This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 76%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Hello,
I am having issues when trying to sign into my External tenant and specifying a custom scope. The error happens when I am making use of the MSAL library but also when attempting to authenticate with Postman or Insomnia.
I have set my authority to be https://{domain-name}.ciamlogin.com/ and when attempting to sign in with an external user in that tenant and specifying one of the scopes to be a custom scope that I have defined, it returns the AADSTS500207 error. If I don't specify this scope and only specify standard MS Graph scopes such as openid & offline_access, it logs in fine however I require this custom scope for authentication to my own api.
I have configured the application ID url to be api://... and I have included the full path in the scope however it fails regardless. If I don't include the full path and just include the name of the scope itself, I get another error stating the scope could not be found.
I have also attempted trying to sign in with an internal account however it states that my email cannot be found as I am trying to use this as public client.
Any help would be greatly appreciated as currently.
Kind Regards,
Sam
Thank you James.
Just to provide an update on some further testing that I've done. It seems that I don't encounter this error if I set the the Supported Account Types for the App Registration to single tenant. Under this scenario, all of my accounts login successfully including internal accounts and external accounts in the tenant.
As soon as I swap it back to a multi-tenant option, none of them can sign in again. I have the intention of integrating it with another tenant at some point so keeping it as single-tenant isn't really an option unfortunately.
Many thanks,
Sam