Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Active Directory?

← Azure Active Directory

Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application.

Currently if the logged in users doesnt exist in the Tenant Directory for a given application. The user is shown a very unhelpful page with the following:

Sorry, but we’re having trouble signing you in.
We received a bad request.

The debug error is :
AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

196 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

61 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anon commented  ·   ·  Flag as inappropriate

    I'm using this as part of a choice for users with login providers from different vendors, on a web site I'm developing.

    My users are general public there needs to be an option for Azure AD to allow users to login to an app without invitation first.

    I have 6 login providers, all big name US companies, for now I'm going to have to disable "Login with your Microsoft account". I'll never know the users, they're the general public, and my web app is for e-commerce.

    There are many advantages to me (web developer) to have usernames and passwords managed by a 3rd party... and with 2 factor authentication too.

  • tao commented  ·   ·  Flag as inappropriate

    delete the cookies and browsing history in "Internet Explorer" (not Edge) worked for me

  • Roger commented  ·   ·  Flag as inappropriate

    That is expected. User is trying to sign up with a live.com ID which is not a Windows Azure native org account and is limited to be used only for 4 Microsoft directories. We already have a KB article about this

    This article refers to Microsoft documentation

    https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/

    Which clearly says external users at this time can only access following services from Microsoft but no other external system like AgilePoint, Salesforce, Box etc.

    Services that currently support access by Azure AD external users
    Azure classic portal: allows an external user who’s an administrator of multiple directories to manage each of those directories.
    SharePoint Online: if external sharing is enabled, allows an external user to access SharePoint Online authorized resources.
    Dynamics CRM: if the user is licensed via PowerShell, allows an external user to access authorized resources in Dynamics CRM.
    Dynamics AX: if the user is licensed via PowerShell, allows an external user to access authorized resources in Dynamics AX. The limitations for Azure AD external users apply to external users in Dynamics AX as well.
    Pay special attention to this line

    “External users can’t consent to multi-tenant applications in directories outside of their home directory”

  • Matthew commented  ·   ·  Flag as inappropriate

    Not sure if this helps with this particular issue but I think it might be related. What I had was two accounts listed under the 'Accounts used by other apps' under the 'Email and accounts' settings, one of which was a Google account somehow. Since I could delete it directly there, I went to 'Access work or school' under 'Accounts' and disconnected the Google account. Then everything was able to work again. Hope that helps someone.

  • Imran commented  ·   ·  Flag as inappropriate

    Did anyone get the solution for this issue? I keep getting the issue whenever I restart my computer.

  • Michael commented  ·   ·  Flag as inappropriate

    I can give some information at least for the person who asked for the visio add-in. I had the same problem. I have an office 365 home subscription and I could not log into the visio add-in. What I learned from MS support is that the visio add-in doesn't work with a home subscription of office. You need a business license which is registered with an azure account. Therefore there is no solution. The only solution is to subscribe for a business license of office 365. To clarify you can still use the visio add-in without logging in but you only get the full functionality if you sign in.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Same error here please fix. It's just ridiculous that people using microsoft in one company are not able to use an other companys application which are also using microsoft.

  • Nikhil commented  ·   ·  Flag as inappropriate

    For those who are still getting this error, app requesting login should use v2 endpoints oauth2/v2.0/authorize and oauth2/v2.0/token.

  • Annoyed commented  ·   ·  Flag as inappropriate

    When trying to give assistance in Quick Assist, this error was appearing.

    The login was a Skype login, and the error message displayed the associated email address (on our own domain, not an MS related / controlled domain).

    Simply logging out and forgetting the login did not cure the error, however:

    The domain in the identity provider of the error was live.com. By going to that domain in a web browser, and logging in using the failing login (again the Skype ID as the username, not the associated email address), it appears to have created the linked database elements to make logging in successfully on Quick Assist possible again.

    This error is typical of Microsoft's ability to make something harder than it needs to be, as anyone who has compared and contrasted an error while writing C# in VS, and a stack trace in something like Python, will definitely recognise.

    Your mileage may vary, but hopefully it will stop someone from losing their hair early.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Anyone find solution. I’m having the same issue when trying to run the Visio add-in for Excel.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Been experiencing this problem too, any help fixing t would be greatly appreciated. I'm unable to finish the online training for my job because of this.

  • Willem commented  ·   ·  Flag as inappropriate

    I have this problem to when trying to sign in to Microsoft Whiteboard! PLEASE FIX THIS!!!!

  • Tyler commented  ·   ·  Flag as inappropriate

    @luis B all the way. This used to work for us - our guests would click a direct sign-on link, be asked for permission to share information to our tenant, and then they would SSO. Now, they click the link and it says their account does not exist in our tenant (the account does exist). The sign on link has not changed. This was working up to about one month ago.

  • Brandon commented  ·   ·  Flag as inappropriate

    This issue is causing big problems with my clients. We need a solution soon.

← Previous 1 3 4

Azure Active Directory: End user experiences

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice