authentication blazor-webassembly microsoft-entra-external-id

AADSTS500208 "domain is not a valid login domain" error when migrating Blazor WASM from Azure AD B2C to Entra External ID


Problem

We're migrating a Blazor WebAssembly application from Azure AD B2C to Entra External ID and encountering authentication issues. Users can't sign in or sign up, receiving the error:

ServerError: invalid_request: AADSTS500208: The domain is not a valid login domain for the account type.

Current Setup

Configuration Changes Made

  1. Created Entra External ID tenant and app registration
  2. Set up "Sign up and sign in" user flow with custom attributes
  3. Updated Blazor WASM configuration:
    {
      "Authority": "https://login.microsoftonline.com/new-tenant-id",
      "ClientId": "new-client-id"
    }
    
  4. App registration configured as multi-tenant with proper redirect URIs

Current Behavior

Our goal is to allow users from any company to sign up using their work email addresses, with users grouped by organization/domain for data filtering purposes.

Environment


Solution

  • Try:

    1. Changing Authority to https://new-tenant-name.ciamlogin.com/new-tenant-id

    2. If you're running this with localhost, make sure your Redirect URI contains the port number, i.e. <https://localhost:8000/authentication/login-callback> instead of https://localhost/authentication/login-callback

    Hope that helps!
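
The two settings the answer suggests checking can be linted before deployment. This is an added example, not code from the original post or from Microsoft; `lint_auth_config` and its parameters are hypothetical names, and the tenant name, tenant ID and port are the placeholders used above.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/authentication/login-callback"  # callback path shown in the answer


def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), parts.port or default


def lint_auth_config(authority, app_url, registered_redirect_uris):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    # Check 1: the authority host should be the tenant's ciamlogin.com subdomain,
    # not the login.microsoftonline.com endpoint from the question.
    host = (urlsplit(authority).hostname or "").lower()
    if not host.endswith(".ciamlogin.com"):
        findings.append(f"authority host '{host}' is not a *.ciamlogin.com endpoint")

    # Check 2: a registered redirect URI must match the URL the app is served
    # from, including the port (https://localhost is port 443, not 8000).
    expected = app_url.rstrip("/") + CALLBACK_PATH
    want = _origin(expected)
    exact = any(
        _origin(uri) == want and urlsplit(uri).path == CALLBACK_PATH
        for uri in registered_redirect_uris
    )
    if not exact:
        findings.append(f"no registered redirect URI matches '{expected}'")
        for uri in registered_redirect_uris:
            _, reg_host, reg_port = _origin(uri)
            if reg_host == want[1] and reg_port != want[2]:
                findings.append(
                    f"'{uri}' has the same host but port {reg_port}; app runs on {want[2]}"
                )
    return findings


if __name__ == "__main__":
    # Constructed input: the question's authority plus a port-less localhost URI.
    for finding in lint_auth_config(
        "https://login.microsoftonline.com/new-tenant-id",
        "https://localhost:8000",
        ["https://localhost/authentication/login-callback"],
    ):
        print("FINDING:", finding)
```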