Application is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.

I was getting this error message when trying to sign into Azure Active Directory in a .Net Core 2.x app. It was written by someone else so I wasn't sure where exactly our code ends and framework code begins.

The error reads thus:

Application '[id]' is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.  

Which doesn't sound too bad, until you can't find common anywhere in your code. So then you have to find out what that means. So apparently there's a bit of history behind the common endpoint. As detailed here, it was created to allow users from multiple Active Directory accounts to sign into a single application. With it, you can let the user sign in, and then figure out the tenant later on.

Similarly, there is an organizations endpoint, which only allows users with organizational AD accounts to sign in. Or there is the tenant-specific endpoint, which allows only a single AD account to sign in. There is a decent SO explanation here, or the docs.

Sidenote: I suspect this is why Microsoft had that login form for a couple of years where it showed a username and password field, except whenever you filled out your username and started typing your password, it would destroy that field and do some xhr thing for a few seconds before asking whether it was a work or personal account and continuing to allow you to fill out your password.

So where do you make the change in your code? I'm not sure if this is the best way to do it, but I did it in Startup.cs and set the AuthorizationEndpoint and TokenEndpoint manually.

public class Startup {

    public void ConfigureServices(IServiceCollection services) {


        MicrosoftAccountOptions authOpts = new MicrosoftAccountOptions();
        authOpts.ClientId = Configuration["Azure:ClientId"];
        authOpts.ClientSecret = Configuration["Azure:ClientSecret"];

        // Override the default multi-tenant identity option of 'common', and set the
        // auth to only allow users from a single active directory (use the
        // tenant-specific endpoint).
        var activeDirectoryTenantId = Configuration["Azure:TenantId"];
        var baseUrl = "https: //" + activeDirectoryTenantId +
        authOpts.AuthorizationEndpoint = baseUrl + "/authorize";
        authOpts.TokenEndpoint = baseUrl + "/token";
        authOpts.SaveTokens = true;
        app.UseMicrosoftAccountAuthentication( authOpts );

Most of the answers on Google and SO seemed to suggest making the app multi-tenant on Azure. A lot of that was from people using AD as an OpenID source. That's not what was happening to me, but it could be your issue if this isn't what you are looking for.