AADSTS50126: Error validating credentials due to invalid username or password

Janarthanan Ravikumar 1 Reputation point
2021-05-06T16:12:59.1+00:00

I am doing a POC on the Graph API to read calendar details. Since it is for a desktop app, I am using username/password for authorization. Below are the details.

  1. All the users are federated under our tenant.
  2. We are trying to call a Graph API endpoint with the delegated protection type. Can you please let me know which authentication protocol we should use to retrieve the data from the Graph API? I have gone through the authentication protocols, and it looks like the ROPC (Resource Owner Password Credential) approach suits our requirement, but with ROPC I am facing the issue mentioned below. Please let me know what options are available to us. As a collective decision, the tenant will not provide application permission access due to security reasons; all we can go for is the delegated permission type, and I want to access the Graph API endpoint via API.
  3. I am able to access the Graph API endpoint from Microsoft Graph Explorer, but I couldn't access it from Postman.

Error:
"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 1ca8efbe-7673-4a5d-8b2f-aae5ec360604\r\nCorrelation ID: 00e302c6-b650-4228-8618-5a4d9706b990\r\nTimestamp: 2021-05-06 15:30:26Z",
"error_codes": [
50126
],


3 answers

  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2021-05-06T22:59:02.42+00:00

    Hi @Janarthanan Ravikumar ,

    Thanks for using Microsoft Q&A!
    You are getting this error because ROPC is not supported in a hybrid identity federation environment, with the exception of PTA, as Azure AD is not able to test the username and password against the identity provider. So, when you're making an API call from Postman (as it can't do the redirection), the credentials can't be verified and you get this error. Please refer to these threads -

    Thanks
    Saurabh


  2. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-05-07T07:31:21.763+00:00

    Hi @Janarthanan Ravikumar · Thank you for reaching out.

    As SaurabhSharma-msft mentioned, when you're making an API call from Postman (as it can't do the redirection), credentials can't be validated from the on-premises IDP.

    However, to make this scenario work with federated accounts:

    1. Sync users' passwords to Azure AD. If you don't want to sync passwords for the entire organization, you may consider using Selective Password Hash Sync.
    2. Create a policy to allow credentials validation of federated users from within Azure AD.
    3. Link the policy to the application, for which you want to use ROPC flow with federated accounts.

    For step-by-step instructions, please refer to my blog post here: https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
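
Added example (not part of any answer in this thread): a small Python parser for the token-endpoint error body shown in the question. It extracts the AADSTS code, trace ID, correlation ID and timestamp so a failed ROPC request can be logged and matched against sign-in logs or quoted in a support case. `SAMPLE_BODY` is constructed from the question's error text, and the `triage` helper with its `federated` flag is a hypothetical name and parameter introduced here.

```python
import json
import re
from datetime import datetime, timezone

# Constructed input: the fields shown in the question, wrapped in braces to
# form valid JSON (the post shows only the inner lines).
SAMPLE_BODY = r'''{"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 1ca8efbe-7673-4a5d-8b2f-aae5ec360604\r\nCorrelation ID: 00e302c6-b650-4228-8618-5a4d9706b990\r\nTimestamp: 2021-05-06 15:30:26Z",
"error_codes": [50126]}'''

def parse_token_error(body):
    """Split a token-endpoint error body into fields usable in logs and tickets."""
    doc = json.loads(body)
    lines = doc.get("error_description", "").splitlines()  # handles \r\n
    message = lines[0] if lines else ""
    extra = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            extra[key.strip().lower().replace(" ", "_")] = value.strip()
    code = re.match(r"AADSTS(\d+):", message)
    stamp = extra.get("timestamp")
    return {
        "error": doc.get("error"),
        "aadsts": int(code.group(1)) if code else None,
        "error_codes": doc.get("error_codes", []),
        "message": message,
        "trace_id": extra.get("trace_id"),
        "correlation_id": extra.get("correlation_id"),
        "timestamp": (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%SZ")
                      .replace(tzinfo=timezone.utc) if stamp else None),
    }

def triage(parsed, federated):
    """Hypothetical helper: `federated` is supplied by the caller, not detected."""
    if parsed["aadsts"] == 50126 and federated:
        # Cause given in the first answer on this page.
        return ("ROPC with a federated account: Azure AD cannot validate "
                "the password against the identity provider")
    if parsed["aadsts"] == 50126:
        return "Azure AD rejected the username or password"
    return "unclassified: look up AADSTS%s" % parsed["aadsts"]

if __name__ == "__main__":
    info = parse_token_error(SAMPLE_BODY)
    print(info["aadsts"], info["correlation_id"], info["timestamp"].isoformat())
    print(triage(info, federated=True))
```
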


  3. Sombudhya Basu 1 Reputation point
    2022-03-22T22:01:08.79+00:00

    Hi @AmanpreetSingh-MSFT ,

    I am a non-federated user, trying out some POC by using Azure PowerShell. I am able to log in to the portal using the same password, but somehow that does not seem to work using PowerShell.

    Could you please assist me on what could go wrong?

    Request id:
    ad10dadc-e24b-4877-8cc7-bf13ef0d1901
    Correlation id:
    fbb90a53-79d5-498d-a570-80a9918d01f2
