Question by Yongjin-4073

Azure AD 404 error when logging in with Microsoft account

I created a Cognito user pool and an Azure AD B2C application. I connected Azure AD B2C to Cognito as an OpenID Connect identity provider.

I am able to login successfully with an authorized user configured under my Azure AD. And if I log in with another Azure account from another directory, the page shows a proper message telling me my account does not belong to the Azure AD.

However, if I log in with my Microsoft account, I get a 404 error message as below. This issue looks like an Azure issue. Can anyone help me troubleshoot this?


9709-404.png


Instead, I was expecting a message like below

9872-proper-message.png



azure-ad-b2cazure-ad-authentication
404.png (334.3 KiB)
proper-message.png (235.1 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

Answer by amanpreetsingh-msft

Hi @Yongjin-4073


This is not an Azure error, as the error is returned by login.live.com and not by login.microsoftonline.com. If you want to allow signup/signin with Microsoft Account, you would need to add Microsoft Accounts (MSA) IDP to Cognito. You can reference https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account or check if there is any Cognito documentation available to add MSA as IDP.




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @amanpreetsingh-msft,


Thanks for hopping in to help. I believe I am able to log in with an MSA. The goal I am trying to achieve here is to prevent people from signing in with their MSA, while giving them a proper message. I have updated my description above: I am expecting to get a proper message like the second screenshot, instead of the error message in the first screenshot.


One thing to point out is that if I try to log in with another Azure AD account (that hasn't been assigned to my app), I get the proper message. But if I try to log in with an MSA, I don't get the proper message. So there is an inconsistency.


Comment by amanpreetsingh-msft:

@Yongjin-4073 Since MSAs are federated with Azure AD, you get redirected to login.live.com based on the UPN suffix, which is expected. Now the AADSTS errors are thrown by Azure AD only and not by MSA endpoints. You cannot get AADSTS50020 from Login.live.com.

Comment by Yongjin-4073:

@amanpreetsingh-msft, AADSTS50020 is what I expected. But currently what happens is that I get the error in the first screenshot instead of AADSTS50020, which is not expected, is it?


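The answer and the follow-up comment turn on one triage question: which endpoint actually produced the failure page. Azure AD (login.microsoftonline.com) is the only issuer of AADSTS codes such as AADSTS50020; the Microsoft Account service at login.live.com never emits them, so a failure seen there points at MSA federation rather than at the Azure AD B2C tenant. The following helper is an added example, not code from the thread, Microsoft or AWS; it classifies a sign-in failure from the URL at which it was observed (the hostname plus any error_description in the query string) so that a reviewer of sign-in logs can separate Azure AD errors from MSA ones before changing IdP configuration. The sample URLs are constructed for the example and are not the asker's screenshots.

```python
"""Triage a failed Microsoft sign-in: did Azure AD or the MSA service produce it?

Added example for the thread above; the sample URLs below are constructed, not
taken from the reporter's screenshots.
"""
import re
from urllib.parse import parse_qs, urlparse

# Azure AD issues AADSTS* error codes; the Microsoft Account (MSA) service does not.
AAD_HOST = "login.microsoftonline.com"
MSA_HOST = "login.live.com"
AADSTS_RE = re.compile(r"AADSTS(\d+)")

NOTES = {
    "azure_ad": "Issued by Azure AD; read the AADSTS code (e.g. 50020 = account "
                "from another identity provider is not in this tenant).",
    "msa": "Issued by the MSA service (login.live.com); no AADSTS code can appear "
           "here. MSA sign-in needs its own IdP in Cognito, or must be rejected "
           "by the app before the redirect, rather than by the Azure AD tenant.",
    "unknown": "Host is neither Azure AD nor MSA and no AADSTS code is present.",
}


def _host_matches(host: str, expected: str) -> bool:
    """True if host is expected or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def classify_signin_failure(url: str) -> dict:
    """Return {"origin", "aadsts", "host", "note"} for the URL where a sign-in failed.

    origin is "azure_ad", "msa" or "unknown". An AADSTS code found in the
    error_description of a callback URL counts as Azure AD even when the
    callback host is the application's own.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    text = " ".join(query.get("error_description", []) + query.get("error", []))
    match = AADSTS_RE.search(text)
    code = match.group(1) if match else None

    if _host_matches(host, MSA_HOST):
        origin = "msa"
    elif _host_matches(host, AAD_HOST) or code is not None:
        origin = "azure_ad"
    else:
        origin = "unknown"

    return {"origin": origin, "aadsts": code, "host": host, "note": NOTES[origin]}


def triage(urls) -> list:
    """Classify a batch of observed failure URLs (e.g. pulled from a sign-in log)."""
    return [classify_signin_failure(u) for u in urls]


# Constructed samples: an MSA redirect, an Azure AD error page, and an OIDC
# callback carrying an AADSTS50020 error_description.
SAMPLE_URLS = [
    "https://login.live.com/oauth20_authorize.srf?client_id=00000000-0000-0000-0000-000000000000",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x&response_type=code",
    "https://app.example/oidc/callback?error=access_denied"
    "&error_description=AADSTS50020%3A+User+account+from+identity+provider+does+not+exist+in+tenant",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_URLS):
        print(f"{result['host']:<30} {result['origin']:<9} AADSTS={result['aadsts']}")
        print(f"    {result['note']}")
```

Run against the constructed samples, the first URL is classified as msa with no code, the second as azure_ad with no code, and the third as azure_ad with code 50020. In practice the "host" to feed in is whichever URL the browser shows when the error renders, which is exactly the distinction the answer draws between the two screenshots.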