I have created an user App Registration to enable authentication of both AD users and personal MS accounts with my app. I believe the most relevant settings in the manifest file are:
'signInAudience': 'AzureADandPersonalMicrosoftAccount', 'accessTokenAcceptedVersion': 2
I am able use my personal MS account to log in to the application, but only when the account is added as a guest user on the tenant (on which the App Registration is). Is there any way to enable this functionality without adding the personal MS accounts as guest users on the tenant?
The error message that I get when the Ms account is not added as a guest user:
It sounds like you are not using the v2 authorization endpoint. You need to use
https://login.microsoftonline.com/common/v2.0
as the authority. The new version of MSAL.js (@azure/msal-browser) uses that by default at least if you don't configure an authority for example. Using that authority should result in usinghttps://login.microsoftonline.com/common/oauth2/v2.0/authorize
as the login page. The older "common" endpoint supports any Azure AD tenant, but does not support personal accounts unless they are guests in an AAD tenant (like you see in your error).