Sign in to web application with Microsoft
I have a nextjs app that allows users to sign in with Microsoft (using nextauth). I registered the app in AzureAD and everything works alright. But if I try to with any Microsoft account which is not registered in my organization, I get this error:
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'orgdomain.com' and cannot access the application 'at0293-9999-999c-9999c-99999c9a299'(MyAppName) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I want any Microsoft account to have access to the app. They don't have to be in my organization. I have set the supported account types to "All Microsoft Account User" but that didn't fix it. I still have to explicitly add accounts to my organization before they can sign in. Is there any way around this?
Note that: To authenticate multi-tenant users and the Microsoft account users, you have to create Azure Ad application by selecting "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" option and the Sign-in URL must be
https://login.microsoftonline.com/common/Refer this MsDoc.
I registered a multi-tenant application:
For sample, to authorize users I used below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/user.read
&state=12345
When I tried to sign-in as Microsoft account user, I got the same error as below:
To resolve the error, pass common authorize endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/user.read
&state=12345
The Microsoft account user signed-in successfully:
Pass common as the value for tenantid in your code:
AZURE_AD_CLIENT_ID=ClientID
AZURE_AD_CLIENT_SECRET=ClientSecret
AZURE_AD_TENANT_ID=common
Reference:
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?