Fix error AADSTS50020 when the logged-in user doesn't have permission for the selected application.
Currently, if the logged-in user doesn't exist in the tenant directory for a given application, the user is shown a very unhelpful page with the following:
Sorry, but we’re having trouble signing you in.
We received a bad request.
The debug error is:
AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

39 comments
-
Anonymous commented
Michaeldominic45@mail.com is my account, please help me out.
-
Sean commented
I have a problem with my account, please help.
-
Anonymous commented
Getting the same. What do I need to do? Just created the Premium trial and so far it's not looking good; I need to test the Azure AD capabilities for SSO usage with an API and need to confirm it can be taken as part of the infrastructure.
-
Nawaz Shareef commented
I am also facing the same issue.
When I log in to AAD and try to do anything I get this notification error, and there seems to be no solution to it.
See the image.
I am kind of stuck in this.
Any help regarding the mentioned error will be appreciated.
Thanks -
Ravi Kumar commented
I am also facing the same issue. Please help me how to resolve this issue.
-
Anonymous commented
oh's
-
erez commented
I would never use Microsoft for any project. I was trying to create a project, and this time Wunderlist made the mistake of affiliating itself with their tech; here is the result that led me here: http://prntscr.com/o29fj2
I even put a masked email, that's how much I trust them.
-
Billie Maitland commented
When I was asked which state I lived in, it would not accept Tennessee. So therefore I can't continue. Billie Maitland. 11741 Hwy22 Martin Tn. 38237
-
Spencer C commented
4 years later! I wonder if this will actually fix the problem.
-
Tre`Von McKay commented
Microsoft should allow tenant admins to customize this message to make it more user friendly for their users and provide whatever organizational process they have in place to address this scenario. I also suggest adding a "Switch account" button when this error is for the scenarios where users may be signed into multiple work accounts.
-
Himanshu commented
AADSTS50020: User account 'emailaddress@example.com' from identity provider 'live.com' does not exist in tenant 'Our AzureAd.com' and cannot access the application 'guid' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Any idea how to resolve the above issue by redirecting the user back to the application with a specific error code, so that he could be notified properly? Or any other solution which could be handled by the AAD account itself?
Actually it gets stuck on the HTML page provided by Microsoft, and the user can do nothing except type the application address again in the browser.
-
Peter Selch Dahl commented
Hi Luis,
Just some feedback from me. I also see this as an issue a lot.
I will be happy to have a call :) You have my contact details
/Peter Selch Dahl
Azure MVP -
Kristi commented
The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I am getting the above error when trying to log into a site
How do I fix? -
Robert Hyde commented
Azure AD team, it is now showing the complete error:
AADSTS50020: User account 'emailaddress@example.com' from identity provider 'live.com' does not exist in tenant 'Our AzureAd.com' and cannot access the application 'guid' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
However, I feel it should be better, i.e. I would give the users a next step.
For example:
Instead of just saying "Please sign out and sign in again", which really is quite hard to do as you need to type an address in... could you instead provide two links on the error page:
Sign Out > Signs the user out and takes them back to the login page
Use another account > Takes them back to the login page where they can pick or add a different account
This would allow the user to unblock themselves.
-
Anonymous commented
Given that it's 2018, I'd like to reiterate something from below. I have an ASP.NET web app using Azure AD authentication, and when a user expecting to log in can't because they haven't yet been added to Azure AD, they get an inscrutable result. Two things should be easily available:
I (as web developer) should be able to log the email that tried to get into the web app so I can follow up if that person should have access.
The user should be able to get a kinder, gentler message saying that although the login is a Microsoft / O365 Account it is not authorized for the application they attempted a logon to (or something else I want to tell them)
This is web 1989 kind of stuff... is there any guidance to intercept this error in an ASP.NET app or other Azure AD-authenticated app?
-
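An added example (not from the original post or from any of the commenters) of how an application could handle this case on its own error page, in the situation where Azure AD does return the failure to the app's redirect URI as `error` and `error_description` query parameters. The tenant, client ID and redirect URI are hypothetical, the callback URL is constructed from the error text quoted in the comments, and the `invalid_request` error value in it is an assumption. The code extracts the AADSTS code and the refused account's UPN (so the developer can log who tried to sign in), maps the code to a friendlier message, and builds the two links asked for above: a "Sign out" link to the Azure AD logout endpoint and a "Use another account" link that re-runs the authorize request with `prompt=select_account`, which makes Azure AD show the account picker instead of silently reusing the current session. The caveat the thread itself raises still applies: when Azure AD renders the error on its own page instead of redirecting, the application never sees the request and this handler never runs.

```python
"""Handle an AADSTS error returned to an OAuth/OIDC redirect URI and build
the recovery links for a friendlier error page. Added example; the values
below are hypothetical and not taken from the original page."""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical app registration values.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example.com/signin-oidc"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"

# "AADSTS50020: User account 'x@y' from identity provider ..." -> code + text
AADSTS_RE = re.compile(r"\b(AADSTS\d+):\s*(.*)", re.S)
UPN_RE = re.compile(r"[Uu]ser account '([^']+)'")

# Text the app shows instead of the raw Microsoft message.
FRIENDLY = {
    "AADSTS50020": (
        "Your account is a valid Microsoft sign-in, but it has not been granted "
        "access to this application. Use another account, or ask the help desk "
        "to invite this account as a guest."
    ),
}


def parse_aadsts(error_description):
    """Return (code, upn) from an AADSTS error_description, or (None, None)."""
    m = AADSTS_RE.search(error_description or "")
    if not m:
        return None, None
    code, text = m.group(1), m.group(2)
    upn = UPN_RE.search(text)
    return code, (upn.group(1) if upn else None)


def authorize_url(prompt="select_account", state=None, nonce=None):
    """Authorize request that forces the account picker, so a user signed in
    with the wrong account can choose or add another one."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
        "prompt": prompt,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def sign_out_url(post_logout_redirect_uri=REDIRECT_URI):
    """End the Azure AD web session, then land back on the app's sign-in."""
    q = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{AUTHORITY}/logout?{q}"


def handle_callback(callback_url, expected_state, new_state=None, new_nonce=None):
    """Turn the error parameters on a redirect-URI callback into what the app's
    own error page needs: a friendly message, two recovery links and an audit
    record naming the refused account. Returns None for a normal code response."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" not in q:
        return None
    code, upn = parse_aadsts(q.get("error_description", ""))
    return {
        "code": code,
        "upn": upn,
        "message": FRIENDLY.get(code, "Sign-in failed. Please try again or contact support."),
        "sign_out": sign_out_url(),
        "switch_account": authorize_url(state=new_state, nonce=new_nonce),
        # The UPN is personal data; keep this log access-controlled.
        "audit": f"signin refused code={code} account={upn} oauth_error={q['error']}",
    }


# Constructed sample callback, using the error text quoted in the comments.
SAMPLE_DESCRIPTION = (
    "AADSTS50020: User account 'emailaddress@example.com' from identity provider "
    "'live.com' does not exist in tenant 'Our AzureAd.com' and cannot access the "
    "application 'guid' in that tenant."
)
SAMPLE_CALLBACK = REDIRECT_URI + "?" + urlencode({
    "error": "invalid_request",  # assumed value; see lead-in
    "error_description": SAMPLE_DESCRIPTION,
    "state": "demo-state",
})

if __name__ == "__main__":
    for k, v in handle_callback(SAMPLE_CALLBACK, expected_state="demo-state").items():
        print(f"{k}: {v}")
```

In a real app the `expected_state` comes from the user's session and the new `state`/`nonce` generated for the "Use another account" link must be stored there before the link is handed out, otherwise the second round trip cannot be bound to the session either.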
Wayne Cornish commented
I'd go with:
D) I'm logged in with O365, but try to access an application with a 3rd party that requires I auth with them. I know exactly what the issue is, but it's a useless error message, as I *do* have access to the application, just not with the account I'm currently signed in with. The UI provides no way to log out, or constructively deal with the 'issue'.
-
M Moles commented
My issue is the same as Ron Pitts'; I believe for my situation it is when a user is already signed in with an Office 365 account.
I would add that now the situation is better when going between our two Azure AD B2C instances in our control (live and test). You now get the option to pick which account you wish to sign in with if you are already signed in, and if you chose the wrong account you get the error below and have the option to use another account without having to discover how to sign out and then log back in with the correct account. In my view this alternative does provide a much better user experience, though as others have said the message is still not very user friendly. Also, we do still get reports of the bad request when users are signed in to their organisation Office 365 account and try to log into our application.
The option to have the revised experience in all cases as well as have a custom error would be good, even better would be for the login screen to not show signed in accounts which would generate this error upon trying to use them.
New error that is sometimes shown: "Selected user account does not exist in tenant 'tenant name' and cannot access the application 'GUID' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
-
Anonymous commented
It is NOT A) or B) listed above.
It is:
C) End users have no idea what the error message means and it looks like something is broken, instead of them understanding that they do not have access to an application. It would be nice to have a customizable message that we could display to end users to let them know that they do not have access, and to contact our helpdesk or IT department to request access to the application if they believe they should have it.
-
Ron Pitts commented
IT people understand the error; however, general users will have no idea how to resolve this.
The solution is to support a callback request informing the application that the user doesn't exist in the tenant directory, hence allowing the calling application to support some custom message.