A handful of our users receive an 'Error 500' when trying to access our intranet. The logs show the following (see below). We've contacted the developer of our intranet, but they say the issue is related to our Azure environment and therefore can't help us any further.
023-10-05 08:30:23,247 ERROR 00000000-0000-0000-0000-000000000000 Squadro.Host.Web.App_Start.ExceptionHandlingMiddleware - Error in OWIN middleware
MSAL.Desktop.4.45.0.0.MsalUiRequiredException:
ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
Trace ID: 0cff1ab9-5fad-43c9-b916-103e37b66000
Correlation ID: a3d89a06-9b2b-44e1-84cb-a2f2b3e5bb90
StatusCode: 400
ResponseBody: {"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: dbcae2fd-73c7-43d0-976b-e9f297bf8100\r\nCorrelation ID: 828f27fb-5e06-448d-8251-22e8c3861e56\r\nTimestamp: 2023-10-05 12:25:24Z","error_codes":[50076],"timestamp":"2023-10-05 12:25:24Z","trace_id":"dbcae2fd-73c7-43d0-976b-e9f297bf8100","correlation_id":"828f27fb-5e06-448d-8251-22e8c3861e56","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"e2660428-6e39-4e80-b26d-71a1c3f1961d\",\"83a4caf0-d258-4578-88ed-f7d87b298b49\"]}}}"}
Headers: Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Below are screenshots (images 1 & 2) from our Azure environment showing various logins from one account using different devices. Red: management server that runs internally and goes out via our public IP. Blue: private laptop (used both Firefox and Edge). Green: work laptop. Yellow: work laptop, but with conditional access (MFA + compliance). All the other colours: single factor, without MFA and compliance checks. It seems like all the policies are in place, but the error (error code 500) keeps popping up. Whenever a user tries to log in to our intranet from any device (private/work, office network/own network), an error (code 500) is shown. Clearing cookies, temp files or going in-private has no impact.
Image 1
Image 2
In some situations a user can log in, but then the error (see image 3) occurs a couple of hours later.
Image 3
We're using this Azure environment for other applications as well, and there it all goes smoothly. Zero issues. Hence why we thought at first that the problems came from somewhere else. But according to the developer of our intranet, the issues are on our side. Azure policies, to be precise. Also, if there were any policy troubles, we would receive this error screen instead of the error screen I showed before (image 4).
Image 4
Even when we don't touch any conditional access policy, the error occurs. So, we're rather clueless on how to proceed. Some users with identical policies, rights and access do get the error, and some don't. It's completely random, making it very difficult to pinpoint what the problem is. Also, all our other applications function perfectly fine.
Does anyone have any ideas on how to solve this?
Edit: we've already tried this, but without success: https://learn.microsoft.com/en-us/answers/questions/1337701/aadsts50076-due-to-a-configuration-change-made-by
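Added example, not code from the original post or from the intranet vendor: a small Python parser for the ResponseBody quoted in the log above, showing that the 50076 invalid_grant carries a claims challenge (the `capolids` values are Conditional Access policy IDs) which a silent or cached-token request can never satisfy, so the application has to send the user through interactive sign-in with that `claims` parameter rather than surface a 500. The function names are my own; the sample body is the one from the post, embedded verbatim.

```python
import json

# Constructed sample: the ResponseBody from the log in the post, embedded as raw
# strings so the JSON escapes (\r\n and the nested \"claims\" document) survive.
SAMPLE_RESPONSE_BODY = (
    r'{"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration '
    r'change made by your administrator, or because you moved to a new location, you must '
    r"use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'."
    r'\r\nTrace ID: dbcae2fd-73c7-43d0-976b-e9f297bf8100\r\nCorrelation ID: '
    r'828f27fb-5e06-448d-8251-22e8c3861e56\r\nTimestamp: 2023-10-05 12:25:24Z",'
    r'"error_codes":[50076],"timestamp":"2023-10-05 12:25:24Z",'
    r'"trace_id":"dbcae2fd-73c7-43d0-976b-e9f297bf8100",'
    r'"correlation_id":"828f27fb-5e06-448d-8251-22e8c3861e56",'
    r'"error_uri":"https://login.microsoftonline.com/error?code=50076",'
    r'"suberror":"basic_action",'
    r'"claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":'
    r'[\"e2660428-6e39-4e80-b26d-71a1c3f1961d\",\"83a4caf0-d258-4578-88ed-f7d87b298b49\"]}}}"}'
)


def parse_token_error(body: str) -> dict:
    """Parse an Azure AD token-endpoint error body. The 'claims' member is itself a
    JSON document encoded as a string, so it has to be decoded a second time."""
    data = json.loads(body)
    claims_raw = data.get("claims")
    claims = json.loads(claims_raw) if claims_raw else {}
    capolids = claims.get("access_token", {}).get("capolids", {}).get("values", [])
    return {
        "error": data.get("error"),
        "error_codes": data.get("error_codes", []),
        "suberror": data.get("suberror"),
        "trace_id": data.get("trace_id"),
        "correlation_id": data.get("correlation_id"),  # key for the sign-in log lookup
        "claims": claims,
        "capolids": capolids,
    }


def requires_interactive_auth(parsed: dict) -> bool:
    """50076 / a claims challenge means the cached token no longer satisfies policy;
    only an interactive sign-in (MFA) can fix it, never a retry of the silent call."""
    return parsed["error"] == "invalid_grant" and (
        50076 in parsed["error_codes"] or bool(parsed["claims"])
    )


def claims_challenge_parameter(parsed: dict) -> str:
    """Compact JSON to pass as the 'claims' parameter on the interactive request,
    so the STS re-evaluates exactly the policies that produced the challenge."""
    return json.dumps(parsed["claims"], separators=(",", ":"))
```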