How can we improve Azure Active Directory?

Fix Error AADSTS50020 when the logged-in user doesn't have permission to the selected application.

Currently, if the logged-in user doesn't exist in the tenant directory for a given application, the user is shown a very unhelpful page with the following:

Sorry, but we're having trouble signing you in.
We received a bad request.

The debug error is:
AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

126 votes

Anonymous shared this idea

33 comments
  • erez commented

    I would never use Microsoft for any project. Trying to create a project, and this time Wunderlist made the mistake of affiliating itself with their tech. Here is the result that led me here: http://prntscr.com/o29fj2

    I even put a masked email, that's how much I trust them.

  • Billie Maitland commented

    When I was asked which state I lived in, it would not accept Tennessee. So therefore I can't continue. Billie Maitland. 11741 Hwy 22, Martin, TN 38237

  • Tre`Von McKay commented

    Microsoft should allow tenant admins to customize this message to make it more user-friendly for their users and provide whatever organizational process they have in place to address this scenario. I also suggest adding a "Switch account" button for the scenarios where this error occurs because users are signed into multiple work accounts.

  • Himanshu commented

    AADSTS50020: User account 'emailaddress@example.com' from identity provider 'live.com' does not exist in tenant 'Our AzureAd.com' and cannot access the application 'guid' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    Any idea how to resolve the above issue by redirecting the user back to the application with a specific error code so that they can be notified properly? Or any other solution that could be handled by the AAD account itself?

    Actually it is stuck on the HTML page provided by Microsoft, and the user can do nothing except type the application address into the browser again.

  • Peter Selch Dahl commented
  • Kristi commented

    The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
    I am getting the above error when trying to log into a site.
    How do I fix it?

  • Robert Hyde commented

    Azure AD team, it is now showing the complete error:

    AADSTS50020: User account 'emailaddress@example.com' from identity provider 'live.com' does not exist in tenant 'Our AzureAd.com' and cannot access the application 'guid' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    However, I feel it should be better, i.e. I would give the users a next step.

    For example:

    Instead of just saying "Please sign out and sign in again", which really is quite hard to do as you need to type an address in, could you instead provide two links on the error page:

    Sign Out > Signs the user out and takes them back to the login page

    Use another account > Takes them back to the login page where they can pick or add a different account

    This would allow the user to unblock themselves.

  • Anonymous commented

    Given that it's 2018, I'd like to reiterate something from below. I have an ASP.NET web app using Azure AD authentication, and when a user expecting to log in can't because they haven't yet been added to Azure AD, they get an inscrutable result. Two things should be easily available:

    I (as web developer) should be able to log the email that tried to get into the web app so I can follow up if that person should have access.

    The user should be able to get a kinder, gentler message saying that although the login is a Microsoft / O365 account, it is not authorized for the application they attempted a logon to (or something else I want to tell them).

    This is web 1989 kind of stuff... is there any guidance to intercept this error in an ASP.NET app or other Azure AD authenticated app?
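A worked example of what the application side can do about this, added here by the editor; it is not code from the thread, from Microsoft, or from any commenter's project. It assumes the app is registered as multi-tenant and signs users in through the "organizations" authority of the Microsoft identity platform v2.0 endpoint, so that Azure AD no longer rejects accounts from other tenants before the app ever sees them; the app then performs the tenant check itself, which is what lets it log the attempted e-mail address (as the comment above asks) and render its own message. The "prompt=select_account" parameter is the standard OpenID Connect way to give a user who is signed in with the wrong work account the "use another account" choice that Robert Hyde asks for. The client ID, tenant IDs, redirect URI and the sample id_token are all constructed for the example, and the JWT is decoded without signature verification, which a real app must add (MSAL does it for you).

```python
"""Added example: app-side handling so users are not stranded on the AADSTS50020 page.

Assumptions (not from the thread): the app is a multi-tenant registration that signs
users in through the "organizations" authority, so Azure AD itself no longer rejects
work accounts from other tenants; the app enforces which tenants are allowed.
"""
import base64
import json
import re
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/organizations"      # assumption
ISSUER_FMT = "https://login.microsoftonline.com/{tid}/v2.0"       # v2.0 issuer shape

# Hypothetical identifiers for the example only.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
CLIENT_ID = "22222222-2222-2222-2222-222222222222"

# Messages the app controls, keyed by the numeric AADSTS code.
FRIENDLY = {
    50020: ("Your Microsoft account is valid, but it does not belong to an organization "
            "that is allowed to use this application. Use \"Switch account\" or contact "
            "the helpdesk to request access."),
    50105: ("Your account belongs to the right organization, but it has not been assigned "
            "to this application. Contact the helpdesk to request access."),
}
GENERIC = "Sign-in failed. Please try another account or contact the helpdesk."


def build_authorize_url(client_id, redirect_uri, state, nonce, domain_hint=None):
    """Authorization-code request with prompt=select_account, so a user already signed
    in with the wrong work account gets an account picker instead of the error page."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "prompt": "select_account",
    }
    if domain_hint:  # optional: pre-select the home tenant when it is known
        params["domain_hint"] = domain_hint
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def aadsts_code(error_description):
    """Extract the numeric AADSTS code from an error_description string, or None."""
    m = re.match(r"\s*AADSTS(\d+)\b", error_description or "")
    return int(m.group(1)) if m else None


def message_for_error(error_description):
    """Map an STS error string (when one does reach the app) to the app's own message."""
    return FRIENDLY.get(aadsts_code(error_description), GENERIC)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Decode a JWT payload. The signature is NOT verified here; a real app must
    validate it against the issuer's JWKS (MSAL does this) before trusting the claims."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def sample_id_token(tid, user, aud=CLIENT_ID):
    """Build an unsigned, constructed id_token for the example (alg=none, empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": ISSUER_FMT.format(tid=tid), "aud": aud, "tid": tid,
               "preferred_username": user, "sub": "constructed-subject"}
    return f"{enc(header)}.{enc(payload)}."


def authorize_account(claims, allowed_tenants=ALLOWED_TENANTS, client_id=CLIENT_ID):
    """The tenant check the app performs itself. Returns the decision together with the
    fields an operator wants logged (who tried, from which tenant) and the user message."""
    tid = claims.get("tid")
    who = claims.get("preferred_username") or claims.get("email") or claims.get("sub")
    result = {"allowed": False, "user": who, "tenant": tid, "message": FRIENDLY[50020]}
    if claims.get("aud") != client_id:                     # token minted for another app
        result["message"] = GENERIC
        return result
    if claims.get("iss") != ISSUER_FMT.format(tid=tid):    # issuer must match the tid claim
        result["message"] = GENERIC
        return result
    if tid in allowed_tenants:
        result["allowed"] = True
        result["message"] = "Welcome"
    return result
```

The app logs the "user" and "tenant" fields of the result on every denial, which is the follow-up record the comment above asks for, and shows the "message" field instead of Microsoft's page. Single-tenant registrations cannot do this, because the STS rejects the foreign account before redirecting.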

  • Wayne Cornish commented

    I'd go with:

    D) I'm logged in with O365, but try to access an application with a 3rd party that requires I auth with them. I know exactly what the issue is, but it's a useless error message, as I *do* have access to the application, just not with the account I'm currently signed in with. The UI provides no way to log out, or constructively deal with the 'issue'.

  • M Moles commented

    My issue is the same as Ron Pitts'. I believe for my situation it is when a user is already signed in with an Office 365 account.

    I would add that now the situation is better when going between our two Azure AD B2C instances in our control (live and test). You now get the option to pick which account you wish to sign in with if you are already signed in, and if you chose the wrong account you get the error below and have the option to use another account without having to discover how to sign out and then log back in with the correct account. In my view this alternative does provide a much better user experience, though as others have said the message is still not very user-friendly. Also, we do still get reports of the bad request when users are signed in to their organisation Office 365 account and try to log into our application.

    The option to have the revised experience in all cases as well as a custom error would be good; even better would be for the login screen to not show signed-in accounts which would generate this error upon trying to use them.

    New error that is sometimes shown: "Selected user account does not exist in tenant 'tenant name' and cannot access the application 'GUID' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

  • Anonymous commented

    It is NOT A) or B) listed above.

    It is:
    C) End users have no idea what the error message means and it looks like something is broken instead of them understanding that they do not have access to an application.

    It would be nice to have a customizable message that we could display to end users to let them know that they do not have access, and to contact our helpdesk or IT department to request access to the application if they believe they should have it.

  • Ron Pitts commented

    IT people understand the error; however, general users will have no idea how to resolve this.

    The solution is to support a callback request informing the application that the user doesn't exist in the tenant directory, and hence allow the calling application to show some custom message.

  • Spencer C commented

    I am also fighting this issue. And it is causing a bad experience for our users. domain_hint is not a solution either, as we are external users coming from many different domains.

  • lpm commented

    Hello? This requires attention. I see no workaround possible when using the authorization / authentication of an Azure application. This is giving a horrible customer experience to end users.

  • Hiren Gajra commented

    Please help with solving the following:
    I have an Office 365 subscription. I created an application in Azure Active Directory to access users' Outlook calendar events from an iOS application. I am using the Graph API for this. I successfully get the events of a user who is added to the Azure Active Directory tenant user list, but I am not able to get the calendar events of a user who is not added to the Azure Active Directory tenant, and I get the error "user not added in azure active directory tenant" in the response. How do I resolve this issue and allow all users who are not added to the Azure Active Directory tenant list to access the Outlook event API?

  • Grant Bowering commented

    YES. This is ludicrous. It's been a year and a half since this ticket was opened and this is still an issue. This is an entirely reasonable error and no one is expecting magic; it's just that there's literally *nowhere* to click and no way to know where one could go to resolve it. The end of the fine print still says "Sign out and sign in again with an Azure Active Directory user account", but if it knows that's the problem, it needs to show a Sign Out button!
