Overview
This article provides steps to resolve an issue where an attempt to log in via a Microsoft Azure Active Directory (AD) connection results in an error. This occurs when an enterprise connection is configured in an Auth0 tenant to connect Auth0 to Azure AD, with the intent of supporting logins from both the primary Azure AD domain and downstream customer Azure AD domains. If a user is not a member of the primary business organization's Azure AD tenant, the login attempt fails. The authentication flow halts, and the user is presented with an error message similar to:
- AADSTS50020: User account from identity provider does not exist in tenant ‘’ and cannot access the application ‘<app_name>’ in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This is often accompanied by an access_denied message. As a result, users cannot log in via the Azure AD connection.
Applies To
- Microsoft Azure Active Directory (AD)
- Multitenant organization
- Login error
Cause
This behaviour is a consequence of how the Microsoft Azure Active Directory (AD) connection is configured. By default, provisioning an Azure AD connection restricts logins to users within the single Azure AD tenant that was configured when the connection was created, because the connection sends users to that tenant's own sign-in endpoint rather than to a multitenant one. This security measure prevents users from unassociated Azure AD tenants from accessing resources, maintaining logical separation between organizations. For example, a user from a domain such as example.com would not be able to view resources intended for users from okta.com. Azure AD reports a sign-in from any other tenant as AADSTS50020 unless that account has first been added to the connected tenant as an external (guest) user.
- General guidance for troubleshooting error AADSTS50020 can be found in the Microsoft document: Error AADSTS50020 - User account from identity provider does not exist in tenant
Solution
To permit users to log in with an Azure Active Directory (AD) connection even if the user is not associated with the primary Azure AD domain, a multitenant Azure AD solution can be created. This allows login with accounts from different instances of Azure AD. The suitability of this approach depends on specific business use case details.
If pursuing a multitenant strategy, enable the Use common endpoint option in the settings of the Azure AD enterprise connection in Auth0.
- When enabled, the connection will dynamically accept users from new directories. This only works if a multitenant option was selected for Supported account types when the application was registered in Azure AD; a single-tenant app registration will still reject users from other tenants.
- Enabling this option redirects users to Azure's common login endpoint (login.microsoftonline.com/common) instead of the tenant-specific endpoint. Azure then performs Home Realm Discovery based on the user's email address domain and sends the user to their home tenant to authenticate.
Leaving the Use common endpoint option disabled is what produces the AADSTS50020 error for users from other tenants. Enabling it should resolve the problem and allow users to sign in with an Azure account associated with a different organization. Note that once the common endpoint is in use, any Azure AD tenant can authenticate users to the connection; which tenants are actually permitted to reach the application becomes an authorization decision that must be enforced explicitly, for example by checking the tenant identifier of the authenticated user against a list of onboarded customers.
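The following is an added example of the tenant check described above. It is not code from this article or from Auth0; it assumes the Azure AD v2.0 claim set (iss, tid, preferred_username) is available wherever the check runs, that the token signature has already been verified by the library that produced the claims, and that the allow list of tenant IDs and the sample claim sets are constructed for illustration. It shows the two modes that matter after switching to the common endpoint: accept any tenant (open multitenant) or accept only onboarded tenants, while in both modes rejecting a token whose tid disagrees with its issuer.

```javascript
// Added example, not part of the original article or of Auth0's own code.
// Validates which Azure AD tenant a user came from once the common endpoint
// is enabled. Signature verification is assumed to have happened already.

// Azure AD v2.0 issuers have the form https://login.microsoftonline.com/{tid}/v2.0
const ISSUER_RE = /^https:\/\/login\.microsoftonline\.com\/([0-9a-fA-F-]{36})\/v2\.0$/;

// Hypothetical allow list of onboarded customer tenants (constructed GUIDs).
const ALLOWED_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111", // primary business tenant
  "22222222-2222-2222-2222-222222222222", // an onboarded customer tenant
]);

// Decide whether a token's tenant may access the application.
// allowedTenants: a Set of tenant IDs, or null to accept any tenant
// (the "dynamically accept users from new directories" behaviour).
// Returns { ok: true, tenantId } or { ok: false, reason }.
function checkTenant(claims, allowedTenants = ALLOWED_TENANTS) {
  const m = ISSUER_RE.exec(claims.iss || "");
  if (!m) return { ok: false, reason: "issuer is not an Azure AD v2.0 issuer" };
  const issuerTenant = m[1].toLowerCase();

  if (typeof claims.tid !== "string" || claims.tid.length === 0)
    return { ok: false, reason: "missing tid claim" };
  const tid = claims.tid.toLowerCase();

  // The tid claim and the tenant segment of the issuer must agree; if they
  // differ, the token was not issued by the tenant it claims to belong to.
  if (tid !== issuerTenant)
    return { ok: false, reason: "tid does not match issuer tenant" };

  // Open multitenant mode: any Azure AD tenant is acceptable.
  if (allowedTenants === null) return { ok: true, tenantId: tid };

  if (!allowedTenants.has(tid))
    return { ok: false, reason: `tenant ${tid} is not onboarded` };
  return { ok: true, tenantId: tid };
}

// Constructed sample claim sets (no real tenants or users).
const primaryUser = {
  iss: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
  tid: "11111111-1111-1111-1111-111111111111",
  preferred_username: "alice@example.com",
};
const unknownTenantUser = {
  iss: "https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333/v2.0",
  tid: "33333333-3333-3333-3333-333333333333",
  preferred_username: "bob@unrelated.example",
};
const mismatchedUser = {
  iss: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
  tid: "22222222-2222-2222-2222-222222222222",
  preferred_username: "mallory@example.com",
};

// Run the three samples through both modes and collect the outcomes.
function demo() {
  const samples = { primaryUser, unknownTenantUser, mismatchedUser };
  const results = {};
  for (const [name, claims] of Object.entries(samples)) {
    results[name] = {
      restricted: checkTenant(claims),
      open: checkTenant(claims, null),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

In restricted mode the unknown tenant is rejected even though Azure AD authenticated the user successfully; in open mode it is accepted. The mismatched token is rejected in both modes, because the tid/issuer agreement check does not depend on the allow list.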
Considerations for alternative solutions:
- Individual Azure AD Connections: Creating new Azure AD connections for each customer is a possible solution. However, Auth0 subscription plans impose limits on the number of Enterprise connections available (e.g., a B2B-Essentials plan currently permits only three). For a Software as a Service (SaaS) company with numerous customers, this may not be viable.
- Configuration Data Sharing: Each individual connection requires the customer to register an application in their own Azure AD tenant and hand its client ID and client secret to the SaaS provider, who must then store and rotate a secret per customer. The security concerns around exchanging and holding this configuration data may further constrain the option of individual connections.