<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Office 365 API Error "The account needs to be added as an external user in the tenant first"
Dec 5, 2025
Okta Integration Network
Overview

Office 365 Graph API authentication flow fails with the following error visible in the Okta dashboard:

AADSTS50020: User account <usename> from identity provider <identity provider> does not exist in tenant <tenant name> and cannot access the application <application ID> (Okta Microsoft Graph Client) in tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

 

Error message

Applies To
  • Office 365
  • Provisioning
  • Graph Client
  • Error
Cause

The Microsoft Admin Account used to Authenticate the API does not belong to the Microsoft domain configured in the Office 365 Okta Integration General tab.

General settings

Solution

Authenticate the API with a Microsoft Account belonging to the Microsoft domain defined in the General tab of the Office 365 Okta Integration.


 

Related References

Recommended content

Still looking for help?
Loading
Office 365 API Error "The account needs to be added as an external user in the tenant first"