CSP failed to connect to customer: User account from identity provider does not exist in tenant

Last week I encountered a strange issue while connecting to a customer it’s tenant via CSP (Partner Center). It seemed to start since I’ve migrated DAP to GDAP permissions but I’m not 100 percent sure about this.

While trying to connect to whatever Service management, like Microsoft Azure Management Portal, Endpoint Manager, Exchange, Teams or Microsoft 365 this problem happened. The problem only existed with one particular customer. The other ones worked fine! What could be the issue!?

Note: This is a very specific issue in the customer tenant. I don’t expect so many people to experience the same issue. Still decided to write a blog about it. Maybe it helps just a few of you 🙂

The Azure AD Sign-in logs, showed the following error:

Sign-in error code: 50178
Failure reason: User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Additional Details: The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

This made me crazy.. Why do I need a existing guest in the customer it’s tenant when using CSP? This is not required for CSP. The error made me search for things which where not the issue! Lost quite some time on this..

The problem and solution

For testing purposes I disabled ALL the Conditional Access (CA) policies in the customer tenant. I’ve waited for 10 minutes and CSP started to work again. What!? So my issue is related to a CA policy while the error in Sign-in logs tells me a something totally different.

Took me a while to sort out which Conditional Access policy was causing this issue. In the end I found the one causing this issue and still did not understand why..

Conditional Access Policies causing the issue

First policy

We’re using a policy which prevents All users from downloading data, from All cloud apps on unmanaged devices.

1: Policy is assigned to All users. No users, groups or roles excluded.

2: Policy is assigned to All cloud apps.

3: Exclude managed devices from the Conditional Access policies using a filter.

4: Use Conditional Access App Control -> Block downloads (Preview)

So far nothing strange to see in this Conditional Access policy. Why is this policy preventing CSP from accessing the customer tenant!?

As shown above, the issue is related to a Conditional Access policy. When disabling the policy above it started to work again. What specific setting caused CSP to break? Well, it is the All cloud apps setting. I’ve changed this setting to Office 365 and my CSP access to this customer started to work again!

Unless the idea was to block downloads from Office 365, I decided to assign the policy to All cloud apps. I expected nothing to break and so did not matter about this setting. My CA policy is still doing what I expected it to do, but CSP works! 🙂

Note: I still have no idea why blocking downloads on All cloud apps would break CSP to work. Contacted Microsoft on this but they have no idea to. The error message shown in the customer tenant’s sign-in logs are totally different from what I expected and that made it difficult to find the solution.

Second policy

Customer/Relation required terms of use for all guest users. We removed “Service provider users” from the policy which lead to the solution. Authentications coming from Microsoft CSP/Partner Center are flagged as Service provider users. By de-selecting this guest type the problem was solved.

I’m pretty sure not many people would experience this issue. For the ones that do, I hope this helps you. Probably disable all CA policies -> wait for 10 minutes and try again. Does it work? There you go. Enable your CA policies one by one and figure out when CSP stops working for this customer.

Related Posts

One thought on “CSP failed to connect to customer: User account from identity provider does not exist in tenant

  1. Thanks!
    This has solved our AADSTS50177 issue with our CSP access stopping for one client.

    The culprit was a CA policy requiring *Duo MFA* for all accounts, when external accounts as you might expect, tend towards Azure MFA.

    Excluding Guest>ServiceProviderUsers from the Duo CA and creating an additional policy including only Guest>ServiceProviderUsers that requires Duo *OR* Azure MFA has reinstated our CSP access.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × three =