Cannot access certain blades in subscription resources
I am a global administrator. I built all the resources in this subscription. Several months ago, I stopped getting access to some of the blades due to errors like:
"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ..."
In this latest case, I am trying to get to the certificates of my Cloud Service (extended support) resources. The error GUID points to Azure Key Vault Enterprise Application.
I successfully authenticate using the Microsoft Authenticator app and either get redirected to the Overview blade or I get another MFA challenge.
Going to any of my actual key vaults, I can see them listed, but when I try to enter, I get the MFA challenge. Once I authenticate, I am sent back.
Clearly there is something broken with the portal and CLI authentication.
-
Justin Tolchin • 21 Reputation points
2025-06-11T21:49:04.9533333+00:00 Note, this is basically the same problem as
https://learn.microsoft.com/en-us/answers/questions/2260977/cannot-access-resources-in-client-subscription-in
-
Justin Tolchin • 21 Reputation points
2025-06-11T22:02:58.0733333+00:00 I am now also not able to update the cloud service (extended support). I can get to Update and drill down into the container, but one level above where I need to get, I am blocked access and get the MFA loop again. The CRAZY thing is that I just uploaded the files using a ps1 script and it worked fine. It uses the same credentials.
-
Justin Tolchin • 21 Reputation points
2025-06-11T22:06:03.36+00:00 Using the following doesn't help either. I successfully authenticate, but still cannot access the resources.
Connect-AzAccount -TenantId <Tenant ID> -SubscriptionId <> -UseDeviceAuthentication
or
az login --tenant <myTenantID> --use-device-code
az account set --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-
Deepthi R • 25 Reputation points • Microsoft External Staff • Moderator
2025-06-13T10:07:40.1533333+00:00 Hi Justin Tolchin,
Could you check whether you have a sign-in risk policy enabled via a CA policy on your account? If there is a sign-in risk policy that enforces MFA, that might be causing you to be kept in a loop.
The AADSTS50076 error usually occurs when a matched Conditional Access policy was not satisfied.
Also, try disabling the security defaults temporarily if they are enabled and try to access the resource.
If the issue still persists, try to reproduce the issue while collecting a network trace in the browser.
Please try these steps and let us know if you still face the error.
-
Justin Tolchin • 21 Reputation points
2025-06-13T15:26:44.2033333+00:00 Yes, disabling the security defaults allowed access. But this is not acceptable long-term.
How do I restore access and keep security enabled? If it helps, I believe it is related to my being an "external user" to the account.
-
Deepthi R • 25 Reputation points • Microsoft External Staff • Moderator
2025-06-14T11:50:59.1733333+00:00 Hi Justin Tolchin,
Thanks for pointing out that your account is external.
It looks like you have not been granted any role like Key Vault Contributor or any other role that gives permissions to Key Vault.
The Global Administrator role only grants administrative control over Microsoft Entra ID; it does not provide access to Azure resources (like Key Vault, Storage Accounts, etc.). You must have an RBAC role that gives access to Key Vault.
Hence, try to get the RBAC role for your account and try accessing again.
Kindly let me know if this helps.
-
Deepthi R • 25 Reputation points • Microsoft External Staff • Moderator
2025-06-16T11:22:31.2166667+00:00 Hi Justin Tolchin,
I would like to check if the above provided comment is helpful to resolve your current issue. Or if you found any other workaround, please do share the same here so it can be helpful for others.
-
Justin Tolchin • 21 Reputation points
2025-06-16T17:02:15.4833333+00:00 Good morning!
I am listed in the key vault as being in roles: Owner, Key Vault Access Administrator, and Key Vault Administrator
-
Justin Tolchin • 21 Reputation points
2025-06-16T17:42:56.5033333+00:00 Summary of Issue
A user who is a Global Administrator and has previously had access to multiple Azure Key Vaults and storage accounts is now receiving the error:
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.
Despite being challenged for MFA using Microsoft Authenticator and completing the challenge, access to Key Vault operations (via Azure CLI or portal) fails unless Entra security defaults are temporarily disabled.
We are currently focusing on the Key Vaults to help simplify the problem.
Current Access and Configuration
- User is an external user to the organization
- User is a Member (not a Guest) in the affected tenant.
- User is assigned the following roles on the Key Vault:
  - Owner
  - Key Vault Access Administrator
  - Key Vault Administrator
- MFA is enforced via Entra Security Defaults.
- Conditional Access is not available (tenant is using Entra Free).
- Legacy per-user MFA is not enabled; enforcement is coming from Security Defaults.
- User has access to the portal and is prompted for MFA when logging in.
Steps Already Attempted
- Verified MFA prompt is working and being completed via Microsoft Authenticator.
- Confirmed the user is a Member (not Guest) in the tenant.
- Confirmed RBAC roles assigned on the Key Vault.
- Attempted az login and az keyvault certificate list using CLI — failed with AADSTS50076.
- Attempted to switch tenants explicitly via az login --tenant — same result.
- Attempted Connect-MsolService as a Global Admin — access denied.
- Verified that Identity Protection and Conditional Access features are unavailable due to Entra Free.
- Disabling Entra Security Defaults temporarily resolves the issue, but this is not an acceptable long-term solution.
- Checked for legacy MFA settings, which are not in use.
- Verified that the user is not in any sign-in risk condition based on Entra UI.
- Confirmed no other conflicting Conditional Access policies can be set without upgrading to Entra ID P1.
Conclusion
Access to most Azure resources succeeds. Access to some resources like Key Vault resources fails due to a cross-tenant token enforcement issue tied to MFA, despite the user meeting all visible MFA and RBAC requirements. The issue I'd guess stems from limitations in how Entra Free handles cross-tenant MFA validation and token trust, with no option to customize via Conditional Access. Disabling Security Defaults removes the enforcement and restores access, which points to the source of the problem.
-
Deepthi R • 25 Reputation points • Microsoft External Staff • Moderator
2025-06-17T17:21:16.23+00:00 You are absolutely right; Entra ID behaves differently for a user as a member versus as a guest in the tenant. Maybe you can try to set up a Conditional Access policy, which may resolve the issue.
-
Deepthi R • 25 Reputation points • Microsoft External Staff • Moderator
2025-06-18T16:45:36.01+00:00 Hi Justin Tolchin,
In your case, it seems that disabling Security Defaults was the only effective workaround. However, to address the issue more securely, you might consider configuring a Conditional Access policy for your scenario. This could help enforce MFA or other controls in a more flexible way without relying on the default security settings.
-
Justin Tolchin • 21 Reputation points
2025-06-18T16:48:43.2366667+00:00 Unfortunately, Azure blocks conditional access without purchasing P1 or higher. That means an additional $2,100 / year to work around Microsoft's short-sightedness.
My Dev support package appears to be useless. Is there any way to escalate this?
-
Justin Tolchin • 21 Reputation points
2025-06-18T17:24:53.0866667+00:00 I can access 90% of the portal and the MFA works. The 2 areas I can access until I start to drill down are Storage and Key Vault. Clearly the MFA is not returning the correct token that these parts need or are looking for, while it does return the parts needed by other areas. This suggests either a problem with the MFA process or the portal is not looking at the right token. The other really crazy thing is that when I run my .ps1 deployment script, it pushes the code to the portal storage, then updates the resource using that storage. It runs fine with the MFA. And yet, when I upload to the storage with the .ps1 script and try to update the resource manually via the portal, I am blocked at the point of accessing the storage account. That is insanity!
-
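An added diagnostic, not code from this thread: the post above suspects the token handed to Key Vault lacks what the service expects. Entra access tokens carry an `amr` claim listing the authentication methods used, so decoding the payload of the token returned by `az account get-access-token --resource https://vault.azure.net` shows whether `mfa` is present and whether `aud` and `tid` match the expected resource and tenant. The tenant ID and the sample token below are constructed placeholders; only `get_keyvault_token` touches a real tenant.

```python
import base64
import json
import subprocess

KEY_VAULT_AUDIENCE = "https://vault.azure.net"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    # Payload only, no signature check: this inspects a token you already hold.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, expected_tid: str) -> dict:
    # Report the claims that decide whether Key Vault will accept the token.
    claims = decode_claims(token)
    amr = claims.get("amr", [])
    aud = claims.get("aud", "")
    return {
        "aud": aud,
        "tid": claims.get("tid"),
        "amr": amr,
        "audience_ok": aud.rstrip("/") == KEY_VAULT_AUDIENCE,
        "tenant_ok": claims.get("tid") == expected_tid,  # catches cross-tenant tokens
        "mfa_satisfied": "mfa" in amr,                   # Security Defaults expects this
    }


def get_keyvault_token() -> str:
    # Live retrieval via Azure CLI after `az login`; not called in the offline sample.
    cmd = ["az", "account", "get-access-token", "--resource", KEY_VAULT_AUDIENCE,
           "--query", "accessToken", "-o", "tsv"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def _make_sample_token(payload: dict) -> str:
    # Constructed, unsigned token for offline demonstration only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


SAMPLE_TID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE_TOKEN = _make_sample_token(
    {"aud": KEY_VAULT_AUDIENCE, "tid": SAMPLE_TID, "amr": ["pwd"], "upn": "user@example.com"})

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN, SAMPLE_TID), indent=2))
```

If `mfa_satisfied` is False on a token obtained right after completing the Authenticator prompt, the loop is in token issuance rather than in Key Vault RBAC; if `tenant_ok` is False, the CLI is minting the token against the wrong tenant.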
Justin Tolchin • 21 Reputation points
2025-06-23T20:26:31.26+00:00 I cannot be the only person in the world in this situation.