Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,371 questions
Accessing Azure Key vault results in AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
André Sikma
0
Reputation points
As of Yesterday I'm faced with the following error when attempting to access all Azure Key Vaults that reside in subscriptions in 2 specific Tenants from the browser. I have access to several other subscriptions residing in other tenants that also contain Azure Key Vaults. There I still am able to access the Key Vaults using the same identity. On all tenants I get prompted for MFA, and using MS authenticator gives no indication of failure.
Exactly one week I was able to access these Key vaults without a problem.
The error message received:
Additional information from the call to get a token: Extension: Microsoft_Azure_KeyVault Resource: keyvault Details: invalid_grant: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '<guid>'. Trace ID: <guid> Correlation ID: <guid> Timestamp: 2023-08-23 08:44:27Z
Using powershell I'm able to access the keyvault and values
Connect-AzAccount -tenant <guid> -AuthScope AzureKeyVaultServiceEndpointResourceId
Get-AzKeyVaultSecret -VaultName <vault-name>
Get-AzKeyVaultSecret -VaultName <vault-name> -Name <secret-name> [-AsPlainText]
note: without parameter AuthScope it does not work.
Get-AzKeyVaultSecret: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials. You must use multi-factor authentication to access resource AzureKeyVaultServiceEndpointResourceId, please rerun 'Connect-AzAccount' with additional parameter '-AuthScope AzureKeyVaultServiceEndpointResourceId'.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 28.999999999999996%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Domooney-MSFT 2,596 Reputation points Microsoft Employee2023-08-25T08:58:44.8066667+00:00 Hi @Andre Sikma
Thank you for posting your query on Microsoft Q&A.
Based on your description and the details shared it looks like these two tenants have configured a Conditional Access policy to require MFA for the Azure Portal app.
Unless your home tenant and the resource tenant are configured to trust MFA from one another, then you would be required to enroll for MFA individually in each tenant. The fact that the prompt is not asking you to enrol seems to indicate that you had previously enrolled at some point.
If you have changed device since the original enrollment then you would need to re-enroll. To do this an admin in the specific tenants with the problem would need to navigate to your user profile and "Require re-register MFA" this should trigger an MFA enrollment prompt the next time you try access the keyvault.
If this is not the case then we would need to see the sign-in logs within the impacted tenant to determine why Conditional Access is being triggered.
Kind Regards,
Donal
-
Domooney-MSFT 2,596 Reputation points Microsoft Employee
2023-08-31T08:39:24.9166667+00:00 Hi @Andre Sikma I just wanted to follow-up to see if this was useful or if you have any further questions? Cheers,
Donal
-
Domooney-MSFT 2,596 Reputation points Microsoft Employee
2023-10-10T13:11:20.6466667+00:00 Hi @André Sikma Hope the above information can help. If there's anything else we can help, feel free to let us know.
-
André Sikma 0 Reputation points
2024-01-09T09:05:50.49+00:00 Hi @Domooney-MSFT ,
My apologies for the late reaction. Despite me following the thread, I never saw a notification.
You are correct with regards to the Conditional Access. But as I mentioned, I have access to several subscriptions spread over several tenants. In those tenants the Conditional Access also is set to Enabled or Enforced. For these subscriptions, the process is working.
Your suggestion "Require re-register MFA" didn't resolve the problem.
To add to it, a colleague who recently returned from sabbatical also is having the same problems with exactly the same tenants. A second colleague is not experiencing these problems. The only apparent difference between the 3 of us is that the second colleague is not an administrator in our Windows Domain.
Also, recently I got a new phone, which forced me to setup all MFA-accounts again, as I moved from Android to iOS, and now I'm not able to complete the MFA registration process on these problematic tenants. The tenants the worked previously, I was able to activate on my new phone.In an attempt to resolve the problem, I removed my account in one of the problematic tenants, and re-invited myself.
If MFA is turned on, and when attempting to access the tenant I get prompted that I need to set up MFA (expected)
After clicking 'Next' the MFA registration process ends with a HTTP-500 error on https://account.activedirectory.windowsazure.com/securityinfo?isOobe=False&brkr=&brkrVer=2.37.1&clientSku=msal.js.browser&personality=&authMethods=&authMethodCount= and the browser is showing me corrupt JSON (This json also shows as response in the DevTools > Network)
Also I'm not able to switch to the organization using my Sign-Ins https://aka.ms/mysecurityinfo. If MFA is turned off for these tenants, the security Info is showing me 'An unexpected error has occurred'.
Andre
Sign in to comment
Sign in to answer