当提示=同意并且用户是真实帐户时，Azure SSO错误：AADSTS50020

Question

I've a MUTITENAT app on my Azure ActiveDirectory. I'm using it to log in users on my web site.

When redirecting the user, We were using no 'prompt' parameter. We don't like this because if the user is already log in azure and then he click the link: is redirected to azure and then is automatically redirected to my site without accepting anything.

So now, we want the user to accept the permissions. So we are adding 'prompt=consent' parameter when redirecting the user.

The problem is that now every live account that tries to log in, receives an Azure error page with this error message:

AADSTS50020: User account 'xxx@outlook.com' from identity provider 'live.com' does not exist in tenant 'XXX' and cannot access the application 'xxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

More details about the error and my actual configuration:

• I'm using common endpoints to call the api(/common/oauth2/authorize and /common/oauth2/token)
• I've also try to log in even when a live account that was on my tenant. It's also failing
• Also, when I try to log in with an Azure account (whether is on my tenant or a different tenant) it works fine (redirecting the user to my website with code parameter).

Answer 1

Support for LiveIDs is only available in the v2 endpoint.

Based on what you've posted, you're hitting the v1 endpoint. In order to move over to v2, you'd need to be calling

/common/oauth2/v2.0/authorize
/common/oauth2/v2.0/token

Or if you are using the metadata endpoint to discover the auth endpoints:

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

There's a few other things you'd need to tweak as part of using the v2 endpoint like using scopes instead of resources. Also, the v2 endpoint doesn't support all flows yet.

You can find more info in the Azure AD App Model V2 documentation .