Access to My Account fails with Sign-in error code 50192, Failure reason Invalid request

Tilman Schmidt 120 Reputation points
2025-01-06T09:41:19.2933333+00:00

I have configured Conditional Access for my tenant to require MFA for all users except when they come from a compliant device, and to require a compliant device for registering an authentication method. When new users are onboarded, they are instructed to visit the Microsoft My Account page at myaccount.microsoft.com from their (compliant) company laptop and click on Security information in order to register their smartphone with Microsoft Authenticator as an authentication method.

Now I have a user who cannot complete that procedure because he is refused access to the Security information page. When he clicks on Security information he receives a message (translated from German as he uses the German language setting):

Certificate verification failed

Try again as follows:

  1. Close current browser
  2. Open a new browser to log in
  3. Select certificate

If you are using a smartcard make sure it is inserted correctly.

We do not use smartcards or client certificates for login, so I have no idea which certificate Microsoft Entra would want to verify here.

In the user's sign-in logs I see:

  1. two events "Authentication requirement: Single-factor authentication / Status: Success" for applications "My Signins" and "Microsoft Account Controls V2"
  2. an event "Authentication requirement: Multifactor authentication / Status: Interrupted" for application "My Signins" but which says "Compliant: Yes" under "Device Info" and "Success" or "Not Applied" to all policies under "Conditional Access" so I don't understand why it would require MFA
  3. an event "Authentication requirement: Multifactor authentication / Status: Failure" with Sign-in error code 50192 and Failure reason "Invalid request", but again "Device Info - Compliant: Yes" and all Conditional Access policies "Success" or "Not Applied"

The error code 50192 is not mentioned on the Microsoft Entra ID troubleshooting page.

I am at a loss how to debug this.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other
Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
    2025-01-07T11:25:18.11+00:00

    Hi @Tilman Schmidt

    I understand that you are trying to register the Microsoft Authenticator app as an authentication method, but you're encountering sign-in error code 50192 when you click on "Security information."

    To resolve this, first check if the user has Certificate-Based Authentication (CBA) enabled. To do this, go to Microsoft Entra admin center > Protection > Authentication methods > Policies and check whether CBA is indeed enabled for a specific, limited group in which you have your desired user.

    If CBA is enabled, it may be causing the issue, as the system is prompting for CBA during the "Security information" sign-in process.

    To fix the issue, try disabling the CBA authentication method for the user and also exclude the user from any Conditional Access policies that are being triggered, as indicated in the sign-in logs.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.

    1 person found this answer helpful.
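
The scope check described in the accepted answer can also be run against the policy as returned by Microsoft Graph (`GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/X509Certificate`). The following is an added example, not part of either answer; the group IDs are constructed placeholders, and it assumes exclusions take precedence over inclusions.

```python
import json

# Constructed sample shaped like the Graph response for the X509Certificate
# authentication method configuration. Group IDs are made-up placeholders.
SAMPLE_POLICY = json.loads("""
{
  "id": "X509Certificate",
  "state": "enabled",
  "includeTargets": [
    {"targetType": "group", "id": "11111111-1111-1111-1111-111111111111"}
  ],
  "excludeTargets": [
    {"targetType": "group", "id": "22222222-2222-2222-2222-222222222222"}
  ]
}
""")


def cba_applies(policy, user_group_ids):
    """Return (applies, reason) for a user.

    user_group_ids: object IDs of every group the user belongs to,
    including nested (transitive) memberships.
    """
    if (policy.get("state") or "").lower() != "enabled":
        return False, "CBA method is disabled for the tenant"

    groups = {g.lower() for g in user_group_ids}

    # Assumption: an excluded group wins over any include target.
    for target in policy.get("excludeTargets") or []:
        if target["id"].lower() in groups:
            return False, f"user is in excluded group {target['id']}"

    for target in policy.get("includeTargets") or []:
        target_id = target["id"].lower()
        if target_id == "all_users":
            return True, "CBA targets all users"
        if target_id in groups:
            return True, f"user is in included group {target['id']}"

    return False, "user is not in any included target"


if __name__ == "__main__":
    member_of = ["11111111-1111-1111-1111-111111111111"]  # constructed
    print(cba_applies(SAMPLE_POLICY, member_of))
```

A `True` result for the affected user means the certificate prompt on the Security information page is expected behaviour of the authentication methods policy rather than of a Conditional Access policy.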

1 additional answer

  1. Ki-lianK-7341 1,010 Reputation points
    2025-01-06T09:48:19.5633333+00:00
    1. Certificate Verification: The message about certificate verification suggests that the browser might be attempting to use a cached certificate or a client certificate for authentication. This can happen if the browser has previously cached a certificate or if there is a misconfiguration in the Conditional Access policies.
    2. Conditional Access Policies: Double-check your Conditional Access policies to ensure there are no conflicting rules that might be causing this issue. Specifically, verify that the policies related to MFA and compliant devices are correctly configured and not inadvertently requiring a certificate.
    3. Browser and Device: Ensure that the user’s browser and device are up-to-date and compliant with your organization’s security policies. Sometimes, clearing the browser cache or trying a different browser can resolve such issues.
    4. Smartcard and Client Certificates: Even though you mentioned that you do not use smartcards or client certificates, it’s worth checking if there are any residual configurations or policies that might be causing the system to expect a certificate. This could be a leftover setting from a previous configuration.
