CSP failed to connect to customer: User account from identity provider does not exist in tenant

Last week I encountered a strange issue while connecting to a customer it’s tenant via CSP (Partner Center). It seemed to start since I’ve migrated DAP to GDAP permissions but I’m not 100 percent sure about this.

While trying to connect to whatever Service management, like Microsoft Azure Management Portal, Endpoint Manager, Exchange, Teams or Microsoft 365 this problem happened. The problem only existed with one particular customer. The other ones worked fine! What could be the issue!?

Note: This is a very specific issue in the customer tenant. I don’t expect so many people to experience the same issue. Still decided to write a blog about it. Maybe it helps just a few of you 🙂

The Azure AD Sign-in logs, showed the following error:

Sign-in error code: 50178
Failure reason: User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Additional Details: The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

This made me crazy.. Why do I need a existing guest in the customer it’s tenant when using CSP? This is not required for CSP. The error made me search for things which where not the issue! Lost quite some time on this..

The problem and solution

For testing purposes I disabled ALL the Conditional Access (CA) policies in the customer tenant. I’ve waited for 10 minutes and CSP started to work again. What!? So my issue is related to a CA policy while the error in Sign-in logs tells me a something totally different.

Took me a while to sort out which Conditional Access policy was causing this issue. In the end I found the one causing this issue and still did not understand why..

Conditional Access Policy causing the issue

We’re using a policy which prevents All users from downloading data, from All cloud apps on unmanaged devices.

1: Policy is assigned to All users. No users, groups or roles excluded.

2: Policy is assigned to All cloud apps.

3: Exclude managed devices from the Conditional Access policies using a filter.

4: Use Conditional Access App Control -> Block downloads (Preview)

So far nothing strange to see in this Conditional Access policy. Why is this policy preventing CSP from accessing the customer tenant!?

The solution!

As shown above, the issue is related to a Conditional Access policy. When disabling the policy above it started to work again. What specific setting caused CSP to break? Well, it is the All cloud apps setting. I’ve changed this setting to Office 365 and my CSP access to this customer started to work again!

Unless the idea was to block downloads from Office 365, I decided to assign the policy to All cloud apps. I expected nothing to break and so did not matter about this setting. My CA policy is still doing what I expected it to do, but CSP works! 🙂

Note: I still have no idea why blocking downloads on All cloud apps would break CSP to work. Contacted Microsoft on this but they have no idea to. The error message shown in the customer tenant’s sign-in logs are totally different from what I expected and that made it difficult to find the solution.

I’m pretty sure not many people would experience this issue. For the ones that do, I hope this helps you. Probably disable all CA policies -> wait for 10 minutes and try again. Does it work? There you go. Enable your CA policies one by one and figure out when CSP stops working for this customer.

Related Posts

Leave a Reply

Your email address will not be published.

5 − one =