How do I add an initial User to a new Tenant in the Azure Portal? - azure

I am trying to set up a new Web Application in Visual Studio using Microsoft authentication.
I have created a new Tenant in portal.azure.com. My issue is, every page I visit in the Azure Portal, including my profile, I receive a 403 error.
The only function I am able to perform is creating a new App Registration.
When I try to authenticate in the Web Application, I receive the error "Selected user account does not exist in tenant".
I am confused with how to add the account that created the Tenant to it without the required permissions.
Does anybody know how I can go about resolving this issue?
TIA.

The error means that the logged-in email address you are trying to use to link is not yet added to your new tenant. Please make sure that the work email address is added in that tenant, if it is not the admin.
If you have added the account to the tenant, or you are the admin yourself, please refresh and try again.
Sign out and clear all cookies.
Try using a Microsoft Edge "InPrivate"/Incognito browser, check that you are signing into the correct tenant, then switch the tenant and try to access the app.
If you have the same account matching your personal account, try to change it and add it as a Microsoft account.
Try to log in with the common endpoint https://login.microsoftonline.com/common, if it is a personal account and the app is multitenant.
If the above doesn't solve the issue, see this document, which lists several causes, to find yours.
References:
azure active directory - Selected user account does not exist in tenant 'UserVoice, Inc.' - Stack Overflow
azure - Microsoft Graph Identity Java - Selected user account does not exist in tenant 'Microsoft Services' - Stack Overflow

Related

Authentication issues when trying to register new app in Azure Active Directory

I want to access the Outlook API with a Python application. I followed this guide but quickly ran into authentication issues. Tried it with my existing private Microsoft account and with a newly created account, but ran into authentication issues quickly. Whenever I try to do anything in the portal, I get this message:
Already checked in with the general Microsoft support. They directed me towards Azure support, but I can't reach anybody there.
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Microsoft personal account is not added as an external/guest user to an Azure AD tenant.
To resolve the error, contact the Global admin to invite the account as a guest user like below:
Once the admin invites, you will get an email notification to accept the invitation like below:
After accepting the invite, the Personal Microsoft account will be added to the tenant successfully like below:
And now you will be able to access the Azure Portal without any issue and you can also create your own tenant to have admin access.
If still the issue persists, try the below:
Sign out from the active session and sign in incognito window or any different browser.
Clear browser cache and cookies and try.
Confirm whether the admin has set any External user settings that are restricting access:
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
When looking into the Build Python apps with Microsoft Graph tutorial that you followed, one of the prerequisites mentioned signing up for the Microsoft 365 Developer Program to get a free Microsoft 365 subscription. After you sign up, you'll need to use the Microsoft 365 developer sandbox credentials in order to continue following the tutorial without having to leverage your own Azure AD tenant or subscription (pay-as-you-go).
Build Python apps with Microsoft Graph:
Join the Microsoft 365 Developer Program
Deploy the Developer Sandbox
Using the Microsoft 365 Developer subscription(s) info you'll be able to log in to the Azure Portal or Azure Active Directory admin center.
Note: You can navigate to your developer tenant using https://aad.portal.azure.com/<<SandboxTenantName>>.onmicrosoft.com, or, when prompted to sign in, use your sandbox's admin account.
If you only signed up for a new personal Microsoft account (Outlook), you'll notice that once you sign into the Azure AD Admin Center, your Outlook.com user isn't associated with any Azure tenants, and you'll run into the authentication issue error message that you referenced, so you'll have to create your own Azure AD tenant by signing up for an Azure Free Trial or Pay-as-you-go.
I hope this helps!

Log-in via Microsoft for personal AND for any Azure ADs

I have created a webapp on Azure and have set the authentication mode to:
"Accounts in any organizational directory (Any Azure AD directory -
Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use
your application or API. This includes Office 365 subscribers."
It works perfectly for me and my colleagues, and it works also for personal Microsoft accounts.
I am now trying to log in users on a different Azure AD, but these cannot log in. Here is the login log of an attempt taken from their AD. A similar message was displayed to the user onscreen:
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
The sole purpose of the webapp is to get an Azure/MS-verified email address of the user and perform a lookup in a user database.
Preferably this should be achieved without needing the "other Azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
This error usually occurs for many reasons. Please check whether the points below are helpful:
Case 1:
Please check if your sign-in URL is something like this:
https://login.microsoftonline.com/<tenant_id>/
If it is like that, you may get the error because you selected this option: “Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)” and users from other organizations can't access the application.
To resolve that error, try changing the sign-in URL to
https://login.microsoftonline.com/common
Apply this URL value to the Authority setting in your application code.
To know how to do that in detail, go through this link.
Case 2:
There is also a possibility that the user already has an active session signed in using a different personal account other than Microsoft. To confirm this scenario, check the User Account and Identity Provider values in the error message.
To resolve that error, inform the user to sign out from their active session and sign in again from a different browser or a private browser session. Otherwise ask them to clear the cookies and cache and sign in afresh.
If the error still isn't resolved, please go through the reference below to see if it helps.
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs
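An added example (not code from any of the answers above) that puts the two cases in working Python: it builds the Authority value for each supported-account-types choice, builds the v2.0 authorize URL that a later answer recommends over the v1 endpoint, and triages a captured AADSTS50020 message against the authority the app was configured with. The audience labels, the sample error text and the all-zero application ID are constructed for this example.

```python
import re
from urllib.parse import urlencode, urlparse

AAD = "https://login.microsoftonline.com"

# "Supported account types" choice in the app registration -> v2.0 authority tenant segment.
AUTHORITY_SEGMENT = {
    "single_tenant": None,                  # replaced by the tenant ID
    "multitenant": "organizations",         # any Azure AD directory
    "multitenant_and_personal": "common",   # any Azure AD directory + personal Microsoft accounts
}

def authority_for(audience, tenant_id=None):
    """Return the value the app's Authority setting should hold for this audience."""
    seg = AUTHORITY_SEGMENT[audience] or tenant_id   # single-tenant apps use their tenant ID
    if not seg:
        raise ValueError("single-tenant apps need the tenant ID")
    return f"{AAD}/{seg}"

def authorize_url(authority, client_id, redirect_uri, scopes):
    """Build the v2.0 authorize URL (the v1 /oauth2/authorize endpoint cannot sign in personal accounts)."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"

# Matches the AADSTS50020 text quoted in this thread and pulls out the values used for triage.
ERR_RE = re.compile(r"AADSTS50020: User account '(?P<email>[^']+)' from identity provider "
                    r"'(?P<idp>[^']+)' does not exist in tenant '(?P<tenant>[^']+)'")

# Constructed sample error (not a real sign-in log); the application ID is a placeholder.
SAMPLE_ERROR = ("AADSTS50020: User account 'joe@example.com' from identity provider 'live.com' "
                "does not exist in tenant 'Default Directory' and cannot access the application "
                "'00000000-0000-0000-0000-000000000000'(ADIbizaUX) in that tenant.")

def diagnose_aadsts50020(error_text, configured_authority):
    """Map a captured AADSTS50020 message plus the configured authority to the cases above."""
    m = ERR_RE.search(error_text)
    if not m:
        return None
    found = m.groupdict()
    seg = urlparse(configured_authority).path.strip("/").split("/")[0]
    if seg not in ("common", "organizations", "consumers"):
        found["cause"] = "tenant_specific_authority"  # Case 1: only this tenant's own users can sign in
        found["fix"] = f"set Authority to {AAD}/common, or invite {found['email']} as a guest"
    elif found["idp"] == "live.com":
        found["cause"] = "personal_account_session"   # Case 2: a personal account is already signed in
        found["fix"] = "sign out / use a private window, or add the account as an external user"
    else:
        found["cause"] = "external_user_missing"      # work account from another directory, not invited
        found["fix"] = f"invite {found['email']} from {found['idp']} as a guest user"
    return found
```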

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account and removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins, but no one can access that page or find the application using the ID it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made to Azure portal app registration:
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered through the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID, you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document.
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
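The restore this thread arrives at, as an added example rather than the thread's own PowerShell: it uses the Microsoft Graph v1.0 deletedItems endpoints (list soft-deleted users, then POST .../restore) with the HTTP transport passed in as a parameter, so the lookup-and-restore logic can be exercised offline against a fake. The token, UPN and helper names are this example's own.

```python
import json
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_call(send, token, method, path, body=None):
    """One Graph request via send(request) -> (status, bytes); the transport is injected so tests run offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(f"{GRAPH}{path}", data=data, method=method,
                  headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    status, raw = send(req)
    if status >= 300:
        raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
    return json.loads(raw) if raw else {}

def find_deleted_user(send, token, upn):
    """Return the soft-deleted user (restorable for 30 days) whose UPN matches, or None."""
    page = graph_call(send, token, "GET",
                      "/directory/deletedItems/microsoft.graph.user?$select=id,userPrincipalName")
    for u in page.get("value", []):
        # Deleted users can be listed with the object ID prefixed to the UPN, so match on the suffix.
        if u.get("userPrincipalName", "").lower().endswith(upn.lower()):
            return u
    return None

def restore_user(send, token, upn):
    """Restore the deleted user in place (rather than recreating it) so its owned objects come back."""
    user = find_deleted_user(send, token, upn)
    if user is None:
        raise LookupError(f"{upn} not found in deletedItems (already restored, or past the 30-day window)")
    return graph_call(send, token, "POST", f"/directory/deletedItems/{user['id']}/restore")

def urllib_send(req):
    """Real transport (urllib); pass this as `send` when running against a tenant."""
    with urlopen(req) as resp:
        return resp.status, resp.read()
```

The access token must carry a directory write permission such as Directory.ReadWrite.All for the restore call to succeed; a 403 surfaces as the RuntimeError above rather than a silent miss.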

How to add Azure AD Application using application identifier

I am having difficulty logging in to a Microsoft site using my Azure AD (Work) account.
After successfully authenticating, I get the error:
AADSTS700016: Application with identifier '3075c070-b4d6-4bba-88c3-bcc51c74a2f4' was
not found in the directory '{my-directory}'. This can happen if the
application has not been installed by the administrator of the tenant
or consented to by any user in the tenant. You may have sent your
authentication request to the wrong tenant.
I have gone into my Azure AD tenant and searched for an application with that Id so I can add it, but it returns no results.
I am able to authenticate if I use an account that has a Microsoft Account, however, when I get to the Microsoft page, I get an error saying I need to log in using the same email account that the account was registered under.
Unfortunately, the work account I need to use does not have an associated Microsoft Account.
I think a solution to this would be to add the Application into my tenant, but not sure how to find the application with ID only.
I am afraid that you cannot add the application into your tenant manually. When you successfully log in to this application, it will exist in your tenant under Enterprise applications.
But it seems that this application only allows Microsoft accounts to log in.

Can't authenticate Azure Web App with Azure AD. What am I doing wrong?

We are a teeny tiny startup. We were in Bizspark, which has now expired, but we all still have our MSDN accounts at the free level. I have commented our product code, run JsDoc3 on it to generate a documentation website. I put up a free level Web App on Azure. Works fine unauthenticated. I figured I'd throw together a small AD for the few of us in there with our Microsoft accounts, set the authentication of the app to the AD and pow, good to go. It would ask us to log in with our Microsoft accounts and all would be fine. Only we would be able to see the site with our internal code documentation. Seemed to work for me since I created everything. But everyone else I put into the AD can't authenticate. We get this error:
"AADSTS50020: User account 'joe#ourdomain.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'app-id-key' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
I have no idea. I've never used AD before. This is so common, I figure it must be the simplest use-case. I must be missing something stupid. All of my googling and searching Stack Exchange isn't finding me the answer though. Can someone please help me figure this out?
Thanks in advance for your help.
Please ensure you have added the external account successfully in your Azure AD tenant. In my testing, if I hadn't added the external account, I would get the same error message as yours.
To add an existing Microsoft account to an Azure AD tenant, you could follow the steps below:
In the classic portal, click Users in your Azure AD tenant.
Click the [Add User] button and choose type: User with an existing Microsoft account:
After it is added, you will find the added Microsoft account in the Azure AD tenant like this:
In addition, there are some limitations of Azure AD external users; for example, external users can't consent to multi-tenant applications in directories outside of their home directory. You could click here to know more about external users in Azure AD.