Microsoft Tech Community

Microsoft identity platform fails to authenticate personal Microsoft accounts with Office 365 subscr


Hi, this is my first posting here, so apologies if I am breaking any blog rules unknowingly.

I registered an Office add-in app in the Azure portal. The add-in uses single sign-on (SSO) to authorize users. I obtain an authorization code from https://login.microsoftonline.com/common/oauth2/v2.0/authorize and then redeem it for an access token with a POST to https://login.microsoftonline.com/common/oauth2/v2.0/token. The SSO works for users with work or school accounts but fails for users with personal email accounts such as live.com and hotmail.com, despite their having a current personal Office 365 subscription. Here is a typical response received from the token server:


{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: f351e59c-dc4f-4b10-8293-4e6fe8c8c600\r\nCorrelation ID: 196c96ec-1310-4afb-8d4b-ab70d77bb816\r\nTimestamp: 2021-02-22 00:34:40Z","error_codes":[9002313],"timestamp":"2021-02-22 00:34:40Z","trace_id":"f351e59c-dc4f-4b10-8293-4e6fe8c8c600","correlation_id":"196c96ec-1310-4afb-8d4b-ab70d77bb816","error_uri":"https://login.microsoftonline.com/error?code=9002313"} 


Users have sent us proof of their valid personal Office 365 subscriptions but still cannot use SSO. The app is configured in the Azure portal to support "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". It seems to me the Microsoft identity platform does not recognize some personal Microsoft accounts, and I am not sure how to resolve the error from our end, or whether there is anything users could do to refresh their accounts with the Microsoft identity platform.


This issue has been blocking many users, so any help to understand and resolve this error is greatly appreciated.


1 Reply

I did figure out the error eventually. The auth code should be decoded before redeeming. Some codes apparently did not require decoding while others did. Hopefully this will help someone who might run into this problem. I wish the server response were a bit more verbose about what was malformed.
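The fix in the reply above (decode the authorization code once before redeeming it, because some codes arrive still percent-encoded and others do not) is easy to get wrong in both directions: never decoding produces the AADSTS9002313 "malformed" rejection shown in the question, and decoding twice corrupts a code that contains a literal `%` or `+`. The Node.js snippet below is an added example, not the poster's add-in code and not Microsoft library code. The helper names (`normalizeAuthCode`, `codeFromRedirect`, `buildTokenRequest`, `redeemCode`) and the `CLIENT_ID_PLACEHOLDER`-style values are assumptions; only the token endpoint URL comes from the post. It decodes the code only when percent-escapes are actually present, then lets `URLSearchParams` re-encode every field exactly once for the form body, so the code is transmitted correctly whichever form it arrived in. The token exchange is meant to run server-side, where the client secret (or PKCE verifier) stays off the add-in client, and on failure it surfaces the server's `trace_id` and `correlation_id` for support rather than logging the code or any token.

```javascript
// Added example (not from the original post): redeem an OAuth 2.0 authorization
// code at the Microsoft identity platform v2.0 token endpoint, decoding the code
// exactly once. Helper names are hypothetical; CLIENT_ID_PLACEHOLDER etc. are
// placeholders, not real identifiers.

// Endpoint named in the question; "common" accepts work, school and personal accounts.
const TOKEN_ENDPOINT = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';

// True when the string still carries percent-escapes such as "%2B" or "%2F".
function looksPercentEncoded(s) {
  return /%[0-9A-Fa-f]{2}/.test(s);
}

// Decode the code once, and only if it is still encoded. A code that was already
// decoded upstream is returned untouched, so the function is safe to call at any
// layer without double-decoding. A malformed escape sequence (decodeURIComponent
// throws a URIError) is also returned untouched; the server will reject it and
// its error will point at the real problem.
function normalizeAuthCode(rawCode) {
  if (typeof rawCode !== 'string' || !looksPercentEncoded(rawCode)) return rawCode;
  try {
    return decodeURIComponent(rawCode);
  } catch (err) {
    return rawCode;
  }
}

// Pull the code out of the redirect URL. URL.searchParams already decodes the
// query string once, so the result is a decoded code that normalizeAuthCode
// will leave alone.
function codeFromRedirect(redirectUrl) {
  const code = new URL(redirectUrl).searchParams.get('code');
  if (!code) throw new Error('redirect URL carries no authorization code');
  return code;
}

// Build the token request. Only fields that are actually supplied are added, and
// URLSearchParams.toString() performs the single encoding pass that the form body
// (application/x-www-form-urlencoded) requires.
function buildTokenRequest(config, code) {
  const params = new URLSearchParams();
  params.set('client_id', config.clientId);
  params.set('grant_type', 'authorization_code');
  params.set('code', normalizeAuthCode(code));
  params.set('redirect_uri', config.redirectUri);
  if (config.scope) params.set('scope', config.scope);
  if (config.codeVerifier) params.set('code_verifier', config.codeVerifier);   // PKCE
  if (config.clientSecret) params.set('client_secret', config.clientSecret);   // confidential client
  return {
    url: TOKEN_ENDPOINT,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Server-side redemption (Node 18+ global fetch). On failure the thrown error
// carries the server's error code and trace/correlation IDs, which is what
// Microsoft support asks for; the code itself and any tokens are never logged.
async function redeemCode(config, code) {
  const req = buildTokenRequest(config, code);
  const res = await fetch(req.url, { method: 'POST', headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok) {
    throw new Error(
      `${json.error} (${(json.error_codes || []).join(',')}): ` +
      `trace_id=${json.trace_id} correlation_id=${json.correlation_id}`
    );
  }
  return json; // { access_token, id_token?, refresh_token?, expires_in, ... }
}
```

Usage: `redeemCode({ clientId: 'CLIENT_ID_PLACEHOLDER', redirectUri: 'https://localhost/cb', scope: 'openid profile', codeVerifier: verifier }, codeFromRedirect(redirectUrl))`. The constructed sample codes in the test (strings containing `+`, `/` and `%` characters) are not real authorization codes; they only exercise the encoded, already-decoded and malformed paths.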