Question

Why do I get an error message when signing in to the Entitlement Portal?
 
Some customers may experience problems signing in to the new Entitlement Portal using their company email address.

Common error messages include:

  • “Unexpected application exception, please report an issue”

  • “Sorry, but we’re having trouble signing you in”

  • “AADSTS50020”

  • “The account needs to be added as an external user in the tenant first”

Answer

Important to know

  • You must sign in using your company Microsoft account.

  • The new Entitlement Portal does not use the same DHI sign-in credentials as the legacy internet licence system.

  • If you are asked for a password, use your company Microsoft account password.

  • Most users do not need access to the Entitlement Portal.

  • In most cases, only your company Administrator needs portal access.
     

Why this happens

  • The new Entitlement Portal uses Microsoft Entra for sign-in.

  • In some cases, sign-in issues may be caused by an older or more complex single sign-on setup that is not fully compatible with Microsoft Entra.

  • This may be more common in larger organisations with dedicated or more complex SSO environments.

     

Recommended checks

  • Make sure you are using the correct company Microsoft account

  • Make sure you are entering your company Microsoft password

  • Sign out of Microsoft completely and try again in a private or incognito browser

  • Ask your IT team to check whether your account has been set up correctly

  • If needed, ask your IT team to check whether your account needs to be added as an external user in the tenant

     

Workaround

  • Use an alternative administrator email address that can sign in successfully, for example a personal email address, or

  • Ask your IT team to create a dedicated shared software admin mailbox that can sign in through a different sign-in path and use that mailbox for portal administration tasks

For the time being, our Customer Care team can also help onboard an alternative administrator, so this issue should not affect the use of MIKE software within your organisation.

Ongoing investigation

  • This issue is still being investigated by Microsoft, and DHI currently has an open support case with Microsoft

 
Additional information
  • The new Entitlement Portal uses the newest SSO protocols from Microsoft Entra. Often, the sign-in problem appears to be related to an older Active Directory Federation Services (ADFS) deployment issuing SAML 1.1 tokens instead of SAML 2.0 tokens. Microsoft Entra does not trust SAML 1.1 tokens from ADFS: the tokens lack the tenant IDs that Entra expects, and they are not signed with certificates that Entra can verify.

 

  • An ADFS federation metadata URL is a publicly accessible HTTPS endpoint on an ADFS server that provides a machine‑readable XML document describing how other systems can trust and communicate with that ADFS instance. See the example generated by Copilot in Fig 1.

 

Fig 1, an ADFS URL example 
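
For IT teams checking their own setup: the Python example below is added here and is not DHI or Microsoft code. It reads a federation metadata document of the kind described above and reports the SAML 2.0 support, token types, signing certificates and sign-on endpoints it advertises. The metadata is a constructed, trimmed sample with a placeholder host and certificate, and the function name `summarize_metadata` is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample, trimmed to the elements read below (placeholder host and certificate).
# "urn:oasis:names:tc:SAML:1.0:assertion" is the identifier used for SAML 1.x assertions.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://sts.example.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sts.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def summarize_metadata(xml_text):
    """Return what the federation metadata advertises to relying parties."""
    # For metadata from a server you do not control, use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    protocols = idp.get("protocolSupportEnumeration", "").split() if idp is not None else []
    sso = idp.findall("md:SingleSignOnService", NS) if idp is not None else []
    return {
        "entity_id": root.get("entityID"),
        "saml2_idp": SAML2_PROTOCOL in protocols,
        "token_types": sorted({t.get("Uri") for t in root.iterfind(".//fed:TokenType", NS)}),
        "signing_certs": len(root.findall(
            ".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)),
        "sso_endpoints": [(s.get("Binding").rsplit(":", 1)[-1], s.get("Location")) for s in sso],
    }

if __name__ == "__main__":
    for key, value in summarize_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The output shows only what the server advertises; which token type a particular sign-in actually received still has to be confirmed by the IT team on the ADFS side.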

 

Additional Microsoft guidance