Overview
One or more users who could previously sign in through the Azure AD IdP connection suddenly cannot. When they try to sign in, they receive the following error message:
Error AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access.
Cause
Azure AD, not Auth0, is rejecting the sign-in: a policy on the Azure AD tenant now requires multi-factor authentication for this sign-in, and the authentication performed through the connection did not include a second factor. The usual triggers are:
- A Conditional Access policy that requires MFA under certain conditions, for example when the user signs in from outside a named (trusted) network location. The same user can then sign in from the original network and fail everywhere else.
- An Identity Protection sign-in risk policy. Azure AD evaluates each sign-in for risk signals such as a sign-in from an unfamiliar location; a policy can require MFA once the risk level crosses a threshold. This is the "moved to a new location" case the error message refers to, and it is set automatically, not by the user.
- Security defaults, which enforce MFA for all users in the tenant.
In addition, the grant flow used for the connection may not support MFA. The resource owner password credentials (ROPC) grant is non-interactive, so Azure AD has no way to prompt for a second factor during it; any user for whom MFA is now required fails with this error until an interactive grant such as the authorization code flow is used.
Solution
The error is raised by the Azure AD IdP itself; no change on the Auth0 side can resolve it. For the connection to work again, the relevant configuration on the Azure AD side must be changed.
Check the following four things in the Azure AD tenant:
- Whether security defaults are turned on (they enforce MFA for every user).
- Whether the account has a sign-in risk, and whether an Identity Protection sign-in risk policy requires MFA at that risk level.
- Whether a Conditional Access policy that requires MFA applies to the user, the application, or the location the user is signing in from.
- Which grant flow the connection uses; make sure it is one that supports MFA (an interactive flow such as the authorization code flow; the ROPC password grant does not).
Also, examine the affected sign-ins in the Azure Active Directory sign-in logs. Each entry records the error code, the Conditional Access policies that were evaluated and their result, the sign-in risk level, and the location and client used, which usually shows which of the four triggers applies.
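The following script is an added illustration of that log review, not part of the original article or of Auth0's or Microsoft's tooling. It takes a batch of sign-in records in the shape of the Microsoft Graph `signIn` resource (what `GET /auditLogs/signIns` returns), picks out the AADSTS50076 failures, and maps each one to the four checks above. The records, users, IP addresses and policy names are constructed for the example; the Conditional Access, risk, location and client fields follow the Graph resource, and the "non-browser client" hint for the ROPC grant is a heuristic, not proof of which grant was used.

```python
import json
from collections import defaultdict

AADSTS_MFA_REQUIRED = 50076   # the error code this article is about

# Constructed sample: four sign-in records in the shape of the Graph
# `signIn` resource. Users, addresses and policy names are made up.
SAMPLE_SIGNINS = json.loads(r"""
[
  {"createdDateTime": "2023-03-01T08:02:11Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Auth0 Connection", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
   "location": {"city": "Dublin", "countryOrRegion": "IE"},
   "riskLevelDuringSignIn": "none", "riskState": "none", "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [], "status": {"errorCode": 0, "failureReason": "Other."}},
  {"createdDateTime": "2023-03-01T09:15:40Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Auth0 Connection", "clientAppUsed": "Browser", "ipAddress": "198.51.100.7",
   "location": {"city": "Lisbon", "countryOrRegion": "PT"},
   "riskLevelDuringSignIn": "none", "riskState": "none", "conditionalAccessStatus": "failure",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA outside corporate network", "result": "failure",
      "enforcedGrantControls": ["Mfa"]}],
   "status": {"errorCode": 50076, "failureReason": "MFA required but not performed."}},
  {"createdDateTime": "2023-03-01T09:20:05Z", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Auth0 Connection", "clientAppUsed": "Mobile Apps and Desktop clients",
   "ipAddress": "192.0.2.44", "location": {"city": "Berlin", "countryOrRegion": "DE"},
   "riskLevelDuringSignIn": "medium", "riskState": "atRisk", "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [],
   "status": {"errorCode": 50076, "failureReason": "MFA required but not performed."}},
  {"createdDateTime": "2023-03-01T09:31:00Z", "userPrincipalName": "carol@example.com",
   "appDisplayName": "Auth0 Connection", "clientAppUsed": "Browser", "ipAddress": "203.0.113.22",
   "location": {"city": "Dublin", "countryOrRegion": "IE"},
   "riskLevelDuringSignIn": "none", "riskState": "none", "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [],
   "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}}
]
""")


def _location(rec):
    loc = rec.get("location") or {}
    return (loc.get("countryOrRegion"), loc.get("city"))


def _triggers(rec, prior_locations):
    """Map one AADSTS50076 record to the checks the Solution section lists."""
    hits = {}
    policies = rec.get("appliedConditionalAccessPolicies", [])
    # Conditional Access: a policy whose grant controls include MFA and that failed.
    mfa_policies = [
        p["displayName"] for p in policies
        if p.get("result") == "failure"
        and any(c.lower() == "mfa" for c in p.get("enforcedGrantControls", []))
    ]
    if mfa_policies:
        hits["conditional_access"] = "MFA enforced by: " + ", ".join(mfa_policies)
    # Sign-in risk: anything above "none" points at the Identity Protection risk policy.
    risk = rec.get("riskLevelDuringSignIn", "none")
    if risk not in ("none", "hidden"):
        hits["sign_in_risk"] = f"risk level {risk} (state {rec.get('riskState')}); check the sign-in risk policy"
    # New location: first sign-in from a place this user has not succeeded from before.
    loc = _location(rec)
    if prior_locations and loc not in prior_locations:
        hits["new_location"] = f"first sign-in from {loc}; earlier successes from {sorted(prior_locations)}"
    # Security defaults: MFA demanded although no Conditional Access policy was recorded.
    if not policies and rec.get("conditionalAccessStatus") == "notApplied":
        hits["security_defaults"] = "no Conditional Access policy recorded; check whether security defaults are on"
    # Grant flow: a non-browser client is a hint (not proof) that the ROPC password grant is in use.
    if rec.get("clientAppUsed") != "Browser":
        hits["grant_flow"] = f"non-browser client '{rec.get('clientAppUsed')}'; the ROPC grant cannot complete MFA"
    return hits


def triage_50076(signins):
    """Return one finding per AADSTS50076 failure, in time order, with the likely triggers."""
    prior = defaultdict(set)   # user -> locations of earlier successful sign-ins
    findings = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        code = rec["status"]["errorCode"]
        if code == 0:
            prior[user].add(_location(rec))
            continue
        if code != AADSTS_MFA_REQUIRED:
            continue   # other failures (e.g. bad password) are out of scope here
        findings.append({"user": user, "time": rec["createdDateTime"],
                         "app": rec.get("appDisplayName"), "triggers": _triggers(rec, prior[user])})
    return findings


if __name__ == "__main__":
    for f in triage_50076(SAMPLE_SIGNINS):
        print(f["time"], f["user"], f["app"])
        for tag, detail in f["triggers"].items():
            print(f"  [{tag}] {detail}")
```

Run against a real export, the script reports alice's failure as a Conditional Access policy firing on a new location, and bob's as a risk-policy or security-defaults demand arriving through a client that cannot complete MFA; the Azure AD fix then follows from the tag rather than from the generic error text.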