Tags: azure, azure-active-directory, azure-ad-msal, azure-authentication

Unable to use tenant-specific endpoint when authenticating personal MS accounts using Azure AD


We would like our customers to be able to authenticate using either personal or work accounts. We have set up a separate AD in Azure to which customers are invited which should grant them access to our application.

In the ASP.NET Core application https://login.microsoftonline.com/{myTenantID}/v2.0 is used as authentication endpoint. A client id and secret from an application registered in the preview app registration through the portal is provided with the request. Authenticating our work accounts works smoothly, but when attempting to authenticate most personal accounts an error message is returned: An error was encountered while handling the remote login. AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.

Should it not be possible to authenticate a MSA using a tenant-specific endpoint (only /common)?

Similar problem: Azure AD B2B Authentication error for users with custom domains - AADSTS65005: Using application 'My Application' is currently not supported

Also, this comment points out that authenticating MSAs in multi-tenant apps will not work, however, ours should be single-tenant: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims/issues/10#issuecomment-145125080


Solution

  • You need to use common endpoint if you are targeting both B2C and B2B using v2 endpoint for both work and personal emails to be able to call Azure AD protected endpoints.
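The configuration the answer describes, as an added example that is not code from the question or the answer: an ASP.NET Core OpenID Connect setup pointed at the `/common` v2.0 authority instead of `/{myTenantID}/v2.0`. Because the `/common` metadata document does not pin a single issuer, the framework's default issuer check cannot be relied on, so the example supplies an `IssuerValidator` that only accepts tokens issued by the tenant the customers were invited into. The tenant id, client id and client secret are placeholders, and the `AllowedTenantId` constant and `ValidateIssuer` helper are this example's own names.

```csharp
// Added example (not from the question or the answer): ASP.NET Core OpenID Connect
// configuration using the /common v2.0 authority, with issuer validation restricted
// to one tenant. Tenant id, client id and secret below are placeholders.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AuthSetup
{
    // Placeholder: the id of the Azure AD tenant that customers are invited into.
    private const string AllowedTenantId = "00000000-0000-0000-0000-000000000000";

    public static void ConfigureAuth(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // /common rather than /{tenantId}: the tenant-specific v2.0 endpoint rejects
            // MSA guest token redemption (the AADSTS50020 error from the question).
            options.Authority = "https://login.microsoftonline.com/common/v2.0";
            options.ClientId = "<client-id>";          // placeholder
            options.ClientSecret = "<client-secret>";  // placeholder
            options.ResponseType = "code";

            // With /common the metadata document names no single issuer, so the default
            // issuer check cannot pin the tenant. Supply a validator that does.
            options.TokenValidationParameters.IssuerValidator = ValidateIssuer;
        });
    }

    // Accept only tokens whose issuer is the tenant we invited customers into;
    // any other tenant's token is rejected even though /common would mint it.
    public static string ValidateIssuer(string issuer, SecurityToken token,
                                        TokenValidationParameters parameters)
    {
        var expected = $"https://login.microsoftonline.com/{AllowedTenantId}/v2.0";
        if (string.Equals(issuer, expected, StringComparison.OrdinalIgnoreCase))
        {
            return issuer;
        }

        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not the allowed tenant.")
        {
            InvalidIssuer = issuer
        };
    }
}
```

Call `AuthSetup.ConfigureAuth(services)` from `Startup.ConfigureServices` (or the `WebApplicationBuilder` services collection). The point of the validator is that switching to `/common` widens who can obtain a token for the app; restricting the issuer back to the invited tenant keeps the effective access the same as with the tenant-specific endpoint while letting invited MSA guests redeem their tokens.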