Unable to get OAuth token for external account


  • Hi!
    So I'm setting up an OAuth application in my company directory to integrate with another web app. When I perform the OAuth flow with a user inside my org, it works OK and I get an access token. If I try to use an account outside the org, it fails with "InvalidGrantError
    (invalid_grant) AADSTS50020: User account '' from identity provider ' ' does not exist in tenant 'Default Directory' and cannot access the application '5551f14e-3833-4cf5-a83b-1706d3f042a3' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
    Trace ID: b93c3f9b-b157-47f9-83dd-985a27640200
    Correlation ID: 26d2b475-e957-4df6-8157-5eb4d322683e
    Timestamp: 2017-03-20 20:38:03Z"
    I'm using the v1 endpoints.

    I've also tried the OAuth v2 endpoints, but you do not yet allow specifying permissions for the Service Management Resource, only Microsoft Graph permissions. Or at least I have tried editing the manifest with the GUIDs from v1, but with no luck; it looks like they have changed. With this application I do not get an access_token, only the id_token :(

    Note: this account is the testing one (an account outside of the organization).

    Can you help me with this? Thanks!



    • Edited by saas-cloud Tuesday, March 21, 2017 7:45 PM
    Tuesday, March 21, 2017 7:44 PM

All replies

  • Have you checked the External User settings in your Azure AD tenant?
    The guest user limitation setting should be set to NO.
    You can check this setting from either the Azure Portal or the Management Portal.

    Azure Portal:
    - In your Azure AD Tenant, go to the User Settings
    - Under External Users, "Guest users permissions are limited" should be set to NO

    Management Portal:
    - In your Azure AD Tenant, go to the Configure Tab on the top.
    - Under the User Access section, "Limit Guest Access" should be set to NO

    Wednesday, March 22, 2017 11:35 AM
  • Thanks for your response, Neelesh.

    I wonder what implications this setting has. How can this setting compromise my organisation's data?
    Should I have a separate Azure Active Directory / account for this OAuth app?

    Thursday, March 23, 2017 4:03 PM
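
An added example, not code from the original post or from Microsoft: a small parser for the token-endpoint error quoted in the first post. It accepts either the JSON body Azure AD returns for a failed token request (fields error, error_description, error_codes, timestamp, trace_id, correlation_id) or the bare message as it appears in a client-library exception, pulls out the AADSTS code, tenant, application ID and trace/correlation IDs, and flags AADSTS50020 as a tenant-boundary rejection (the account is neither a member nor a guest of the tenant the app is registered in, which is what the error text itself says). The three sample bodies are constructed from the post's own message; the classification labels are this example's, not Azure AD's.

```python
"""Parse and triage an Azure AD token-endpoint error (added example).

Assumptions: the JSON field names are those Azure AD uses for token
errors; the samples are constructed from the error quoted in the post;
the triage labels returned by classify() are this example's own.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Azure AD puts the AADSTS code at the start of error_description; the
# Trace ID / Correlation ID / Timestamp lines follow on their own lines.
AADSTS_RE = re.compile(r"AADSTS(\d+):\s*(.*?)(?=\r?\nTrace ID:|\Z)", re.S)
OAUTH_RE = re.compile(r"\((\w+)\)\s*AADSTS")          # "(invalid_grant) AADSTS..."
TENANT_RE = re.compile(r"in tenant '([^']*)'")
APP_RE = re.compile(r"application '([0-9a-fA-F-]{36})'")
TRACE_RE = re.compile(r"Trace ID:\s*([0-9a-fA-F-]{36})")
CORR_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]{36})")

# Constructed sample 1: the JSON form of the response from the post.
JSON_SAMPLE = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50020: User account '' from identity provider ' ' does not "
        "exist in tenant 'Default Directory' and cannot access the application "
        "'5551f14e-3833-4cf5-a83b-1706d3f042a3' in that tenant. The account "
        "needs to be added as an external user in the tenant first. Sign out "
        "and sign in again with a different Azure Active Directory user account.\r\n"
        "Trace ID: b93c3f9b-b157-47f9-83dd-985a27640200\r\n"
        "Correlation ID: 26d2b475-e957-4df6-8157-5eb4d322683e\r\n"
        "Timestamp: 2017-03-20 20:38:03Z"
    ),
    "error_codes": [50020],
    "timestamp": "2017-03-20 20:38:03Z",
    "trace_id": "b93c3f9b-b157-47f9-83dd-985a27640200",
    "correlation_id": "26d2b475-e957-4df6-8157-5eb4d322683e",
})

# Constructed sample 2: the bare text as pasted from the client exception.
BARE_SAMPLE = (
    "InvalidGrantError\n(invalid_grant) AADSTS50020: User account '' from identity "
    "provider ' ' does not exist in tenant 'Default Directory' and cannot access "
    "the application '5551f14e-3833-4cf5-a83b-1706d3f042a3' in that tenant. The "
    "account needs to be added as an external user in the tenant first.\n"
    "Trace ID: b93c3f9b-b157-47f9-83dd-985a27640200\n"
    "Correlation ID: 26d2b475-e957-4df6-8157-5eb4d322683e\n"
    "Timestamp: 2017-03-20 20:38:03Z"
)

# Constructed sample 3: an OAuth error with no AADSTS code at all.
OTHER_SAMPLE = json.dumps({"error": "invalid_request",
                           "error_description": "missing authorization code"})


@dataclass
class TokenError:
    oauth_error: str            # OAuth 2.0 error string, e.g. "invalid_grant"
    aadsts_code: Optional[int]  # e.g. 50020; None when no AADSTS code is present
    tenant: Optional[str]
    app_id: Optional[str]
    trace_id: Optional[str]
    correlation_id: Optional[str]
    message: str                # human-readable text without the ID trailer


def _first(rx: "re.Pattern[str]", text: str) -> Optional[str]:
    m = rx.search(text)
    return m.group(1) if m else None


def parse_token_error(raw: str) -> TokenError:
    """Accept the JSON error body or a bare pasted error message."""
    try:
        body = json.loads(raw)
    except ValueError:
        body = None
    if not isinstance(body, dict):
        # Bare text: recover the OAuth error from the "(invalid_grant)" prefix.
        oauth = _first(OAUTH_RE, raw) or "unknown"
        body = {"error": oauth, "error_description": raw}
    desc = str(body.get("error_description", ""))
    m = AADSTS_RE.search(desc)
    codes = body.get("error_codes") or []
    code = int(m.group(1)) if m else (int(codes[0]) if codes else None)
    return TokenError(
        oauth_error=str(body.get("error", "unknown")),
        aadsts_code=code,
        tenant=_first(TENANT_RE, desc),
        app_id=_first(APP_RE, desc),
        trace_id=body.get("trace_id") or _first(TRACE_RE, desc),
        correlation_id=body.get("correlation_id") or _first(CORR_RE, desc),
        message=m.group(2).strip() if m else desc.strip(),
    )


def classify(err: TokenError) -> str:
    """Triage label (this example's own vocabulary, not Azure AD's)."""
    if err.aadsts_code is None:
        return "not_aadsts"
    if err.aadsts_code == 50020:
        # The user authenticated at their home IdP but is not a member or
        # guest of the tenant the app is registered in: the tenant boundary
        # is doing its job, so the fix is on the directory side, not the app.
        return "external_account_not_in_tenant"
    return "other_aadsts"


if __name__ == "__main__":
    for sample in (JSON_SAMPLE, BARE_SAMPLE, OTHER_SAMPLE):
        e = parse_token_error(sample)
        print(classify(e), e.oauth_error, e.aadsts_code, e.tenant, e.app_id,
              e.trace_id, e.correlation_id)
```

When opening a support case, the trace_id and correlation_id fields are what the directory side can look up; the message text is what tells you whether the rejection is a tenant-membership problem (as here) or something else.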