AADSTS165000 Error When Logging in with Google as an Identity Provider for Azure AD B2B Guest Users

By setting up federation with Google, you can allow invited users to sign in to your shared apps and resources, such as SharePoint, with their own Gmail accounts, without having to create Microsoft accounts.

In testing, I received an AADSTS165000 error when trying to access a shared file as an invited external guest user with a Google Gmail account. The issue turned out to be case sensitivity in the authorized redirect URIs added to the Google developer project. The directions from Microsoft on how to create the project are available here, and one of the redirect URIs needs to be https://login.microsoftonline.com/te/<tenant name>.onmicrosoft.com/oauth2/authresp (where <tenant name> is your tenant name). If you copy your tenant name straight out of the Azure Active Directory portal, it will likely contain a mix of uppercase and lowercase letters. If you leave it as is when entering the URI, users will receive the error code above when trying to access the resource. This authorized redirect URI needs to be entered entirely in lowercase to resolve the issue.
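A small validation script, added here as an example and not part of the original post, that builds the expected authresp redirect URI for a tenant and flags any configured URI that differs from it only by letter case (the exact mistake described above). The tenant name and the list of configured URIs are constructed samples.

```python
"""Check Google OAuth client redirect URIs for the Azure AD B2B authresp endpoint."""
from typing import Dict, List

HOST = "login.microsoftonline.com"
AUTHRESP_PATH = "/oauth2/authresp"


def expected_redirect_uri(tenant_name: str) -> str:
    """Return the redirect URI Azure AD expects, with the tenant name lower-cased.

    Accepts either the bare tenant name ("Contoso") or the full
    "Contoso.onmicrosoft.com" form as copied from the portal.
    """
    tenant = tenant_name.strip().lower()
    suffix = ".onmicrosoft.com"
    if tenant.endswith(suffix):
        tenant = tenant[: -len(suffix)]
    return f"https://{HOST}/te/{tenant}{suffix}{AUTHRESP_PATH}"


def check_redirect_uris(configured: List[str], tenant_name: str) -> Dict[str, object]:
    """Report whether the exact lowercase URI is present and list case-only near misses.

    Google matches redirect URIs as exact strings, so a URI that is equal to the
    expected one only after lower-casing is a misconfiguration, not a match.
    """
    expected = expected_redirect_uri(tenant_name)
    exact = [u for u in configured if u == expected]
    case_only = [u for u in configured if u != expected and u.lower() == expected]
    return {"expected": expected, "ok": bool(exact), "case_mismatches": case_only}


if __name__ == "__main__":
    # Constructed sample: tenant name copied from the portal with mixed case,
    # and a redirect URI entered exactly as copied.
    sample_tenant = "ContosoDemo"
    sample_uris = [
        "https://login.microsoftonline.com/te/ContosoDemo.onmicrosoft.com/oauth2/authresp",
    ]
    report = check_redirect_uris(sample_uris, sample_tenant)
    print("expected:", report["expected"])
    print("ok:", report["ok"])
    for uri in report["case_mismatches"]:
        print("case mismatch (will trigger AADSTS165000):", uri)
```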