Authentication API + AzureAD Connector + Customer MFA

We have a scenario with a custom application. The application uses the Auth0 authentication API to handle all back-end authentication/session management. We have an Auth0 connector pointing to the customer’s AzureAD environment.

When an end user tries to authenticate, they get the following error:

AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.

I’m assuming the customer has MFA required on their end but since we’re using the API to authenticate, we aren’t able to perform the MFA steps.

The question is, based on our setup, is there a way to get MFA to work so the end user is able to successfully authenticate? Would we need to look into using Auth0’s MFA API/settings instead of the customer’s? I’m just not 100% sure how to relay that information back to Azure to indicate the user has performed all necessary steps.

Hi @jrothamel,

Welcome to the Auth0 Community!

Can you please elaborate on your setup? What do you mean by:

Do you have MFA configured in Auth0? Do you still see this error if you turn it off?

Sure thing.

We have a home-grown application that uses Auth0’s Authentication API to handle the authentication logic. We’re not using the Universal Login feature. We have an enterprise connector that points to the customer’s AzureAD environment. They have a policy that says anyone authenticating from outside their internal network must use MFA to complete the process. They use DUO as their MFA client.

The problem is that we get an error message back from Azure when authenticating… probably because we didn’t enforce any MFA in our process.

At this point, we think we need to use the Auth0 MFA API to force the user to enter their DUO code as part of the process to satisfy the customer’s setup requirements. It looks like we will also need to make sure the end user has already gone through the DUO enrollment process before using our application, as the MFA API doesn’t support DUO enrollment.

Thanks for the additional info.

To summarize, your IdP (AzureAD) has MFA required via DUO. Because you are not authenticating with DUO, you are seeing this error.

If I understand your flow correctly, setting up MFA in Auth0 will not satisfy the IdP’s request for MFA. You will need to be prompted by the IdP and complete their challenge for MFA.

Hope this helps.
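The resolution the last reply points to (the IdP must run its own challenge; it cannot be satisfied through the back-channel Authentication API) as an added example that is not code from this thread or from Auth0: a Python helper that recognises the AADSTS50158 error returned from a direct-grant attempt and produces the browser redirect to Auth0's /authorize endpoint for the enterprise connection, with state and PKCE bound to the session. The tenant domain, client id, connection name, redirect URI and the shape of the error payload are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTH0_DOMAIN = "example.us.auth0.com"              # assumed tenant domain (placeholder)
CLIENT_ID = "YOUR_CLIENT_ID"                        # placeholder
CONNECTION = "customer-azuread"                     # assumed enterprise connection name
REDIRECT_URI = "https://app.example.com/callback"   # assumed, must be an allowed callback

# Constructed sample of a failed direct-grant response carrying the IdP's error text.
SAMPLE_ERROR = {
    "error": "access_denied",
    "error_description": "AADSTS50158: External security challenge not satisfied. "
                         "User will be redirected to another page or authentication "
                         "provider to satisfy additional authentication challenges.",
}

def idp_requires_interactive_step(token_error: dict) -> bool:
    """True when the error text carries Azure AD's AADSTS50158 code (MFA / Conditional Access)."""
    return any("AADSTS50158" in str(v) for v in token_error.values())

def make_pkce_pair() -> tuple:
    """Return (code_verifier, S256 code_challenge) for the interactive authorize request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def verify_pkce(verifier: str, challenge: str) -> bool:
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge

def build_authorize_url(state: str, code_challenge: str) -> str:
    """Browser redirect that lets Auth0 hand the user to the IdP, which then runs its MFA."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "connection": CONNECTION, "scope": "openid profile email", "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)

def next_step(token_error: dict) -> dict:
    """Decide whether to fail outright or fall back to the interactive flow."""
    if not idp_requires_interactive_step(token_error):
        return {"action": "fail", "reason": token_error.get("error_description", "")}
    state = secrets.token_urlsafe(24)          # store server-side, check on callback
    verifier, challenge = make_pkce_pair()     # verifier stays server-side too
    return {"action": "redirect", "url": build_authorize_url(state, challenge),
            "state": state, "code_verifier": verifier}
```

On the callback, compare the returned state with the stored one and exchange the code together with the stored code_verifier; only then does the application hold tokens for a user who completed the IdP's challenge.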
