🚨 Azure Entra External Login Issue (Post–July 25, 2025) — FAQ & Fix Guide

Published: July 25, 2025, for all the devs at copy-paste consultancies who find themselves working ER "site down" situations on July 26, 2025

Tags: Azure AD, Microsoft Entra, SignInAudience, AADSTS50020, External Tenant Access, OAuth2, Azure App Registration, Multitenant, JWT, Token Validation

⚠️ TL;DR — What Just Broke?

If your Azure-based app stopped accepting logins from external users or service principals after July 25, 2025, it’s because of a Microsoft Entra policy change affecting multitenant apps.

Apps previously marked (or defaulted) as multitenant now require explicit reconfiguration to allow access from external tenants.

🔍 Most Common Errors You’ll See

• AADSTS50020: User account from identity provider does not exist in tenant
• Access token request fails: access_denied, invalid_client, or invalid_grant
• Graph API or custom API errors: 403 Forbidden, 401 Unauthorized, or invalid audience

❓ Why Did This Happen?

Microsoft changed the rules around app registration sign-in audiences (signInAudience). Specifically:

• Apps marked as AzureADMyOrg (single-tenant) will no longer issue tokens to identities from external tenants
• Entra used to allow this under many scenarios (Office365 login, delegated Graph access, etc.)
• Now, unless explicitly marked AzureADMultipleOrgs, apps will be strictly tenant-bound

🧠 How Do I Know If My App Is Affected?

Run this PowerShell command:

Get-AzADApplication -DisplayName "YourAppName" | Select DisplayName, SignInAudience

If the result shows SignInAudience = AzureADMyOrg and you rely on external users or service principals, then you are affected.

But my Powershell ISE is stuck in a 2FA loop, refusing to accept my code

Even though Powershell ISE currently appears in Visual Studio Installer for Azure Powershell, ISE is deprecated and does not work with 2FA. You need to use normal (not ISE) Powershell. Try "Connect-AzAccount". If that doesn't work in regular Powershell, you need to add the "Az" module.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force -AllowClobber

Beware that most Powershell Azure FAQs will tell you to authenticate as if you have only one Azure tenant. For those with more than one tenant in the subscription to which you attach (your) Powershell (machine code) during Azure authentication, you'll need to specify which tenant Id you want. Otherwise correct authentication via the web will still fail in your Powershell window.

🔐 What Is signInAudience?

💥 Real-World Symptoms

• Office 365 users can’t log in anymore
• External service principals fail token requests
• Graph or custom API calls return 403 or 401
• You received a Microsoft email:

  “External service principals are actively obtaining tokens for your app”

✅ How to Fix It

Option 1: Make Your App Multitenant

1. Go to Azure Portal → Entra ID → App registrations
2. Click your app
3. Click Authentication
4. Under Supported account types, select:

   ✔ Accounts in any organizational directory (Any Azure AD directory - Multitenant)

5. Click Save

Option 2: Keep It Single-Tenant + Validate in Code

1. Keep signInAudience = AzureADMyOrg
2. Add AddAuthentication().AddJwtBearer() to validate tokens
3. Restrict allowed tenant IDs by checking the tid claim

Example (ASP.NET Core):

options.Events = new JwtBearerEvents
{
    OnTokenValidated = context =>
    {
        var tid = context.Principal.FindFirst("tid")?.Value;
        if (tid != "your-tenant-guid")
            throw new SecurityTokenValidationException("External tenants not allowed.");
        return Task.CompletedTask;
    }
};
  

🔍 How to Inspect Incoming Tokens

• https://jwt.ms — decode tokens online
• Use User.Claims in middleware or controllers to log tid, appid, aud
• Enable Graph SDK logging for insight into failures

🧠 How You Could Have Prevented Your Site Getting Broken By Microsoft Fixing Their Entra Security Defect

• Explicitly set signInAudience on all apps
• Validate tenant ID (`tid`) in JWTs
• Use allowlists or Conditional Access if needed
• Regularly audit app registrations and external SP usage (behind Azure P1/P2 Paywall)
• Best idea: Hire Marietta.AI. We're in Marietta, GA, USA and normally focus on our local community, but we do also take remote jobs.

My Azure/Entra service identity's e-mail account, the account to which Microsoft sent me an April 2025 warning about this July 25 change, it keeps exploding when I try to log in

• Yeah. Microsoft allowed service identity accounts to be Outlook e-mail accounts. They sent the breaking-change warning notfication to these accounts. And now these accounts, accounts that are Azure service prinicpals, no longer work as Outlook.com e-mail accounts. You cannot currently re-read the warning e-mail to see what Microsoft suggested. Brilliant! Luckily, better suggestions are here and don't try to steer you toward paywalled Azure/Entra tools you probably don't already subscribe to.
• Is this some sort of cloud based extortion by Microsoft Azure/Entra? Extortion is a very strong word, so I won't say that. I will say "this whole situtation could have handled better (than its likely to be inferred dependency on Azure/Entra paywalled audit data)." IMO Microsoft probably didn't want to come out and admit they seriously messed up Azure's single tenancy OAuth security paradigm, so the e-mail they sent about the fixing their own stuff "after July 25, 2025" was rather vague and kind of implies you did something wrong in Azure. You didn't do anything wrong with your single tenant setup other than trusting that Azure handled it for you, having used the Azure portal to set your Azure app for single tenancy. Microsoft knew something you didn't know about single tenancy, and they did not tell you about it when you set up your single tenant app, expecting it to behave predictably as a single tenant app should behave (ie singularly!)

But but but ... The April 2025 notification e-mail from Microsoft Azure/Entra claimed that only service principals are affected by the change

Why I had flipped my single-tenant app to multitenant even though I was only calling Microsoft Graph

You might assume that if your app only calls Microsoft Graph API using a 3rd party user principal (which is the "secret" azure account associated with your client's Office 365 Business account) and doesn’t expose any endpoints or accept tokens for itself (for use as a service prinicipal), it’s fine to use a single-tenant app registration. That was true — until Microsoft enforced cross-tenant token boundaries in July 2025, claiming to enforce boundaries for service principals, yet also enforcing boundaries for user principals.

Starting July 26, 2025, Microsoft Entra began enforcing tenant policies at the token issuance level. That means your single-tenant app cannot request tokens on behalf of users from other tenants, even if the token is only for use as a user principal with Microsoft Graph or some other 3rd party app. Note: Microsoft Office 365 Business accounts do in fact have an associated Azure account, and thus qualify as a prinicpal from another tenant. Office 365 Business users typically do not have any idea they also have an Azure acccount. They usually aren't sure what Azure even is. They will steadfastly insist they do not have an Azure account. While it's true they never wnet and created an Azure account, if they have an Office 365 Business account, they do in fact have an Azure account and will break when using your single tenant app under the new ("after July 25th, 2025") Entra boundary paradigm. No, you can't delete their unknown and "never used it" Azure account, as it's used by Microsoft behind-the-scenes. No, adding the office 365 Business (and Azure) account as an app "ower" in your azure config does not help. Having your client's O365Business/Azure account being a "guest" or "member" of your single-tenant account also does not help.

The reasoning? Your app is initiating a cross-tenant trust relationship by requesting a delegated token — and external tenants never explicitly consented to that. Microsoft Azure/Entra now blocks this unless your app is marked as multitenant.

The fix is simple: I flipped the app registration’s SignInAudience setting from AzureADMyOrg to AzureADMultipleOrgs. This allowed tokens to be issued for external users again — without changing my code — and I optionally enforce a tenant allowlist to limit access.

🙋‍♀️ Still Confused?

If you're seeing errors like:

• AADSTS50020
• External logins failing after July 25
• Office365 login loops in your app

Then your app is almost certainly affected by Microsoft Entra’s sign-in audience enforcement.

What do I do?

• Fix it yourself using info provided here
• Hire Marietta.AI. We're in Marietta, GA, USA and normally focus on our local community, but we do also take remote jobs.

📎 Notes

Microsoft frequently updates its Entra ID documentation, and many relevant pages change URLs or disappear. For the most up-to-date information, we recommend:

• Starting at Microsoft Entra Identity Platform documentation
• Searching for terms like "signInAudience", "multitenant apps", or "AADSTS50020" via DuckDuckGo or your favorite search engine
• Using Microsoft Graph Explorer for real-time token testing