Symptoms

An Office 365 sales order or synchronization attempt fails with the following error:

"error":"invalid_request","error_description":
"AADSTS50178: User account 'user@resellerDomainCSP.onmicrosoft.com' from identity provider 'https://sts.windows.net/a3831efe-...-8128a3717143/' does not exist in tenant 'End-customer organization' and cannot access the application 'cde22860-...-08622a196d0c' in that tenant.
The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."

The same error can occur when running the readCSPAccounts.py script.

The following error appears in the site log (sitelog):

2018-09-03 00:03:40,604 [  65] ERROR aps_endpoint: Azure AD Graph API server returned an web exception 'The remote server returned an error: (400) Bad Request.'.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Parallels.Office365.Gateway.Graph.AzureAdGraphHttpWebRequest.ExecuteAndHandleResponse[T](HttpWebRequest webRequest, String requestBodyForPrint) in c:\inetpub\wwwroot\O365App\App_Code\Graph\AzureAdGraphHttpWebRequest.cs:line 200
2018-09-03 00:03:40,619 [  65] DEBUG aps_endpoint: Azure AD Graph API request POST url: 'https://login.windows.net/5ff865a3-ed94-4d0b-b93e-1da92ac1b79b/oauth2/token',

Cause

The issue can have several causes:

  1. Software-related issue #APSA-20169 "MFA on Microsoft side breaks the O365 integration". Microsoft tenants with multi-factor authentication (MFA) enabled were not supported by Office 365 application versions earlier than 18.4.1.
  2. Software-related issue #APSA-20976 "Provisioning subscription fail due to 'SetApplicationConsents' did not have time to propagate permission". The application sends a request that propagates the required permissions (application consents) to the customer's tenant on the Microsoft side and, after a short delay, issues the next provisioning request. The delay between these two requests is too short, so the changes have not yet propagated to the customer's tenant; the next request therefore fails, and the sales order fails with it.
  3. The customer revoked the delegated access permissions previously granted to the provider.
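The three causes above surface as the same HTTP 400 from the token endpoint (the log shows the POST to https://login.windows.net/<tenant-id>/oauth2/token), so the practical check is to parse the AADSTS code out of the response body and retry only when the failure may be the consent-propagation race of #APSA-20976. The example below is added here and is not code from the article or from the Office 365 application; the sample response bodies are constructed from the error quoted in Symptoms, the token request is abstracted behind a caller-supplied callable `request_token`, and the attempt count and delay are illustrative values, not the application's own settings.

```python
"""Added example (not from the KB article or the Office 365 application):
classify the AADSTS error returned by the Azure AD token endpoint and retry
only while it can still be the consent-propagation race (#APSA-20976).

Assumptions (not from the article): the token request is made through a
caller-supplied callable returning (http_status, body_text); attempt count
and delay are illustrative.
"""
import json
import re
import time
from typing import Callable, Optional, Tuple

AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Constructed sample modelled on the 400 body quoted in the article.
SAMPLE_50178_BODY = json.dumps({
    "error": "invalid_request",
    "error_description": (
        "AADSTS50178: User account 'user@resellerDomainCSP.onmicrosoft.com' "
        "from identity provider 'https://sts.windows.net/a3831efe-.../' does "
        "not exist in tenant 'End-customer organization' and cannot access "
        "the application 'cde22860-...' in that tenant. The account needs to "
        "be added as an external user in the tenant first."
    ),
})

# Constructed sample of a non-retryable error (AADSTS50076 is the code Azure
# AD returns when multi-factor authentication is required).
SAMPLE_MFA_BODY = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: multi-factor authentication required.",
})

# Only this code may mean "consent not propagated yet" per #APSA-20976.
RETRYABLE_CODES = {"50178"}


def parse_aadsts_code(body: str) -> Optional[str]:
    """Return the AADSTS code ('50178', ...) from a token-endpoint error body,
    or None when the body is not a JSON error carrying such a code."""
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    match = AADSTS_RE.search(payload.get("error_description", ""))
    return match.group(1) if match else None


def request_token_with_retry(
    request_token: Callable[[], Tuple[int, str]],
    attempts: int = 5,
    delay_s: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[Optional[str], int, Optional[str]]:
    """Call request_token() until it returns 200 or a non-retryable error.

    Returns (access_token_or_None, attempts_used, last_aadsts_code).
    A bounded number of attempts matters: AADSTS50178 is also what a tenant
    that revoked the provider's consent returns (Cause 3), and no amount of
    waiting fixes that; once attempts are exhausted the caller should fall
    back to re-inviting the customer (Resolution, Case 3)."""
    last_code = None
    used = 0
    for used in range(1, attempts + 1):
        status, body = request_token()
        if status == 200:
            return json.loads(body)["access_token"], used, None
        last_code = parse_aadsts_code(body)
        if status != 400 or last_code not in RETRYABLE_CODES:
            break  # MFA challenge, revoked consent or other error: do not retry
        if used < attempts:
            sleep(delay_s)  # give the consent time to propagate, then retry
    return None, used, last_code


def make_fake_token_endpoint(failures_before_success: int):
    """Constructed stand-in for the token endpoint: answers AADSTS50178 until
    the consent 'propagates', then returns a (fake) access token."""
    calls = {"n": 0}

    def request_token() -> Tuple[int, str]:
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            return 400, SAMPLE_50178_BODY
        return 200, json.dumps({"access_token": "eyJ...constructed"})

    return request_token


if __name__ == "__main__":
    endpoint = make_fake_token_endpoint(failures_before_success=2)
    token, used, code = request_token_with_retry(
        endpoint, attempts=5, delay_s=0, sleep=lambda _: None)
    print(f"token={token!r} after {used} attempt(s), last code={code}")
```

In the real gateway the same decision is taken by the provisioning request that follows `SetApplicationConsents`: retrying that request after a delay is the automated equivalent of resubmitting the order. Any other AADSTS code, or a 50178 that persists after the retries, is not the propagation race and points to the MFA upgrade (Case 1) or a re-invitation of the customer (Case 3).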

Resolution

Case 1:

Multi-factor authentication has been supported by the Office 365 application since version 18.4.1 (implemented in the scope of the aforementioned issue #APSA-20169). It is strongly recommended to upgrade the Office 365 application to version 18.4.1 or later; newer versions of the application support the updated security policies set by Microsoft.

Case 2:

Issue #APSA-20976 was fixed in version 19.1 of the Office 365 application; consider upgrading the application to a newer version. For currently affected orders, it is enough to resubmit the order for provisioning; the order should complete successfully on the second attempt.

Case 3:

Provide the customer with the invitation URL, which can be obtained from the Office 365 application instance settings. The customer should accept the delegation of all requested permissions.
