Getting MFA error response for users who SSO login with conditional access MFA-disabled

Dave Chuang 0 Reputation points
2024-04-08T10:22:13.0233333+00:00

We are a SaaS provider that published our own Azure AD marketplace app for our customers to log in to our application via Azure AD SSO.

However, we are getting this error: "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'" when one of the users, whose MFA is disabled via conditional access, logs in.

I have been reading quite a few helpful articles on this community but don't seem to be able to find one for a similar situation.

  1. Is there a way to allow a user who has MFA disabled (via conditional access) to access our SaaS application via SSO? E.g. our application should still allow access even if MFA was disabled for this special user. Our customer said they don't have issues using the same account on other applications.
  2. Is the error message due to a special configuration on the API call to AAD, or is a special configuration required on our Marketplace App? Or is the error due to a wrong registration / setup flow of our marketplace app?

We are not AAD-developer trained; we are happy to provide any information that can guide us to something we can explore and test further.

Thanks everyone.


1 answer

  1. Michael Smith-MSFT 2,916 Reputation points Microsoft Employee
    2024-04-09T12:46:42.96+00:00

    Hi @Dave Chuang ,

    Thank you for contacting the Q&A community,

    It sounds like the user is being asked to register for MFA.

    If they are excluded from all conditional access policies that require MFA, then it could be that you have SSPR enabled and the user is in scope. SSPR requires MFA, and users need to register if it's enabled.

    Check if you have SSPR enabled. If the user is in scope, then they need to register for MFA but should not get prompted on their subsequent sign-ins if CA has excluded them.

    Otherwise you need to remove the user from the scope.

    https://portal.azure.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/Properties

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
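For the SaaS application side of this thread, an added example (not code from either poster or from Microsoft) showing how the app can classify an Entra ID token-endpoint error body. It treats AADSTS50076 as a tenant-policy condition that is recovered by sending the user back through an interactive sign-in (where the CA or SSPR registration prompt is satisfied), rather than as a registration fault in the marketplace app. The sample body is constructed from the message quoted in the question; the trace and correlation ids are placeholders.

```python
import json
import re

# Constructed sample of an Entra ID token-endpoint error response, shaped like
# the error quoted in the question. Not a real capture; ids are placeholders.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "interaction_required",
    "error_description": (
        "AADSTS50076: Due to a configuration change made by your administrator, "
        "or because you moved to a new location, you must use multi-factor "
        "authentication to access '00000003-0000-0000-c000-000000000000'. "
        "Trace ID: PLACEHOLDER-TRACE Correlation ID: PLACEHOLDER-CORRELATION"
    ),
    "error_codes": [50076],
})

AADSTS_RE = re.compile(r"AADSTS(\d+)")
RESOURCE_RE = re.compile(r"to access '([^']+)'")

# Codes the app recovers from by re-running an interactive sign-in; what the
# user is then asked for (MFA, registration) is decided by the tenant's policy.
INTERACTIVE_RECOVERABLE = {50076}


def classify_entra_error(body: str) -> dict:
    """Parse an Entra token-endpoint error body and decide the app's next step."""
    data = json.loads(body)
    description = data.get("error_description", "")

    # Codes may come from the structured list or from the description prefix.
    codes = {int(c) for c in data.get("error_codes", [])}
    match = AADSTS_RE.search(description)
    if match:
        codes.add(int(match.group(1)))

    resource_match = RESOURCE_RE.search(description)
    resource = resource_match.group(1) if resource_match else None

    if data.get("error") == "interaction_required" or codes & INTERACTIVE_RECOVERABLE:
        action = "interactive_signin"  # redirect the user, do not retry silently
    else:
        action = "fail"  # surface to the user and log for the tenant admin

    return {
        "oauth_error": data.get("error"),
        "codes": codes,
        "resource": resource,
        "action": action,
    }
```

Logging the `resource` and `codes` fields alongside the user's tenant makes it possible to tell the customer's admin exactly which policy (CA or SSPR scope) to review.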
