You’re very close — the issue isn’t your Power Pages site settings, it’s how Microsoft Entra multi‑tenant authentication works. Even if your app registration is set to “Accounts in any organization directory (Multitenant)”, users from other tenants still cannot sign in unless they become guests in your tenant first.
That’s why you’re seeing:
AADSTS90072 – The account needs to be added as an external user in the tenant first
This is expected behaviour for Entra ID when using the standard OAuth/OpenID flow.
Why this happens
Power Pages uses your tenant as the home for the App Registration.
When an external user tries to sign in:
- Their home tenant doesn’t know your app
- Your tenant doesn’t know their user
- So Entra blocks the login unless the user is added as a B2B guest in your tenant
This is not related to your site being private or restricted — even public sites behave the same way with Entra ID.
How to allow users from other organizations to sign in
You have two supported options:
Option 1 — Add external users as B2B guests (required for Entra ID multi‑tenant apps)
Invite them to your tenant:
Entra ID → Users → New guest user → Invite
Once they appear as guests, they can sign in to your Power Pages site.
This is the only supported method when using Entra ID (B2B) authentication.
Option 2 — Use Microsoft Entra External ID (B2C)
If you want true open multi‑tenant access without manually inviting users:
- Switch your site to External ID (B2C)
- Configure a user flow for sign‑in/sign‑up
- Anyone with a Microsoft account or Entra account can authenticate without being added as a guest
This is the recommended approach for public‑facing Power Pages sites.
Important
Multi‑tenant App Registration does not mean “anyone can sign in”.
It only means “other tenants can consent to the app”, but Power Pages does not expose that consent flow — so B2B guest invitation is still required.
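
The guest invitation from Option 1 can also be scripted. The following is an added example, not part of the original answer: it uses the Microsoft Graph PowerShell SDK to invite several users, refusing any domain that is not on an approved list and skipping addresses that already exist in the tenant. The site URL, domain list and e-mail addresses are constructed placeholders.

```powershell
# Added example: bulk B2B guest invitation with a domain allow-list.
# Needs the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules
# and an account that is allowed to invite guests in your tenant.

# Placeholders (assumptions, replace with your own values)
$SiteUrl        = 'https://your-site.example'            # where the guest lands after redeeming
$AllowedDomains = @('partner-a.example', 'partner-b.example')
$Invitees       = @(
    'alice@partner-a.example',
    'bob@partner-b.example',
    'eve@unknown.example'                                # not allow-listed, will be skipped
)

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

$results = foreach ($email in $Invitees) {
    $domain = ($email -split '@')[-1].ToLowerInvariant()

    # Only invite from organizations that were explicitly approved.
    if ($domain -notin $AllowedDomains) {
        [pscustomobject]@{ Email = $email; Action = 'Skipped: domain not allow-listed' }
        continue
    }

    # Do not re-invite an address that already has a user object in the tenant.
    $escaped  = $email.Replace("'", "''")                # escape quotes for the OData filter
    $existing = Get-MgUser -Filter "mail eq '$escaped'" -Property Id, UserType -Top 1
    if ($existing) {
        [pscustomobject]@{ Email = $email; Action = "Skipped: already present ($($existing.UserType))" }
        continue
    }

    try {
        $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                                -InviteRedirectUrl $SiteUrl `
                                -SendInvitationMessage:$true -ErrorAction Stop
        [pscustomobject]@{ Email = $email; Action = "Invited: $($inv.Status)" }
    }
    catch {
        [pscustomobject]@{ Email = $email; Action = "Failed: $($_.Exception.Message)" }
    }
}

# Keep the outcome as a record of who was granted guest access and who was refused.
$results | Format-Table -AutoSize
```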