| title | description | ms.date | author | ms.author | ms.editor | ms.reviewer | ms.service | ms.subservice | keywords |
|---|---|---|---|---|---|---|---|---|---|
|
Error AADSTS50020 — User account from identity provider does not exist in tenant |
Troubleshoot scenarios in which a guest user unsuccessfully tries to sign in to the resource tenant and error code AADSTS50020 is returned. |
04/15/2022 |
DennisLee-DennisLee |
v-dele |
v-jsitser |
rrajan,haelshab,sungow |
active-directory |
app-mgmt |
Error AADSTS50020 — User account from identity provider does not exist in tenant
This article helps you troubleshoot error code AADSTS50020 that’s returned if a guest user from an identity provider (IdP) can’t sign in to a resource tenant in Azure Active Directory (Azure AD).
Symptoms
When a guest user tries to access an application or resource in the resource tenant, the sign-in fails, and the following error message is displayed:
AADSTS50020: User account ‘user@domain.com’ from identity provider {IdentityProviderURL} does not exist in tenant {ResourceTenantName}.
When an administrator reviews the sign-in logs on the home tenant, a «90072» error code entry indicates a sign-in failure. The error message states:
User account {email} from identity provider {idp} does not exist in tenant {tenant} and cannot access the application {appId}({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Cause 1: Used unsupported account type (multitenant and personal accounts)
If your app registration is set to a single-tenant account type, users from other directories or identity providers can’t sign in to that application.
Solution: Change the sign-in audience setting in the app registration manifest
To make sure that your app registration isn’t a single-tenant account type, perform the following steps:
-
In the Azure portal, search for and select App registrations.
-
Select the name of your app registration.
-
In the sidebar, select Manifest.
-
In the JSON code, find the signInAudience setting.
-
Check whether the setting contains one of the following values:
- AzureADandPersonalMicrosoftAccount
- AzureADMultipleOrgs
- PersonalMicrosoftAccount
If the signInAudience setting doesn’t contain one of these values, re-create the app registration by having the correct account type selected. You currently can’t change signInAudience in the manifest.
For more information about how to register applications, see Quickstart: Register an application with the Microsoft identity platform.
Cause 2: Used the wrong endpoint (personal and organization accounts)
Your authentication call must target a URL that matches your selection if your app registration’s supported account type was set to one of the following values:
-
Accounts in any organizational directory (Any Azure AD directory — Multitenant)
-
Accounts in any organizational directory (Any Azure AD directory — Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
-
Personal Microsoft accounts only
If you use https://login.microsoftonline.com/<YourTenantNameOrID>, users from other organizations can’t access the application. You have to add these users as guests in the tenant that’s specified in the request. In that case, the authentication is expected to be run on your tenant only. This scenario causes the sign-in error if you expect users to sign in by using federation with another tenant or identity provider.
Solution: Use the correct sign-in URL
Use the corresponding sign-in URL for the specific application type, as listed in the following table:
| Application type | Sign-in URL |
|---|---|
| Multitenant applications | https://login.microsoftonline.com/organizations |
| Multitenant and personal accounts | https://login.microsoftonline.com/common |
| Personal accounts only | https://login.microsoftonline.com/consumers |
In your application code, apply this URL value in the Authority setting. For more information about Authority, see Microsoft identity platform application configuration options.
Cause 3: Signed in to the wrong tenant
When users try to access your application, either they’re sent a direct link to the application, or they try to gain access through https://myapps.microsoft.com. In either situation, users are redirected to sign in to the application. In some cases, the user might already have an active session that uses a different personal account than the one that’s intended to be used. Or they have a session that uses their organization account although they intended to use a personal guest account (or vice versa).
To make sure that this scenario is the issue, look for the User account and Identity provider values in the error message. Do those values match the expected combination or not? For example, did a user sign in by using their organization account to your tenant instead of their home tenant? Or did a user sign in to the live.com identity provider by using a different personal account than the one that was already invited?
Solution: Sign out, then sign in again from a different browser or a private browser session
Instruct the user to open a new in-private browser session or have the user try to access from a different browser. In this case, users must sign out from their active session, and then try to sign in again.
Cause 4: Guest user wasn’t invited
The guest user who tried to sign in was not invited to the tenant.
Solution: Invite the guest user
Make sure that you follow the steps in Quickstart: Add guest users to your directory in the Azure portal to invite the guest user.
Cause 5: App requires user assignment
If your application is an enterprise application that requires user assignment, error AADSTS50020 occurs if the user isn’t on the list of allowed users who are assigned access to the application. To check whether your enterprise application requires user assignment:
-
In the Azure portal, search for and select Enterprise applications.
-
Select your enterprise application.
-
In the sidebar, select Properties.
-
Check whether the Assignment required option is set to Yes.
Solution: Assign access to users individually or as part of a group
Use one of the following options to assign access to users:
-
To individually assign the user access to the application, see Assign a user account to an enterprise application.
-
To assign users if they’re a member of an assigned group or a dynamic group, see Manage access to an application.
Cause 6: Tried to use a resource owner password credentials flow for personal accounts
If a user tries to use the resource owner password credentials (ROPC) flow for personal accounts, error AADSTS50020 occurs. The Microsoft identity platform supports ROPC only within Azure AD tenants, not personal accounts.
Solution: Use an endpoint that’s specific to the tenant or organization
Use a tenant-specific endpoint (https://login.microsoftonline.com/<TenantIDOrName>) or the organization’s endpoint. Personal accounts that are invited to an Azure AD tenant can’t use ROPC. For more information, see Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials.
Cause 7: A previously deleted user name was re-created by the home tenant administrator
Error AADSTS50020 might occur if the name of a guest user who was deleted in a resource tenant is re-created by the administrator of the home tenant. To verify that the guest user account in the resource tenant isn’t associated with a user account in the home tenant, use one of the following options:
Verification option 1: Check whether the resource tenant’s guest user is older than the home tenant’s user account
The first verification option involves comparing the age of the resource tenant’s guest user against the home tenant’s user account. You can make this verification by using Microsoft Graph or MSOnline PowerShell.
Microsoft Graph
Issue a request to the MS Graph API to review the user creation date, as follows:
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/createdDateTime
Then, check the creation date of the guest user in the resource tenant against the creation date of the user account in the home tenant. The scenario is confirmed if the guest user was created before the home tenant’s user account was created.
MSOnline PowerShell
[!NOTE]
The MSOnline PowerShell module is set to be deprecated.
Because it’s also incompatible with PowerShell Core, make sure that you’re using a compatible PowerShell version so that you can run the following commands.
Run the Get-MsolUser PowerShell cmdlet to review the user creation date, as follows:
Get-MsolUser -SearchString user@contoso.com | Format-List whenCreated
Then, check the creation date of the guest user in the resource tenant against the creation date of the user account in the home tenant. The scenario is confirmed if the guest user was created before the home tenant’s user account was created.
Verification option 2: Check whether the resource tenant’s guest alternative security ID differs from the home tenant’s user net ID
[!NOTE]
The MSOnline PowerShell module is set to be deprecated.
Because it’s also incompatible with PowerShell Core, make sure that you’re using a compatible PowerShell version so that you can run the following commands.
When a guest user accepts an invitation, the user’s LiveID attribute (the unique sign-in ID of the user) is stored within AlternativeSecurityIds in the key attribute. Because the user account was deleted and created in the home tenant, the NetID value for the account will have changed for the user in the home tenant. Compare the NetID value of the user account in the home tenant against the key value that’s stored within AlternativeSecurityIds of the guest account in the resource tenant, as follows:
-
In the home tenant, retrieve the value of the
LiveIDattribute using theGet-MsolUserPowerShell cmdlet:Get-MsolUser -SearchString tuser1 | Select-Object -ExpandProperty LiveID -
In the resource tenant, convert the value of the
keyattribute withinAlternativeSecurityIdsto a base64-encoded string:[convert]::ToBase64String((Get-MsolUser -ObjectId 01234567-89ab-cdef-0123-456789abcdef ).AlternativeSecurityIds.key) -
Convert the base64-encoded string to a hexadecimal value by using an online converter (such as base64.guru).
-
Compare the values from step 1 and step 3 to verify that they’re different. The
NetIDof the user account in the home tenant changed when the account was deleted and re-created.
Solution: Reset the redemption status of the guest user account
Reset the redemption status of the guest user account in the resource tenant. Then, you can keep the guest user object without having to delete and then re-create the guest account. You can reset the redemption status by using the Azure portal, Azure PowerShell, or the Microsoft Graph API. For instructions, see Reset redemption status for a guest user.
[!INCLUDE Azure Help Support]
Microsoft Teams is indispensable in our work life these days. Nothing is more annoying than an error message like ‘aadsts50020’, when you need Microsoft Teams the most.
Tech Support 24/7
Ask a Tech Specialist Online
Connect with the Expert via email, text or phone. Include photos, documents, and more. Get step-by-step instructions from verified Tech Support Specialists.
On this page, you will find more information about the most common causes and most relevant solutions for the Microsoft Teams error ‘aadsts50020’. Do you need help straight away? Visit our support page.
Error information
How to solve Microsoft Teams error aadsts50020
We’ve created a list of solutions which you can follow if you want to solve this Microsoft Teams problem yourself. Do you need more help? Visit our support page if you need professional support with Microsoft Teams right away.
Tech Support 24/7
Ask a Tech Specialist Online
Connect with the Expert via email, text or phone. Include photos, documents, and more. Get step-by-step instructions from verified Tech Support Specialists.
Have you found a solution yourself, but it is not in the list? Share your solution in the comments below.
Need more help?
Do you need more help?
Tech experts are ready to answer your questions.
Ask a question
- Remove From My Forums
-
Вопрос
-
Hi Team,
I am working on Asp.net based application and try to configuring single sign on with multi Tenant domain login but not working.
Error Message:
AADSTS50020: User account ‘abc@outlook.com’ from identity provider ‘live.com’ does not exist in tenant ‘xyz’ and cannot access the application ‘1b4fd1d3-2255-4318-af43-b2d813405280’ in that tenant. The account needs to be added as an external user in the
tenant first. Sign out and sign in again with a different Azure Active Directory user account.kindly look into this case.
Thanks in advance.
Ответы
-
I was having the same problem, my issue is fixed after changing Tenant ID value from specific tenant ID to ‘common’ in OAuth service provider connection settings in Azure portal for Bot Configuration.
My app is asp.net bot, but if your app is UWP, you need to pass right AadAuthorityAudience value to MSAL call in your code , it should be 2 or 3.
//
// Summary:
// Specifies which Microsoft accounts can be used for sign-in with a given application.
// See https://aka.ms/msal-net-application-configuration
public enum AadAuthorityAudience
{
//
// Summary:
// The sign-in audience was not specified
None = 0,
//
// Summary:
// Users with a Microsoft work or school account in my organization’s Azure AD tenant
// (i.e. single tenant). Maps to https://[instance]/[tenantId]
AzureAdMyOrg = 1,
//
// Summary:
// Users with a personal Microsoft account, or a work or school account in any organization’s
// Azure AD tenant Maps to https://[instance]/common/
AzureAdAndPersonalMicrosoftAccount = 2,
//
// Summary:
// Users with a Microsoft work or school account in any organization’s Azure AD
// tenant (i.e. multi-tenant). Maps to https://[instance]/organizations/
AzureAdMultipleOrgs = 3,
//
// Summary:
// Users with a personal Microsoft account. Maps to https://[instance]/consumers/
PersonalMicrosoftAccount = 4
}I hope this helps
Snekithan
- Помечено в качестве ответа
24 октября 2019 г. 4:46
- Помечено в качестве ответа
Привет,
У меня возникла эта проблема, с которой я столкнулся при тестировании нового интерфейса для MyApps на портале Azure.
Поэтому, когда я пытаюсь войти на портал, используя классический интерфейс, он работает нормально.
https://account.activedirectory.windowsazure.com/r#/applications
Ниже приведен снимок экрана, на котором показана успешная попытка входа в систему.
Однако, когда я пытаюсь использовать портал опыта MyApps,
https://myapplications.microsoft.com/
. Выдает следующую ошибку:
Request Id: e3b964ed-44a5-4c32-a731-c8dc8b979b00
Correlation Id: 4d9e6ecb-4c6d-41c1-8ad6-28b8a39edb91
Timestamp: 2020-06-10T07:38:50Z
Message: AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '2793995e-0a7d-40d7-bd35-6968ba142197'(My Apps) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Примечание. Когда я попытался использовать другой пользователь, созданный в Azure, он отлично работает как для нового, так и для классического пользовательского интерфейса.
Может кто-нибудь объяснить, что нужно, чтобы предоставить доступ первому пользователю к новому порталу пользовательского интерфейса?
Примечание: у меня это включено для всех доменов.
https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations
Примечание. Тип пользователя:
У пользователя возникла проблема с новым пользовательским интерфейсом.
Пользователи отлично работают с новым пользовательским интерфейсом.
Спасибо!
Анас
Pri3
awaiting-product-team-response
cxp
needs-more-info
product-question
triaged
Все 15 Комментарий
@ansred, пожалуйста, свяжите документ, на который вы подписаны, чтобы мы могли лучше помочь.
У меня такая же проблема. Это происходит только с гостевыми пользователями. Когда гостевой пользователь пытается получить доступ к порталу myapps, вы видите, что на секунду появляется старый пользовательский интерфейс, затем гостевой пользователь снова получает экран «Выберите учетную запись». Когда они выбирают учетную запись, они получают: «Выбранная учетная запись пользователя не существует в клиенте« Службы Microsoft »и не может получить доступ к приложению« 2793995e-0a7d-40d7-bd35-6968ba142197 »в этом клиенте. Учетная запись должна быть добавлена как сначала внешний пользователь в клиенте. Используйте другую учетную запись «.
Если они выберут «Пользователь другой учетной записи», появится ошибка «AADSTS50020: Пользовательская учетная запись».«от поставщика удостоверений» live.com »не существует в клиенте« Службы Microsoft »и не может получить доступ к приложению« 2793995e-0a7d-40d7-bd35-6968ba142197 »(« Мои приложения ») в этом клиенте. Учетная запись должна быть добавлена как внешний пользователь в клиенте сначала «появляется».
Привет @jacksiergiej
Это похоже на то, с чем я столкнулся. Вы выяснили, какие шаги / КБ нужно использовать для добавления этого пользователя в качестве внешнего в арендаторе?
@ MarileeTurscak-MSFT Я ищу КБ, чтобы исправить эту проблему, как я просил выше, поделитесь, пожалуйста.
Спасибо
@ansred Я еще не заявка в службу поддержки. Мне кажется, что проблема с серверной частью Microsoft находится вне нашего контроля. Я могу получить доступ к классическому пользовательскому интерфейсу, а также к прокси-приложениям моего приложения как из пользовательского интерфейса, так и по прямому внешнему URL-адресу.
Это говорит мне, что с моим гостевым пользователем все в порядке. Как только я нажимаю кнопку «попробовать», меня снова просят выбрать моего пользователя, а затем я получаю сообщение об ошибке.
Что действительно плохо, так это то, что все гостевые пользователи, кажется, автоматически переводятся в новый интерфейс во время процесса приглашения. Это, очевидно, вызывает ошибку и останавливает их.
@jacksiergiej Я полностью с вами согласен, и это большая проблема.
@ MarileeTurscak-MSFT Пожалуйста, сообщите
@ansred Я только что получил сообщение от контактного
«В конце прошлой недели у нас появилась ошибка, из-за которой некоторые учетные записи B2B / гостевые не работали должным образом в новых Моих приложениях. Мы исправили эту ошибку в понедельник (15.06), поэтому теперь пользователи с гостевыми учетными записями должны иметь возможность нажимать» Попробуйте! «И получите правильный доступ к новому интерфейсу» Мои приложения «.
@ansred Я получил ответ от команды разработчиков MyApps, и проблема с двойным запросом MFA теперь является ошибкой №2. По словам команды, «они отправили запрос на исправление ошибки и ожидают, что проблема с двойным запросом будет решена к концу следующей недели».
@jacksiergiej, что теперь имеет смысл, две ошибки в одном
Это правильно, пользователь настроен с MFA.
Не могли бы вы поделиться номерами jira / bug #s для справки, пожалуйста.
Спасибо
Привет, @jacksiergiej , не могли бы вы рассказать об ошибке? Я пытался найти для этого подходящую команду.
Я тоже сообщил об этом своим контактам! Мы свяжемся с вами, когда у меня будет ответ.
@ansred, как предотвратить автоматическое переключение классического пользовательского интерфейса на новый интерфейс? Я пытался использовать https://account.activedirectory.windowsazure.com/ , но как только я вхожу в систему, портал автоматически переключается на новый интерфейс, а URL-адрес меняется на https://myapplications.microsoft.com/.
Он просто работает при прямом переходе по любой из упомянутых ссылок. Я не уверен, есть ли вариант, который, возможно, заставляет пользователей на вашей стороне использовать современный пользовательский интерфейс?
Поскольку у пользователей MSA нет домашнего клиента, им нужно будет использовать арендованную версию URL-адреса, чтобы войти в свой правильный гостевой клиент. Арендованный URL-адрес: https://myapplications.microsoft.com/?tenant=
Была ли эта страница полезной?
0 / 5 — 0 рейтинги
I was able to register an app created by another tenant as an enterprise app of my own tenant.
I signed in to the app as a user, but I got the following error.
AADSTS50020: User account ‘test001@testdomain001.onmicrosoft.com’ from identity provider ‘https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/’ does not exist in tenant ‘testdomain002’ and cannot access the application ‘55555555-6666-7777-8888-999999999999′(OneDriveAPIBrowser_test001) in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
How can a user of another tenant use it without the application creator tenant performing any processing?
asked Oct 15, 2020 at 5:56
2
If the Azure AD app is registered in Tenant A and you have add it as an enterprise app into Tenant B, you should use a user from Tenant B to sign in.
In your case, if the registered app is in testdomain001 and added into testdomain002, you need to use a user from testdomain002. User «test001@testdomain001.onmicrosoft.com» is not allowed to sign in to the app in testdomain002 unless it is a guest user of testdomain002.
answered Oct 15, 2020 at 6:08
Allen WuAllen Wu
15k1 gold badge8 silver badges19 bronze badges
9
I tried the steps below and it worked for me.
-
Go to azure.microsoft.com
-
Select Free Account.
-
Sign in with your email.
-
It will detect that you already have a subscription and give you the option to use it.
answered Sep 24, 2021 at 8:00
