Issue with Microsoft OAuth for Outlook: AADSTS50020 - User does not exist in tenant

Nicolas 0 Reputation points
2025-03-10T11:43:59.4833333+00:00

Hello,

I'm developing an application that integrates with Microsoft Outlook via the Microsoft Graph API to fetch unread emails. The authentication flow is based on OAuth 2.0 using the /common/ endpoint to allow both personal Microsoft accounts (Hotmail, Outlook, Live, etc.) and work/school accounts (Microsoft Entra ID, formerly Azure AD).

Despite configuring my Azure Entra ID app to accept both work/school and personal accounts, I consistently get the following error when trying to authenticate a personal Hotmail account (******@hotmail.fr):

AADSTS50020: User account '******@hotmail.fr' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '05cc6cdc-507a-42b8-9017-694ae86c6657' (Copernic Outlook Connector) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

What I've done so far:

  1. **Created an Azure App Registration**
    • Configured Authentication > Supported Account Types to: ✅ "Accounts in any organizational directory (Multitenant) and personal Microsoft accounts (Skype, Xbox, etc.)"
    • Redirect URIs:
      • https://myapp.com/auth/callback/outlook
      • http://localhost:5001/auth/callback/outlook
  2. **Updated Manifest Settings**

```json
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"accessTokenAcceptedVersion": 2
```

  3. **Updated OAuth Endpoints in Code**

```python
AUTH_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
```

  4. **Granted API Permissions in Azure**
    • `Mail.Read`
    • `Mail.Send`
    • `offline_access`
    • Admin consent granted
  5. **Cleared Cache & Retried in Incognito Mode**
    • Still the same **AADSTS50020** error.

Expected behavior :

  • Any Microsoft personal account (Hotmail, Outlook, Live, etc.) should be able to authenticate successfully.
  • Users should not have to be manually added to an Entra ID tenant just to authenticate.

Questions

  • Why does my app still reject personal Microsoft accounts, even though signInAudience is correctly set?
  • Is there an additional step required to fully enable personal accounts?
  • Is this a known limitation or an issue with my Azure AD configuration?

Any insights or suggestions would be greatly appreciated!

Thanks in advance for your help!

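The endpoint constants, redirect URI and permissions from the question, assembled into the authorization-code flow a hardened client runs against the /common/ authority. This is an added example, not code from the original post or from the Copernic application: the client ID (taken from the AADSTS50020 message), redirect URI, endpoints and Graph scopes are the ones the question shows, while the PKCE verifier/challenge pair, the state check on the callback, and the constructed callback URLs inside demo() are assumptions of this example. It sends nothing over the network, so it can be run as-is to inspect the exact authorize URL and token request body the app would produce.

```python
"""Added example (not the poster's code): authorization-code flow with PKCE and a
verified state value against the /common/ v2.0 endpoints the question uses.
CLIENT_ID, REDIRECT_URI, endpoints and Graph scopes come from the question;
the PKCE/state handling and the constructed callbacks in demo() are assumptions
of this example. Nothing here talks to the network."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# App ID from the AADSTS50020 message and one registered redirect URI (question).
CLIENT_ID = "05cc6cdc-507a-42b8-9017-694ae86c6657"
REDIRECT_URI = "http://localhost:5001/auth/callback/outlook"
# v2.0 scopes for the listed permissions; openid added so an id_token is returned too.
SCOPES = ["openid", "offline_access",
          "https://graph.microsoft.com/Mail.Read",
          "https://graph.microsoft.com/Mail.Send"]


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce() -> tuple[str, str]:
    """Fresh (verifier, challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Authorization request to the /common/ authority, bound to the PKCE challenge."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "response_mode": "query",
        "scope": " ".join(SCOPES), "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urlencode(params)


def query_params(url: str) -> dict[str, str]:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise ValueError.

    Refuses the response if the identity provider reported an error (an
    AADSTS code arrives in error_description) or if state does not match the
    value stored for this login attempt (the CSRF / login-injection check)."""
    q = query_params(callback_url)
    if "error" in q:
        raise ValueError(f"{q['error']}: {q.get('error_description', '')}")
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from this login attempt")
    if "code" not in q:
        raise ValueError("callback carried neither code nor error")
    return q["code"]


def build_token_request(code: str, code_verifier: str) -> dict[str, str]:
    """Form body for POST TOKEN_URL; a confidential client adds client_secret."""
    return {"client_id": CLIENT_ID, "grant_type": "authorization_code",
            "code": code, "redirect_uri": REDIRECT_URI,
            "code_verifier": code_verifier, "scope": " ".join(SCOPES)}


def demo() -> dict:
    """Offline round trip; constructed callback URLs stand in for the browser."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce()
    auth_url = build_authorize_url(state, challenge)
    good = REDIRECT_URI + "?" + urlencode({"code": "AUTH-CODE-FROM-IDP", "state": state})
    code = parse_callback(good, state)
    # A callback carrying someone else's state must be refused, not exchanged.
    forged = REDIRECT_URI + "?" + urlencode({"code": "ATTACKER-CODE", "state": "not-ours"})
    try:
        parse_callback(forged, state)
        rejected = False
    except ValueError:
        rejected = True
    return {"auth_url": auth_url, "code": code,
            "token_body": build_token_request(code, verifier),
            "mismatch_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running it prints the authorize URL the browser should be sent to and the body that would be POSTed to TOKEN_URL after the callback. The error text in the question says the sign-in was evaluated against the tenant 'Default Directory', so comparing `demo()["auth_url"]` with the request the browser actually makes during login is the quickest way to confirm that the `/common/` authority, and not a tenant-specific one, is the one in use.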

1 answer

  1. Harshitha Eligeti 1,930 Reputation points Microsoft External Staff
    2025-03-13T09:49:07.2533333+00:00

    Hello @Nicolas
    The error AADSTS50020: User account '******@hotmail.fr' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '05cc6cdc-507a-42b8-9017-694ae86c6657' (Copernic Outlook Connector) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    Since you are connected to the tenant as a standard user with restricted access, you cannot perform actions such as creating new users, groups, enterprise applications, and so on. To perform administrative actions, you must have administrative access to the tenant.

    For this purpose, you need to create your own tenant. When you create a new tenant, you by default become the Global Administrator of the new tenant and have full access to all the options in that tenant.

    To create a new tenant, open an in-private/incognito browser window (just to avoid SSO) and access https://azure.microsoft.com/en-us/free/ to create a free Azure account.

    Once the new account is created, you should be able to see and switch to the new tenant by clicking on the settings icon as highlighted below:

    [image: 174999-image.png]

    Alternatively, you can ask the global administrator of any existing Azure AD/Microsoft Entra tenant to invite you as a guest user as mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/add-users-administrator#add-guest-users-to-the-directory.
    Once you are added to an Entra tenant and you accept the invite sent to you via email, you can use https://portal.azure.com/#create/Microsoft.AzureActiveDirectory URL to create your own tenant as well.

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

