AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

Rick 20 Reputation points
2023-10-05T11:54:00.5766667+00:00

A handful of our users receive an 'Error 500' when trying to access our intranet. The logs show the following (see below). We've contacted the developer of our intranet, but they say the issue is related to our Azure environment and therefore can't help us any further.

2023-10-05 08:30:23,247 ERROR 00000000-0000-0000-0000-000000000000 Squadro.Host.Web.App_Start.ExceptionHandlingMiddleware - Error in OWIN middleware
MSAL.Desktop.4.45.0.0.MsalUiRequiredException: 
	ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
Trace ID: 0cff1ab9-5fad-43c9-b916-103e37b66000
Correlation ID: a3d89a06-9b2b-44e1-84cb-a2f2b3e5bb90
	StatusCode: 400 
	ResponseBody: {"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: dbcae2fd-73c7-43d0-976b-e9f297bf8100\r\nCorrelation ID: 828f27fb-5e06-448d-8251-22e8c3861e56\r\nTimestamp: 2023-10-05 12:25:24Z","error_codes":[50076],"timestamp":"2023-10-05 12:25:24Z","trace_id":"dbcae2fd-73c7-43d0-976b-e9f297bf8100","correlation_id":"828f27fb-5e06-448d-8251-22e8c3861e56","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"e2660428-6e39-4e80-b26d-71a1c3f1961d\",\"83a4caf0-d258-4578-88ed-f7d87b298b49\"]}}}"} 
	Headers: Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains

Below are screenshots (images 1 & 2) from our Azure environment showing various logins from one account using different devices. Red: management server that runs internally and goes out via our public IP. Blue: private laptop (used both Firefox and Edge). Green: work laptop. Yellow: work laptop, but with conditional access (MFA + compliance). All the other colors: single factor, without MFA and compliance checks. It seems like all the policies are in place, but the error (error code 500) keeps popping up. Whenever a user tries to log in to our intranet from any device (private/work, office network/own network), an error (code 500) is shown. Clearing cookies, temp files or going in-private has no impact.

Image 1

Image 2

In some situations a user can log in, but then the error (see image 3) occurs a couple hours later.

Image 3

We're using this Azure environment for other applications as well, and there it all goes smoothly. Zero issues. Hence why we thought at first that the problems came from somewhere else. But according to the developer of our intranet, the issues are on our side. Azure policies to be precise. Also, if there were any policy troubles, we would receive this error screen instead of the error screen I showed before (image 4).

Image 4

Even when we don't touch any conditional access policy, the error occurs. So, we're rather clueless on how to proceed. Some users with identical policies, rights and access do get the error, and some don't. It's completely random, making it very difficult to pinpoint what the problem is. Also, all our other applications function perfectly fine.

Does anyone have any ideas on how to solve this?

Edit: we've already tried this, but without success: https://learn.microsoft.com/en-us/answers/questions/1337701/aadsts50076-due-to-a-configuration-change-made-by


Accepted answer
2023-10-10T01:47:00.0866667+00:00

Hello @Rick, in the 2nd case (correlation id 828f27fb-5e06-448d-8251-22e8c3861e56, timestamp 2023-10-05 12:25:24Z) the AADSTS50076 error is being caused by 2 matched Conditional Access policies which were not satisfied. Please reach your CA admin to get more information or send a mail to azcommunity@microsoft.com with Subject Attn: Alfredo Revilla for additional detail. Also, send any extra debugging information (correlation id+timestamp) and/or (strongly suggested) reproduce the issue while Collecting a network trace in the browser or Collecting a network trace with Fiddler and send us the exported HAR file or Fiddler session.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
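The token response quoted in the question carries a claims challenge: its `claims` field lists the two Conditional Access policy IDs (`capolids`) the answer refers to, and MSAL surfaces it as `MsalUiRequiredException`. The standard handling is to send the user back through sign-in with that challenge attached rather than fail with a 500. The following is an added Python example (not code from the question, the intranet product or MSAL) that recognises such a response, extracts the policy IDs, and builds the re-authentication URL; the tenant, client ID and redirect URI are placeholders, and the sample body is constructed in the shape of the logged one.

```python
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed sample in the shape of the question's ResponseBody: an
# invalid_grant with error code 50076 whose "claims" field names the two
# Conditional Access policy IDs (capolids) that matched but were not satisfied.
SAMPLE_BODY = {
    "error": "invalid_grant",
    "error_codes": [50076],
    "suberror": "basic_action",
    "claims": json.dumps({"access_token": {"capolids": {
        "essential": True,
        "values": ["e2660428-6e39-4e80-b26d-71a1c3f1961d",
                   "83a4caf0-d258-4578-88ed-f7d87b298b49"]}}}),
}


def claims_challenge(body):
    """Return the parsed claims challenge, or None when the token error is
    not an AADSTS50076 interaction-required challenge."""
    if body.get("error") != "invalid_grant" or "claims" not in body:
        return None
    if 50076 not in body.get("error_codes", []):
        return None
    # "claims" is a JSON document serialised as a string inside the JSON body.
    return json.loads(body["claims"])


def matched_policy_ids(claims):
    """Conditional Access policy object IDs the service requires to be satisfied."""
    return claims.get("access_token", {}).get("capolids", {}).get("values", [])


def reauth_url(tenant, client_id, redirect_uri, scopes, body, state):
    """Build the authorize-endpoint URL that re-prompts the user with the
    challenge attached, so MFA is requested instead of the app erroring out."""
    if claims_challenge(body) is None:
        raise ValueError("not a claims challenge; surface the error as-is")
    params = {
        "client_id": client_id,           # placeholder values supplied by caller
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "claims": body["claims"],         # pass the challenge string through unchanged
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)
```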

