Error AADSTS500208 in Entra External ID (CIAM)

Rory Braybrook
The new control plane
2 min read, Jan 12, 2024

The full error is:

AADSTS500208: The domain is not a valid login domain for the account

This happens when you create an app registration in a CIAM tenant and follow the quick-start samples the portal links to:

Image showing “Sign up users” and link to quick starts

In my case, I used the .NET Core sample.

When you run the sample, you authenticate with a user in CIAM and then get this error.

After opening a ticket and a number of calls with Microsoft, we got to the bottom of it.

The problem is that the quick starts linked from the portal are wrong: they point to the standard Azure AD (workforce) samples built on MSAL.

Those samples use https://login.microsoftonline.com/ as the authority in appsettings.json. That endpoint serves Azure AD, not CIAM, so the CIAM user's sign-in domain is rejected and you get the "not a valid login domain" error.

This sample works for my CIAM tenant:

An ASP.NET Core web app authenticating users against Azure AD for Customers using Microsoft Identity Web — Code Samples | Microsoft Learn

This sample uses the Microsoft.Identity.Web library rather than the raw MSAL quick-start configuration, and, crucially, its authority is https://[ciam tenant].ciamlogin.com/ rather than login.microsoftonline.com. The authority is the part that matters: the app registration itself was fine.
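The two configurations side by side, as an added pre-flight check that is not part of the original post or of Microsoft's samples. It reproduces how Microsoft.Identity.Web resolves the effective authority from an "AzureAd" section (an explicit "Authority" wins, otherwise "Instance" plus "TenantId") and flags the mismatch behind AADSTS500208: a CIAM tenant must be addressed at a *.ciamlogin.com host, not at login.microsoftonline.com. The tenant subdomain "contoso" and the GUIDs are placeholders, and the two embedded settings sections are constructed samples shaped like the Azure AD quick start and the CIAM sample respectively.

```python
"""Pre-flight check for a Microsoft.Identity.Web "AzureAd" settings section.

Added example; not code from the post or from Microsoft's samples.
It resolves the effective authority the way Microsoft.Identity.Web does
(an explicit "Authority" wins, otherwise "Instance" + "TenantId") and
classifies it: a CIAM (Entra External ID) tenant must be addressed at
https://<tenant>.ciamlogin.com/, not at login.microsoftonline.com.
"""
import json
from urllib.parse import urlparse

WORKFORCE_HOST = "login.microsoftonline.com"   # Azure AD (workforce) endpoint
CIAM_SUFFIX = ".ciamlogin.com"                 # Entra External ID (CIAM) endpoints

# Constructed sample: the shape the portal quick starts hand you (workforce Azure AD).
AZUREAD_QUICKSTART = json.dumps({
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "contoso.onmicrosoft.com",                  # hypothetical tenant
        "TenantId": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
        "ClientId": "11111111-1111-1111-1111-111111111111",  # placeholder GUID
        "CallbackPath": "/signin-oidc",
    }
})

# Constructed sample: the shape the CIAM (Azure AD for Customers) sample uses.
CIAM_SAMPLE = json.dumps({
    "AzureAd": {
        "Authority": "https://contoso.ciamlogin.com/",        # hypothetical tenant subdomain
        "ClientId": "11111111-1111-1111-1111-111111111111",  # placeholder GUID
        "CallbackPath": "/signin-oidc",
        "SignedOutCallbackPath": "/signout-callback-oidc",
    }
})


def effective_authority(settings: dict) -> str:
    """Return the authority URL the OIDC handler will end up using."""
    section = settings["AzureAd"]
    if section.get("Authority"):
        return section["Authority"]
    instance = section.get("Instance", "")
    tenant = section.get("TenantId", "")
    if not instance or not tenant:
        raise ValueError("need either Authority or Instance + TenantId")
    return instance.rstrip("/") + "/" + tenant + "/"


def check_ciam_authority(appsettings_json: str) -> dict:
    """Classify an appsettings.json string by the host its authority points at.

    verdict "workforce": login.microsoftonline.com, which will reject a CIAM
                         user with AADSTS500208
    verdict "ciam":      a *.ciamlogin.com host, what a CIAM tenant needs
    verdict "unknown":   anything else (sovereign clouds, typos, custom domains)
    """
    settings = json.loads(appsettings_json)
    authority = effective_authority(settings)
    host = (urlparse(authority).hostname or "").lower()
    if host == WORKFORCE_HOST:
        verdict = "workforce"
    elif host.endswith(CIAM_SUFFIX):
        verdict = "ciam"
    else:
        verdict = "unknown"
    return {"authority": authority, "host": host, "verdict": verdict}


if __name__ == "__main__":
    for label, cfg in (("quick start", AZUREAD_QUICKSTART), ("CIAM sample", CIAM_SAMPLE)):
        print(label, check_ciam_authority(cfg))
```

Run it against your own appsettings.json (read the file instead of the embedded strings) before chasing the error elsewhere; a "workforce" verdict on a CIAM tenant is the whole story behind AADSTS500208.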

I suspect that the samples in the documentation are also wrong.

There only appear to be two CIAM samples in the Azure-Samples organisation. I found them using this search:

https://github.com/search?q=org%3AAzure-Samples+ms-identity-ciam&type=repositories

which shows:

Image showing the two samples in Github

Note: See this post for MSAL samples.

All good!

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5