AADSTS500207: The account type can't be used for the resource you're trying to access.

Parth Jagani 0 Reputation points
2025-11-30T21:57:35.3933333+00:00

External tenant (CIAM) users cannot acquire access tokens for an API exposed by an app in the internal tenant. The error is: AADSTS500207: The account type can't be used for the resource you're trying to access.

What is the setup?

Cross-tenant On-Behalf-Of (OBO) flow:

  • External tenant (CIAM/Entra External ID): users authenticate here
  • Internal tenant (Azure AD): API app registration and Power BI resources
  • Flow: External users authenticate → request token for internal tenant API → backend uses OBO to exchange for Power BI token.

What is the authentication flow?

  1. User authenticates in external tenant (CIAM) → gets ID token
  2. Frontend requests access token for api://[internal-tenant-app-id]/[scope-name]
  3. Backend receives token and uses OBO to exchange for guest user's Power BI token
  4. Frontend uses Power BI token to access Power BI resources

With this setup, can you please help identify what is missing that is causing the above error?

In the internal tenant, the app is multitenant with the permission granted, the scope defined, and the external tenant application added to the authorized app list.

In the external tenant, the app uses the correct API and has been granted the API permission to use it.

Please help me to understand in detail how to configure this setup properly.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Shubham Sharma 3,430 Reputation points Microsoft External Staff Moderator
    2025-12-02T12:42:22.6233333+00:00

    Hello Parth Jagani

    Welcome to the Microsoft Q&A.

    I understand that you would like to fix this message: AADSTS500207: The account type can't be used for the resource you're trying to access.

    1. If you are requesting tokens for a protected API, the first thing to check is your authority configuration. Make sure you are using the CIAM tenant-specific authority with v2.0, such as: https://{tenantSubdomain}.ciamlogin.com/{tenantId}/v2.0 If you miss the /v2.0 suffix or use the workforce endpoint (login.microsoftonline.com), your request will fail with 500207. See Microsoft docs in this link - https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam
    2. Another important step is to review the API app registration settings. For custom scopes to work in Entra External ID, the resource API app must be single-tenant. In the Azure portal, go to your API's app registration, and under Supported account types, select Accounts in this organizational directory only (AzureAD MyOrg). Then under Expose an API, define your scope (e.g., `api://{api-client-id}/access_as_user`) and grant the client app permission to use it. - https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis
    3. On the client app registration (your Flutter app - flutter_appauth), add this custom scope under API permissions, then in your code ensure the token request includes:

       ```dart
       final result = await appAuth.authorizeAndExchangeCode(
         AuthorizationTokenRequest(
           '{clientId}',
           '{redirectUrl}',
           discoveryUrl: 'https://{tenantSubdomain}.ciamlogin.com/{tenantId}/v2.0/.well-known/openid-configuration?p={userFlowId}',
           scopes: ['openid', 'offline_access', 'api://{api-client-id}/access_as_user'],
         ),
       );
       ```
    4. Use the Sign-in logs in the Entra portal to confirm your fix. Enter your Correlation ID (9c5d72ee-2dfa-4b85-8a8d-7b00b094baaa) and Timestamp (2025-08-21T13:43:59Z) to validate if the failure is resolved or if any scope/audience mismatch remains. See more guides here - https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-conditional-access

    In short, the error occurs because the requested token's account type doesn't align with the API's supported audience. By using the correct CIAM v2.0 authority, setting the API registration to single-tenant, and correctly requesting your custom scope, the AADSTS500207 issue will be resolved.

    Please let us know if you need any further assistance.

    Thanks

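To check a client's authority string and a received access token against the points the answer raises (CIAM v2.0 authority, audience and scope mismatch) before going to the sign-in logs, here is an added Python check; it is not code from the question, the answer, or Microsoft. The tenant and app ids, the `make_unsigned_token` helper, and the expected issuer shape (`https://<tenant>.ciamlogin.com/<tenant>/v2.0`) are assumptions so the sample runs offline.

```python
import base64
import json
from urllib.parse import urlparse
# Constructed placeholder ids for the external (CIAM) tenant and the API app; not real values.
CIAM_TENANT_ID = "00000000-0000-0000-0000-00000000c1a0"
API_CLIENT_ID = "11111111-1111-1111-1111-11111111a9e1"
EXPECTED_SCOPE = "access_as_user"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    # Assumed helper: builds a compact JWS with a dummy signature so the checks run on sample claims.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    # Reads the payload only; signature validation stays with the API's JWT middleware.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def check_authority(authority: str) -> list[str]:
    """Flags the two authority mistakes named in the answer: workforce host, missing /v2.0."""
    u = urlparse(authority)
    problems = []
    if u.hostname == "login.microsoftonline.com":
        problems.append("workforce endpoint used instead of <subdomain>.ciamlogin.com")
    if not u.path.rstrip("/").endswith("/v2.0"):
        problems.append("authority is missing the /v2.0 suffix")
    return problems

def check_token(token: str) -> list[str]:
    """Compares iss/aud/scp of a received token with what the internal-tenant API expects."""
    c = decode_claims(token)
    problems = []
    iss = urlparse(str(c.get("iss", "")))
    if not (iss.hostname or "").endswith(".ciamlogin.com") or not iss.path.endswith("/v2.0"):
        problems.append(f"issuer is not a CIAM v2.0 issuer: {c.get('iss')}")
    if c.get("aud") not in (API_CLIENT_ID, f"api://{API_CLIENT_ID}"):
        problems.append(f"aud {c.get('aud')} does not match the API app (audience mismatch)")
    if EXPECTED_SCOPE not in str(c.get("scp", "")).split():
        problems.append(f"scp lacks {EXPECTED_SCOPE} (scope mismatch)")
    return problems
```

An empty list from both functions means the authority and the token line up with the configuration the answer describes; each non-empty entry names which of the listed settings to revisit.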
