Error "unauthorized_client" when using Microsoft as authentication provider #37847

Closed
saikumaru opened this issue Aug 27, 2019 — with docs.microsoft.com · 38 comments

saikumaru commented Aug 27, 2019

I am setting up my app and AD as per the steps provided, but when the web app link is entered I get the below error on the browser, instead of taking me to the Login screen.

We're unable to complete your request unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

Moreover this topic also doesn't mention what is the relevant "Supported account types" that is to be selected while building the AD app.



@RyanHill-MSFT
Contributor

Thanks for the feedback! We are currently investigating and will update you shortly.

@RyanHill-MSFT
Contributor

@saikumaru I was able to reproduce your issue. I have assigned the issue to the content author as we investigate further so that we can correct the document as appropriate.

@RyanHill-MSFT I'm experiencing the same problem. Please let me know as well when the document is corrected. Thanks

I am experiencing the same issue as well.

Looking forward to the fix

@MaximRouiller
Contributor

Question. Are you configuring Microsoft or Azure Active Directory?

image

If you are using Microsoft, it means that you need to be using the right setting. By default, it will register by AAD as shown in the following screenshot.

image

If your AD application is properly configured, it should show the following.

image

I think our documentation might not be up to date with the identity flow. Please tell me what works so that I can do a PR on the docs.

Anyone find a fix for this yet? I'm getting the same error in November 2019.

@AminMkh

AminMkh commented Dec 6, 2019

yep same here, my app was working just fine till November 2019

@ekalyvio

Does anyone have a fix for that issue?
Dec 26th 2019 and the issue still exists (4 months old).
Right now I am wondering if it is worth using Azure instead of Google Cloud.
image

@RyanHill-MSFT
Contributor

I'll follow up with the team and post any updates.

@AminMkh

AminMkh commented Dec 26, 2019

On my end, I created a new app and followed their PHP tutorial, and it all works.

Repo is here if you want to try it:
https://github.com/AminMkh/outlook-rest-laravel/

@ekalyvio

I ended up deleting the app registration and recreating all the settings ensuring to select on the supported account types the multi-tenant account types & personal Microsoft accounts (as this option was missing in my last app registration and I couldn't select it). Then it worked!
Hoping that I will not need to delete a database in the future!

@stvansolano

Hey folks, I'm having the same problem across MSFT docs and GitHub examples. Any ideas?

I will be re-creating my tenant in case it works like @ekalyvio did.

@stvansolano

It didn't work after the second attempt. @mattchenderson @RyanHill-MSFT here are some findings so far:

  • When I run through the examples from GitHub, most of them seem to have the same issue with my tenant. I reuse the AzureAd settings that I got from the Azure Portal/docs indications.

  • I double-checked and everything seems fine. I may be able to collect/share them in case anyone wants to take a look at the tenant I made.

  • When I run the examples and debug from ASP.NET Core I get the same output below:

Failure message: Ticket expired Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AzureADCookie was not authenticated. Failure message: Ticket expired

Sample output:

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET https://localhost:5001/Identity/Account/Login  
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7]
      AzureADCookie was not authenticated. Failure message: Ticket expired
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AzureADCookie was not authenticated. Failure message: Ticket expired
info: Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker[3]
      Route matched with {page = "/Account/Login", area = "Identity", action = "", controller = ""}. Executing page /Account/Login
Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker:Information: Route matched with {page = "/Account/Login", area = "Identity", action = "", controller = ""}. Executing page /Account/Login
info: Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker[101]
      Executing handler method OnDefend2FC.Areas.Identity.Pages.Account.LoginModel.OnGetAsync - ModelState is Valid
Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker:Information: Executing handler method OnDefend2FC.Areas.Identity.Pages.Account.LoginModel.OnGetAsync - ModelState is Valid
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[11]

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<MyTenantName>",
    "ClientId": "<Client ID from the portal>",
    "TenantId": "common",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath ": "/signout-callback-oidc",
    "ClientSecret": "<Secret obtained from app registration>"
  }

@gregorvilkner

when I select organizational accounts - this doesn't work and return the error described above. unauthorized_client: The client does not exist or is not enabled for consumers.

when i select multi-tenant+personal windows accounts - it auto-selects my windows account, and doesn't let me select. i have both, live and aad org accounts - i can't use the org account? what if i want to use multiple aad tenants?

this should be easier.

Banani-Rath pushed a commit that referenced this issue Jan 28, 2020
The old microsoft account identity provider only works with the old Microsoft Account identity apps, not with AAD V2 applications. The documentation does not accurately reflect this, which is the source of confusion in #37847
-------
cc: @cephalin
@koo9

koo9 commented Feb 6, 2020

Getting the same error here. any update on this issue?

@RyanHill-MSFT
Contributor

@koo9, check the recent update made to the doc in b402177. The reply URLs were updated to alleviate the confusion. If you did follow the updated tutorial, let me know and post any logs/traces you have around the error.

@koo9

koo9 commented Feb 6, 2020

@RyanHill-MSFT turned out to be the supported account type was not set to any directory. it works now. thx

@RyanHill-MSFT
Contributor

Thanks for letting us know @koo9. Feel free to reopen this thread if the updated doc doesn't help.

@saf-itpro

I was getting the exact same error while using this Microsoft Graph Official Tutorial. After deleting the previous App Registration and re-creating a new one exactly as explained in step 2 of the tutorial, I was able to log in. If I recall correctly, I had used the "Accounts in this organization only" option the first time. Although my Microsoft account is actually an admin in my Azure portal, I was not able to log in using that same account. The second time through the app registration process, I chose "Accounts in any organizational directory and personal Microsoft accounts". Then the login with the same Microsoft account worked.

@AkshayKangotra

I was getting the same error but on my side i have fixed this by correcting the app id in config json files.

@Satyala

Satyala commented Oct 8, 2020

Specifying the tenant Id of the organization instead of the default value "common" worked for me.
Note: We have multiple tenants

@pravindahal

@Satyala Where do you do that?

@pravindahal

pravindahal commented Oct 13, 2020

@gregorvilkner Hi Gregor! I am having the same issue as you i.e. when I allow multi-tenant+personal windows accounts, I can't select the right account and when I limit it to my organization, I get "unauthorized client".

Were you able to get around this problem?

I found limited success by using "OpenID Connect" as the provider instead of "Microsoft". That lets me login using my organization account but I'm stuck with AADB2C90238, which I'm assuming has to do with incorrect mapping of the fields. I'm using the following configuration:

MetaData URL: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Scope: openid
Response type: code
Response mode: form_post
User ID: sub
Display name: name

Update: I have managed to get it working by following the instructions here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant

@gregorvilkner

@pravindahal yes: I don't allow windows personal accounts ;)

@cxvoth

cxvoth commented Dec 7, 2020

I haven't had any luck using my own client id.
https://rclone.org/onedrive/#getting-your-own-client-id-and-key
Verified the callback url and that all account types are supported.
Always get the same error message about "unauthorized client".

I noticed the following message:
Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers.

https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

I know this is a new constraint. I think prior to this most problems were a result of the wrong account type being selected.

@nin-o

nin-o commented Jan 14, 2021

My issue was that I used the Client secret ID instead of 'Application (client) ID'.
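
A configuration check for the causes reported in this thread (a tenant segment such as "common" that does not fit the registration's "Supported account types", and the secret ID pasted where the Application (client) ID belongs), as an added example that is not part of any comment or of the Microsoft docs. The `diagnose` helper and the sample GUIDs are constructed; `appId`, `signInAudience` and `passwordCredentials[].keyId` are the field names used in the app registration manifest.

```python
# Account kinds each manifest signInAudience accepts (portal label in comment).
ACCEPTS = {
    "AzureADMyOrg": {"org"},                  # Accounts in this organization only
    "AzureADMultipleOrgs": {"org"},           # Accounts in any organizational directory
    "AzureADandPersonalMicrosoftAccount": {"org", "personal"},
    "PersonalMicrosoftAccount": {"personal"},
}
# Account kinds each shared authority segment lets a user sign in with;
# any other TenantId (GUID or domain) is one tenant's organizational accounts.
OFFERS = {
    "common": {"org", "personal"},
    "organizations": {"org"},
    "consumers": {"personal"},
}


def diagnose(settings, registration):
    """Check an AzureAd settings block against the app registration manifest."""
    findings = []
    client_id = settings["ClientId"].lower()
    secret_ids = {c["keyId"].lower()
                  for c in registration.get("passwordCredentials", [])}
    if client_id in secret_ids:
        findings.append("ClientId is a client secret's ID, "
                        "not the Application (client) ID")
    elif client_id != registration["appId"].lower():
        findings.append("ClientId does not match the registration's appId")

    audience = registration["signInAudience"]
    tenant = settings["TenantId"].lower()
    if audience == "AzureADMyOrg" and tenant in OFFERS:
        findings.append(f"single-tenant app: use the tenant's own ID, not '{tenant}'")
    for kind in sorted(OFFERS.get(tenant, {"org"}) - ACCEPTS[audience]):
        findings.append(f"'{tenant}' admits {kind} accounts the app does not accept")
    return findings


# Constructed sample: secret ID pasted as ClientId, "common" on a single-tenant app.
REGISTRATION = {
    "appId": "11111111-1111-1111-1111-111111111111",
    "signInAudience": "AzureADMyOrg",
    "passwordCredentials": [{"keyId": "22222222-2222-2222-2222-222222222222"}],
}
SETTINGS = {"ClientId": "22222222-2222-2222-2222-222222222222", "TenantId": "common"}

if __name__ == "__main__":
    for finding in diagnose(SETTINGS, REGISTRATION):
        print("-", finding)
```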

@haoxi911

> My issue was that I used the Client secret ID instead of 'Application (client) ID'.

Exactly same here.. A warning message should be added besides the secret ID, most of OAuth developers will assume the client ID and client secret are besides each other.

@JeremyPouyet

> My issue was that I used the Client secret ID instead of 'Application (client) ID'.

Same here, a thousand thanks to you

@AdilSarwarNU

> My issue was that I used the Client secret ID instead of 'Application (client) ID'.

Same here, thanks a bunch.

@deadbeef-development

> My issue was that I used the Client secret ID instead of 'Application (client) ID'.

Wasn't the case for me, for I triple checked that all my IDs were correct...

@Klexus1

Klexus1 commented Nov 9, 2021

In my case, I was working on a single-tenant app and forgot to include MICROSOFT_AUTH_TENANT_ID in settings (Django).

@davidjb99

> Exactly same here.. A warning message should be added besides the secret ID, most of OAuth developers will assume the client ID and client secret are besides each other.

Me too, it would be helpful if the docs were more consistent with naming, but then there are so many docs doing so would take a small army.

@unckleg

unckleg commented Feb 17, 2022

Thanks @nin-o 🚀

@tmishutin

Thanks @nin-o

@joaopedromatias

I can't believe this was the issue... thank you @nin-o

@3kh0

3kh0 commented Oct 20, 2023

Still getting this error, even with the steps provided.

image

I am following a guide on setting up a fileshare with onedrive, found here

@pestsov

pestsov commented Feb 25, 2024

well I've got this issue when trying to login in personal teams account on android device :)
