Next-Auth authentication with Azure AD multi tenant provider failing for external users (Guest Users)
I want to add Azure (Microsoft) authentication to my application along with Google as provider, in order to avoid email and password signup and signing.
Google login is working fine without any issue, whereas for Microsoft it is not working as I am getting the below error:
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'f42685g2-3150-3t37-u4y2-392a0ec2775'(next-auth-dev) in that tenant.
I have created Multi-tenant application in Azure AD by selecting as Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
I have also provided "http://localhost:3000/api/auth/callback/azure-ad" as redirect URI for "Web Platform".
I have done all the things that are mentioned in the documentation of Next-Auth.js "https://next-auth.js.org/providers/azure-ad"
It is able to authenticate only the owner of the account but other than that any external user can not able to go through this process.
After searching, I found that user need to be added as "Guest User" in the Azure AD application, but that is not the intention, any random user can come to my application and get authenticated with "Microsoft (Azure AD)" authentication.
Can someone please help, if I am missing anything or if my understanding is not correct.
Created an Azure AD Multi-Tenant Application:
For sample, I used the below endpoint to authorize users:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/user.read
&state=12345
Now when I tried to authenticate the external user, I got the same error:
The error usually occurs if you are passing TenantID while authorizing the users.
To resolve the error, make sure to pass common authorize endpoint.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/user.read
&state=12345
By passing the common authorize endpoint, the external user authenticated successfully:
The External user redirected to the page:
Modify your code like below:
AZURE_AD_CLIENT_ID=ClientID
AZURE_AD_CLIENT_SECRET=ClientSecret
AZURE_AD_TENANT_ID=common
References:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
AADSTS50020: User account does not exist in tenant - Stack Overflow by Allen Wu
- Why does process.env.BACKEND_URL log undefined in the console but display correctly in a button in my Next.js app?
- Err Only plain objects, and a few built-ins, can be passed to Client Components from Server Components. Classes or null prototypes are not supported
- Text Stroke (-webkit-text-stroke) css Problem
- Tailwindcss not working with next.js; what is wrong with the configuration?
- PrismJS package not automatically highlighting markdown
- Run of a next js app stuck, npm run dev doesn't work
- how to rate limit next.js server actions?
- Comparing statically imported image file vs. path string for NextJS Image component
- localhost:300/api is not working : "This page isn’t working"
- Vercel error | ENOENT: no such file or directory
- How to use different .env files with nextjs?
- TypeScript "No overload matches this call"
- How to access FastAPI backend from a different machine/IP on the same local network?
- Pass data from server action to server component
- Using Web Crypto API in NextJS, but getting error 'crypto is not defined'
- Nextjs MDX doesn't show strikethrough in App Router
- React Loader Spinner color not change
- Fetching Next.js API Route in the app directory gives 404 Not Found
- Update react context without refreshing page on state update
- Create a zip file from an array of png files
- production server can't pass npm run build
- Rewrite rule not working in NextJS Config
- Next-auth redirect to localhost in my login page
- How to test a component rendered using React.createportal?
- Nodemailer in vercel not sending email in production
- Next.js Application error: a client-side exception has occurred (see the browser console for more information)
- Next 14 Hydration failed error on my custom stroke text component
- want to make custom toolbar work using apexcharts
- Next auth middleware { default } is not working
- I want change favicon.ico in nextjs