User account does not exist in tenant ‘Default Directory’ and cannot access the application
The error you’re encountering, “User account does not exist in tenant ‘Default Directory’,” means that the app registration you are signing in to and the account you are signing in with live in different Microsoft Azure Active Directory (AAD, now Microsoft Entra ID) tenants. ‘Default Directory’ is the name Azure gives the tenant it creates automatically when a personal Microsoft account signs up for Azure, so the message is telling you the app was registered in your personal account’s directory.
Cause
When using Microsoft’s AzureADProvider with NextAuth.js (or a similar OpenID Connect client), the app registration you created in your personal Microsoft account’s tenant (‘Default Directory’) is trying to authenticate a user (your project’s email address) that belongs to a different tenant, typically a company, institution or organization’s Azure AD directory. A single-tenant app registration only accepts sign-ins from accounts that exist in its own tenant, as members or invited guests, and each tenant controls access to its own user accounts and applications. Since ‘Default Directory’ and your organization’s directory are separate tenants, Azure AD rejects the sign-in before any token is issued.
Solution
1. Use the Correct Azure Tenant for App Registration:
You need to register your application within the same Azure AD tenant that contains your project account. That means logging into the Azure portal with your project’s Microsoft account rather than your personal account (or switching to the project’s directory via the portal’s directory switcher). Once logged in, go to Azure Active Directory > App registrations and create a new app registration in the project’s tenant. Note the Application (client) ID and the Directory (tenant) ID on the registration’s Overview page; both are needed below.
2. Change Multi-Tenant Configuration
If you want to allow both personal and organizational accounts, open the app registration in the Azure portal, go to Authentication > Supported account types, and select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts. This lets users from any Azure AD tenant, plus personal Microsoft accounts, log in, which is the fix if that is really what you want. Two caveats: the sign-in request must then be sent to the common (or organizations) endpoint rather than to your tenant’s ID, and the registration itself no longer restricts who can sign in, so your application has to decide which tenants it trusts, for example by checking the tid claim of the ID token against an allow-list before creating a session.
3. Update your Development Frameworks Configuration
After creating the app in the correct tenant, update your NextAuth.js (or whatever framework you’re working with) configuration with the new client ID, client secret and tenant ID. For NextAuth.js these are the clientId, clientSecret and tenantId options of AzureADProvider. The tenant ID ensures the authorization request is sent to the Azure AD instance associated with your project; for a multitenant registration use common (any account) or organizations (any Azure AD tenant, no personal accounts) instead of a tenant ID.
Once these changes are applied, sign out of login.microsoftonline.com or use a private browsing window, so the cached session for the wrong (personal) account is not reused, and check whether sign-in works now.
Still getting the error? Here is another solution.
Another Solution
If the “User account does not exist in tenant” error persists despite configuring your app registration as described above, work through the following checks:
1. Ensure the authorization endpoint uses the correct tenant identifier.
If the app is intended only for a specific tenant (e.g., your project), make sure the authorization URL in NextAuth.js (or whichever client you use) is built with that tenant ID explicitly rather than with common. In NextAuth.js the AzureADProvider derives this URL from its tenantId option; if you override the authorization URL yourself, it looks like this:
```js
// Single-tenant app: pin the v2.0 authorize endpoint to the project's tenant
authorization: `https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize`
```
Replace YOUR_TENANT_ID with the actual Directory (tenant) ID of your project or organization. A tenant-specific endpoint only signs in users who exist in that tenant, so a user from another tenant will still get this error even if the registration is multitenant.
2. Check User Account Type in Azure
Does the account type you set in Azure Active Directory match your intended use? If you only need users from your project’s directory to access the application, make sure Supported account types in your Azure app registration is set to Accounts in this organizational directory only and that the client uses the project’s tenant ID.
If you need to support multiple tenants, set it to Accounts in any organizational directory and personal Microsoft accounts, use common as the tenant in the client, and enforce your own tenant allow-list in the application. Save the changes and proceed.
3. Add the User Account in Azure Active Directory
Sometimes the project’s account you’re trying to use needs to exist in the directory the app is registered in. In the Azure portal, go to Azure Active Directory > Users and verify that the user account (email) you’re logging in with is listed there. If it is not and the registration is single-tenant, invite the account as a guest user (New user > Invite external user, i.e. Azure AD B2B collaboration); the guest can then sign in through your tenant’s endpoint. Also make sure the account is permitted to use the app if user assignment is required on the enterprise application.
4. Adjust Permissions and Admin Consent
In API permissions for your app registration, ensure that the necessary permissions are set and that admin consent has been granted where it is required. Missing permissions or consent usually produce a consent prompt or a consent error rather than the tenant mismatch error, but they can surface as confusing authentication failures when the app tries to access resources that haven’t been authorized, so rule them out.
5. Clear Browser Cache and Re-Authenticate
login.microsoftonline.com keeps a session cookie that remembers which account you last signed in with, so after updating settings the browser may silently reuse the wrong (personal) account. Clear cookies for that domain or use a private window, and consider sending prompt=select_account in the authorization request so the account picker is always shown, then see how the whole thing behaves now.
6. Verify Redirect URI Match
Ensure that the redirect URI your client sends exactly matches one of the redirect URIs registered under Authentication in the Azure portal. NextAuth.js v4 uses {NEXTAUTH_URL}/api/auth/callback/azure-ad, so that full URL must be registered. Azure AD compares redirect URIs exactly: scheme, host, port, path, trailing slash and even letter casing must all match, or the sign-in fails with a redirect URI mismatch error.
After verifying these steps, try logging in again. Error resolved?
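The following is an added example, not code from this article or from NextAuth.js, that pulls together the checks from both solutions above in plain Node.js with no dependencies: choosing the tenant segment of the authorize URL from the registration’s Supported account types, requesting the account picker so a cached session for the wrong account is not reused, checking the tid and iss claims of the ID token against a tenant allow-list once the registration is multitenant, and comparing the NextAuth callback URI against the registered redirect URIs exactly. The tenant IDs, client ID, allow-list and the unsigned sample ID token are constructed for the demo. In a real NextAuth.js setup the tenant check would run inside the signIn callback after the library has verified the token signature; this example deliberately does not verify signatures.

```javascript
// Added example (not part of the original article or of NextAuth.js).
// Plain Node.js, no dependencies. All IDs, URLs and tokens below are constructed.

const LOGIN_HOST = "https://login.microsoftonline.com";

// Well-known tenant ID carried in the tid claim by personal Microsoft accounts
// that sign in through the "common" endpoint.
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";

// Map the registration's signInAudience (the manifest field behind
// "Supported account types") to the tenant segment the authorize URL must use.
// A single-tenant registration only works with its own tenant ID; pointing a
// multitenant registration at one tenant ID restricts sign-in to that tenant again.
function tenantSegmentFor(signInAudience, tenantId) {
  switch (signInAudience) {
    case "AzureADMyOrg": return tenantId;
    case "AzureADMultipleOrgs": return "organizations";
    case "AzureADandPersonalMicrosoftAccount": return "common";
    case "PersonalMicrosoftAccount": return "consumers";
    default: throw new Error(`unknown signInAudience: ${signInAudience}`);
  }
}

// Build the v2.0 authorize URL. prompt=select_account forces the account picker so
// a login.microsoftonline.com session for the wrong (personal) account is not reused.
function authorizeUrl({ tenantSegment, clientId, redirectUri, scope = "openid profile email" }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    redirect_uri: redirectUri,
    response_mode: "query",
    scope,
    prompt: "select_account",
  });
  return `${LOGIN_HOST}/${tenantSegment}/oauth2/v2.0/authorize?${params.toString()}`;
}

// Decode a JWT payload for inspection only. This does NOT verify the signature;
// NextAuth.js verifies it before the callbacks run.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// With a multitenant registration Azure AD issues tokens to users from ANY tenant.
// Authorization therefore moves into the app: accept only tenants you trust, and
// require iss to agree with tid so a token cannot claim a different tenant.
function isAllowedTenant(claims, allowedTenantIds) {
  if (typeof claims.tid !== "string" || typeof claims.iss !== "string") return false;
  if (claims.iss !== `${LOGIN_HOST}/${claims.tid}/v2.0`) return false;
  return allowedTenantIds.includes(claims.tid);
}

// NextAuth.js v4 derives the azure-ad callback from NEXTAUTH_URL (default base path).
function nextAuthCallbackUri(nextAuthUrl) {
  return new URL("/api/auth/callback/azure-ad", nextAuthUrl).toString();
}

// Azure AD matches redirect URIs exactly: scheme, host, port, path and case.
function redirectUriMatches(registeredUris, actualUri) {
  return registeredUris.includes(actualUri);
}

// Fabricate an unsigned ID token for the demo (alg "none", empty signature part).
function buildUnsignedIdToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

// Worked run: a project user from PROJECT_TENANT signs in to an app whose
// registration was (wrongly) created in the personal account's Default Directory.
const DEFAULT_DIRECTORY = "00000000-0000-0000-0000-000000000001"; // constructed
const PROJECT_TENANT = "11111111-2222-3333-4444-555555555555";   // constructed
const CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";        // constructed

function demo() {
  const redirectUri = nextAuthCallbackUri("http://localhost:3000");
  const claims = decodeJwtPayload(buildUnsignedIdToken({
    iss: `${LOGIN_HOST}/${PROJECT_TENANT}/v2.0`,
    tid: PROJECT_TENANT,
    aud: CLIENT_ID,
    preferred_username: "dev@project.example", // constructed
  }));
  return {
    // single-tenant registration in Default Directory: a PROJECT_TENANT user is
    // rejected by Azure AD at this URL before any token exists
    singleTenantUrl: authorizeUrl({
      tenantSegment: tenantSegmentFor("AzureADMyOrg", DEFAULT_DIRECTORY),
      clientId: CLIENT_ID, redirectUri }),
    // multitenant registration: use "common", then enforce the allow-list yourself
    multiTenantUrl: authorizeUrl({
      tenantSegment: tenantSegmentFor("AzureADandPersonalMicrosoftAccount", DEFAULT_DIRECTORY),
      clientId: CLIENT_ID, redirectUri }),
    projectUserAllowed: isAllowedTenant(claims, [PROJECT_TENANT]),
    personalAccountAllowed: isAllowedTenant(
      { tid: MSA_TENANT_ID, iss: `${LOGIN_HOST}/${MSA_TENANT_ID}/v2.0` }, [PROJECT_TENANT]),
    redirectUriOk: redirectUriMatches([redirectUri], redirectUri),
    redirectUriCaseMismatch: redirectUriMatches([redirectUri], redirectUri.replace("azure-ad", "Azure-AD")),
  };
}

console.log(demo());
```

Run it with node and compare the two authorize URLs: only the tenant segment differs, which is exactly the difference between a sign-in that is rejected for a project user and one that is accepted. Once the registration is multitenant, the isAllowedTenant check is what keeps the personal account (tid equal to the consumer tenant) and every unrelated organization out of your app.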