I developed an Azure web app that was using Azure Active Directory on my subscription for authentication but I am now trying to switch from my test AAD directory to the actual AAD I want to use on another subscription. I am getting the following error:
AADSTS50020: User account 'MyAccount' from external identity provider 'https://sts.windows.net/a26def89-f7e6-4496-b4cb-7ffee9ddbabf/' is not supported for application '025ef17e-9767-4f4e-a1b1-6218491d94ed'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
The tenant ID is correct but the application Client ID is not what I am putting in my App Settings and it's not even the correct Client ID that I am using for this deployment. I have two different Applications added under my Azure Active Directory account and this Client ID belongs to a different one. I do not understand where the site is grabbing this from. After searching my solution I found it embedded in the Web Deploy for a different publishing profile, not the one I have been publishing from. I commented out this reference and unchecked Enable Organizational Authentication when publishing to see if that would change anything and it hasn't.
I am using the standard AAD code that Visual Studio 2015 creates when you create a new MVC application and check to use Work or School accounts that provides the following AppSettings:
<add key="ida:ClientId" value="6b0dde38-55e6-4801-ba14-58708ecb5c06" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:Domain" value="new.domain.imtryingtouse" />
<add key="ida:TenantId" value="a26def89-f7e6-4496-b4cb-7ffee9ddbabf" />
<add key="ida:PostLogoutRedirectUri" value="mysite.azurewebsites.net" />
I have verified through FTP that the correct ClientId in AppSettings is in my web.config on the server but it's not the one being used in that error message.
Any help would be appreciated. Please and thank you.
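The manual search the question describes (hunting through the solution for the place a stale Client ID is coming from) can be automated. The script below is an added example, not code from the question or from Visual Studio: it walks a solution directory, parses every `.config`, `.pubxml` and `.xml` file, collects every GUID stored under a key, name or element whose name contains "ClientId" (so it catches `ida:ClientId` in web.config and its `Web.*.config` transforms as well as a `ClientId` element in a publish profile), and reports which files carry a value other than the one you expect to deploy. The sample solution it builds in a temporary directory is constructed for the demonstration; the `ClientId` element inside the `.pubxml` is an assumed layout, not necessarily the exact element Visual Studio writes, which is why the scan matches on the name rather than on a fixed path.

```python
import os
import re
import tempfile
from xml.etree import ElementTree as ET

# Any setting whose key/name/tag mentions ClientId and whose value is a GUID.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
SCAN_SUFFIXES = (".config", ".pubxml", ".xml")


def scan_file(path):
    """Return [(key, guid)] for every ClientId-like setting in one XML file."""
    hits = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits  # not well-formed XML; nothing to report from it
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the MSBuild/XDT namespace prefix
        key = el.get("key") or el.get("name") or tag
        value = (el.get("value") or (el.text or "")).strip()
        if "clientid" in key.lower() and GUID_RE.fullmatch(value):
            hits.append((key, value.lower()))
    return hits


def scan_tree(root_dir):
    """Map each ClientId GUID found to the files (relative path, key) that carry it."""
    report = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(SCAN_SUFFIXES):
                path = os.path.join(dirpath, name)
                for key, value in scan_file(path):
                    rel = os.path.relpath(path, root_dir)
                    report.setdefault(value, []).append((rel, key))
    return report


def conflicting_ids(report, expected_client_id):
    """Keep only the GUIDs that differ from the one you intend to deploy."""
    expected = expected_client_id.lower()
    return {guid: locs for guid, locs in report.items() if guid != expected}


def build_sample_solution():
    """Constructed sample: web.config with the intended ClientId, a Release
    transform repeating it, and a second publish profile carrying a stale one."""
    base = tempfile.mkdtemp(prefix="aad-scan-")
    profiles = os.path.join(base, "Properties", "PublishProfiles")
    os.makedirs(profiles)
    files = {
        os.path.join(base, "web.config"): """<configuration><appSettings>
  <add key="ida:ClientId" value="6b0dde38-55e6-4801-ba14-58708ecb5c06" />
  <add key="ida:TenantId" value="a26def89-f7e6-4496-b4cb-7ffee9ddbabf" />
</appSettings></configuration>""",
        os.path.join(base, "Web.Release.config"): """<configuration
  xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform"><appSettings>
  <add key="ida:ClientId" value="6b0dde38-55e6-4801-ba14-58708ecb5c06"
       xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
</appSettings></configuration>""",
        # Assumed layout for an organizational-auth publish profile (constructed).
        os.path.join(profiles, "Other.pubxml"): """<Project
  xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><PropertyGroup>
  <ClientId>025ef17e-9767-4f4e-a1b1-6218491d94ed</ClientId>
</PropertyGroup></Project>""",
    }
    for path, text in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


def main():
    solution = build_sample_solution()
    expected = "6b0dde38-55e6-4801-ba14-58708ecb5c06"
    conflicts = conflicting_ids(scan_tree(solution), expected)
    for guid, locs in conflicts.items():
        print(f"unexpected ClientId {guid} in:")
        for rel, key in locs:
            print(f"  {rel}  ({key})")
    return conflicts


if __name__ == "__main__":
    main()
```

Run it against a real solution by replacing `build_sample_solution()` with the path of the checkout; every file that reports a GUID other than the expected one is a candidate for the value that ends up in the deployed configuration.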