Security

Hi all,I'm hoping someone can point out what I'm missing here.

I'm configuring social logins in ClearPass Guest and have had good success with other providers, but Microsoft is causing problems. I'm referring here to consumer/public Microsoft accounts such as live.com, outlook.com, and hotmail.com, not just Microsoft Entra work or school accounts.

When I click the Microsoft login button, I'm redirected to the Microsoft sign-in page and can complete authentication, but I then receive the following error:

it was not possible to access the API call: it was returned an unexpected response status 400
Response: <h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>

What makes me suspect the consumer Microsoft flow is that the redirect appears to be going to login.live.com rather than login.microsoftonline.com. My understanding is that older Microsoft consumer auth flows used login.live.com, whereas current Microsoft identity platform guidance is centered around Entra app registrations and supported account types.

I have already created an app registration in Entra, and that works for corporate accounts. However, I also need this to work for public Microsoft accounts. If I change the social login provider from Microsoft to Microsoft Entra, corporate accounts authenticate correctly , but personal Microsoft accounts fail with AADSTS500200.

From what I can tell, AADSTS500200 usually indicates that the application or endpoint being used does not actually accept personal Microsoft accounts, even if the intention is to support them. Microsoft documents that personal accounts require the app registration to use a supported audience such as Personal Microsoft accounts only or Accounts in any organizational directory and personal Microsoft accounts.

I've tested this on 6.12.7, all other 6.12 releases, and also 6.11.13 and 6.11.14, with the same result throughout.

Has anyone managed to get consumer Microsoft social login working in ClearPass Guest recently, or is the built-in Microsoft social provider still tied to an older flow that no longer works reliably for public accounts?

Any guidance or known workaround would be appreciated.