Interactive Browser Credential "You can't sign in here with a personal account. Use your work or school account instead."


I am attempting to implement Interactive Browser Credential with Azure Identity (JS) in my app so that users can authenticate to their own Azure accounts for my dev tool. I got advice that app registration in Azure AD would be required on a Reddit thread (https://www.reddit.com/r/AZURE/comments/smcl15/azure_identity_sdk_js_how_to_authenticate_to/). I have now done so.

I have registered localhost:8083 and localhost:8085 as redirect URIs and selected the option to allow Account in any organizational directory. However, I am still getting the error "You can't sign in here with a personal account. Use your work or school account instead." Every answer (Access with personal account to multi-tenant application AAD) I have read on the topic says that I need to set "signInAudience": "AzureADandPersonalMicrosoftAccount" in the manifest. However, that is how my manifest already is and has been since the beginning. How do I fix the error?


There are 1 best solutions below

kavyaS On

This error may occur in one of the below two scenarios.

1. Resource being different from client application

Please ensure the requested resource is added to the application's required API permissions and that the resource API has been consented to. As the resource for which you want an access token, you can pass either the resource URI of a web app or the client ID of the target web API. It's important to note that the token contains the resource as requested (audience).

If you have a permission such as user_impersonation, try giving the scope as https://management.azure.com/user_impersonation


Please check whether you need to add the API version as a query string, as per the Azure REST API reference documentation | Microsoft Docs.

Make sure you see the app in the App registrations > All applications blade when searching for the appId present in the error provided.

2. Resource and client are the same app registration

In App registrations, after exposing the API and adding permissions and scope, ensure the app has been consented to the permission.

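The answer's point that the token contains the requested resource as its audience can be checked on a token you have already obtained. The following is an added example, not part of the original answer: the function names and the sample tokens are constructed for illustration, and the claims are decoded without signature verification, so it is a diagnostic aid only.

```javascript
// Diagnostic only: reads claims WITHOUT verifying the signature.
// Never base an authorization decision on this output.

// "https://management.azure.com/user_impersonation" -> "https://management.azure.com"
function resourceFromScope(scope) {
  const schemeEnd = scope.indexOf("://");
  const idx = scope.lastIndexOf("/");
  if (schemeEnd < 0 || idx <= schemeEnd + 2) {
    throw new Error("scope has no permission segment: " + scope);
  }
  return scope.slice(0, idx);
}

// Decode the middle (payload) segment of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare case-insensitively and ignore a trailing slash.
const normalize = (s) => String(s).replace(/\/+$/, "").toLowerCase();

// Does the token's aud claim match the resource implied by the scope?
function checkAudience(token, scope) {
  const expected = resourceFromScope(scope);
  const aud = decodeJwtPayload(token).aud;
  const actual = Array.isArray(aud) ? aud : [aud];
  const matches = actual.some((a) => normalize(a) === normalize(expected));
  return { expected, actual, matches };
}

// Constructed sample token (unsigned, not issued by any identity provider).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "none", typ: "JWT" }), enc(claims), "constructed"].join(".");
}

const SCOPE = "https://management.azure.com/user_impersonation";
const good = makeSampleToken({ aud: "https://management.azure.com/" });
// Placeholder GUID standing in for a token issued for a different resource.
const bad = makeSampleToken({ aud: "00000000-0000-0000-0000-000000000000" });

console.log(checkAudience(good, SCOPE));
console.log(checkAudience(bad, SCOPE));
```

A mismatch here means the token was requested for a different resource than the API being called, which is the first scenario in the answer.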