Azure AD token obtaining for guest

Question

In my Web API application registered on Azure I obtain token for the users in Active Directory this way:

    var result = await client.PostAsync(oauthEndpoint, new FormUrlEncodedContent(new[]
    {
        new KeyValuePair<string, string>("client_id", _azureOptions.ClientId),
        new KeyValuePair<string, string>("grant_type", "password"),
        new KeyValuePair<string, string>("username", userName),
        new KeyValuePair<string, string>("password", password),
        new KeyValuePair<string, string>("client_secret", _azureOptions.ClientSecret),
        new KeyValuePair<string, string>("client_info", "1"),
        new KeyValuePair<string, string>("scope",
                                    "openid offline_access profile api://xxxxxxx-xxxxxxxxx-xxxxxxxxxxx/access_as_user"),
                            })).ConfigureAwait(false);
...

And I work well. I added a gmail.com guest account and now I get a error

{"error":"invalid_grant","error_description":"AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII does not exist in the gmail.com directory. To sign into this application, the account must be added to the directory.\\r\\nTrace ID: c0a3f945-d446-430c-8e4e-fd77c95a5500\\r\\nCorrelation ID: 6cd071f3-b5b0-4ed2-98a2-292f45863e1a\\r\\nTimestamp: 2019-04-26 12:31:28Z","error_codes":[50034],"timestamp":"2019-04-26 12:31:28Z","trace_id":"c0a3f945-d446-430c-8e4e-fd77c95a5500","correlation_id":"6cd071f3-b5b0-4ed2-98a2-292f45863e1a"}

How can I fix that? If I create basic ASP.NET MVC Core application with azure authentiacation, which redirects to microsoft page, the basic application works avan with guest.

But in my "silent authentication" case guest users don't work

Answer 1

You can't use the ROPC flow (which you used here) with Guests. It does not work with federated accounts. Neither does it work for users with MFA or an expired password. I usually advise people to stay away from this flow.