I have an internal tenant A where I have internal resources (web api, functions, database, admin website etc).
Recently I created an external tenant B with Microsoft Entra External ID for customers. There I have registered a SPA app where external customers can register and log in with an email and a code sent to their email. I use MSAL with the config:
const msalConfig = {
  auth: {
    clientId: "xxxx", // SPA app registration in external tenant B
    authority: "https://xxxx.ciamlogin.com", // Entra External ID (CIAM) authority
    redirectUri: "/dashboard",
    postLogoutRedirectUri: "/",
    navigateToLoginRequestUrl: false,
  },
};
Login works fine for all types of accounts on the external customer website, but when I try to get an access token with acquireTokenSilent to get data from my web API in the internal tenant I get AADSTS500207: The account type can't be used for the resource you're trying to access.
If I change the authority in the MSAL config to https://login.microsoftonline.com/organizations/v2.0 I get a working access token with the right scope, but then I can only log in to the external customer website with my work account, which is not what I want. I have also tried https://login.microsoftonline.com/common/v2.0 but cannot log in with personal or other accounts there either.
I have set "signInAudience" to "AzureADandPersonalMicrosoftAccount" on both app registrations in tenant A and B. I have also added the API permission, which works correctly when I set the authority to https://login.microsoftonline.com/organizations/v2.0.
I have searched the documentation and tried all sorts of possible solutions, but nothing works. Is it possible to give external customer accounts access to the web API in my internal tenant?
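When comparing the token you get from the ciamlogin.com authority with the one from the organizations authority, the first thing to check is which tenant issued each token (iss, tid) and which resource it is for (aud, scp), since the API in tenant A will only accept a token whose issuer and audience it trusts. The following is an added diagnostic example, not code from the original post or from MSAL: it decodes the payload of an access token without verifying the signature (so it is only a debugging aid, not a validation routine) and compares the tenant and audience against the values the API expects. The token, tenant ID and app ID below are constructed sample values, and the claim names are the standard Microsoft identity platform v2.0 claims.

```javascript
// Added diagnostic example (not from the original post). Decodes a JWT payload
// to see which tenant issued an access token and which resource it targets.
// No signature check is done here; use it for debugging only.

// Base64url -> UTF-8 string (Node). In a browser, replace Buffer with atob on `padded`.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// UTF-8 string -> base64url, used only to build the constructed sample token.
function base64UrlEncode(str) {
  return Buffer.from(str, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Split a compact JWT and parse its payload (second segment) as JSON.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a JWT: expected 3 dot-separated segments");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise the claims that matter when an API in another tenant rejects the token.
function describeToken(token) {
  const claims = decodeJwtPayload(token);
  return {
    issuer: claims.iss,        // authority that issued the token
    tenantId: claims.tid,      // tenant the token was issued in
    audience: claims.aud,      // resource (API) the token is for
    scopes: typeof claims.scp === "string" ? claims.scp.split(" ") : [],
  };
}

// True only if the token comes from the tenant the API trusts and names the API as audience.
function tokenFitsApi(token, expectedTenantId, expectedAudience) {
  const d = describeToken(token);
  return d.tenantId === expectedTenantId && d.audience === expectedAudience;
}

// Build a constructed, unsigned sample token (signature segment is a placeholder).
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

// Constructed sample values: hypothetical tenant and app IDs, not real ones.
const TENANT_A = "11111111-1111-1111-1111-111111111111";   // internal tenant A (assumed)
const API_APP_ID = "22222222-2222-2222-2222-222222222222"; // web API app registration in A (assumed)
const SAMPLE_TOKEN = makeSampleToken({
  iss: `https://login.microsoftonline.com/${TENANT_A}/v2.0`,
  tid: TENANT_A,
  aud: API_APP_ID,
  scp: "access_as_user",
  exp: 1700000000,
});

// Typical use after MSAL returns: describeToken(result.accessToken)
const SAMPLE_SUMMARY = describeToken(SAMPLE_TOKEN);
```

Run describeToken on the accessToken MSAL returns under each authority and compare the two summaries: a token whose tid is not tenant A's ID, or whose aud is not the API's app ID, will not be accepted by the API in tenant A no matter which scope was requested.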