AADSTS500208 Error when user tries to login, I am using Microsoft Entra ID (Azure AD) with MSAL authentication for my web application.

Question

AADSTS500208 Error when user tries to login, I am using Microsoft Entra ID (Azure AD) with MSAL authentication for my web application.

Rishav Mahajan 0

I am using Microsoft Entra ID (Azure AD) with MSAL authentication for my web application.

Setup

I registered an application with Supported account types set to: All Microsoft account users.
I am using a CIAM authority ({tenant}.ciamlogin.com).
Required API permissions are configured.
Users are invited via Microsoft Graph API, and then they authenticate through MSAL and access my application.

Expected Behavior

After being invited, users should be able to log in successfully using MSAL.

Current Issues

1. Personal Microsoft Accounts Not Logging In

When I invite organizational users, they can log in without issues.
However, when I invite personal Microsoft accounts (e.g., Outlook, Hotmail) as guest users, they are unable to log in.

To handle this, I tried identifying the account type using the following endpoint:

POST https://login.microsoftonline.com/common/GetCredentialType

Based on the response:

If IfExistsResult is 0 or 6, I invite the user as a guest.
Otherwise, I create a local account in my tenant and send them a temporary password.

This approach worked for some time.

2. AADSTS500208 Error for Organizational User

I encountered a case where:
- The API indicated the user should be invited as a guest.
  - The user accepted the invitation.
    - But when trying to log in, they receive the error: AADSTS500208.

Questions

Why are personal Microsoft accounts failing to log in when invited as guests?
Is using the GetCredentialType endpoint a reliable way to determine how to onboard users?
What could be causing the AADSTS500208 error for an organizational account that was invited as a guest?
Am I missing any configuration in Microsoft Entra ID, MSAL setup, or CIAM authority that could resolve these issues?
Is there a recommended or official approach to handle mixed account types (personal + organizational) in this scenario?I am using Microsoft Entra ID (Azure AD) with MSAL authentication for my web application.
Setup

I registered an application with Supported account types set to: All Microsoft account users.
I am using a CIAM authority ({tenant}.ciamlogin.com).
Required API permissions are configured.
Users are invited via Microsoft Graph API, and then they authenticate through MSAL and access my application.
Expected Behavior
After being invited, users should be able to log in successfully using MSAL.
Current Issues

1. Personal Microsoft Accounts Not Logging In
When I invite organizational users, they can log in without issues.
However, when I invite personal Microsoft accounts (e.g., Outlook, Hotmail) as guest users, they are unable to log in. To handle this, I tried identifying the account type using the following endpoint:
```
   POST https://login.microsoftonline.com/common/GetCredentialType
```
```
Based on the response:
```
- If IfExistsResult is 0 or 6, I invite the user as a guest.
Otherwise, I create a local account in my tenant and send them a temporary password.
```
This approach worked for some time.

### 2. AADSTS500208 Error for Organizational User
```
- I encountered a case where:
The API indicated the user should be invited as a guest.
The user accepted the invitation.
But when trying to log in, they receive the error: AADSTS500208.
Questions
1. Why are personal Microsoft accounts failing to log in when invited as guests?
2. Is using the GetCredentialType endpoint a reliable way to determine how to onboard users?
3. What could be causing the AADSTS500208 error for an organizational account that was invited as a guest?
4. Am I missing any configuration in Microsoft Entra ID, MSAL setup, or CIAM authority that could resolve these issues?
5. Is there a recommended or official approach to handle mixed account types (personal + organizational) in this scenario?

VEMULA SRISAI 12,615 Reputation points Microsoft External Staff Moderator

2026-05-04T12:47:54.6166667+00:00
Hello Rishav Mahajan,

Based on your description, the issues you’re seeing are mainly due to mixing B2B guest invitation flows with a CIAM (External ID) sign‑in authority, which is not a supported or reliable design.

Why personal Microsoft accounts fail when invited as guests

Personal Microsoft accounts (Outlook/Hotmail/Live) can sign in as B2B guests when using the standard B2B collaboration model. However, when you authenticate those invited users through a CIAM authority ({tenant}.ciamlogin.com), the sign‑in flow expects a customer identity, not a B2B guest identity. Because of this mismatch, personal Microsoft accounts that redeemed an invitation are not able to complete sign‑in, even though the guest object exists in the tenant.

In short: B2B guest identities are not guaranteed to work with CIAM customer sign‑in flows.

Is GetCredentialType a reliable way to decide onboarding?

No. The GetCredentialType endpoint is not documented as an onboarding decision API and should not be used to determine whether a user should be invited as a guest or created as a local account.

This approach is fragile because:

The result does not guarantee how the user will actually authenticate.

The identity used during invitation redemption may differ from what GetCredentialType inferred.

Microsoft does not recommend mixing B2B invitations and local account creation dynamically based on this endpoint.

Recommendation: Decide onboarding based on your application scenario, not on account probing.

Cause of AADSTS500208 for an invited organizational user

AADSTS500208 typically occurs when:

A B2B guest user is trying to sign in using an authority or flow that doesn’t support their identity type (for example, CIAM customer flows).

There is a cross‑tenant access restriction or external collaboration policy blocking sign‑in for that specific organization.

The invitation was redeemed, but the user later tried to sign in with a different account (different home tenant or different identity than the one used during redemption).

This explains why it may happen for one organizational user while others continue to work.

Are you missing any configuration?

There may not be a single missing toggle. The core issue is architecture alignment:

CIAM / External tenant (ciamlogin.com) → Intended for customer identities using sign‑up/sign‑in flows.

B2B collaboration → Intended for guest users authenticating with their home Microsoft Entra ID or Microsoft account using standard tenant authorities.

Mixing these two models in the same sign‑in path leads to the exact failures you are observing.

Recommended and supported approach for mixed account types

You need to choose one primary model per application:

Option A – Customer / CIAM application (recommended for external tenants)

Use the external tenant as a CIAM tenant.

Onboard users through customer sign‑up/sign‑in flows (local accounts, email OTP, or configured identity providers).

Do not invite users as B2B guests for app access.

Option B – Partner / B2B collaboration application

Use B2B invitations only.

Allow users to sign in with their home organizational account or personal Microsoft account.

Use the standard Microsoft Entra tenant authority, and ensure cross‑tenant access settings allow collaboration.

Final recommendation

If your application is truly a CIAM/customer app, move fully to External ID customer onboarding and stop using guest invitations and GetCredentialType. If your application is meant for partner or external organizational access, use B2B guest collaboration only and avoid CIAM authorities for sign‑in.

This architectural correction should resolve both the personal Microsoft account sign‑in failures and the AADSTS500208 errors you’re encountering.

1 answer

Your answer

Answer 1

Reason personal Microsoft accounts fail as guests

For mixed account types, the sign‑in endpoint and app’s supported account type must match the account being used:

If the app registration is effectively single‑tenant or tied to a specific tenant endpoint like https://login.microsoftonline.com/<YourTenantNameOrID>, external users (including personal Microsoft accounts) cannot sign in directly and must exist as guests in that tenant.
For personal Microsoft accounts to sign in as guests, the app must be configured to support them and the correct “common/consumers/organizations” endpoints must be used.

If the wrong endpoint is used for the account type, Entra ID will reject the sign‑in. This is the same pattern as described for AADSTS50020 when the endpoint does not match the supported account types. For example, using a tenant‑specific authority instead of organizations, common, or consumers for an app that should accept personal accounts.

Reliability of GetCredentialType for onboarding decisions

GetCredentialType is not the supported mechanism for deciding how to onboard users (guest vs local account). It is an internal credential‑discovery endpoint and not documented as an official decision point for B2B/B2C/CIAM onboarding logic.

The supported way to control who can sign in is:

Configure the app registration’s signInAudience (supported account types) correctly.
Use the correct sign‑in authority URL in MSAL that matches that audience (for example organizations, common, or consumers as appropriate).
For B2B guests, ensure the user exists as a guest in the tenant and that cross‑tenant access settings allow the sign‑in.

Cause of AADSTS500208 for an invited organizational guest

From the External ID federation FAQ:

AADSTS500208: The domain is not a valid login domain for the account type means sign‑in failed because the account type isn’t permitted to use the login URL or tenant being accessed. The fix is to verify that the correct sign‑in endpoint is being used and that the account has access to the target tenant.

Applied to the described scenario:

The user is an organizational account invited as a guest.
The app or MSAL is likely using an authority URL that does not match the account type or tenant context (for example, a CIAM authority or tenant‑specific authority that does not accept that domain/account type for that app configuration).
This mismatch between:
- app’s signInAudience,
- the authority URL used in MSAL, and
- the user’s account type/domain
leads to AADSTS500208.

Configuration gaps in Entra ID / MSAL / CIAM authority

Based on the documented patterns, typical configuration issues that cause these symptoms are:

signInAudience not aligned with actual usage
- If the app is effectively single‑tenant, external users cannot sign in. The fix in the general case is to ensure signInAudience is one of:
  - AzureADandPersonalMicrosoftAccount
  - AzureADMultipleOrgs
  - PersonalMicrosoftAccount
- If it is not, the app registration must be recreated with the correct supported account type.
Wrong authority URL for the account type
- For multitenant organizational accounts: use https://login.microsoftonline.com/organizations.
- For multitenant + personal accounts: use https://login.microsoftonline.com/common.
- For personal accounts only: use https://login.microsoftonline.com/consumers.
- Using a tenant‑specific authority (…/<tenantId>) when expecting external org or personal accounts will block those accounts and can surface as AADSTS50020/500208.
External ID / federation configuration
- When using External ID federation (for example, adding another Entra tenant as an OIDC IdP), if the issuer URI or discovery endpoints are misconfigured, the IdP will not appear or tokens will be rejected.
- Error 40015 is raised when the external IdP configuration or returned tokens cannot be validated (issuer mismatch, wrong endpoints, missing required claims like subject or email).

Recommended approach for mixed personal + organizational accounts

The documented, supported patterns for mixed account types are:

Use an app registration whose signInAudience supports the desired mix:
- AzureADandPersonalMicrosoftAccount for both organizational and personal Microsoft accounts.
Use the corresponding sign‑in URL in MSAL:
- For multitenant + personal accounts: https://login.microsoftonline.com/common.
For B2B guests (organizational accounts from other tenants):
- Invite them as guests in the resource tenant.
- Ensure cross‑tenant access settings allow invitations and sign‑ins.
For External ID federation with Entra ID as an OIDC IdP:
- Ensure issuer URI, discovery endpoint, redirect URIs, and scopes are correctly configured.
- Add the IdP to the user flow, not just to the tenant.

In this model there is no need to call GetCredentialType to decide guest vs local account. Instead, rely on:

Correct app registration audience (signInAudience).
Correct authority URL (organizations/common/consumers) in MSAL.
Standard B2B guest invitations and External ID configuration.

Aligning the app’s supported account types with the correct authority URL and ensuring guests are properly provisioned in the tenant is the supported way to handle mixed personal and organizational Microsoft accounts and will prevent AADSTS500208 and related sign‑in errors.

References:

Share via

AADSTS500208 Error when user tries to login, I am using Microsoft Entra ID (Azure AD) with MSAL authentication for my web application.

Setup

Expected Behavior

Current Issues

1. Personal Microsoft Accounts Not Logging In

2. AADSTS500208 Error for Organizational User

Questions

Setup

Expected Behavior

Current Issues

1. Personal Microsoft Accounts Not Logging In

Questions

1 answer

Your answer