Overview
This article addresses an error encountered when a user attempts to sign in using a Microsoft Azure Active Directory (Azure AD) enterprise connection, despite having previously signed in successfully with the same connection:
Error AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘<>’
Applies To
- Microsoft Azure AD
- Enterprise Connection
- Error AADSTS50076
Cause
This error can occur for any of the following reasons:
- Azure Active Directory (Azure AD) risky sign-in detection flags sign-ins from new or significantly different geographical locations as potentially risky. A flagged sign-in triggers Conditional Access policies, which may require Multi-Factor Authentication (MFA) for access.
- The administrator account is blocked by an MFA requirement or a Conditional Access policy. The exception is an account covered by an IP address exclusion that bypasses the MFA requirement.
- MFA is enforced on the Microsoft Entra ID instance.
Solution
The issue originates from the Microsoft Azure Active Directory (Azure AD) Identity Provider (IdP) configuration. Updating the Auth0 configuration will not help resolve the issue.
Resolving this involves confirming the correct configuration on Azure AD:
- Risky sign-in detection flags that enforce MFA:
  - Review the grant flow: if it does not support MFA, users flagged as risky cannot complete MFA during their Azure AD authentication.
- Conditional Access (CA) policies that enforce MFA on the account:
  - Exclude the application from the conflicting CA rule. Create a new CA rule explicitly targeted to this application that requires MFA for all access (without IP address exclusions).
  - If the business use case allows, ensure that Microsoft Azure Security Defaults are disabled, as they can conflict with granular CA policies.
- MFA is enforced on the Microsoft Entra ID instance:
  - If the business use case allows it, disable MFA enforcement policies for the account used for the AAD sync under security management.
Also, examine the sign-in logs in Azure Active Directory for more details.
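As an added example (not part of the original article or of Auth0's tooling), the script below triages exported sign-in log entries that failed with AADSTS50076 and sorts each one into the three causes listed above. Field names follow the Microsoft Graph `signIn` resource (`status.errorCode`, `riskLevelDuringSignIn`, `appliedConditionalAccessPolicies`) and are assumed; the sample records and the application name are constructed.

```python
"""Triage Azure AD sign-in log entries that failed with AADSTS50076.

Record shape follows the Microsoft Graph `signIn` resource (assumed field
names); the SAMPLE_SIGNINS entries and app name below are constructed.
"""
import json

AADSTS50076 = 50076  # "you must use multi-factor authentication to access ..."

SAMPLE_SIGNINS = json.loads(r"""[
 {"appDisplayName": "Auth0 Enterprise Connection", "ipAddress": "203.0.113.7",
  "status": {"errorCode": 50076}, "riskLevelDuringSignIn": "medium",
  "conditionalAccessStatus": "failure", "appliedConditionalAccessPolicies": []},
 {"appDisplayName": "Auth0 Enterprise Connection", "ipAddress": "198.51.100.2",
  "status": {"errorCode": 50076}, "riskLevelDuringSignIn": "none",
  "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA - all apps",
    "enforcedGrantControls": ["Mfa"], "result": "failure"}]},
 {"appDisplayName": "Auth0 Enterprise Connection", "ipAddress": "198.51.100.2",
  "status": {"errorCode": 50076}, "riskLevelDuringSignIn": "none",
  "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
 {"appDisplayName": "Other App", "ipAddress": "198.51.100.9",
  "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
  "conditionalAccessStatus": "success", "appliedConditionalAccessPolicies": []}
]""")


def classify(entry):
    """Map one sign-in to the likely cause from the article; None if not AADSTS50076."""
    if entry.get("status", {}).get("errorCode") != AADSTS50076:
        return None
    # Cause 1: Identity Protection flagged the sign-in ("hidden" = risk not licensed/visible).
    if entry.get("riskLevelDuringSignIn", "none") not in ("none", "hidden"):
        return "risky_sign_in"
    # Cause 2: a Conditional Access policy with an MFA grant control failed.
    mfa_policies = [p["displayName"] for p in entry.get("appliedConditionalAccessPolicies", [])
                    if "Mfa" in p.get("enforcedGrantControls", []) and p.get("result") == "failure"]
    if mfa_policies:
        return "conditional_access:" + ",".join(mfa_policies)
    # Cause 3 (heuristic): no named CA policy, so tenant-wide MFA or Security Defaults.
    return "tenant_mfa_or_security_defaults"


def triage(entries, app_name):
    """Count AADSTS50076 causes for one application, keyed by cause string."""
    counts = {}
    for entry in entries:
        if entry.get("appDisplayName") != app_name:
            continue
        cause = classify(entry)
        if cause:
            counts[cause] = counts.get(cause, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS, "Auth0 Enterprise Connection"))
```

Feed it the JSON export of the sign-in logs filtered to the failing application; the cause string tells you which branch of the Solution section applies.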