Hi @Damian Strycharczuk,
Thank you for posting your question on Microsoft Q&A.
As per our understanding, you are trying to enable login to your Nuxt.js application using Microsoft Entra External ID with the nuxt-oidc-auth package. While you can create new user accounts with email and OTP, login attempts fail with the error:
“AADSTS500207: The account type can't be used for the resource you're trying to access.”
You have tried different login URLs and configured API scopes and permissions but still face issues.
Please try the steps below to fix the issue:
- Set Up Your App Registration Properly
  - In the Azure portal, go to Microsoft Entra ID (External ID) > App registrations, and select your Nuxt app.
  - Under Authentication, ensure Supported account types is set to: “Accounts in any organizational directory or any identity provider (for authenticating users with user flows)”
  - Add your app’s exact login redirect URI (e.g., https://yourapp.com/auth/callback) under Redirect URIs.
  - Under Expose an API, define any custom scopes and grant admin consent.
- Use the Correct User Flow Endpoints
  - Azure Entra External ID user flows (sign-up/sign-in) have unique URLs. You must use the URLs specific to your user flow, not generic endpoints like /common or /organizations.
  - In the Azure portal, go to User flows (policies), select your sign-in or sign-up policy, and copy the OpenID Connect metadata document URL.
  - Use the base URL of this policy (remove /.well-known/openid-configuration) as the “issuer” URL in your Nuxt app configuration.
- Configure Nuxt Application
  - In your Nuxt app’s OIDC settings (e.g., nuxt.config.js), set the issuer to your user flow base URL.
  - Use your app registration’s clientId.
  - Ensure redirectUri matches your registered redirect URI exactly.
  - Set scope to include openid profile offline_access and your API scopes.
  - Use responseType: 'code' for secure authorization.
- Clear Cache and Test
  - Clear browser cache or try a private browsing session to avoid cached failures.
Please refer to: https://learn.microsoft.com/en-us/graph/add-properties-profilecard
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.