Windows Azure Active Directory error messages can be quite confusing; error code AADSTS50020 is a good example.
This error might show up when a user clicks Sign in with 'Windows Azure Active Directory' in the AgilePoint NX portal and the page is redirected to the WAAD login. The user is then able to sign in with an external ID (a non-organizational account, not a work/school account). At this point an access token is supposed to be generated based on the enabled authentication setting declared in the NX application tenant, and this is where the breakdown occurs. Instead of saying that it cannot generate an access token, WAAD throws the obscure message below. It should have been more forthright in stating that it cannot generate an access token, together with the basic information to pass along to the NX application, because the enabled authentication setting in the NX tenant (for Office 365) cannot navigate to, and is not allowed to access, resources in the 'live.com' identity provider.
Error Message:
"Additional technical information:
Correlation ID: 0324d2f7-2a4f-4e7a-8768-ab73817c5c4e
Timestamp: 2016-05-14 20:36:14Z
AADSTS50020: User account 'xyz@hotmail.com' from identity provider 'live.com' does not exist in tenant 'AgilePoint, Inc.' and cannot access the application '76da2944-23d5-4168-88b6-15cf3e6cde34' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
Reason:
That is expected. The user is trying to sign up with a live.com ID, which is not a native Windows Azure AD organizational account and can only be used with the four Microsoft services listed below. We already have a KB article about this.
This article refers to the Microsoft documentation at
https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/
which clearly says that, at this time, external users can only access the following Microsoft services and no other external system such as AgilePoint, Salesforce or Box.
Services that currently support access by Azure AD external users
- Azure classic portal: allows an external user who’s an administrator of multiple directories to manage each of those directories.
- SharePoint Online: if external sharing is enabled, allows an external user to access SharePoint Online authorized resources.
- Dynamics CRM: if the user is licensed via PowerShell, allows an external user to access authorized resources in Dynamics CRM.
- Dynamics AX: if the user is licensed via PowerShell, allows an external user to access authorized resources in Dynamics AX. The limitations for Azure AD external users apply to external users in Dynamics AX as well.
Pay special attention to this line:
"External users can't consent to multi-tenant applications in directories outside of their home directory"
So, based on the above, external users cannot sign up for any cloud solution outside the four listed Microsoft services, which is why they get this error. This is a limitation imposed by Microsoft on external users in WAAD.
Clients can use Windows Azure AD for their internal users who belong to a proper Windows Azure AD organization in Azure. If external users need access to processes, there are two options:
- Sign up external users with AgilePoint ID
- If they need not be authenticated then you can use Anonymous forms feature
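As an added illustration (not AgilePoint's code, and not something the article itself provides) of how the relying-party side of the sign-in flow described above could turn the obscure AADSTS text into a clear message for the user, the following Python parses the error_description that Azure AD appends to the redirect back to the application, extracts the error code, correlation ID, timestamp and, for AADSTS50020, the account, identity provider and tenant, and maps the code to an actionable explanation. The redirect URL and its host are constructed for the example; the AADSTS text and identifiers are the ones quoted in the article.

```python
"""Parse an Azure AD sign-in error redirect and explain AADSTS50020 clearly."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the redirect back to the application's reply URL after a
# failed sign-in. The reply-URL host is a placeholder; the description text,
# GUIDs and timestamp are those quoted in the article above.
_DESCRIPTION = (
    "AADSTS50020: User account 'xyz@hotmail.com' from identity provider "
    "'live.com' does not exist in tenant 'AgilePoint, Inc.' and cannot access "
    "the application '76da2944-23d5-4168-88b6-15cf3e6cde34' in that tenant. "
    "The account needs to be added as an external user in the tenant first. "
    "Sign out and sign in again with a different Azure Active Directory user "
    "account.\r\n"
    "Correlation ID: 0324d2f7-2a4f-4e7a-8768-ab73817c5c4e\r\n"
    "Timestamp: 2016-05-14 20:36:14Z"
)
SAMPLE_REDIRECT = "https://nx.example.invalid/signin-oidc?" + urlencode(
    {"error_description": _DESCRIPTION}
)


@dataclass
class AadError:
    code: str                       # e.g. "AADSTS50020"
    message: str                    # first line of error_description
    correlation_id: Optional[str]   # quote this when raising a support case
    timestamp: Optional[str]
    details: Dict[str, str] = field(default_factory=dict)  # account/idp/tenant


_FIRST_LINE = re.compile(r"^(AADSTS\d+):\s*(.*)$")
_KV_LINE = re.compile(r"^(Correlation ID|Timestamp):\s*(.+)$")
# Fields embedded in the AADSTS50020 wording.
_FIELDS_50020 = re.compile(
    r"User account '(?P<account>[^']+)' from identity provider '(?P<idp>[^']+)' "
    r"does not exist in tenant '(?P<tenant>[^']+)'"
)


def parse_error_description(description: str) -> Optional[AadError]:
    """Parse the multi-line error_description Azure AD sends on the redirect."""
    lines = [ln.strip() for ln in description.splitlines() if ln.strip()]
    if not lines:
        return None
    head = _FIRST_LINE.match(lines[0])
    if not head:
        return None  # not an AADSTS-style description; caller logs it raw
    err = AadError(code=head.group(1), message=head.group(2),
                   correlation_id=None, timestamp=None)
    for ln in lines[1:]:
        kv = _KV_LINE.match(ln)
        if kv:
            if kv.group(1) == "Correlation ID":
                err.correlation_id = kv.group(2)
            else:
                err.timestamp = kv.group(2)
    if err.code == "AADSTS50020":
        fields = _FIELDS_50020.search(err.message)
        if fields:
            err.details = fields.groupdict()
    return err


def parse_redirect(url: str) -> Optional[AadError]:
    """Pull error_description out of the redirect URL's query string."""
    query = parse_qs(urlparse(url).query)
    description = query.get("error_description", [None])[0]
    return parse_error_description(description) if description else None


def user_facing_message(err: AadError) -> str:
    """Map the raw AADSTS text to a message that tells the user what to do."""
    if err.code == "AADSTS50020":
        idp = err.details.get("idp", "an external identity provider")
        tenant = err.details.get("tenant", "this organization")
        return (
            f"Your account comes from {idp} and is not a member of the "
            f"{tenant} Azure AD directory, so the application cannot be issued "
            "an access token for it. Sign in with an organizational Azure AD "
            "account, or sign up with an AgilePoint ID instead."
        )
    # Any other code: keep it generic but give the user a reference to quote.
    return f"Sign-in failed ({err.code}). Reference: {err.correlation_id or 'n/a'}."


if __name__ == "__main__":
    parsed = parse_redirect(SAMPLE_REDIRECT)
    print(parsed)
    print(user_facing_message(parsed))
```

The correlation ID and timestamp are the values to record in the application's own log and to quote to Microsoft support; the account name should not be echoed into logs that are widely readable, since it identifies the person who attempted the sign-in.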