Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application

Greg B 5 Reputation points
2024-11-19T21:17:21.3233333+00:00

I am trying to use Azure Trusted Signing. I have completed identity validation and created a public trust certificate. I am trying to use it via command line:

C:\Windows\System32>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Users\admin\AppData\Local\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll" /dmdf ".....\azureSigningInfo.json" ".....\myApp.exe"

I am getting this error:

Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application 'XXXXXXXXXXXX' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

I suspect any of the following may be the issue, but am unclear:

  1. When I did Identity Validation, I submitted two emails which do not match the login I use for Azure.
  2. The login I have for Azure was originally created outside of Azure for other personal use with Microsoft (such as Skype). While I can view Azure just fine, perhaps there is a conflict there.
  3. Some other Azure administrative setting I do not understand. I find this process unbelievably complicated. I am a single-person user in the account who is just trying to set up Trusted Signing.

Can you please provide some guidance as to what the error above really means and what steps are required to resolve it?


5 answers

  1. Meha-MSFT 490 Reputation points Microsoft Employee
    2024-11-19T21:43:50.17+00:00

    Were you able to reference your Trusted Signing account in metadata.json? To invoke SignTool to sign a file:

    1. Make a note of where your SDK Build Tools, the extracted Azure.CodeSigning.Dlib, and your metadata.json file are located (from earlier sections).
    2. Replace the placeholders in the following path with the specific values that you noted in step 1:

    What it is looking for is the Trusted Signing account to pull the certificates from within it. An email address is not required to pass here.


  2. Meha-MSFT 490 Reputation points Microsoft Employee
    2024-11-19T21:58:11.2766667+00:00

    Try this to see the list of accounts, and maybe log out and log back in to the account where you have your Trusted Signing resources created before you execute the commands.

    az account list Get a list of subscriptions for the logged in account. By default, only 'Enabled' subscriptions from the current cloud is shown. Core GA

  3. Navya 14,205 Reputation points Microsoft Vendor
    2024-11-20T03:30:12.6633333+00:00

    Hi @Greg B

    Thank you for posting this in Microsoft Q&A.

    I understand you are trying to use Azure Trusted Signing using a CLI command but are getting an error while authenticating from the browser.

    Based on the information you provided, it seems that you are trying to log in to the Microsoft Entra admin center using a personal account (Outlook, Hotmail, or OneDrive). However, when you use a personal Microsoft account to log in, you are connected to the Microsoft Services tenant by default, which does not have a linked directory for performing any actions. This behavior is expected.

    As Azure Trusted Signing Service is a part of Azure, it is asking you to authenticate with Entra/Azure while executing commands in azure cli.

    To resolve this issue, you can try creating an Azure account on https://azure.microsoft.com/en-us/free/. This will automatically designate you as the Global Administrator, granting you full access to all options within this tenant.

    For your reference: https://zcusa.951200.xyz/en-us/troubleshoot/entra/entra-id/app-integration/error-code-aadsts50020-user-account-identity-provider-does-not-exist#cause-1-users-log-in-to-microsoft-entra-admin-center-by-using-personal-microsoft-accounts

    If you are still encountering the issue, please send an email as my colleague Givary shared the details to connect offline and discuss further on this.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


  4. Meha-MSFT 490 Reputation points Microsoft Employee
    2024-11-22T18:40:44.9633333+00:00

    @Greg the issue here is not being able to recognize the right Azure tenant, so it's not even hitting Trusted Signing yet.

    Trusted Signing cert profiles don't include email addresses, nor does the email address come into the picture when calling the dlib to sign your files. To clarify and not confuse you further: do give it a try to log out and log back into your Azure tenant before executing any commands to sign your file.


  5. Greg B 5 Reputation points
    2024-12-12T19:48:48.4066667+00:00

    Just to close this out... I connected with a senior tech who was able to get things resolved. The underlying issue is that the signtool was redirecting to authenticate on a web browser and this does not work.

    The correct method required installing the Azure CLI and using it to authenticate before using signtool.exe.

    This process was significantly complicated by a couple of factors. The required authentication mechanism is not documented on the support docs for Trusted Signing, and the error messages shown in the browser authentication were vague / misleading. It took weeks of troubleshooting just to find that the solution was a single CLI command.

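The resolution described in this thread (authenticate with Azure CLI first, then run signtool), written up as a repeatable script. This is an added example, not code from the thread or from Microsoft; the tenant ID, file paths and metadata path are placeholders you must replace.

```powershell
# Added example (not from this thread): sign in with Azure CLI against the tenant that
# owns the Trusted Signing account, confirm the session is in that tenant, then call
# signtool with the same dlib/metadata arguments used in the question, and verify.
$ErrorActionPreference = 'Stop'

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Entra tenant ID
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
$Dlib     = "$env:LOCALAPPDATA\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll"
$Metadata = 'C:\path\to\azureSigningInfo.json'       # placeholder
$Target   = 'C:\path\to\myApp.exe'                   # placeholder

# 1. Sanity-check the metadata file the dlib reads: it must name the Trusted Signing
#    account endpoint, account name and certificate profile (no e-mail address is involved).
$meta = Get-Content -Raw $Metadata | ConvertFrom-Json
foreach ($key in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if (-not $meta.$key) { throw "metadata.json is missing '$key'" }
}

# 2. Log in with an explicit tenant. A personal Microsoft account signed in without
#    --tenant lands in the 'Microsoft Services' tenant, which is the error in the question.
az login --tenant $TenantId --only-show-errors | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'az login failed' }

# 3. Confirm the active CLI session is really in the expected tenant before signing.
$activeTenant = az account show --query tenantId -o tsv
if ($activeTenant -ne $TenantId) {
    throw "Active tenant '$activeTenant' does not match expected '$TenantId'"
}

# 4. Sign. The dlib picks up the Azure CLI credential, so no browser prompt should appear.
& $SignTool sign /v /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $Dlib /dmdf $Metadata $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify the result chains to a trusted root and carries a timestamp countersignature.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'Signature has no timestamp' }
"Signed by: $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Step 3 is the check that would have surfaced the problem in this thread immediately: if the tenant ID returned by az account show is not the one that holds the Trusted Signing resources, signtool has no chance of succeeding.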
