Azure AD AADSTS50076 Error

auth0.knowledge2 · June 17, 2024, 9:49pm

Overview

This article addresses an error encountered when a user attempts to sign in using a Microsoft Azure Active Directory (Azure AD) enterprise connection, despite having previously signed in successfully with the same connection:

Error AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘<>’

Applies To

Microsoft Azure AD
Enterprise Connection
Error AADSTS50076

Cause

This error can occur for any of the following reasons:

Azure Active Directory (Azure AD) risky sign-in detection flags sign-ins from new or significantly different geographical locations as potentially risky. This detection automatically enforces Conditional Access policies, which may require Multi-Factor Authentication (MFA) for access.
The administrator account is blocked by an MFA requirement or a Conditional Access Policy. An exception exists if an IP address exclusion is configured for the account that bypasses the MFA requirement.
MFA is enforced on the Microsoft Entra ID instance.

Solution

The issue originates from the Microsoft Azure Active Directory (Azure AD) Identity Provider (IdP) configuration. Updating the Auth0 configuration will not help resolve the issue.

Resolving this involves confirming the correct configuration on Azure AD:

Risky sign-in detection flags that enforce MFA:
- Review the grant flow to confirm if it does not support MFA, which will not allow flagged users to use MFA in their Azure AD authentication.
Conditional Access (CA) Policies that enforce MFA on the account:
- Exclude the application from the conflicting CA rule. Create a new CA rule explicitly targeted to this application that requires MFA for all access (without IP address exclusions).
- If the business use case allows, ensure that Microsoft Azure Security Defaults are disabled, as they can conflict with granular CA policies.
MFA is enforced on the Microsoft Entra ID instance:
- If the business use case allows it, disable MFA enforcement policies for the account used for the AAD sync under security management.

Also, examine the sign-in logs in Azure Active Directory for more details.

Topic		Replies	Views
Azure Active Directory Multi Factor Authentication Get Help	0	3270	October 29, 2019
Error Logging Into Azure AD Connection: "AADSTS50020 User account from identity provider does not exist in tenant" Knowledge Articles azure-ad	1	7934	February 6, 2024
Azure AD Connection Error: "strServiceExceptionMessage":"AADSTS50011" Knowledge Articles error , azure-ad , azure , connection , redirect-uri	1	1625	August 22, 2023
New Universal Login does not work with home realm discovery Get Help login-experience , new-universal-login-experience	0	959	April 21, 2023
Authentication API + AzureAD Connector + Customer MFA Get Help connections , azure-ad-enterprise-connection	4	1177	October 25, 2023

Azure AD AADSTS50076 Error

Overview

Applies To

Cause

Solution

Related topics