AADSTS50034: To log into this application, an account must be added to the <GUID> directory
The situation arises when getting a list of the user's tenants. When the user logs on to a directory where he is a member, no exception is thrown. Otherwise it is thrown, even though this user is assigned to that directory as a Guest.
Exception: {
"error":"invalid_grant",
"error_description":"AADSTS50034: To sign into this application the account must be added to the GUID directory.\r\nTrace ID: GUID\r\nCorrelation ID: GUID\r\nTimestamp: 2017-08-03 14:32:32Z",
"error_codes":[50034],
"timestamp":"2017-08-03 14:32:32Z",
"trace_id":"GUID",
"correlation_id":"GUID"
}
The stack points to AcquireTokenSilentAsync.
Ok, so I was very curious about what was wrong - and it was actually a mistake I made in the sample (I didn't even notice from the Fiddler logs, what a shame). The problem was that I was using the common endpoint everywhere, for the token cache and for fetching new tokens. This is similar to working with a Microsoft account, but not for B2B users. I updated the sample code to include fixes for the permissions URL to always accept the tenant ID instead of the shared namespace, which really shouldn't be used anyway. Read more on this on the Vittorio blog.
If you have not developed a multi-tenant application, the user must register with that tenant to receive a token from Azure AD.
And if you were developing a multi-tenant application, we have to replace the common tenant in the authorization / token request (see this link).
Update
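Both answers come down to the same fix: for a B2B guest user, ADAL must be pointed at the tenant-specific authority (login.microsoftonline.com/{tenantId}) rather than /common, for the silent cache lookup as well as for the interactive request. The following is an added example, not code from the question, the answers or the sample they refer to. It assumes ADAL .NET 3.x (Microsoft.IdentityModel.Clients.ActiveDirectory) on desktop .NET; the helper names TenantTokenAcquirer, AuthorityFor and AcquireForTenantAsync are hypothetical, and the caller is assumed to already hold the user's object ID and the list of tenant IDs it wants tokens for.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical helper (added example): acquires tokens per tenant instead of via /common.
public static class TenantTokenAcquirer
{
    private const string LoginHost = "https://login.microsoftonline.com/";

    // Builds a tenant-specific authority. A B2B guest's home-tenant token (and the
    // /common cache entry) is not valid in the directory that hosts the guest account,
    // so "common" is rejected here rather than silently accepted.
    public static string AuthorityFor(string tenantId)
    {
        if (string.IsNullOrWhiteSpace(tenantId) ||
            tenantId.Equals("common", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException(
                "A concrete tenant ID (GUID or verified domain) is required; /common cannot be used for B2B guests",
                nameof(tenantId));
        }
        return LoginHost + tenantId;
    }

    // Gets a token for `resource` in tenant `tenantId` for the already signed-in user.
    // The AuthenticationContext is created with the tenant authority, so both the
    // cache lookup in AcquireTokenSilentAsync and any interactive fallback are scoped
    // to that directory. Sharing one TokenCache across tenants is fine: ADAL keys
    // cache entries by authority, so entries from different tenants do not collide.
    public static async Task<AuthenticationResult> AcquireForTenantAsync(
        string tenantId,
        string resource,
        string clientId,
        Uri redirectUri,
        string userObjectId,
        TokenCache cache)
    {
        var ctx = new AuthenticationContext(AuthorityFor(tenantId), cache);
        var user = new UserIdentifier(userObjectId, UserIdentifierType.UniqueId);

        try
        {
            // Silent first: succeeds when a token for this user in this tenant is cached.
            return await ctx.AcquireTokenSilentAsync(resource, clientId, user);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // No usable cached token for this tenant (first visit, or it expired without a
            // refresh token): fall back to an interactive request against the same tenant.
            return await ctx.AcquireTokenAsync(
                resource, clientId, redirectUri,
                new PlatformParameters(PromptBehavior.Auto), user);
        }
    }
}
```

Usage: after listing the user's tenants, call AcquireForTenantAsync once per tenant ID with the same TokenCache; the AADSTS50034 error in the question is what you see when the silent call is made through /common for a tenant where the user is only a guest, and scoping the context to the tenant is what removes it.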