
I am working on an app that manages azure resources for customers (provision VMs, create VNets).

We have created a multi-tenant application in the azure portal that is configured for Delegated permissions of Windows Azure Service Management API and Windows Azure Active Directory.

We are able to log in with an AAD-based account without a problem. But when a live.com-based account logs in, the user gets an AADSTS50020 error.

For the login, we are navigating to https://login.microsoftonline.com/common/OAuth2/Authorize with the following parameters:

client_id=XXX&response_mode=query&response_type=code&redirect_uri=XXX&prompt=consent

Here is the full error message:

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'XXX' and cannot access the application 'xxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Are you using the AAD v1 or v2 endpoints? I believe you'll need to be using the v2 endpoint if you want to surface prompt=consent for personal accounts. (Dmitry Pimenov)
@michael-sabin: Did you solve this? I have the same issue. (user3624833)
It looks like there is now a way to support live.com accounts, but I haven't tried it because it enforces URL validation that restricts some of the redirect URLs I use. The other workaround would be to ask the user to enter their tenant id, and then use that in the URL instead of common. (Michael Sabin)
@MichaelSabin that is actually not true, see my answer below. (LukeSolar)

1 Answer


You need to use the v2 endpoints in order to allow access from personal Microsoft accounts. I ran into the same problems using the v1 endpoint.

Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

For example:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=ffffff-1111-2222-3333-37fd4f8c20ee
    &response_type=id_token
    &redirect_uri=http://localhost:8080/login/microsoft/callback
    &response_mode=form_post
    &prompt=consent
    &scope=openid
    &state=12345
    &nonce=RandomGUI

Good luck
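As an added example (not code from the original question or answer), the following Python builds the v2.0 authorization request the answer describes, with the two parameters that matter for security filled in properly: a random state (bound to the user's session and checked on the callback to stop CSRF and login confusion) and a random nonce (which must reappear in the id_token to stop replay). It also shows how a form_post callback should be checked, including how an AADSTS error such as the one in the question comes back. The client_id, redirect_uri and callback forms are constructed placeholders; the v1 template is included only to show the path difference between the two endpoints.

```python
"""Build a Microsoft identity platform v2.0 authorization request and check
the form_post callback.  Example code added to this page; client_id,
redirect_uri and the callback forms are constructed placeholders."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# v1 (/common/oauth2/authorize) rejects personal accounts with AADSTS50020;
# v2 (/common/oauth2/v2.0/authorize) is the one that accepts them.
V1_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"
V2_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(client_id, redirect_uri, scopes=("openid",),
                        tenant="common", version=2, prompt="consent"):
    """Return (url, state, nonce) for an OIDC implicit id_token request.

    state and nonce come from the secrets module; the caller must store both
    in the user's session so the callback can be tied back to this request.
    """
    template = V2_AUTHORIZE if version == 2 else V1_AUTHORIZE
    state = secrets.token_urlsafe(32)   # anti-CSRF binding of the callback
    nonce = secrets.token_urlsafe(32)   # must be echoed in the id_token claims
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,    # urlencode percent-encodes this value
        "response_mode": "form_post",    # token arrives in a POST body, not the URL
        "prompt": prompt,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return template.format(tenant=tenant) + "?" + urlencode(params), state, nonce


def authorize_params(url):
    """Split an authorization URL into (host, path, {param: value})."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.netloc, parts.path, query


def check_callback(form, expected_state):
    """Validate the POSTed callback form.

    Returns a dict with ok, id_token, error_code and message.  A state
    mismatch is reported as error_code "state_mismatch"; an Azure AD error is
    reported with its AADSTS code (parsed from error_description) when present,
    otherwise with the OAuth2 'error' value.
    """
    if form.get("state") != expected_state:
        return {"ok": False, "id_token": None, "error_code": "state_mismatch",
                "message": "callback state does not match this session"}
    if "error" in form:
        desc = form.get("error_description", "")
        code = desc.split(":", 1)[0] if desc.startswith("AADSTS") else form["error"]
        return {"ok": False, "id_token": None, "error_code": code, "message": desc}
    if "id_token" not in form:
        return {"ok": False, "id_token": None, "error_code": "missing_token",
                "message": "no id_token in callback"}
    # Next step (not shown): validate the JWT signature, issuer, audience and
    # that its nonce claim equals the nonce stored with this state.
    return {"ok": True, "id_token": form["id_token"], "error_code": None,
            "message": ""}


if __name__ == "__main__":
    url, state, nonce = build_authorize_url(
        "ffffff-1111-2222-3333-37fd4f8c20ee",
        "http://localhost:8080/login/microsoft/callback")
    print(url)
    # Constructed callback resembling the v1 failure quoted in the question.
    failed = {"state": state, "error": "access_denied",
              "error_description": "AADSTS50020: User account from identity "
                                   "provider 'live.com' does not exist in tenant"}
    print(check_callback(failed, state))
```

Besides moving to the v2.0 endpoint, the app registration itself must be configured to accept personal Microsoft accounts (the "supported account types" setting), or the same sign-in is rejected there instead.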