Runbook — LumisCare "Unable to load your account" (Entra B2B + JIT/DB mapping) — 2026-06-02

Runbook — LumisCare "Unable to load your account" (Entra B2B + JIT/DB user mapping)

Date: 2026-06-02 · Evidence: /tmp/evidence-session-fe5379ce/ · Env: ALAI demo (Azure tenant 3454a03f, rg-lumiscare-demo) · App: app.lumiscare.com, appId e422174a-24a6-4889-b66c-f6c483b8631f

Symptom

After login, the backoffice shows "Unable to load your account — We could not retrieve your user information." Rendered by frontend/packages/shared-ui/src/components/layout/AccountInfoLoader.tsx when the GET /users/about-me query (in useAccountStore.ts) errors.

Root cause (NOT a password problem)

A Microsoft Entra B2B / admin-consent / backend user-mapping problem. A logged-in guest (alem@alai.no, Entra OID f9275cf4-…) authenticated, but was not correctly provisioned/mapped to a LumisCare DB user + org, so /users/about-me could not return a usable account.

What is NOT the cause (verified, do not chase again)

• Backend GET /api/v1/users/about-me returns HTTP 200 with a valid shape for a correct token.
• CORS is fine — CorsConfig uses allowedHeaders("*"), app.lumiscare.com allowed, credentials true; OPTIONS preflight → 200.
• Frontend env is correct — LUMISCARE_CLIENT_ID / LUMISCARE_BACKEND_CUSTOMER_CLIENT_ID = e422174a, scope api://e422174a/api.
• Data exists — /service-users = 15, /hr/employees = 10 for org f714cc2f.
• Deployed tree = frontend/packages/backoffice + shared-ui (NOT legacy frontend/web/).

Fix (live, in order)

1. Entra B2B invite (re)issued for alem@alai.no — lumiscare-b2b-invite.json / alem-fresh-invite.txt.
2. MSAL config confirmed correct for app.lumiscare.com — uat-login-diagnosis.md.
3. Admin consent grant repaired for the LumisCare app:
   • scope: api openid profile offline_access, consentType=AllPrincipals
   • Grant ID: Tucgg8C0XUKt_DONAFF0Tk7nIIPAtF1CrfwzjQBRdE4
4. Backend BFF/JIT + DB user mapping (the decisive step — frontend deploy/JIT merge alone was NOT enough):
   • alem@alai.no promoted directly in Postgres: DB id eccfeb0c-0b12-4439-9b99-33a12f9110c5, status ACTIVE, org f714cc2f-a0fc-4e47-9164-baa540fd820f (Sunshine Home Care LLC), role system_admin.
   • JWT linkage: Entra OID f9275cf4-… → DB user UUID (via JIT).
   • Backend revs: identity --0000008 (issuer URI + audience GUID match), web-bff --0000032 (audience-permissive + /users alias), Hibernate ddl-auto=update for schema drift.

Proof

• bff-about-me-success.txt → HTTP=200, org f714cc2f, account eccfeb0c…, email mapped from OID.
• alem-user-record-promoted.txt → promoted DB record.

Key lesson

For a new Entra guest, a frontend deploy / JIT merge is not sufficient. A working login requires the backend chain: Entra B2B membership + admin consent + identity-service JIT + an ACTIVE DB user mapped to an org. When "Unable to load account" recurs for a new user → check the DB user + org mapping and admin consent, not the password or the frontend.

Related security debt

• Demo enablement temporarily relaxed identity-service security; track revert + proper app-roles (MC #102747).