3 Votes
SiegfriedHeintze-9929 asked josoliveira-7968 published

Login message says I must use MFA but SignUpSignInFlow says no MFA

When I did an "az login" I received this message:

"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: 348d5fb2-e91a-476d-b7e1-6d4d787d0400\r\nCorrelation ID: 700a81e3-75c9-47e0-aad5-94bfed299947\r\nTimestamp: 2020-04-16 18:04:46Z","error_codes":[50076],"timestamp":"2020-04-16 18:04:46Z","trace_id":"348d5fb2-e91a-476d-b7e1-6d4d787d0400","correlation_id":"700a81e3-75c9-47e0-aad5-94bfed299947","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"

However, when I go to my SignInSignUp flow, it shows MFA (multifactor Authentication) is disabled. What is going on? Do I have a problem or not?

Thanks
Siegfried

azure-ad-b2c

Hi,
Yesterday our developer got the same message out of nowhere. Saying "you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'".

But the AAD user itself can access his office.com resources with the same account and MFA for him works. He even reset the MFA device - still works, but he can't add his account to Visual Studio. Tried different VMs. This is not related to VMs.

0 Votes

0 Votes
SiegfriedHeintze-9929 answered

I just had a nice session with Brice from Azure support.

As part of a Microsoft AADB2C tutorial, I had created another Azure directory/B2C tenant. I was not aware that this process had also created another user account. I don't know what this account is for -- I don't remember needing it for the AADB2C tutorial (so far). Deleting this new user account seems to have solved the problem (which was just an error message).

Thank you Brice

Siegfried

11 Votes
amanpreetsingh-msft answered josoliveira-7968 published

@SiegfriedHeintze-9929 This is happening because Security Defaults is enabled for your tenant. You can disable it by navigating to Azure Portal > Azure AD > Properties > Click on Manage Security Defaults link > Toggle Enable Security Defaults button to NO.

Refer to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults for more information about Security Defaults.


Please "Accept as answer" wherever the information provided helps you to help others in the community.




THANK YOU VERY MUCH SIR...IT WAS REALLY REALLY HELPFUL AS OUR POC WAS STUCK AND IT WAS A BIT URGENT ON TOP OF TIME ISSUE.

2 Votes

@SiegfriedHeintze-9929 and @subglo-5139, Have you had a chance to work on the above suggestion?

0 Votes

Hurray! This works after having turned on the MFA (and having checked the token checkbox).


As I queried in the other post: Is there a way to make this work without having to use MFA?


0 Votes

You saved my life LOL!
Thank you!!

0 Votes

@amanpreetsingh-msft

I am also facing similar issue,
Trace ID: 35fe43dd-3eb4-4a6b-8ee0-344109584400
Correlation ID: b416aa26-7a02-4974-84c4-0356b96abc69
Timestamp: 2020-08-06 07:32:31Z. Response status code does not indicate success: 400 (BadRequest). {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'.

Please help on this.
Thanks in Advance.



0 Votes

1 Vote
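The "Failed to authenticate" warnings quoted in this thread carry everything needed to triage them: the tenant the CLI could not get a token for, the AADSTS code, the resource (application) ID, and the trace/correlation IDs support asked for. Below is an added example, not part of this thread or of Azure CLI, that pulls those fields out of az login output and maps each failing tenant to the configuration checks the answers above walk through (Security Defaults, per-user MFA, user flow, tenant mismatch, fresh session). The WARNING line format is taken from the output quoted in the thread; the sample text is constructed from those lines, and all function and variable names are this example's own.

```python
"""Triage helper for the AADSTS50076 "interaction_required" warnings that
`az login` prints when a tenant enforces MFA on a non-interactive token request.
Added example (not Azure CLI code); names below are this example's own.
"""
import json
import re

# Constructed sample modelled on the WARNING lines quoted in the thread. A raw
# string keeps the JSON "\r\n" escapes literal so json.loads() can decode them.
SAMPLE_AZ_LOGIN_OUTPUT = r"""WARNING: You have logged in. Now let us find all the subscriptions to which you have access...
WARNING: Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/1e694636-92fd-4ca7-b666-d0545514eb69', 'tenant_id': '1e694636-92fd-4ca7-b666-d0545514eb69'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: 71ce1029-29bf-46ea-b900-479128c38e00\r\nCorrelation ID: 34da890e-8c4d-484f-868f-9eeade415ebe\r\nTimestamp: 2020-04-30 16:13:24Z","error_codes":[50076],"timestamp":"2020-04-30 16:13:24Z","trace_id":"71ce1029-29bf-46ea-b900-479128c38e00","correlation_id":"34da890e-8c4d-484f-868f-9eeade415ebe","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}'
"""

# Code Azure AD returns when a policy requires an MFA step the silent token
# request cannot perform (the code in every warning quoted in this thread).
AADSTS_MFA_REQUIRED = 50076

# One WARNING line: a dict-like tenant context, then the HTTP status and the
# raw JSON error body from the token endpoint, closed by a single quote.
WARNING_RE = re.compile(
    r"Failed to authenticate '(?P<ctx>\{.*?\})' due to error "
    r"'Get Token request returned http error: (?P<status>\d+) "
    r"and server response: (?P<body>\{.*\})'$"
)
TENANT_RE = re.compile(r"'tenant_id': '(?P<tenant>[0-9a-fA-F-]{36})'")
RESOURCE_RE = re.compile(r"access '(?P<app>[0-9a-fA-F-]{36})'")
CODE_RE = re.compile(r"^AADSTS(?P<code>\d+)")


def parse_az_login_warnings(output):
    """Return one dict per 'Failed to authenticate' warning in az login output.
    az login prints one warning per tenant it could not get a token for, so an
    account with several directories can produce several of them."""
    events = []
    for line in output.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # truncated or hand-edited line; nothing reliable to extract
        desc = body.get("error_description", "")
        tenant = TENANT_RE.search(m.group("ctx"))
        resource = RESOURCE_RE.search(desc)
        code = CODE_RE.match(desc)
        events.append({
            "tenant_id": tenant.group("tenant") if tenant else None,
            "http_status": int(m.group("status")),
            "error": body.get("error"),
            "suberror": body.get("suberror"),
            "aadsts_code": int(code.group("code")) if code else None,
            "error_codes": body.get("error_codes", []),
            "resource": resource.group("app") if resource else None,
            "trace_id": body.get("trace_id"),
            "correlation_id": body.get("correlation_id"),
            "timestamp": body.get("timestamp"),
        })
    return events


def needs_mfa_investigation(event):
    """True when the warning is the MFA-enforcement error discussed in the thread."""
    return event["aadsts_code"] == AADSTS_MFA_REQUIRED or AADSTS_MFA_REQUIRED in event["error_codes"]


def triage(events, is_b2c_tenant=False):
    """Map each failing tenant to the checks named in the thread, in the order
    the thread resolved them: Security Defaults, per-user MFA, then the policy
    sources that apply to the tenant type, then session/tenant hygiene."""
    checks = {}
    for event in events:
        if not needs_mfa_investigation(event):
            continue
        steps = [
            "Security Defaults: Azure AD > Properties > Manage Security Defaults",
            "Per-user MFA state: Azure AD > Users > Multi-Factor Authentication",
        ]
        if is_b2c_tenant:
            steps.append("Sign-up/sign-in user flow MFA setting (CA and Identity "
                         "Protection do not trigger MFA in a B2C tenant)")
        else:
            steps.append("Conditional Access and Identity Protection policies")
        steps.append("Confirm the failing tenant_id is the directory you meant "
                     "(browser session and CLI may be on different tenants)")
        steps.append("Retry from a fresh CLI session after changing the setting")
        checks[event["tenant_id"]] = steps
    return checks


if __name__ == "__main__":
    for tenant, steps in triage(parse_az_login_warnings(SAMPLE_AZ_LOGIN_OUTPUT), is_b2c_tenant=True).items():
        print(f"tenant {tenant}:")
        for step in steps:
            print("  -", step)
```

Feed it the captured output of `az login 2>&1` and it reports one entry per tenant that failed; the trace and correlation IDs it returns are the values support used to trace the request in this thread, so they are the ones to quote in a ticket.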
amanpreetsingh-msft answered amanpreetsingh-msft converted comment to answer

@SiegfriedHeintze-9929 Security Defaults is a recent feature added for improving security by forcing all users in the tenant to register and perform MFA, without requiring any Azure AD Premium license. However, in some scenarios, like dev/test tenants, you would not want to perform MFA during testing. In that case, you need to disable Security Defaults, and if you have enabled MFA already, you would need to disable that as well. I have shared the steps to disable Security Defaults in my previous answer.

To disable MFA, you need to navigate to Azure Portal > Azure Active Directory > Users > Multi-Factor Authentication. This will redirect to the Azure MFA Portal, where you can select the users you want to disable MFA for. Please refer to the screenshot below:

[Screenshot: capture.jpg]


Please "Accept as answer" wherever the information provided helps you to help others in the community.




OK, I just tried my Ch03WebAppAPI demo again and it prompted me for MFA.


Now, I follow your instructions and it looks like I am already disabled for MFA. I don't see that extra column for INFO so I can enable/disable MFA for myself.


[Screenshot: alreadydisabledformfa.jpg]


0 Votes

0 Votes
amanpreetsingh-msft answered

@SiegfriedHeintze-9929 Could you please double check if Security Defaults are Off via the option below: Azure Portal > Azure AD > Properties > Click on Manage Security Defaults link > Toggle Enable Security Defaults button to NO.


Since it is a B2C tenant:

- CA Policy or Azure AD Identity Protection cannot trigger MFA.
- You have confirmed the SignUpSignInFlow flow is not configured with MFA.
- On the MFA Portal this option is set to Disable.

The only option left that can trigger MFA is Security Defaults. Please check that and let me know if that is off and you are still getting the MFA prompt.


0 Votes
SiegfriedHeintze-9929 answered

Oh shucks... I posted a response and this web site lost it! Let me try again.

Good news: I followed your instructions and now I can login with no MFA!

Bad news: I'm still getting this less than friendly message from "az login". Can you explain to me what it means? Why does it say that I have been logged in but then I have failed to authenticate? Do we need to fix something? Perhaps it is related to the troubles I have been having that I have described in other posts (on Azure Functions)?

WARNING: You have logged in. Now let us find all the subscriptions to which you have access...

WARNING: Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/1e694636-92fd-4ca7-b666-d0545514eb69', 'tenant_id': '1e694636-92fd-4ca7-b666-d0545514eb69'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: 71ce1029-29bf-46ea-b900-479128c38e00\r\nCorrelation ID: 34da890e-8c4d-484f-868f-9eeade415ebe\r\nTimestamp: 2020-04-30 16:13:24Z","error_codes":[50076],"timestamp":"2020-04-30 16:13:24Z","trace_id":"71ce1029-29bf-46ea-b900-479128c38e00","correlation_id":"34da890e-8c4d-484f-868f-9eeade415ebe","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}'

[
  {
    "cloudName": "AzureCloud",
    "id": "acc26051-92a5-4ed1-a226-64a187bc27db",
    "isDefault": true,
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "7a838aec-0b9e-4856-a3b5-2b02613f36a2",
    "user": {
      "name": "sheintze@hotmail.com",
      "type": "user"
    }
  }
]

0 Votes
amanpreetsingh-msft answered

@SiegfriedHeintze-9929, I tracked the error based on the correlation ID that you shared and found that Security Defaults applied to Azure CLI.

Since you have disabled Security Defaults, I would suggest you close any existing PowerShell/Azure CLI sessions where you are trying az login and start a new session. It looks like the change will take effect in a new session.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

0 Votes
SiegfriedHeintze-9929 answered amanpreetsingh-msft commented

OK, I have taken your advice and I have logged out ("az logout") a second time to confirm that I am logged out.

I now do "az login" again and get a very similar message. While it does not seem to be causing any problem, I'm hesitant to ignore it without understanding it better.

 WARNING: You have logged in. Now let us find all the subscriptions to which you have access...

WARNING: Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/1e694636-92fd-4ca7-b666-d0545514eb69', 'tenant_id': '1e694636-92fd-4ca7-b666-d0545514eb69'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: e1cc0115-d02f-4446-ac27-cc6b71376400\r\nCorrelation ID: 5d598d3c-c264-47bf-9154-f13d1a42f4c5\r\nTimestamp: 2020-05-04 16:23:21Z","error_codes":[50076],"timestamp":"2020-05-04 16:23:21Z","trace_id":"e1cc0115-d02f-4446-ac27-cc6b71376400","correlation_id":"5d598d3c-c264-47bf-9154-f13d1a42f4c5","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}'

[
  {
    "cloudName": "AzureCloud",
    "id": "acc26051-92a5-4ed1-a226-64a187bc27db",
    "isDefault": true,
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "7a838aec-0b9e-4856-a3b5-2b02613f36a2",
    "user": {
      "name": "sheintze@hotmail.com",
      "type": "user"
    }
  }
]


Try creating a new user under Azure Active Directory > Users and test with that account.

0 Votes

0 Votes
PtwHub-9594 answered

In my case this happened because in my current browser I had selected a different Azure Directory (tenant) than the one I was trying to access with the CloudShell. So the /devicelogin was using the code to try and access the AD selected in the browser and not the one I had selected in the CloudShell => Easiest solution: just log out of your browser session and start a new one to do the /devicelogin.
