
ricardaskauneckas
Sep 30, 2024

Microsoft Entra ID App not accessible to other organisations

Hi all,

I have an external PHP-based application that allows users to send emails via the Microsoft Graph API instead of SMTP, which will be deprecated soon. For this, I registered an application under Entra App registrations with the delegated permission scopes Mail.Send and offline_access. The app is configured to allow all types of Microsoft accounts, and during testing with personal and internal company Microsoft accounts, everything works perfectly. I'm using the authorization code flow for authentication:

  1. The user logs in.
  2. The user consents to the required permissions (prompt=consent).
  3. The user is redirected back to the application with an access and refresh token.

However, when a user with an external company (organizational) account tries to authorize the app, they encounter the following error after logging in:

AADSTS650053: The application 'My App Name' requested scope 'offline_access, Mail.Send' which doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

I’ve tried various configurations but haven’t been able to resolve the issue. My question is: does the external company tenant require any specific configuration, or am I missing something on my end? How can I get this working for organizational accounts if it's already functioning for personal Microsoft accounts?

Any help or suggestions would be greatly appreciated.

Best regards,
Ricardas Kauneckas

    kyazaferr

    The error you're encountering, AADSTS650053: The application 'My App Name' requested scope 'offline_access, Mail.Send' which doesn't exist on the resource '00000003-0000-0000-c000-000000000000', suggests that the issue lies in the configuration of your Entra ID (Azure AD) app permissions and its ability to interact with organizational accounts (users from external companies).

    Here's a breakdown of potential issues and solutions:

    1. API Permissions and Tenant Settings

    • Application Permissions for Organizational Accounts: The error indicates that the required scopes (offline_access, Mail.Send) are not recognized for the organizational account. This could mean the app is not configured correctly to allow consent for organizational accounts in the external tenant.
    • Ensure API Permissions are Correct:
      • When you're using the Microsoft Graph API, you need to make sure that your application has the correct API permissions.
      • For external users, Mail.Send requires delegated permission and should be configured properly in your app's API permissions.
      In the App Registrations section of Azure AD (Entra ID), make sure that the app has:
      • Mail.Send permission under Delegated Permissions (since you're using the authorization code flow).
      • offline_access is also a standard permission required for refresh tokens, but ensure it is correctly included and consented for all users.
    • Verify Permissions for External Tenants: For users in external organizations (i.e., Azure AD B2B users or accounts from different tenants), those tenants must allow the app to request consent. You can request that the external organization grants consent to the app using admin consent or individual user consent.

    2. Cross-Tenant Access Configuration

    • External Collaboration Settings: Ensure that the external tenant allows external access to your application. Specifically, check the settings for external collaboration and make sure that users from other tenants can authenticate and consent to applications.
      • Go to Azure AD > External Identities > External collaboration settings and ensure that Allow invitations to be sent to any domain or Allow only specific domains (if restricted) is configured properly.
    • Cross-Tenant Access Settings: If the external users are from another Azure AD tenant, ensure that the Cross-Tenant Access settings are configured to allow them to authenticate. This is especially important if the organization has strict policies regarding external applications and third-party access.

    3. Admin Consent for External Tenants

    • Admin Consent Required: Some external tenants might have stricter policies regarding which applications can access their users' data. The application may require admin consent from the external tenant's Azure AD administrator to grant permissions to external users.
    • To facilitate this, the administrator of the external organization needs to consent to the app. This can be done via a URL like:

    4. Check Supported Account Types for the Application

    • When configuring your app in App Registrations, make sure the Supported account types setting is correct. For external accounts (from other organizations), you should select Accounts in any organizational directory (Any Azure AD directory - Multitenant) or Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox), depending on the level of access you want to allow.
      You can check and update this setting under Authentication in your app registration.

    5. Update and Test Token Scopes

    • When external users consent to the app, make sure that the correct scopes are requested, such as:
      • Mail.Send
      • offline_access
      Also, verify that the authorization code flow correctly exchanges the authorization code for the access and refresh tokens and that these tokens contain the required scopes.

    6. Test Consent Flow with External Accounts

    • Test the login and consent flow with an external organizational account by manually triggering the OAuth flow and checking for any issues related to consent or token generation. Sometimes external users need explicit consent for each scope requested by the application, and the error may point to missing permissions in the external tenant.
      ricardaskauneckas

      kyazaferr I am very thankful for your answer. However, I was already able to solve my problem.

      It turned out to be as simple as using the wrong separator for the scope. I had used a comma instead of a space.

      The error invalid_user was extremely misleading, especially since Microsoft also has an error like invalid_permission_scope (or something similar), which I would have expected in this case.

      What made this even more confusing was the fact that for private accounts, the permission scope in the URL is either ignored or handled differently, allowing them to work even with the wrong separator. However, for organizational tenants, it caused a fatal error.

      Thank you again for your informative answer!
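
The authorization-code request the original post describes (steps 1 to 3) and the fix in the final reply, a space-separated scope parameter instead of a comma-separated one, as an added example in Python. This is not code from the poster's PHP application or from Microsoft. The client ID, redirect URI and client secret are placeholders, the 'common' authority is an assumption (it matches the "all account types" registration the poster describes), and the access token at the end is constructed and unsigned, used only to show how to read the scp claim.

```python
"""Entra ID (v2.0 endpoint) authorize URL, token request and scope check for
the delegated Mail.Send + offline_access flow. Added example, not the
poster's app; identifiers below are placeholders, the token is constructed."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/common"   # assumption: 'common' = any org + MSA
CLIENT_ID = "00000000-0000-0000-0000-000000000000"       # placeholder, not a real app ID
REDIRECT_URI = "https://example.invalid/oauth/callback"  # placeholder
GRAPH_RESOURCE = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as quoted in the error

REQUIRED_SCOPES = ["offline_access", "Mail.Send"]


def scope_parameter(scopes):
    """Join scopes with a single space, as RFC 6749 section 3.3 requires.

    A comma-joined string ('offline_access, Mail.Send') is sent as ONE scope
    name that Graph does not define, which is the condition AADSTS650053
    reports ("requested scope ... doesn't exist on the resource").
    """
    for s in scopes:
        if "," in s or " " in s:
            raise ValueError(f"scope name {s!r} contains a separator; pass a list of scopes")
    return " ".join(scopes)


def build_authorize_url(scopes, state=None):
    """Authorization request (step 1). urlencode writes the space as '+',
    which the endpoint decodes back to a space; '%20' would also be accepted."""
    state = state or secrets.token_urlsafe(16)  # bind the callback to this session
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope_parameter(scopes),
        "state": state,
        "prompt": "consent",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request_body(code):
    """Form body for exchanging the code (step 3); scope is again space-separated.
    The client secret is a placeholder for the value from the app registration."""
    return urlencode({
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": scope_parameter(REQUIRED_SCOPES),
        "client_secret": "<client-secret-from-app-registration>",
    })


def scopes_in_query(url):
    """Parse the scope parameter back out of an authorize URL, as the server sees it."""
    return parse_qs(urlsplit(url).query)["scope"][0].split(" ")


def jwt_scopes(access_token):
    """Delegated scopes ('scp' claim) carried by an access token payload.

    No signature check: a Graph access token is for Graph to validate, not
    the client. This is only a diagnostic for the 'verify the tokens contain
    the required scopes' step of the answer above.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scp", "").split())


def missing_scopes(access_token, required=("Mail.Send",)):
    """Required Graph scopes the token does not carry. offline_access is not
    listed in 'scp'; its effect is the refresh_token in the token response."""
    return sorted(set(required) - jwt_scopes(access_token))


def constructed_token(scp):
    """Constructed, unsigned token (header.payload.) for this example only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': GRAPH_RESOURCE, 'scp': scp})}."


if __name__ == "__main__":
    url = build_authorize_url(REQUIRED_SCOPES)
    print(url)
    print(scopes_in_query(url))
    try:
        build_authorize_url(["offline_access, Mail.Send"])  # the separator mistake
    except ValueError as err:
        print("rejected before the round trip:", err)
    print(missing_scopes(constructed_token("Mail.Send User.Read")))
```

Running it prints the authorize URL with scope=offline_access+Mail.Send, rejects the comma-joined string locally instead of letting the directory report it as an unknown scope, and lists any required Graph scope a returned token lacks. Exchange the code over TLS with a POST to the same authority's /oauth2/v2.0/token endpoint using token_request_body, and compare the state in the callback with the one you issued before using the code.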
