This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 47%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
I have an internal tenant A where I have internal resources (web api, functions, database, admin website etc).
Recently I created an external tenant B with Microsoft Entra External id for customers. There I have registered a SPA app where external customers can register and login with email and a code sent to their email. I use msal with the config:
auth: {
clientId: "xxxx",
authority: "https://xxxx.ciamlogin.com",
redirectUri: "/dashboard",
postLogoutRedirectUri: "/",
navigateToLoginRequestUrl: false,
},
Login works fine for all types of accounts on the external customer website but when I try to get an access token with aquireTokenSilent to get data from my web api in the internal tenant I get AADSTS500207: The account type can't be used for the resource you're trying to access.
If I change the authority in the msal config to https://login.microsoftonline.com/organizations/v2.0 I get a working access token with the right scope but then I can only login to the external customer website with my work account which is not what I want. I have also tried https://login.microsoftonline.com/common/v2.0 but cannot login with personal or other accounts there either.
I have set "signInAudience" to "AzureADandPersonalMicrosoftAccount" both the app registrations in tenant A and B. I have also added api permission which works correctly when I set authority to https://login.microsoftonline.com/organizations/v2.0
I have searched in the documentation and tried all sorts of possible solutions but nothing works. Is it possible to give external customer accounts access to the web api in my internal tenant?
Thank you for posting your query on Microsoft Q&A, currently I am reviewing this issue and will get back to you with further inputs.
Thanks,
Akshay Kaushik
Thanks for your time and patience on this. I was able to validate the behavior with my resources and got to know that as of today accessing API of workforce tenant from external tenant (CIAM User) is not supported.
However considering the feature to be new, we are open for feedback and request you to post this as an idea on our feedback forum so that it could be visible to the service engineering team.
Let me know once this is posted with the link so that I could vote for it and notify the team to have a look.
If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Ok, I am surprised and disappointed to hear that. Really don't understand the developer value of external id for customers if I can't access resources (api, database etc) in my internal tenant. It’s not even on a roadmap to fix?
So what is my best option if I want to keep the infrastructure within Azure and make sure external users can login with email and code?
Really don't understand the developer value of external id for customers if I can't access resources (api, database etc) in my internal tenant. It’s not even on a roadmap to fix?
As this is a feature in development, we are open for feedback and request you to post this as an idea on our feedback forum so that it could be visible to the service engineering team. also I would notify the team and could follow-up on the updates.
Apart from this, you may use External ID in Workforce tenants i.e., B2B collaboration. This would be same as External ID in External tenants (CIAM) but the users will be hosted in the same production tenant as guest users.
Thanks,
Akshay Kaushik
Please do let me know if you have any queries in the comments section. If you don't have any further queries and my suggestion answers your business query, please "Accept the answer". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Ok thanks, I posted this as an idea https://feedback.azure.com/d365community/idea/a02a5bb4-4b13-ef11-9899-6045bd824b24
I'll go with B2B collaboration for now. Main disadvantage with that path seems to be that there is no way to brand the sign in experience and the code email :( Confusing and not very user friendly for a new external customers.
Thank you following the suggestion and posting the idea. I have upvoted for it. Would recommend you to share more details in the idea. Here are few key points:
Thank you,
Akshay Kaushik