Unable to complete code signing process due to 'tenant' account error?

SForSW 20 Reputation points
2024-08-25T23:40:27.4933333+00:00

Hello,

I've completed the steps necessary to create the profiles (including certificate) and identity validation necessary to utilize the 'trusted' code signing process (with the 'signtool.exe' option). I've configured the json file as instructed and everything seems to be working right up until 'Submitting digest for signing' step as reported by signtool.

At that point, my web browser (Edge) opens and I am prompted to log in with my username and password. I had set up my account with the various parameters specified in the help documentation, so I enter in the same values I have used for the Azure/Entra systems and the standard Microsoft account log in. I am then presented with this error message:

"Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application '[number omitted]' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

I have searched extensively and could find no steps or instructions in any Microsoft help documentation, StackOverflow, or other discussion forums that solved this problem. I appear to have every permission applied, account linked, and 'tenant' condition available to me. So I'd simply like to know what I need to do in order to make my account an 'external user' in the tenant 'Microsoft Services' so I can code sign using SignTool. Thank you for any assistance you can offer.

Azure Trusted Signing
Azure Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the certificate signing process and helps partner developers more easily build and distribute applications.

Accepted answer
  Sandeep G-MSFT 19,686 Reputation points Microsoft Employee
    2024-08-27T04:09:24.9033333+00:00

    @SForSW

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others](https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)", I'll repost your solution in case you'd like to "[Accept](https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)" the answer.


    Issue:

    Unable to complete code signing process due to 'tenant' account error

    Solution:

    • Issue was resolved by creating an additional tenant account through Entra Admin Center > Users > New User as a 'Member' with its own e-mail address as the 'Identity', then also creating an app in Azure > Search > 'app registrations' > New Registration.
    • The latter provided a client ID, tenant ID, and 'secret' value necessary to complete the steps for authorization that SignTool would accept.
    • From there, three environment variables needed to be created within Windows (search > advanced system settings > Environment Variables).
    • The three value names are AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET, and then each respective value needs to be assigned under each name.
    • A reboot is required to apply the new environment variables, and with all of the other pieces in place as needed (certificate, signing profile, prerequisites, dlib, etc.), SignTool could then code sign.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

Sort by: Most helpful
  SForSW 20 Reputation points
    2024-08-26T21:28:40.0733333+00:00

    I was finally able to sort it out and successfully code sign. It apparently related to needing a different authorization approach than what was described (i.e. mostly omitted) in the Microsoft help documentation. Turned out the best route was to create an additional tenant account through Entra Admin Center > Users > New User as a 'Member' with its own e-mail address as the 'Identity', then also create an app in Azure > Search > 'app registrations' > New Registration. The latter provided a client ID, tenant ID, and 'secret' value necessary to complete the steps for authorization that SignTool would accept. From there, three environment variables needed to be created within Windows (search > advanced system settings > Environment Variables). The three value names are AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET, and then each respective value needs to be assigned under each name. From there, a reboot is required to apply the new environment variables, and with all of the other pieces in place as needed (certificate, signing profile, prerequisites, dlib, etc.), SignTool could then code sign.

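The procedure in both answers above (app registration, the three AZURE_* environment variables, then SignTool with the Trusted Signing dlib) as one PowerShell script. This is an added example, not code from the thread or from Microsoft; every value in angle brackets is a placeholder, the install paths for signtool.exe and the dlib are assumptions, and the metadata.json field names and SignTool switches are the ones the Trusted Signing quickstart documents. The script also adds the preflight checks a practitioner wants: if any AZURE_* variable is missing, the dlib's credential chain falls back to an interactive browser login, which is exactly the symptom the question describes, so the script fails fast with a clear message instead.

```powershell
# Added example (not from the Q&A thread): sign a file with Azure Trusted Signing through SignTool,
# authenticating as the app registration's service principal via AZURE_* environment variables.
# Angle-bracket values are placeholders; the tool paths below are assumptions for this example.

$ErrorActionPreference = 'Stop'

# --- 1. Service-principal credentials from the app registration ---------------------------------
# 'User' scope persists the variables under HKCU\Environment for future logons; setting $env:*
# too makes them visible to processes started from this shell, so no reboot is needed here.
$cred = @{
    AZURE_TENANT_ID     = '<tenant-id-guid>'
    AZURE_CLIENT_ID     = '<app-registration-client-id>'
    AZURE_CLIENT_SECRET = '<client-secret-value>'   # placeholder; never commit the real value
}
foreach ($name in $cred.Keys) {
    [Environment]::SetEnvironmentVariable($name, $cred[$name], 'User')
    Set-Item -Path "Env:$name" -Value $cred[$name]
}

# --- 2. metadata.json: tells the dlib which Trusted Signing account and profile to use ----------
$metadataPath = Join-Path $PWD 'metadata.json'
@{
    Endpoint               = 'https://<region>.codesigning.azure.net'
    CodeSigningAccountName = '<trusted-signing-account-name>'
    CertificateProfileName = '<certificate-profile-name>'
} | ConvertTo-Json | Set-Content -Path $metadataPath -Encoding ascii

# --- 3. Preflight: catch a missing credential before SignTool opens a browser login -------------
$signtool = 'C:\Program Files (x86)\Windows Kits\10\bin\<sdk-version>\x64\signtool.exe'  # assumed path
$dlib     = 'C:\Tools\Microsoft.Trusted.Signing.Client\bin\x64\Azure.CodeSigning.Dlib.dll'  # assumed path
$target   = 'C:\Build\MyApp.exe'                                                           # file to sign

foreach ($name in 'AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET') {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ([string]::IsNullOrWhiteSpace($value) -or $value -like '<*>') {
        throw "$name is unset or still a placeholder; SignTool would fall back to interactive login."
    }
}
foreach ($path in $signtool, $dlib, $metadataPath, $target) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
}

# --- 4. Sign: SHA-256 file digest, RFC 3161 timestamp, Trusted Signing dlib + metadata ----------
& $signtool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $dlib /dmdf $metadataPath $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# --- 5. Verify locally before shipping the binary ----------------------------------------------
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
"Signed $target as $($sig.SignerCertificate.Subject)"
```

Two design points. The AZURE_* variables work because the dlib uses the Azure Identity credential chain, whose environment credential reads exactly these three names for a client-secret service principal; the app registration's service principal also needs to be granted the signing role on the Trusted Signing account (the quickstart assigns Trusted Signing Certificate Profile Signer) or the digest submission is rejected even though authentication succeeds. And because a user-scoped environment variable is stored in the registry and readable by every process running as that user, keep the secret to a dedicated build account or CI secret store, give it a short expiry in the app registration, and rotate it rather than leaving it in place indefinitely.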