This article provides resolutions for the InvalidConnectionCredentials or WindowsIdentityIncorrect errors that might occur when you run a desktop flow using a Microsoft Entra account. These errors typically indicate issues with device join status, account synchronization, or credential mismatches between the desktop flow connection and the target machine.
This article also covers the AADSTS50126 error, which occurs when credential validation fails because of an invalid username or password, particularly in scenarios involving federated users.
Applies to: Power Automate
Original KB number: 4555623
Symptoms
When you run a desktop flow using a Microsoft Entra account, it fails with the InvalidConnectionCredentials or WindowsIdentityIncorrect error code.
{
  "error": {
    "code": "InvalidConnectionCredentials",
    "message": "Could not connect to the Power Automate UI flows Agent. Please make sure that the UI flows connection credentials are valid."
  }
}

{
  "error": {
    "code": "WindowsIdentityIncorrect",
    "message": "The credentials provided with the request are invalid."
  }
}
You might also receive the following error message:
AADSTS50126: Error validating credentials due to invalid username or password
Cause
You might encounter the error when using a Microsoft Entra account for several reasons:
- You enter account credentials into the connection that don't match the credentials on the machine.
- The device isn't Microsoft Entra joined or Microsoft Entra hybrid joined to support Microsoft Entra authentication.
- The Microsoft Entra account isn't synchronized to the machine.
- The user account attempting to connect is a federated user (ADFS) while the tenant is configured to run on Microsoft Entra ID.
Solution
1. Ensure that the device is Microsoft Entra joined or domain-joined:
   - Open a command prompt.
   - Run the dsregcmd /status command.
   - Check the Device State section.
   - Make sure that one of the DomainJoined or AzureAdJoined values is YES.
   If this condition isn't true, you can't use a Microsoft Entra account unless the device is joined. For more information, see How to join a device.
2. Identify the Microsoft Entra account to use in the machine configuration:
   - Open Settings and select Accounts.
   - Select Access work or school.
   - Make sure you see text like "Connected to <your_organization> Microsoft Entra ID." The account it's connected to can be used in the connection.
3. Synchronize the Microsoft Entra account on the device:
   - Select the Info button when selecting your Microsoft Entra connection on the Access work or school page.
   - This action opens a page that describes your connection information and device synchronization status. Select the Sync button at the end of the page, and wait for this process to complete.
4. Verify that the configured Microsoft Entra account can sign in to the device:
   - Try to sign in to the machine by using the Microsoft Entra account you identified in step 2.
   - The device authentication must be successful to use the account in a connection.
5. Make sure the flow is configured properly with the right username and password. This information must match the account on your computer.
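The join check in step 1 can be scripted so it can be repeated across machines. The following PowerShell is an added example, not part of the original article or of Power Automate: the function name Get-DeviceJoinState and the sample output are constructed for illustration, and the parser assumes the "Name : Value" line layout that dsregcmd /status prints.

```powershell
# Added example (not from the original article): parse `dsregcmd /status`
# output and report whether the device meets the join requirement in step 1.
function Get-DeviceJoinState {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]          # the output contains blank lines
        [string[]]$StatusLines        # raw lines of `dsregcmd /status`
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # Fields are printed as "   Name : Value"; section banners do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$') {
            $name = $Matches[1]
            if (-not $state.ContainsKey($name)) { $state[$name] = $Matches[2] }
        }
    }
    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined   = $aad
        DomainJoined    = $domain
        JoinRequirement = ($aad -or $domain)   # at least one must be YES
    }
}

# Constructed sample output, used when dsregcmd is not available (for example, off Windows).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"

# Prefer live output from the machine that runs the desktop flow.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    dsregcmd.exe /status
} else { $sample }

$result = Get-DeviceJoinState -StatusLines $lines
$result | Format-List
if (-not $result.JoinRequirement) {
    Write-Warning 'Neither AzureAdJoined nor DomainJoined is YES: a Microsoft Entra account cannot be used in the connection until the device is joined.'
}
```

A missing field is treated the same as NO, so truncated or unexpected output fails the check rather than passing it.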
AADSTS50126 error
To resolve an AADSTS50126 error, the preferred and most secure method is to configure Certificate-Based Authentication (CBA).
If you can't configure CBA, federated users can use an alternative approach when administrators of the on-premises Identity Provider (IdP) configure password hash synchronization (PHS) to synchronize password hashes to the cloud. In this scenario, federated users can authenticate directly against Microsoft Entra ID (ESTS) by configuring a Home Realm Discovery (HRD) policy that explicitly allows cloud password validation.
To enable this configuration, set the following HRD policy value:
"AllowCloudPasswordValidation": true
For detailed instructions, see Enable direct ROPC authentication of federated users for legacy applications.