Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application.
Currently, if the logged-in user doesn't exist in the tenant directory for a given application, the user is shown a very unhelpful page with the following:
Sorry, but we’re having trouble signing you in.
We received a bad request.
The debug error is:
AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

61 comments
-
Anon commented
I'm using this as part of a choice for users with login providers from different vendors, on a web site I'm developing.
My users are the general public; there needs to be an option for Azure AD to allow users to log in to an app without an invitation first.
I have 6 login providers, all big-name US companies; for now I'm going to have to disable "Login with your Microsoft account". I'll never know the users, they're the general public, and my web app is for e-commerce.
There are many advantages to me (web developer) to have usernames and passwords managed by a 3rd party... and with 2 factor authentication too.
-
tao commented
Deleting the cookies and browsing history in "Internet Explorer" (not Edge) worked for me.
-
[Deleted User] commented
I get this error when trying to use Quick Assist...
-
Roger commented
That is expected. The user is trying to sign up with a live.com ID, which is not a Windows Azure native org account and is limited to use with only 4 Microsoft directories. We already have a KB article about this.
This article refers to Microsoft documentation:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/
which clearly says that external users at this time can only access the following services from Microsoft, but no other external system like AgilePoint, Salesforce, Box, etc.
Services that currently support access by Azure AD external users
Azure classic portal: allows an external user who’s an administrator of multiple directories to manage each of those directories.
SharePoint Online: if external sharing is enabled, allows an external user to access SharePoint Online authorized resources.
Dynamics CRM: if the user is licensed via PowerShell, allows an external user to access authorized resources in Dynamics CRM.
Dynamics AX: if the user is licensed via PowerShell, allows an external user to access authorized resources in Dynamics AX. The limitations for Azure AD external users apply to external users in Dynamics AX as well.
Pay special attention to this line: “External users can’t consent to multi-tenant applications in directories outside of their home directory”
-
Matthew commented
Not sure if this helps with this particular issue, but I think it might be related. What I had was two accounts listed under 'Accounts used by other apps' under the 'Email and accounts' settings, one of which was a Google account somehow. Since I could delete it directly there, I went to 'Access work or school' under 'Accounts' and disconnected the Google account. Then everything was able to work again. Hope that helps someone.
-
Imran commented
Did anyone get the solution for this issue? I keep getting the issue whenever I restart my computer.
-
Abhishek commented
Anyone got the solution... I am facing the same issue.
-
Michael commented
I can give some information, at least for the person who asked about the Visio add-in. I had the same problem. I have an Office 365 Home subscription and I could not log into the Visio add-in. What I learned from MS support is that the Visio add-in doesn't work with a Home subscription of Office. You need a business license which is registered with an Azure account. Therefore there is no solution. The only solution is to subscribe to a business license of Office 365. To clarify, you can still use the Visio add-in without logging in, but you only get the full functionality if you sign in.
-
Anonymous commented
Same error here, please fix. It's just ridiculous that people using Microsoft in one company are not able to use another company's application which is also using Microsoft.
-
Nikhil commented
For those who are still getting this error, the app requesting login should use the v2 endpoints oauth2/v2.0/authorize and oauth2/v2.0/token.
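The two technical points on this page are the error text quoted in the request at the top (AADSTS50020 with its "add the account as an external user" remedy) and the comment above about using the oauth2/v2.0/authorize and oauth2/v2.0/token endpoints. The block below is an added example written for this page, not code from the original thread or from Microsoft: it builds a v2.0 authorization request against login.microsoftonline.com, then parses the redirect that comes back and pulls the numeric AADSTS code out of error_description so an app can give a useful message instead of "We received a bad request". The client ID, redirect URI, tenant GUID and the sample error redirect are constructed for illustration; the endpoint paths, the AADSTSnnnnn prefix in error_description and the error_codes array in a token-endpoint error body are the documented Microsoft identity platform formats. The tenant segment of the authority ("common", "organizations", or a specific tenant) is what decides which accounts are accepted; that mapping is stated here as an assumption drawn from the v2.0 endpoint documentation, not from the thread.

```python
"""Added example (not from the original thread): build an Azure AD v2.0
authorize request and classify the AADSTS error returned on the redirect.

Assumptions / constructed values: CLIENT_ID, REDIRECT_URI, the tenant GUID and
SAMPLE_ERROR_REDIRECT are made up for illustration. Endpoint paths and the
'AADSTSnnnnn:' prefix in error_description are the documented formats.
"""
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# What the tenant segment of the authority admits (assumption from the v2.0 docs):
#   "<tenant-id or domain>" -> only that tenant's users and its invited guests
#   "organizations"         -> any Azure AD work/school account
#   "common"                -> work/school accounts and personal Microsoft accounts
AADSTS_HINTS = {
    50020: ("the signed-in account's home tenant / identity provider is not "
            "accepted by this app: invite the account as an external (guest) "
            "user of the tenant, or have the user sign in with an account from "
            "that tenant"),
}

AADSTS_RE = re.compile(r"AADSTS(\d+)")


def authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Return the v2.0 /authorize URL (authorization-code flow, query response)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_url(tenant):
    """Return the matching v2.0 /token endpoint for the same tenant segment."""
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"


def aadsts_code(error_description):
    """Extract the numeric code from an 'AADSTS50020: ...' description, or None."""
    m = AADSTS_RE.search(error_description or "")
    return int(m.group(1)) if m else None


def classify_redirect(redirect_url, expected_state):
    """Parse the browser's return to redirect_uri after /authorize.

    Checks the state value before anything else (a mismatch is treated as a
    possible CSRF, not as an Azure AD error), then reports either the
    authorization code or the AADSTS error with a practitioner-readable hint.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return {"ok": False, "reason": "state mismatch (possible CSRF), response discarded"}
    if "code" in qs:
        return {"ok": True, "code": qs["code"][0]}
    desc = qs.get("error_description", [""])[0]
    code = aadsts_code(desc)
    return {"ok": False, "error": qs.get("error", [None])[0], "aadsts": code,
            "reason": AADSTS_HINTS.get(code, "unhandled AADSTS error: " + desc[:80])}


def token_error_codes(body):
    """Return the AADSTS codes from a v2.0 /token JSON error body (error_codes list)."""
    data = json.loads(body)
    return list(data.get("error_codes", []))


# Constructed sample of the redirect an app receives for the error on this page.
SAMPLE_ERROR_REDIRECT = "https://app.example.com/callback?" + urlencode({
    "error": "invalid_request",
    "error_description": (
        "AADSTS50020: User account 'alice@contoso.com' from external identity "
        "provider 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/' "
        "is not supported for application 'https://app.example.com'. The account "
        "needs to be added as an external user in the tenant."),
    "state": "s3cr3t-state",
})

if __name__ == "__main__":
    print(authorize_url("common", "11111111-2222-3333-4444-555555555555",
                        "https://app.example.com/callback", ["openid", "profile"], "s3cr3t-state"))
    print(classify_redirect(SAMPLE_ERROR_REDIRECT, "s3cr3t-state"))
```

Run it as a script to see the authorize URL for the "common" authority and the classification of the constructed AADSTS50020 redirect. Switching the tenant argument to a specific tenant ID is what produces the page's symptom for users from other tenants; the state check runs first so that a forged error redirect cannot be used to drive the user through a misleading "sign out and sign in again" prompt.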
-
Annoyed commented
When trying to give assistance in Quick Assist, this error was appearing.
The login was a Skype login, and the error message displayed the associated email address (on our own domain, not an MS-related / controlled domain).
Simply logging out and forgetting the login did not cure the error; however:
The domain in the identity provider of the error was live.com. By going to that domain in a web browser and logging in using the failing login (again the Skype ID as the username, not the associated email address), it appears to have created the linked database elements to make logging in successfully on Quick Assist possible again.
This error is typical of Microsoft's ability to make something harder than it needs to be, as anyone who has compared and contrasted an error while writing C# in VS, and a stack trace in something like Python, will definitely recognise.
Your mileage may vary, but hopefully it will stop someone from losing their hair early.
-
Anonymous commented
Anyone find a solution? I'm having the same issue when trying to run the Visio add-in for Excel.
-
Anonymous commented
Been experiencing this problem too; any help fixing it would be greatly appreciated. I'm unable to finish the online training for my job because of this.
-
Willem commented
I have this problem too when trying to sign in to Microsoft Whiteboard! PLEASE FIX THIS!!!!
-
Mandikro Islam commented
Please fix this, it's so dumb.
-
Anonymous commented
Ditto, I get the same message....
-
MacroHard commented
Very unhelpful error and no fix anywhere :(
-
Tyler commented
@luis B all the way. This used to work for us: our guests would click a direct sign-on link, be asked for permission to share information with our tenant, and then they would SSO. Now they click the link and it says their account does not exist in our tenant (the account does exist). The sign-on link has not changed. This was working up to about one month ago.
-
Anonymous commented
Microsoft is a bloody joke. Fix this.
-
Brandon commented
This issue is causing big problems with my clients. We need a solution soon.