[Documentation] AcquireTokenByUsernamePassword throws AADSTS50020 error

Documentation Related To Component:

MSAL AcquireTokenByUsernamePassword

Please check those that apply

  • typo
  • documentation doesn’t exist
  • documentation needs clarification
  • error(s) in example
  • needs example

Description Of The Issue

I am trying out AcquireTokenByUsernamePassword to get an access token but I get the following error:

Microsoft.Identity.Client.MsalUiRequiredException
  HResult=0x80131500
  Message=AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/4e2c9ebc-13a3-4967-a599-8269be6d22f6/' does not exist in tenant 'Carlintveld' and cannot access the application '4f381a56-a3b1-419a-a2ca-89a6f52f0e7b'(Azure DevOps Sample) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 39765221-a26a-4792-a51b-19416a219d01
Correlation ID: f6985690-724a-453d-a4f8-4ebfe4cc4d00
Timestamp: 2020-11-30 16:01:14Z

I am using the following program.cs:

using Microsoft.Identity.Client;
using System;
using System.Net;
using System.Security;
using System.Threading.Tasks;

namespace NonInteractivePatGenerationSampleMsal
{
    class Program
    {
        async static Task Main(string[] args)
        {
            // Service-account credentials for the ROPC (username/password) flow.
            var username = "testuser@carlintveld.onmicrosoft.com";
            // NetworkCredential is a convenient way to turn a string into a SecureString.
            var password = new NetworkCredential("", "password").SecurePassword;
            var aadApplicationID = "<guid; redacted>"; // client (application) ID of the app registration
            // Authority pinned to the tenant the app is registered in.
            var client = PublicClientApplicationBuilder.Create(aadApplicationID)
                .WithAuthority("https://login.microsoftonline.com/carlintveld.onmicrosoft.com")
                .Build();
            var scopes = new string[] { "user.read" };
            // This call is what throws MsalUiRequiredException with AADSTS50020.
            var result = await client.AcquireTokenByUsernamePassword(scopes, username, password).ExecuteAsync();
        }
    }
}

Where is the guid 4e2c9ebc-13a3-4967-a599-8269be6d22f6 coming from? How do I resolve this AADSTS50020 error?

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:11 (8 by maintainers)

Top GitHub Comments

1 reaction
cveld commented, Dec 2, 2020

AAD / ESTS is not in the list. I have access to two tenants and neither are providing this. Maybe I don’t have the authorization? Many other Azure services are there. One is providing “Active Directory Domain Services”.

I reread this page and there are some interesting parts to note:

  1. Never let users enter their username and password into your app.
  2. Microsoft accounts are apparently not supported. Only work or school accounts.
  3. The common authority is not supported because it is combining Microsoft accounts with work or school accounts. Therefore one should choose organizations for multi-tenancy.
  4. ROPC is being used as a term, but explained outside the page: it stands for Resource Owner Password Credentials, i.e. the AcquireTokenByUsernamePassword flow.

Ad 1. Indeed, we never ask users to enter their username and password into our apps. We are using the AcquireTokenByUsernamePassword flow solely with service accounts. Ad 3. I will try the organizations authority.

1 reaction
bgavrilMS commented, Dec 1, 2020

To go back to your point around external users, I just tried this out. It looks like AcquireTokenByUsernamePassword is unable to log in a guest user, however AcquireTokenInteractive does allow this login.

My setup was:

authority: https://login.microsoftonline.com/TenantA with a user who is a guest in TenantA

This seems to be a service limitation or a bug. AcquireTokenByUsernamePassword is strongly discouraged, so I would not be surprised if some of these advanced scenarios do not work. Still, please feel free to open an issue via the Azure Portal to the AAD service, as this is not an SDK bug.

If you have problems getting AcquireTokenInteractive to work, let's discuss further.
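The following is an added example, not code from the issue author or from the MSAL.NET project. It puts the two suggestions in the thread together: use the "organizations" authority for AcquireTokenByUsernamePassword instead of "common" (cveld's note 3), and fall back to AcquireTokenInteractive when the service refuses the ROPC sign-in with AADSTS50020 (bgavrilMS's observation about guest users). It also answers the question from the issue body about the GUID: the 'identity provider' URL in the error names the account's home tenant, which the sample reads back from the result as the account's home tenant ID and compares with the tenant that issued the token. Assumptions: the CLIENT_ID, ROPC_USER and ROPC_PASSWORD environment variables are set, and http://localhost is registered as a redirect URI for the app so the interactive fallback can run on .NET Core. Whether ROPC against "organizations" succeeds for a given account still depends on the app being available in that account's home tenant; the thread does not report the outcome.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the issue or from MSAL.NET). Assumed environment:
// CLIENT_ID, ROPC_USER, ROPC_PASSWORD set; http://localhost registered as a
// redirect URI on the app registration.
class GuestAwareTokenSample
{
    static readonly string[] Scopes = { "user.read" };

    static async Task Main()
    {
        string clientId = Environment.GetEnvironmentVariable("CLIENT_ID");
        string username = Environment.GetEnvironmentVariable("ROPC_USER");
        // Never hard-code the password; ROPC is only for service accounts.
        var password = new NetworkCredential("",
            Environment.GetEnvironmentVariable("ROPC_PASSWORD")).SecurePassword;

        var app = PublicClientApplicationBuilder.Create(clientId)
            // "organizations" = work/school accounts from any tenant.
            // "common" is not usable for ROPC because it also covers personal accounts.
            .WithAuthority("https://login.microsoftonline.com/organizations")
            .WithRedirectUri("http://localhost")
            .Build();

        AuthenticationResult result;
        try
        {
            result = await app.AcquireTokenByUsernamePassword(Scopes, username, password)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex) when (ex.Message.Contains("AADSTS50020"))
        {
            // The account lives in another tenant (the GUID in the error's
            // 'identity provider' URL) and is only a guest in the target tenant.
            // ROPC cannot sign such a user in; interactive sign-in can.
            Console.WriteLine($"ROPC refused ({ex.ErrorCode}); falling back to interactive sign-in.");
            result = await app.AcquireTokenInteractive(Scopes)
                .WithLoginHint(username)
                .ExecuteAsync();
        }

        ReportTenants(result);
    }

    // Prints the tenant that issued the token next to the account's home
    // tenant. For a guest user these two values differ.
    static void ReportTenants(AuthenticationResult result)
    {
        string issuingTenant = result.TenantId;
        string homeTenant = result.Account.HomeAccountId.TenantId;
        Console.WriteLine($"User:                   {result.Account.Username}");
        Console.WriteLine($"Token issued by tenant: {issuingTenant}");
        Console.WriteLine($"Account home tenant:    {homeTenant}");
        Console.WriteLine(issuingTenant == homeTenant
            ? "Native account in the issuing tenant."
            : "Guest account: home tenant differs from the issuing tenant.");
    }
}
```

The catch filter keys on the AADSTS50020 text because MSAL surfaces the AAD error description in the exception message; ErrorCode carries the OAuth-level code (for example invalid_grant) and is not specific enough on its own. If the service account must stay non-interactive, the fallback is not an option: create the account natively in the tenant that hosts the app rather than inviting it as a guest.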
