When using Azure AD authentication for your applications the user may receive the following error if they try to open your application when they are already signed in with a Microsoft account in a different tenant. As there is no 'logout' button on the page, it leaves the user unable to proceed.
Sign In
Sorry, but we’re having trouble signing you in.
We received a bad request.
AADSTS50020: User account 'xxx@xxx.com' from external identity provider 'live.com' is not supported for application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
This issue can be resolved by specifying the 'domain_hint' parameter which tells Azure AD which domain the user account should be from. This will prevent the error page from showing if the user is logged in with a account from a different domain, also it will filter the list of accounts that have been remembered so the user will only be prompted to select ones ending with the domain that you have specified.
It is possible to configure this from both the client and server side, from the client '&domain_hint=foo.com' should be appended to the login.microsoftonline.com url.
If you are using adal-angular.js for your login you can specify the domain hint parameter by including it in the init method
adalProvider.init( { instance: auth.instance, tenant: auth.tenant, clientId: auth.clientId, endpoints: auth.endpoints, redirectUri: window.location.origin + '/login', postLogoutRedirectUri: window.location.origin, extraQueryParameter: 'domain_hint=foo.com', }, $httpProvider );
Other methods of including the domain hint are specified in this post:
