consumers
Please check whether the guest user has been invited to the tenant like below:
Try clearing the browser cookies/log-in via Incognito.
You can also make use of domain_hint parameter which specifies from which domain Azure AD User should be from. You can configure from both client and server side.
If the issue still persists, please refer to the MsDoc below:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory

Azure Active Directory Multi-tenant: User doesn't exist in tenant

I'm new to AAD and I'm trying to allow sign-ins for users in tenants outside of my current one (the tenant that I set up AAD with). I have two outlook accounts that I'm testing with. And when I sign in with the other outlook account, I get the error:
"AADSTS50020: User account 'user#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
I don't want to invite any users to my tenant, since if there are more users, they'll also have to be invited. I set up the configuration to be multi-tenant (orgs & personal accounts), and my api hits the /common endpoint.
Is there something that I'm missing? Or am I misunderstanding how multi-tenant works? Thanks!
"AADSTS50020: User account 'user#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '' in that tenant
This error will occur whenever a guest user tries to access a resource or application within the resource tenancy; the sign-in process fails and displays an error.
To resolve this issue, Go to azure portal -> App registrations-> your App -> Manifest -> check signInAudience ->AzureADandPersonalMicrosoftAccount like below.
If signInAudience property is missing in your manifest, try to recreate app registration by choosing the appropriate account type.
If the users sign in to your tenant with their personal account, they need to be added as guest users even if you select the multi-tenant account type.
If there are more users, you can make use of bulk invite option by modifying UserInviteTemplate.csv file like below.
Go to Azure active directory -> users -> bulk operation -> Download the csv template.
In template, add the list of user's email address to invite as below.
Upload UserInviteTemplate.csv file in bulk invite user.
To check whether the guest users are added or not, you can filter user type == guest as below.
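Added example, not code from either answer above: it ties the signInAudience value in the app manifest (from the answer just above) to the authority the sign-in URL must use (the list in the earlier answer), builds the authorization request with an optional domain_hint, and flags the mismatch that produces this error. The v2.0 authorize endpoint and the four signInAudience values are real; the client id, tenant id, redirect URI and domain below are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# signInAudience values from the app manifest, mapped to the tenant segment
# of the authority that can serve every account the audience allows.
AUDIENCE_TO_SEGMENT = {
    "AzureADMyOrg": None,                        # single tenant: use the tenant id
    "AzureADMultipleOrgs": "organizations",
    "AzureADandPersonalMicrosoftAccount": "common",
    "PersonalMicrosoftAccount": "consumers",
}

LOGIN = "https://login.microsoftonline.com"


def authority_for(sign_in_audience, tenant_id):
    """Authority URL that admits every account type the audience allows."""
    seg = AUDIENCE_TO_SEGMENT[sign_in_audience]
    return f"{LOGIN}/{seg or tenant_id}"


def build_authorize_url(sign_in_audience, tenant_id, client_id, redirect_uri,
                        scopes, state, nonce, domain_hint=None):
    """OAuth 2.0 authorization request (v2.0 endpoint) whose authority is
    derived from the registration's signInAudience."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    if domain_hint:
        # Steers the user to a specific home tenant / idp so that a stale
        # browser session for another account is not silently reused.
        params["domain_hint"] = domain_hint
    return f"{authority_for(sign_in_audience, tenant_id)}/oauth2/v2.0/authorize?{urlencode(params)}"


def query_params(authorize_url):
    """Single-valued view of the query string, for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}


def authority_matches_audience(authorize_url, sign_in_audience, tenant_id):
    """False when a multi-tenant or personal-account audience is paired with
    a tenant-specific authority, the combination that rejects users from
    other organizations with AADSTS50020."""
    seg = urlparse(authorize_url).path.strip("/").split("/")[0].lower()
    expected = AUDIENCE_TO_SEGMENT[sign_in_audience]
    if expected is None:
        return seg == tenant_id.lower()
    return seg == expected
```

Running authority_matches_audience over the sign-in URL an application actually emits is a cheap pre-deployment check: a registration set to multiple organizations whose code still points at https://login.microsoftonline.com/<tenant_id>/ fails it.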

Log-in via Microsoft for personal AND for any Azure ADs

I have created a webapp on Azure and have set the authentication mode to:
"Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox). All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers."
It works perfectly for me and my colleagues, and it works also for personal Microsoft accounts.
I am now trying to log in users on a different Azure AD, but these cannot log in. Here is the login log of an attempt taken from their AD. A similar message was displayed to the user on screen:
User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The sole purpose of the webapp is to get an Azure/MS verified email address of the user and perform a lookup in a user database.
Preferably this should be achieved without needing the "other azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.
User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This error usually occurs for many reasons. Please check if below are helpful:
Case1:
Please check if your sign-in URL is something like this:
https://login.microsoftonline.com/<tenant_id>/
If it is like that, you may get an error, as you selected this option: “Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)” and users from other organizations can't access the application.
To resolve that error, try to change the sign-in URL as
https://login.microsoftonline.com/common
Apply this URL value in Authority Setting in your application code.
To know how to do that in detail, go through this link.
Case2:
There is also a possibility where the user has an active session already signed in using a different personal account other than Microsoft. To confirm this scenario, check the User Account and Identity Provider values in the error message.
To resolve that error, inform the user to sign out from their active session and sign in again from a different browser or a private browser session. Otherwise ask them to clear the cookies and cache, and sign in as new.
If the error still isn't resolved, please go through the reference below if it is helpful.
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs

Azure multitenant app can't access

I try to log in to the Azure AD web app, and when I do it with a user inside my tenant it's OK,
but when logging in with another user I get
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Login Url :
https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/
Tenant settings
Few things to check -
Based on the error you shared, it seems you're logged in with some Microsoft account like live.com/hotmail etc. Are you doing that intentionally or just happened to be logged in and getting confused by that? If you do want to login with a Microsoft account other than a usual organizational account, then as the error says, you need to add that account to your AzureAD tenant as an external user.
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant
For any other organizational user, i.e. user from a different AzureAD tenant than the one where this application is registered, you will first need to go through the consent process. You may have done it already or not.
More details on that process here - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Issue:
You wanted to use a personal account within a multi-tenant application to get a token for the "https://management.core.windows.net" API
Scope:
We will focus on this issue and consider it as resolved once we provide you with the reason that Personal accounts cannot be used against a v1 multi-tenant application.
Alternatively, we will consider this case resolved if we confirm that the problem is caused by a third-party application or is by-design.
This agreed resolution statement describes the specific conditions where we will close this case. Please let me know if you do not agree with this scope.
Cause:
For multi-tenant applications in v1 you can only use an organizational account and not a personal one. That happens because for personal ones you will be authenticated by the “Live” endpoints and not by Azure endpoints, also because we are sending the user to the “common” endpoint and in there we do not know in which directory you want to sign in.
Resolution:
Having a multi-tenant application and sign-in users with personal and organizational accounts can be covered by the Azure AD V2 endpoints, nevertheless the v2 has some limitations right now and one of them is that you could only get a token for Microsoft Graph API and not for https://management.core.windows.net. We plan to implement all APIs that are available in v1 also in v2, but as for now cannot be used to acquire a token for such API.

How do I add users to tenant via the Graph API?

I've utilized the Partner Center REST API to provision tenants with orders/subscriptions. Now I want to start configuring the domains and users for the tenant I just created. My first step was to get a list of users using the Graph API https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations as a test, expecting to see the admin account. If I pass in the domain of the reseller account in the request URL, it shows me the reseller users. But when I put in the domain of the account I just provisioned, I get Invalid domain name in the request url. I'm using the reseller's AD token to do this. I'm confused as it gives me the option to specify a domain, but I can only access my own.
What credentials am I supposed to be using here? I tried to use the user/pass that was generated for the admin account from the provision, but I get unauthorized_client when trying to get an AD token from the Graph API.
It is hard to directly address your issues here since they are a little broad, and I would need more specific details about the various tenants you are working with, how your app is provisioned, permissions your app has etc...
However I think there are a few principles you can follow which may help you debug your issues.
All AAD Authentication happens within the context of a specific tenant. This means whenever you get an access token for a resource, the scope of that token is limited to the boundaries of the tenant.
To authenticate with a client application in the context of a tenant, you must have the app registered in the tenant you are trying to access (line of business application / single tenant) or you have to make the app multi-tenant, in which case your app should be able to function in the context of any tenant... if the right provisioning has occurred.
Every tenant where your app is trying to function must have a service principal for the application provisioned in the tenant. This service principal represents your application's identity in the context of that tenant, and acts as a place to store the permission your application has in the context of that tenant. Most normally, this service principal gets provisioned into a tenant after a user from that tenant has consented to use the app as a part of the login experience.
If you are trying to use user context (authorization code grant flow) to retrieve details about a tenant, you must ensure that that user is present in the directory you are trying to query. For example a user U can exist in their home tenant T1. If you try to query another tenant T2 using that user account, you will get any number of errors describing that the user account does not exist etc. You can remedy this by creating a guest account for U in T2, in which case there will be a brand new user object created in T2 which links to the original user object in T1. None the less, the user object should always be present in the tenant you are trying to query.
If you are trying to sign into an application with a user account that is in T1 and T2, you need to be sure to specify the tenant you want to actually get the token for. By default, if you use the common endpoint, you will get a token for the user's home tenant. However, it is perfectly valid to get a token for the secondary tenant, as long as you specify that to our Token Service when making the request.
Finally the client application you use to make these requests needs to have the right permissions to the Graph API if you want to make specific calls to the Graph API. Every tenant needs to individually consent to the application in their tenant context in order to provision the correct permissions to their application.
With those principles in mind:
The error you are getting with "unauthorized_client" seems to be an issue with application provisioning in the secondary tenant. Please make sure to first login to the application with a user from the secondary tenant, and make sure that user has the correct permissions to consent to your app (a tenant admin is best here).
For the second issue with "Invalid domain name in the request url" please try using some hints here.
Specifically this:
By using the myOrganization alias. This alias is only available when using OAuth Authorization Code Grant type (3-legged) authentication; that is, when using a delegated permission scope. The alias is not case sensitive. It replaces the object ID or tenant domain in the URL. When the alias is used, Graph API derives the tenant from the claims presented in the token attached to the request. The following URL shows how to address the users resource collection of a tenant using this alias:
https://graph.windows.net/myorganization/users?api-version=1.6.
I hope this puts you on the correct path to resolve most of your issues.
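Added example, not code from the answer above: it demonstrates the two principles the answer states, that a token is scoped to one tenant (the tid claim) and that the myOrganization alias lets the Graph endpoint derive that tenant from the token instead of a tenant spelled out in the URL. The token is a constructed, unsigned sample built inside the block; the tenant ids are placeholders. The Graph base URL is the one quoted in the answer.

```python
import base64
import json

GRAPH = "https://graph.windows.net"   # endpoint quoted in the answer above


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims):
    """Constructed, unsigned token for this example only (alg 'none');
    real tokens are signed and must be validated before they are trusted."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}."


def token_claims(jwt):
    """Read the payload. Diagnostic only: no signature verification, so
    never base an authorization decision on the result."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def users_url(tenant_or_alias):
    """Users collection of a tenant, addressed by id/domain or by alias."""
    return f"{GRAPH}/{tenant_or_alias}/users?api-version=1.6"


def resolve_request_tenant(jwt, url):
    """Which tenant will actually answer this request, and whether the URL's
    tenant segment agrees with the tenant the token was issued for (tid)."""
    tid = token_claims(jwt).get("tid")
    segment = url[len(GRAPH) + 1:].split("/", 1)[0]
    if segment.lower() == "myorganization":
        # Alias: the service derives the tenant from the token's claims.
        return {"tenant": tid, "consistent": True}
    # A tenant id spelled out in the URL must be the token's tenant, otherwise
    # the user object is not present where we query. (Domain names in the
    # URL are not resolved to ids here, so they are reported as inconsistent.)
    return {"tenant": segment, "consistent": segment.lower() == (tid or "").lower()}
```

When a call fails with "user does not exist" or an invalid-domain error, comparing the tid in the token with the tenant named in the URL, as resolve_request_tenant does, tells you immediately whether you obtained the token from the wrong tenant or addressed the wrong one.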
There are issues with sandbox accounts and Azure. Access to the Azure Management Portal for the sandbox isn't straightforward and at this time does not work properly. I had to create a free Azure account with my hotmail account, then link AD from the new account to my sandbox AD to bypass the bug. When adding a new directory to the new Azure account, select "Use existing directory", sign out, then sign into the sandbox account you want to link it to. Then create your app from the new account.
After getting my app setup properly and new credentials, I had to enable pre-consent with the instructions listed at the end of: https://github.com/Microsoft/Partner-Center-Explorer
Lastly, I had to log in to the Graph API with the customer's ID, but with the reseller's credentials.
The scenarios on the Partner Center SDK website include a section "Manage user accounts and assign licenses" under the "Manage customer accounts" section.
These samples include creating users and assigning licenses and a link to a console test app.
As an aside, a new version of the Partner Center SDK has just become available here. It was released on July 5th. While there is no official change history that I can find, I can see that it includes some new classes such as CustomerUser. You may find it easier to use that library rather than hitting the REST API (depending on how much work you've already done).