Azure-docs: Message: AADSTS50020: User account from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '2793995e-0a7d-40d7-bd35-6968ba142197'(My Apps) in that tenant.

Created on 14 Jun 2020  ·  15 Comments  ·  Source: MicrosoftDocs/azure-docs

Greetings,

I am facing this issue when testing the new experience for MyApps in the Azure Portal.

So when I try to log in to the portal using the classic UI, it works fine.
https://account.activedirectory.windowsazure.com/r#/applications

Here is a screenshot below to show you the successful login attempt.

Screenshot 2020-06-14 07 36 00

However, when I try to use the new experience MyApps portal

https://myapplications.microsoft.com/

it throws the following error:

Request Id: e3b964ed-44a5-4c32-a731-c8dc8b979b00 Correlation Id: 4d9e6ecb-4c6d-41c1-8ad6-28b8a39edb91 Timestamp: 2020-06-10T07:38:50Z Message: AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '2793995e-0a7d-40d7-bd35-6968ba142197'(My Apps) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Screenshot 2020-06-14 07 36 47

Note: When I tried using another user that was created in Azure, it works fine for both the new and classic UI.

Screenshot 2020-06-14 07 38 56

Can someone please explain what needs to be done to give the first user access to the new UI portal?

Note: I have this enabled for All Domains.

https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations

Screenshot 2020-06-14 08 08 51

Note: User Type:

User having the issue with the new UI:

Screenshot 2020-06-14 08 14 14

Users working fine with the new UI:

Screenshot 2020-06-14 08 16 21

Thank you!
Anas

Pri3 awaiting-product-team-response cxp needs-more-info product-question triaged

All 15 comments

@ansred please link the document that you are following so that we can better assist.

I'm having the same issue. It only occurs with guest users. When the guest user tries to access the myapps portal, you see the old UI appear for a second, then the guest user receives the "Pick an Account" screen again. When they pick the account, they receive: "Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application '2793995e-0a7d-40d7-bd35-6968ba142197' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

If they choose "Use another account", the error "AADSTS50020: User account '' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '2793995e-0a7d-40d7-bd35-6968ba142197'(My Apps) in that tenant. The account needs to be added as an external user in the tenant first" appears.

Hi @jacksiergiej

That sounds like exactly what I am facing. Have you figured out the steps/KB to use to get that user added as external in the tenant?

@MarileeTurscak-MSFT I am looking for a KB still to fix that issue as I asked above, please share one.

Thanks

@ansred I have not figured out the solution yet, but I have a ticket open with support. To me, it seems like a Microsoft backend issue that's out of our control. I can access the classic UI fine, as well as my app-proxied applications, both from the UI and the direct external URL.

This tells me that my guest user is fine. Once I click the "try it" button, I'm asked to pick my user again and then I receive the error.

The thing that is really bad is that all guest users seem to be automatically taken to the new experience UI during their invite process. This obviously causes the error and stops them in their tracks.

@jacksiergiej I totally agree with you and this is a big issue.

@MarileeTurscak-MSFT Please advise

@ansred I just got word from a contact at MS that this is a bug and should now be resolved. However, a new issue has arisen where you're MFA'd each time you access the new experience. For instance, just logging into the portal, you'll be MFA'd twice (once for classic, and then as it switches to the new experience, you'll be bounced out and MFA'd again). If you leave the new experience and return to the Classic UI and then click "Try It" to return to the new experience, you're bounced out again and MFA'd. This should not be happening.

"We had a bug introduced late last week which caused some B2B/guest accounts to not work correctly in the new My Apps. We fixed this bug on Monday (6/15), so users with guest accounts should now be able to click "Try it!" and access the new My Apps experience correctly."

@ansred I heard back from the MyApps product team and the double MFA prompt issue is now bug#2. According to the team "They put in a bug fix request for this and expect to have the double-prompt issue resolved by the end of next week."

@jacksiergiej that makes sense now, two bugs in one hit.
That is correct, user is configured with MFA.
Can you share the jira/bug #s for reference please.

Thanks

Hi @jacksiergiej , can you please share the bug? I've been trying to track down the right team for this.

I have reported this to my contacts as well! Will follow-up when I have a response.

@MarileeTurscak-MSFT Sounds like a plan. Thanks for your help too.

For now, I am only using the classic experience - https://account.activedirectory.windowsazure.com/

and not the new/modern https://myapplications.microsoft.com/

To avoid complaints from the users.

Looking forward to hearing from you soon.

@ansred how do you stop the classic UI from automatically switching to the new experience? I tried to use https://account.activedirectory.windowsazure.com/, but as soon as I login, the portal automatically switches to the new experience and the URL changes to https://myapplications.microsoft.com/.

It just works by going directly to either link mentioned. I am not sure if there is an option that is maybe forcing users on your end to use the modern UI?

I have reported this to my contacts as well! Will follow-up when I have a response.

Any updates on your side? I can confirm the issue still persists.

As a workaround for now, I am only using the classic experience - https://account.activedirectory.windowsazure.com

and not the new/modern https://myapplications.microsoft.com

cc @MarileeTurscak-MSFT

Since MSA users do not have a home tenant, they will need to use the tenanted version of the URL in order to log in to their correct guest tenant. The tenanted URL is https://myapplications.microsoft.com/?tenant=
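The two error shapes quoted in this thread (the portal's `Request Id / Correlation Id / Timestamp / Message` block from the first post and the account-picker "Selected user account does not exist in tenant ..." text from the second commenter) are easy to misread at a helpdesk: the tenant named in the message is the one the account was resolved in, not the one that invited the guest. The script below is an added example, not Microsoft's code and not posted by anyone in the thread. It parses either message into fields and builds the tenant-scoped My Apps URL from the last comment. The GUIDs are the ones shown on the page; the account address `guest@example.com`, the tenant value `contoso.onmicrosoft.com` and the function names are constructed placeholders, and it is an assumption that `?tenant=` accepts either a tenant GUID or a verified domain name (the thread only shows the parameter name).

```python
"""Triage helper for the AADSTS50020 / "does not exist in tenant" errors quoted
in this thread: parse the message into fields and build the tenant-scoped
My Apps URL from the last comment. Added example, not Microsoft's code."""
import re
from urllib.parse import urlencode

MYAPPS_BASE = "https://myapplications.microsoft.com/"
# Application id shown as "(My Apps)" in the error text on the page.
MYAPPS_APP_ID = "2793995e-0a7d-40d7-bd35-6968ba142197"

# Header labels that precede the message in the portal error text.
LABEL_RE = re.compile(r"\s*(Request Id|Correlation Id|Timestamp|Message):\s*")
# Both message shapes seen in the thread: the AADSTS50020 form with an account and
# identity provider, and the account-picker form ("Selected user account ...").
MESSAGE_RE = re.compile(
    r"(?:AADSTS(?P<code>\d+):\s*)?"
    r"(?:User account '(?P<user>[^']*)' from identity provider '(?P<idp>[^']+)'"
    r"|Selected user account)"
    r" does not exist in tenant '(?P<tenant>[^']+)'"
    r" and cannot access the application '(?P<app_id>[0-9a-fA-F-]{36})'"
)
# Assumption: ?tenant= accepts a tenant GUID or a verified domain name; the thread
# only shows the parameter name.
TENANT_RE = re.compile(
    r"^(?:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)$",
    re.I,
)

# Constructed sample modelled on the first post; the GUIDs are those on the page,
# the account address is made up (the original is redacted).
SAMPLE_PORTAL_ERROR = (
    "Request Id: e3b964ed-44a5-4c32-a731-c8dc8b979b00 "
    "Correlation Id: 4d9e6ecb-4c6d-41c1-8ad6-28b8a39edb91 "
    "Timestamp: 2020-06-10T07:38:50Z "
    "Message: AADSTS50020: User account 'guest@example.com' from identity provider "
    "'live.com' does not exist in tenant 'Microsoft Services' and cannot access the "
    "application '2793995e-0a7d-40d7-bd35-6968ba142197'(My Apps) in that tenant. "
    "The account needs to be added as an external user in the tenant first."
)
# Constructed sample of the account-picker variant quoted by the second commenter.
SAMPLE_PICKER_ERROR = (
    "Selected user account does not exist in tenant 'Microsoft Services' and cannot "
    "access the application '2793995e-0a7d-40d7-bd35-6968ba142197' in that tenant. "
    "The account needs to be added as an external user in the tenant first."
)


def parse_aadsts_error(text):
    """Split the error text into header fields plus the structured message parts."""
    parsed = {}
    parts = LABEL_RE.split(text.strip())
    if len(parts) == 1:  # bare message, no Request Id / Correlation Id header
        parsed["message"] = parts[0]
    else:  # parts[0] is any prefix; then alternating label, value
        it = iter(parts[1:])
        for label, value in zip(it, it):
            parsed[label.lower().replace(" ", "_")] = value.strip()
    m = MESSAGE_RE.search(parsed.get("message", ""))
    if m:
        parsed["error_code"] = f"AADSTS{m.group('code')}" if m.group("code") else None
        parsed["user"] = m.group("user") or None      # '' in one quoted message
        parsed["identity_provider"] = m.group("idp")   # None for the picker form
        parsed["tenant"] = m.group("tenant")
        parsed["app_id"] = m.group("app_id").lower()
    return parsed


def tenanted_myapps_url(tenant):
    """Build the tenant-scoped URL from the last comment: .../?tenant=<tenant>."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"not a tenant id or domain: {tenant!r}")
    return MYAPPS_BASE + "?" + urlencode({"tenant": tenant})


def recommend(parsed, guest_tenant):
    """Return the fix the thread converged on, or None if this is a different error.
    'live.com' as identity provider marks a personal Microsoft account (MSA), which
    the last comment says has no home tenant and so must be sent to the guest tenant."""
    if parsed.get("app_id") != MYAPPS_APP_ID or "tenant" not in parsed:
        return None
    return {
        "resolved_in": parsed["tenant"],
        "msa_account": parsed.get("identity_provider") == "live.com",
        "retry_url": tenanted_myapps_url(guest_tenant),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PORTAL_ERROR, SAMPLE_PICKER_ERROR):
        info = parse_aadsts_error(sample)
        # "contoso.onmicrosoft.com" is a placeholder for the inviting tenant.
        print(info.get("error_code"), recommend(info, "contoso.onmicrosoft.com"))
```

The `request_id` and `correlation_id` fields are what a support case or a sign-in log search needs, so the parser keeps them alongside the structured message parts; `recommend` deliberately returns `None` for any error that does not name the My Apps application, so the helper is not mistaken for a general AADSTS decoder.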
