Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
Issue: Cross-Tenant OBO with CIAM - Resource Resolved in Wrong Tenant
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 60%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPJ%3C/text%3E%3C/svg%3E)
Parth Jagani
0
Reputation points
Issue: Cross-Tenant OBO with CIAM - Resource Resolved in Wrong Tenant
Problem:
When requesting an access token for a custom API in an internal Azure AD tenant from a CIAM (external) tenant using On-Behalf-Of (OBO), Azure AD resolves the resource in the external tenant instead of the internal tenant, causing AADSTS500207: The account type can't be used for the resource you're trying to access.
Configuration:
- External tenant: CIAM tenant with a multi-tenant app registration
- Internal tenant: Azure AD tenant with a multi-tenant app registration exposing a custom API
- Flow: External users authenticate in CIAM and request tokens for the internal tenant's API
What happens:
- User authenticates in CIAM (external tenant)
- App requests a token for the internal tenant's API scope (
api://{internal-app-id}/access_as_user) - Azure AD resolves the resource in the external tenant instead of the internal tenant
- Sign-in logs show:
- Resource tenant ID = external tenant (incorrect)
- Resource owner tenant ID = internal tenant (correct)
- This mismatch causes
AADSTS500207
What we've verified:
- Internal app is multi-tenant
- External app is authorized in the internal app's "Authorized client applications"
- Admin consent granted in both tenants
- API permissions configured correctly
- Microsoft Graph token acquisition works from CIAM
- The issue is specific to cross-tenant custom API access
Question:
Is this a known CIAM limitation for cross-tenant OBO? If not, how should we configure the scope or authority so Azure AD resolves the resource in the correct tenant? Are there workarounds or alternative approaches for this scenario?
Additional context:
The internal app's service principal exists in the internal tenant, but Azure AD appears to look for it in the external tenant during token acquisition, suggesting a resource resolution issue in cross-tenant OBO flows with CIAM.
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shubham Sharma 3,430 Reputation points Microsoft External Staff Moderator2025-12-04T11:34:22.9933333+00:00 Hello Parth Jagani
Thank you for reaching out to Microsoft Q&A.
I understand that you would like to fix this > Message: AADSTS500207: The account type can't be used for the resource you're trying to access.
- If you are requesting tokens for a protected API, the first thing to check is your authority configuration. Make sure you are using the CIAM tenant-specific authority with v2.0, such as: https://{tenantSubdomain}.ciamlogin.com/{tenantId}/v2.0 If you miss the/v2.0 suffix or use the workforce endpoint (
login.microsoftonline.com), your request will fail with 500207. See Microsoft docs in this link - https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam - Another important step is to review the API app registration settings. For custom scopes to work in Entra External ID, the resource API app must be single-tenant. In the Azure portal, go to your API’s app registration, and under Supported account types, select Accounts in this organizational directory only (AzureAD MyOrg). Then under Expose an API, define your scope (e.g.,api://{api-client-id}/access_as_user`) and grant the client app permission to use it. - https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis
- On the client app registration (your Flutter app - flutter_appauth), add this custom scope under API permissions, then in your code ensure the token request includes:
final result = await appAuth.authorizeAndExchangeCode(AuthorizationTokenRequest('{clientId}','{redirectUrl}',discoveryUrl: 'https://{tenantSubdomain}.ciamlogin.com/{tenantId}/v2.0/.well-known/openid-configuration?p={userFlowId}',scopes: ['openid', 'offline_access', 'api://{api-client-id}/access_as_user'],),); - Use the Sign-in logs in the Entra portal to confirm your fix. Enter your Correlation ID (
9c5d72ee-2dfa-4b85-8a8d-7b00b094baaa) and Timestamp (2025-08-21T13:43:59Z) to validate if the failure is resolved or if any scope/audience mismatch remains. See more guides here - https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-conditional-access
Though, the error occurs because the requested token’s account type doesn’t align with the API’s supported audience. By using the correct CIAM v2.0 authority, setting the API registration to single-tenant, and correctly requesting your custom scope, the AADSTS500207 issue will be resolved.
Please let us know if you need any further assistance.
Thanks
- If you are requesting tokens for a protected API, the first thing to check is your authority configuration. Make sure you are using the CIAM tenant-specific authority with v2.0, such as: https://{tenantSubdomain}.ciamlogin.com/{tenantId}/v2.0 If you miss the/v2.0 suffix or use the workforce endpoint (
-
Parth Jagani 0 Reputation points
2025-12-04T12:17:55.8233333+00:00 I have concerns about step 2 as below!
-
Parth Jagani 0 Reputation points
2025-12-04T12:18:38.3566667+00:00 I would like to raise a concern regarding step 2 of the recommended configuration. Specifically, when the workforce app registration is set to single-tenant, the Workforce API does not appear in the CIAM tenant’s API Permissions list. In our testing, the Workforce API can only be added when the app registration is configured as multi-tenant.
This creates a challenge because the guidance suggests that for custom scopes to work in Entra External ID (CIAM), the resource API app must be registered as single-tenant (“Accounts in this organizational directory only”). However, in that configuration, we are unable to discover or add the Workforce API from the CIAM tenant, which prevents us from granting the necessary permissions. As per other documentation, workforce app and its service principal need to exist in CIAM tenant too.
Could you clarify the correct approach for this scenario?
Is there a specific configuration or workaround that allows a CIAM tenant to reference a single-tenant Workforce API?
Should the API remain multi-tenant for visibility, and if so, how does that align with the requirement for single-tenant registration in CIAM?
Are there additional steps (such as service principal instantiation, explicit scope definition, or tenant-specific authority usage with the
ciamlogin.com/{tenantId}/v2.0endpoint) that would resolve this mismatch? -
Shubham Sharma 3,430 Reputation points Microsoft External Staff Moderator
2025-12-05T17:31:02.93+00:00 Hello Parth Jagani
I am checking internally with the team and will get back to you shortly.
Sign in to comment
Sign in to answer