Hi @Nikhil Kulkarni (nkulkarn),
It's hard to assess this scenario given the limited information, but I would recommend checking to see if that user might be signing into your application using another tenant's SSO session. You can get more information by checking the sign-in logs and verifying that the correct tenant ID is listed for that sign-in. You may also get other hints in the sign-in logs. You can validate the user's tenancy by going to Settings - Microsoft Azure and signing in with that account. There you will see all the tenants where that user is a member.
In addition, for guest users, credentials are stored in their home tenant and not in the guest tenant. As described in this similar case, this error can occur if you are using grant_type=password which initiates the ROPC flow. If this is the case for you, the recommendation is to use the ***Authorization Code flow*** or Implicit flow, which opens a browser that supports the redirection required to authenticate the guest users.
If these scenarios do not apply to you, feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, and I will get a support case opened to address your issue.
If the information helped you, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching similar questions.
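The two checks described in the answer above (tenant ID on the sign-in, and guest sign-ins arriving over ROPC) can be run over an exported sign-in log; this is an added example, not part of the original answer. It assumes the export is JSON with the field names of the Microsoft Graph signIn resource (`homeTenantId`, `resourceTenantId`, `userType`, `authenticationProtocol`); the tenant GUIDs and records are constructed placeholders.

```python
import json

# Assumption: placeholder GUID for the tenant that owns the application.
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"

# Constructed sample export, not real log data.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "userType": "member",
     "homeTenantId": EXPECTED_TENANT, "resourceTenantId": EXPECTED_TENANT,
     "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "bob@fabrikam.example", "userType": "guest",
     "homeTenantId": "22222222-2222-2222-2222-222222222222",
     "resourceTenantId": EXPECTED_TENANT, "authenticationProtocol": "ropc"},
    {"userPrincipalName": "carol@contoso.example", "userType": "member",
     "homeTenantId": EXPECTED_TENANT,
     "resourceTenantId": "33333333-3333-3333-3333-333333333333",
     "authenticationProtocol": "oAuth2"},
])


def triage(record, expected_tenant=EXPECTED_TENANT):
    """Return finding codes for one sign-in record."""
    expected = expected_tenant.lower()
    home = (record.get("homeTenantId") or "").lower()
    resource = (record.get("resourceTenantId") or "").lower()
    findings = []
    # The sign-in was issued against a tenant other than the application's.
    if resource and resource != expected:
        findings.append("WRONG_RESOURCE_TENANT")
    # The account's credentials live in a different (home) tenant.
    foreign_home = bool(home) and home != expected
    if foreign_home:
        findings.append("FOREIGN_HOME_TENANT")
    # Guest credentials are not stored in the guest tenant, so ROPC
    # (grant_type=password) cannot validate them there.
    is_guest = (record.get("userType") or "").lower() == "guest" or foreign_home
    if is_guest and (record.get("authenticationProtocol") or "").lower() == "ropc":
        findings.append("GUEST_ROPC")
    return findings


def triage_export(raw_json, expected_tenant=EXPECTED_TENANT):
    """Map userPrincipalName -> finding codes, skipping clean sign-ins."""
    report = {}
    for rec in json.loads(raw_json):
        found = triage(rec, expected_tenant)
        if found:
            report.setdefault(rec.get("userPrincipalName", "<unknown>"), []).extend(found)
    return report


if __name__ == "__main__":
    for upn, codes in triage_export(SAMPLE_EXPORT).items():
        print(upn, ", ".join(codes))
```
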