I want to add Azure (Microsoft) authentication to my application along with Google as provider, in order to avoid email and password signup and signing.
Google login is working fine without any issue, whereas for Microsoft it is not working as I am getting the below error:
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'f42685g2-3150-3t37-u4y2-392a0ec2775'(next-auth-dev) in that tenant.
I have created a Multi-tenant application in Azure AD by selecting "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
I have also provided "http://localhost:3000/api/auth/callback/azure-ad" as redirect URI for "Web Platform".
I have done all the things that are mentioned in the documentation of Next-Auth.js "https://next-auth.js.org/providers/azure-ad"
It is able to authenticate only the owner of the account; no other external user is able to go through this process.
After searching, I found that users need to be added as "Guest User" in the Azure AD application, but that is not the intention: any random user should be able to come to my application and get authenticated with "Microsoft (Azure AD)" authentication.
Can someone please help if I am missing anything or if my understanding is not correct?
Created an Azure AD Multi-Tenant Application:
For example, I used the below endpoint to authorize users:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/user.read
&state=12345
Now when I tried to authenticate the external user, I got the same error:
The error usually occurs if you are passing the TenantID while authorizing the users.
To resolve the error, make sure to use the common authorize endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/user.read
&state=12345
By using the common authorize endpoint, the external user authenticated successfully.
The external user was redirected to the page:
Modify your code like below:
AZURE_AD_CLIENT_ID=ClientID
AZURE_AD_CLIENT_SECRET=ClientSecret
AZURE_AD_TENANT_ID=common
References:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
AADSTS50020: User account does not exist in tenant - Stack Overflow by Allen Wu