• I think I am missing something. I wanted to use it for registration, I set new registration to allow all, even personal, accounts. But it is spitting this error during the log-in process

    AADSTS50020: User account 'xxx from identity provider 'live.com' does not exist in tenant 'xxxx' and cannot access the application 'xxx'(xxx register) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    Am I missing something?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Marco

    (@qlcvea)

    Have you set the Tenant ID option in the plugin settings? Try changing it to the literal common, if it is set to an actual ID it may override the app configuration in Azure AD (which I assume is set to allow all accounts, including personal/consumer MSA).

    Thread Starter kamilcz

    (@kamilcz)

    Thank you, seems like there is a further issue. Now it allowed me to go through with login until it redirected me to ?code=M.R3_BL2.8c56af13-bb21-1356-5a71-36426c3c60b1&state={"redirect_to":"https:\/\/xxxxxx.xx\/wp-admin\/"%2c"nonce":"cb481d5f74"}

    Seems like I am still missing something

    Plugin Author Marco

    (@qlcvea)

    Those query parameters look correct. They should be at the end of the URL for the “callback” page (/sso-for-azure-ad/callback or ?sso-for-azure-ad=callback). From that page you should end up getting redirected to the page you were trying to access before logging in.

    Do you see an error message?

    Thread Starter kamilcz

    (@kamilcz)

    I see just a 404 and I am not logged in

    Plugin Author Marco

    (@qlcvea)

    Do rewrites work on your host?

    If https://<your site>/?sso-for-azure-ad=start redirects to the MS sign-in page and https://<your site>/sso-for-azure-ad/start does not, you probably do not have rewrites working.

    The plugin does not support environments without rewrites when support for MSA is needed, as Microsoft requires callback URLs without query parameters when MSA users can sign into an app (not required when only AAD account support is needed).
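    The two mechanisms this thread turns on, a clean /sso_for_azure_ad/callback path that WordPress rewrites onto the same query variable as ?sso_for_azure_ad=callback, and a state parameter carrying redirect_to plus a nonce (the shape of the state value posted earlier in the thread), shown together in one added PHP illustration. This is not the SSO for Azure AD plugin's own code: the sso_example_* function, transient and cookie names are hypothetical, and the code-for-token exchange is left out so the focus stays on routing and on validating state before trusting redirect_to.

```php
<?php
/*
 * Added illustration, not the plugin's code. Shows how a WordPress plugin can
 * (1) serve /sso_for_azure_ad/{start,callback} without a query string, as
 * Microsoft requires for apps that admit MSA users, while still honouring the
 * ?sso_for_azure_ad=... form, and (2) validate the state parameter on the
 * callback so a forged or replayed callback cannot log someone in or bounce
 * them to an arbitrary URL. All sso_example_* names are hypothetical.
 */

// 1. Rewrite: map the clean path onto the query variable the plain form uses.
//    Needs permalinks enabled; flush_rewrite_rules() once on plugin activation.
add_action('init', function () {
    add_rewrite_rule(
        '^sso_for_azure_ad/(start|callback)/?$',
        'index.php?sso_for_azure_ad=$matches[1]',
        'top'
    );
});

add_filter('query_vars', function (array $vars) {
    $vars[] = 'sso_for_azure_ad';
    return $vars;
});

// 2. At /start: build the state value. The nonce is kept server-side in a
//    transient keyed by a random session id that rides in an HttpOnly cookie,
//    so the callback can check it without trusting the client.
function sso_example_build_state(string $redirect_to): string {
    $nonce = bin2hex(random_bytes(16));
    $sid   = bin2hex(random_bytes(16));
    set_transient('sso_example_nonce_' . $sid, $nonce, 10 * MINUTE_IN_SECONDS);
    setcookie('sso_example_sid', $sid, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return wp_json_encode(['redirect_to' => $redirect_to, 'nonce' => $nonce]);
}

// 3. At /callback: check the returned state. Returns a safe redirect target,
//    or null if the nonce is missing, stale, reused or does not match.
function sso_example_validate_state(string $state_json, string $sid): ?string {
    $state = json_decode($state_json, true);
    if (!is_array($state) || empty($state['nonce']) || empty($state['redirect_to'])) {
        return null;
    }
    $expected = get_transient('sso_example_nonce_' . $sid);
    delete_transient('sso_example_nonce_' . $sid); // single use
    if (!is_string($expected) || !hash_equals($expected, (string) $state['nonce'])) {
        return null; // forged or replayed callback
    }
    // Reject off-site destinations; falls back to the admin URL.
    return wp_validate_redirect($state['redirect_to'], admin_url());
}

add_action('template_redirect', function () {
    if (get_query_var('sso_for_azure_ad') !== 'callback') {
        return;
    }
    $sid    = isset($_COOKIE['sso_example_sid']) ? (string) $_COOKIE['sso_example_sid'] : '';
    $state  = isset($_GET['state']) ? (string) wp_unslash($_GET['state']) : '';
    $target = sso_example_validate_state($state, $sid);
    if ($target === null) {
        wp_die('Invalid sign-in state.', 'SSO error', ['response' => 400]);
    }
    // The authorization code in $_GET['code'] would be exchanged for tokens
    // here and the matching WordPress user signed in (omitted in this example).
    wp_safe_redirect($target);
    exit;
});
```

    With this in place, a quick check that rewrites are active is that https://<your site>/sso_for_azure_ad/start and https://<your site>/?sso_for_azure_ad=start behave identically; if only the query-string form works, the rewrite rule is not being applied and the clean callback URL registered in Azure AD will 404 exactly as described in this thread.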

    Thread Starter kamilcz

    (@kamilcz)

    Trouble is, both go to 404. I can only log in (or try to) from the /wp-admin page using the button. The button has the following link https://xxx.xx/wp/?sso_for_azure_ad=start&redirect_to=https%3A%2F%2Fxxx.xx%2Fwp%2Fwp-admin%2F
    It redirects me to Microsoft where I can log in to my account but returning fails on 404. Rewrites work normally with pages and posts. I can give you access to my dev environment so you can try yourself if it helps

    Plugin Author Marco

    (@qlcvea)

    Sorry, your comment made me realize that my examples were incorrect since I used - instead of _.

    Please try https://<your site>/?sso_for_azure_ad=start and https://<your site>/sso_for_azure_ad/start. I have my doubts that this will make any difference though.

    The correct callback URL should be https://<your site>/sso_for_azure_ad/callback?code=...&state=...

    Thread Starter kamilcz

    (@kamilcz)

    Yes, no difference. I had it correctly set in my Azure

    Plugin Author Marco

    (@qlcvea)

    If the URLs I previously mentioned are correctly being rewritten to be handled by WordPress, I honestly do not have any ideas on why it does not work.

    I might test my plugin again in the next few days on the latest WordPress to ensure that it did not break in a way that I missed.

  • The topic ‘User account from identity provider ‘live.com’ does not exist’ is closed to new replies.