0
votes

I want to access a user's Outlook calendar in my Java application. For this, I'm trying to use the Microsoft Graph APIs.

I'm following this tutorial: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-java-webapp whose code is here: https://github.com/Azure-Samples/ms-identity-java-webapp/tree/master/msal-java-webapp-sample

I created an app on portal.microsoft.com with the account type "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

I've created keystore.p12 and copied it to the resources directory.

My application.properties is:

#AAD configuration
aad.clientId=my client id
aad.authority=https://login.microsoftonline.com/my tenant id/
aad.secretKey=my secret key
aad.redirectUriSignin=https://localhost:8443/msal4jsample/secure/aad
aad.redirectUriGraph=https://localhost:8443/msal4jsample/graph/me
aad.msGraphEndpointHost=https://graph.microsoft.com/

#SSL configuration
server.port=8443
server.servlet.session.cookie.secure=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=testCert
server.ssl.key-password=password

When I run the application and access https://localhost:8443, I get the page with Login button. When I click on the Login button, I'm redirected to the page where I can choose among outlook accounts. The URL is:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmsal4jsample%2Fsecure%2Faad&client_id=ca146462-8880-424c-b629-cc7c0d0fb1b3&scope=openid+offline_access+profile&prompt=select_account&state=69a2ac0f-abac-46ad-b525-88f0b70182b7&nonce=9278f424-6858-4e22-bb13-7b13894abda7

When I select an account, I'm getting the following error:

Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application 'ca146462-8880-424c-b629-cc7c0d0fb1b3' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.


I've added the redirect URIs.

Why am I getting the error?

Update:

I changed the authority in application.properties to https://login.microsoftonline.com/common, so now I'm getting the "Pick an account" page. But when I choose an account, I'm getting 403 Forbidden error.

2
Since you are trying to sign in to your Azure AD tenant, is that Outlook account in that Azure AD tenant? If you intend for your app to be multi-tenant, your authority should be https://login.microsoftonline.com/common/v2.0 - juunas
@juunas The Outlook account is not in that Azure AD tenant. I want to access any user's calendar. I changed the authority in application.properties to https://login.microsoftonline.com/common/v2.0/my-tenant-id/, but then I get this error in the browser: No webpage was found for the web address: login.microsoftonline.com/common/v2.0...... - user5155835
Don't add your tenant id there. Set the authority to https://login.microsoftonline.com/common/v2.0 - juunas
@juunas I removed the tenant id from the authority, but I get: https://login.microsoftonline.com/common/v2.0/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=... - user5155835
This was a problem with the tutorial you were following. Due to SameSite updates in some browsers, response_mode needs to be query (instead of form_post). If you try to run the sample again, it should work. - sgonzalez

2 Answers

1
votes

The 403 Forbidden was an issue with the tutorial you were following. Due to SameSite updates in some browsers, response_mode needs to be query (instead of form_post). If you try to run the sample again, it should work.

1
votes

Copying the solution juunas mentioned in the comments:

Just use "common" if the app is multi-tenant: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
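Taken together, the two answers describe the working setup: a multi-tenant authority (the questioner's update confirms https://login.microsoftonline.com/common works) and response_mode=query instead of form_post. The block below is an added example, not code from the question or from the ms-identity-java-webapp sample, showing how those two settings look when building the MSAL4J authorization request and redeeming the returned code. It assumes the msal4j library on the classpath; the client ID, redirect URI and scopes are placeholders (Calendars.Read is assumed for the calendar use case), the secret is read from an environment variable rather than application.properties, and storing state/nonce in the server-side session between the two steps is left to the caller.

```java
import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
import com.microsoft.aad.msal4j.AuthorizationRequestUrlParameters;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.Prompt;
import com.microsoft.aad.msal4j.ResponseMode;

import java.net.URI;
import java.net.URL;
import java.util.Set;
import java.util.UUID;

public class MultiTenantAuthCodeFlow {
    // Placeholders (assumed): replace with the app registration's values.
    static final String CLIENT_ID = "<client-id>";
    // Keep the secret out of application.properties; read it from the environment instead.
    static final String CLIENT_SECRET = System.getenv("AAD_CLIENT_SECRET");
    // "common" accepts work/school accounts from any tenant plus personal Microsoft accounts.
    // A tenant-specific authority rejects accounts that are not members of that tenant,
    // which is the "does not exist in tenant" error from the question.
    static final String AUTHORITY = "https://login.microsoftonline.com/common/";
    static final String REDIRECT_URI = "https://localhost:8443/msal4jsample/secure/aad";
    // Calendars.Read is an assumption for the calendar use case; openid/profile/offline_access match the question.
    static final Set<String> SCOPES = Set.of("openid", "profile", "offline_access", "Calendars.Read");

    static ConfidentialClientApplication app() throws Exception {
        return ConfidentialClientApplication
                .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(CLIENT_SECRET))
                .authority(AUTHORITY)
                .build();
    }

    /**
     * Build the /authorize URL. The caller must keep state and nonce in the server-side
     * session so they can be checked when the browser comes back to REDIRECT_URI.
     */
    static URL authorizationUrl(ConfidentialClientApplication app, String state, String nonce) {
        AuthorizationRequestUrlParameters params = AuthorizationRequestUrlParameters
                .builder(REDIRECT_URI, SCOPES)
                // QUERY makes the response a top-level GET redirect. With FORM_POST the browser
                // POSTs cross-site from login.microsoftonline.com, and browsers that default
                // cookies to SameSite=Lax drop the session cookie on that POST, so the app
                // cannot find the session holding the expected state and answers 403.
                .responseMode(ResponseMode.QUERY)
                .prompt(Prompt.SELECT_ACCOUNT)
                .state(state)
                .nonce(nonce)
                .build();
        return app.getAuthorizationRequestUrl(params);
    }

    /**
     * Redeem the authorization code returned to REDIRECT_URI. The state check is the
     * CSRF defence for the redirect endpoint; do not redeem a code without it.
     */
    static IAuthenticationResult redeem(ConfidentialClientApplication app, String code,
                                        String returnedState, String expectedState) throws Exception {
        if (expectedState == null || !expectedState.equals(returnedState)) {
            throw new SecurityException("state mismatch: possible CSRF or lost session");
        }
        AuthorizationCodeParameters params = AuthorizationCodeParameters
                .builder(code, new URI(REDIRECT_URI))
                .scopes(SCOPES)
                .build();
        return app.acquireToken(params).get();
    }

    public static void main(String[] args) throws Exception {
        ConfidentialClientApplication app = app();
        String state = UUID.randomUUID().toString();
        String nonce = UUID.randomUUID().toString();
        // In the web app these two values go into the HttpSession before redirecting.
        System.out.println("Redirect the browser to: " + authorizationUrl(app, state, nonce));
        // The /secure/aad handler then calls redeem(app, code, stateFromQuery, stateFromSession)
        // and compares the nonce claim of result.idToken() with the nonce kept in the session.
    }
}
```

Two caveats a practitioner would want. First, switching to query moves the authorization code into the URL, so the redirect endpoint must stay on HTTPS (as the question's server.ssl settings do) and the code must be treated as short-lived and single-use, which Azure AD already enforces. Second, the state check above only proves the response belongs to a session this app started; the nonce still has to be compared against the nonce claim inside the returned ID token to tie the token to that same login attempt, and that comparison is the caller's job, not MSAL4J's.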