Access to My Account fails with Sign-in error code 50192, Failure reason Invalid request

Question

Access to My Account fails with Sign-in error code 50192, Failure reason Invalid request

Tilman Schmidt 120

I have configured Conditional Access for my tenant to require MFA for all users except when they come from a compliant device, and to require a compliant device for registering an authentication method. When new users are onboarded, they are instructed to visit the Microsoft My Account page at myaccount.microsoft.com from their (compliant) company laptop and click on Security information in order to register their smartphone with Microsoft Authenticator as an authentication method.

Now I have a user who cannot complete that procedure because he is refused access the Security information page. When he clicks on Security information he receives a message (translated from German as he uses German language setting):

Certificate verification failed

Try again as follows:

Close current browser
Open a new browser to log in
Select certificate

If you are using a smartcard make sure it is inserted correctly.

We do not use smartcards or client certificates for login, so I have no idea which certificate Microsoft Entra would want to verify here.

In the user's sign-in logs I see:

two events "Authentication requirement: Single-factor authentication / Status: Success" for applications "My Signins" and "Microsoft Account Controls V2"
an event "Authentication requirement: Multifactor authentication / Status: Interrupted" for application "My Signins" but which says "Compliant: Yes" under "Device Info" and "Success" or "Not Applied" to all policies under "Conditional Access" so I don't understand why it would require MFA
an event "Authentication requirement: Multifactor authentication / Status: Failure" with Sign-in error code 50192 and Failure reason "Invalid request", but again "Device Info - Compliant: Yes" and all Conditional Access policies "Success" or "Not Applied"

The error code 50192 is not mentioned on the Microsoft Entra ID troubleshooting page.

I am at a loss how to debug this.

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-07T07:18:19.4766667+00:00

Hi @Tilman Schmidt
Thank you for posting your query on Microsoft Q&A.

I understand that you are encountering certificate-based authentication error page. Certificate-based authentication can fail for reasons such as the certificate being invalid, or the user selected the wrong certificate or an expired certificate, or because of a Certificate Revocation List (CRL) issue.

The users have enabled to use CBA for MFA. That is why users are prompted to use CBA while signing in. Microsoft Entra certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Microsoft Entra ID for applications and browser sign-in. This feature enables customers to adopt a phishing resistant authentication and authenticate with an X.509 certificate against their Public Key Infrastructure (PKI).

To solve the issue the user's MostRecentlyUsed (MRU) authentication method is set to CBA. To reset the MRU method, the user needs to cancel the certificate picker, select other ways to sign in, and select another method available to the user and authenticate successfully. Password as an authentication method can't be disabled and the option to sign in using a password is displayed even with Microsoft Entra CBA method available to the user.

Please refer the source document for more information: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication-technical-deep-dive#understanding-issuer-hints-preview

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.

Accepted answer

1 additional answer

Your answer

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-07T07:18:19.4766667+00:00

Hi @Tilman Schmidt
Thank you for posting your query on Microsoft Q&A.

I understand that you are encountering certificate-based authentication error page. Certificate-based authentication can fail for reasons such as the certificate being invalid, or the user selected the wrong certificate or an expired certificate, or because of a Certificate Revocation List (CRL) issue.

The users have enabled to use CBA for MFA. That is why users are prompted to use CBA while signing in. Microsoft Entra certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Microsoft Entra ID for applications and browser sign-in. This feature enables customers to adopt a phishing resistant authentication and authenticate with an X.509 certificate against their Public Key Infrastructure (PKI).

To solve the issue the user's MostRecentlyUsed (MRU) authentication method is set to CBA. To reset the MRU method, the user needs to cancel the certificate picker, select other ways to sign in, and select another method available to the user and authenticate successfully. Password as an authentication method can't be disabled and the option to sign in using a password is displayed even with Microsoft Entra CBA method available to the user.

Please refer the source document for more information: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication-technical-deep-dive#understanding-issuer-hints-preview

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.

Answer 1

Hi @Tilman Schmidt

I understand that you are trying to register the Microsoft Authenticator app as an authentication method, but you're encountering sign-in error code 50192 when you click on "Security information."

To resolve this, first check if the user has Certificate-Based Authentication (CBA) enabled. To do this, Microsoft Entra admin center > Protection > Authentication methods > Policies and check whether CBA is indeed enabled for a specific, limited group in which you have your desired user.

If CBA is enabled, it may be causing the issue, as the system is prompting for CBA during the "Security information" sign-in process.

To fix the issue, try disabling the CBA authentication method for the user and also exclude the user from any Conditional Access policies that are being triggered, as indicated in the sign-in logs.

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click `Accept Answer` and `Yes`.

Thanks,

B. Siri Chandana.

Answer 2

Ki-lianK-7341 1,010

Certificate Verification: The message about certificate verification suggests that the browser might be attempting to use a cached certificate or a client certificate for authentication. This can happen if the browser has previously cached a certificate or if there is a misconfiguration in the Conditional Access policies 2.
Conditional Access Policies: Double-check your Conditional Access policies to ensure there are no conflicting rules that might be causing this issue. Specifically, verify that the policies related to MFA and compliant devices are correctly configured and not inadvertently requiring a certificate 3.
Browser and Device: Ensure that the user’s browser and device are up-to-date and compliant with your organization’s security policies. Sometimes, clearing the browser cache or trying a different browser can resolve such issues.
Smartcard and Client Certificates: Even though you mentioned that you do not use smartcards or client certificates, it’s worth checking if there are any residual configurations or policies that might be causing the system to expect a certificate. This could be a leftover setting from a previous configuration.

Tilman Schmidt 120 Reputation points

2025-01-06T13:13:21.0666667+00:00

Thanks for the quick reply. Meanwhile I have received more calls from users encountering the same error, so it seems to be a more widespread problem. It does not affect all users, though. In particular, I cannot reproduce it with the test account I have for investigating Microsoft Entra problems.

I have asked one of the affected users to try a different browser (Firefox instead of Edge) and the behaviour was the same.

I have double-checked my Conditional Access policies (which worked fine until a few days ago) and there is nothing changed, nor do they contain any setting referring to certificates. Also, as I wrote, all applied Conditional Access policies report Success in the sign-in log.

I can't imagine where a leftover setting might have come from since we never used smartcards or certificates in the past.

That said, how exactly would I go about checking what you proposed to check?

Re 1., how can I check whether those browsers have indeed suddenly started attempting to use a client certificate for authentication, and if so, what client certificate they are using and where that came from?

Re 2., does the fact that the sign-in log reports no Conditional Access failures prove sufficiently that Conditional Access is not at fault, or should I dig deeper into my Conditional Access policies? If so, what exactly should I look for?

Re 3., is there anything more I should check on the browser side when the issue manifests itself with two different browsers? Anything on the OS level?

Re 4., where would I look for such residual configurations?

AtDhVaAnNkCsE,

Tilman
Tilman Schmidt 120 Reputation points

2025-01-07T09:17:03.9333333+00:00

Hi @Bandela Siri Chandana ,

I'm sorry I have some difficulty matching your answer to my question.

My problem is not that CBA fails. My problem is that CBA is attempted in the first place. We do not want to use CBA. There should be no certificate, whether valid or invalid. There should be no CRL either. The whole CBA topic shouldn't even take place. Entra should let my users register their Microsoft Authenticator apps as a stong authentication method, not try to verify some mysterious certificate. I am trying to find out why it does that and how to stop it. Can you provide some guidance for that?

You state: "The users have enabled to use CBA for MFA." My users, when questioned, steadfastly deny they have done any such thing. Can you describe in more detail what my users may have inconsciously done to trigger that behaviour?

Also, you seem to assume that the problem occurs when the user signs in. It does not. The users can sign in with their password just fine. It's only when they click the "Security information" link on the "My Account" page in order to register their Microsoft Authenticator that the failure occurs.

Finally, you seem to assume that my users are "prompted to use CBA". They are not. They are just presented with the error message I quoted. There is no opportunity to cancel or select anything, just end of game. What other options do we have?

Thanks,
Tilman
Tilman Schmidt 120 Reputation points

2025-01-07T12:45:11.91+00:00

Hi @Bandela Siri Chandana ,

thank you for your reply.

I checked the affected users' Authentication methods pages in Microsoft Entra admin center. This is what they show, all identically:

In addition, I have checked the global policies page at Microsoft Entra admin center > Protection > Authentication methods > Policies and found that CBA is indeed enabled for a specific, limited group of users. Apparently a colleague administrator has been doing a test with CBA without my knowledge. All users affected by the issue are in the test group. I also verified that after adding my test account to that group, it shows the same symptoms.

So the mystery is solved thanks to your pointer to CBA as a possible cause. If you'll convert your comment to an answer I'll gladly accept it.

Thanks,
Tilman

Share via

Access to My Account fails with Sign-in error code 50192, Failure reason Invalid request

1 additional answer

Your answer