Error: Personal Microsoft accounts are not supported for this application

James 0 Reputation points
2025-02-20T12:53:06.68+00:00

Hi, I'm trying to sign in to my web application using Microsoft SSO via the OAuth2 SDK provided by Steven Maguire (https://github.com/stevenmaguire/oauth2-microsoft). When I test this (in an incognito Chrome window) I get the error:

AADSTS500200: User account 'xxxxxxxxx@xxxxxx.com' is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account.

However, my application is set up so the signInAudience is AzureADandPersonalMicrosoftAccount, i.e. "Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (such as Skype, Xbox)".

This is confirmed under Authentication.

Any ideas on how I can fix this? Thank you!

James

Microsoft Entra ID

2 answers

  1. Akhilesh Vallamkonda 12,180 Reputation points Microsoft Vendor
    2025-02-20T20:18:39.0766667+00:00

    Hi @James

    Thank you for reaching Microsoft Q&A forum!

    If I understand correctly, when you try to log in to the application using Microsoft SSO via the OAuth2 SDK, you get the error "AADSTS500200: User account 'xxxxxxxxx@xxxxxx.com' is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account." This happened when you tried in an incognito Chrome window.

    It might be an issue with the wrong endpoint, if your app registration's supported account type is set to "Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

    If you use https://login.microsoftonline.com/<YourTenantNameOrID>, the behavior is expected, because authentication is expected to run against your tenant only. This scenario causes the sign-in error if you expect users to sign in by using federation with another tenant or identity provider.
    To fix this issue you need to use the correct sign-in URL. Since your application type is multitenant and personal accounts, the sign-in URL is https://login.microsoftonline.com/common.
    In your application code, apply this URL value in the Authority setting. For more information about Authority, see Microsoft identity platform application configuration options.
    If the above solution does not work for you, please refer to "Error AADSTS50020 - User account from identity provider does not exist in tenant".

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
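As an added example (not code from this thread, from Microsoft, or from the stevenmaguire/oauth2-microsoft SDK), the Python below builds a v2.0 /authorize request against the /common authority recommended in the answer, shows which authority segments can sign in personal accounts (a tenant-specific authority such as https://login.microsoftonline.com/<tenant> is the one that yields AADSTS500200 for a personal account that was never invited into that tenant), and checks the per-tenant issuer of a resulting id_token. CLIENT_ID, REDIRECT_URI and the sample claims are placeholders constructed for the example; the MSA tenant id constant is the well-known `tid` value personal accounts carry.

```python
"""Added example: authorize request against /common plus token-claim checks.

Not part of the original thread or the stevenmaguire/oauth2-microsoft SDK.
CLIENT_ID and REDIRECT_URI are made-up placeholders (assumption, not from the page).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.microsoftonline.com"

# `tid` claim that personal Microsoft accounts (MSA) carry when signed in via /common or /consumers.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Placeholder registration values; replace with your own (assumption).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/callback"


def authority_accepts_personal_accounts(authority: str) -> bool:
    """True if the authority path segment can sign in personal accounts.

    /common and /consumers accept MSA users. /organizations and a tenant-specific
    authority (<tenant-id> or <name>.onmicrosoft.com) only accept work/school
    accounts; an uninvited personal account there gets AADSTS500200.
    """
    return authority.strip("/").lower() in ("common", "consumers")


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge_for(verifier: str) -> str:
    """S256 code_challenge for a given code_verifier (RFC 7636)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); keep the verifier in the session."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge_for(verifier)


def build_authorize_url(client_id, redirect_uri, scopes, authority="common",
                        state=None, code_challenge=None):
    """Build the v2.0 /authorize URL; defaults to /common so both organizational
    and personal accounts can sign in. `state` defends the callback against CSRF."""
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{LOGIN_HOST}/{authority.strip('/')}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_params(url: str) -> dict:
    """Flatten the query string of an authorize URL into a dict (for inspection/tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def issuer_matches_tid(claims: dict) -> bool:
    """Tokens obtained via /common have a per-tenant issuer, so compare `iss`
    against https://login.microsoftonline.com/<tid>/v2.0 built from the token's
    own `tid` rather than against one fixed string."""
    tid = claims.get("tid")
    return bool(tid) and claims.get("iss") == f"{LOGIN_HOST}/{tid}/v2.0"


def is_personal_account(claims: dict) -> bool:
    """Distinguish MSA sign-ins from work/school sign-ins after the fact."""
    return claims.get("tid") == MSA_TENANT_ID


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI,
                              ["openid", "profile", "email"], code_challenge=challenge))
    print("code_verifier to keep server-side:", verifier)
```

Running the block prints a URL you can open in a browser (or pass to cURL, as the asker did) to confirm that the /common authority offers the personal-account sign-in path; swap `authority` for a tenant id to reproduce the AADSTS500200 behaviour described in the answer.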


  2. Akhilesh Vallamkonda 12,180 Reputation points Microsoft Vendor
    2025-02-28T16:11:51.9666667+00:00

    Hello @James, I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    When you try to sign in to your web application using Microsoft SSO via the OAuth2 SDK provided by Steven Maguire (https://github.com/stevenmaguire/oauth2-microsoft) and test this (in an incognito Chrome window), you get the error AADSTS500200.

    Solution:

    You have fixed the issue: "Instead of using an SDK, I simply used cURL to call the https://login.microsoftonline.com/common/oauth2/v2.0/authorize endpoint."

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
