Not able to get access token due Invalid_grant AADSTS50126: Error validating credentials due to invalid username or password

P.RRCAT10 1 Reputation point
2021-09-08T20:33:16.36+00:00

I have been trying to get an access token in Postman, providing username and password, but the error is present although username and password are correctly set. I need to confirm whether this error is present because federated authentication is used by my company. Could you please help me?

{
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 5687f74f-f5ce-46b1-8df7-954365baae00\r\nCorrelation ID: f5bd2008-d19f-4f8f-934f-439abdc72b54\r\nTimestamp: 2021-09-08 20:19:45Z",
    "error_codes": [
        50126
    ],
    "timestamp": "2021-09-08 20:19:45Z",
    "trace_id": "5687f74f-f5ce-46b1-8df7-954365baae00",
    "correlation_id": "f5bd2008-d19f-4f8f-934f-439abdc72b54",
    "error_uri": "https://login.microsoftonline.com/error?code=50126"
}


1 answer

    Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-09-09T19:56:46.287+00:00

    If your user is federated, this scenario is expected.

    When you use the ROPC for this user, Azure knows that the user is federated and, since it does not have a UI to redirect you to your on-prem AD for you to authenticate, it throws the “AADSTS50126: Invalid username or password” error (yes, this error message is misleading and should be more explicit).

    If you have the PasswordSync option enabled on your tenant, you can overcome this in two different ways:

    1. Defining a Home Realm Discovery policy

    Basically, you will enforce the AppID that you are using “to check the password for users on Azure AD and not on the on-prem AD”. See more information here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal

    The PS Script for the policy should be something like:

    Add the object ID of the Service Principal (you can find it under Azure Active Directory > Enterprise Applications > Application you’re looking for > Properties > ObjectID).

    # Object ID of the service principal (Enterprise Applications > <app> > Properties > Object ID)
    $spId = "GUID HERE"

    # Sign in with the AzureAD PowerShell module using an account allowed to create policies
    Connect-AzureAD

    # HRD policy that lets this app validate the password in the cloud instead of redirecting to the federated IdP
    # (only works when password hash sync is enabled for the tenant)
    $policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false

    # Attach the policy to this service principal only, not to the whole tenant
    Add-AzureADServicePrincipalPolicy -Id $spId -RefObjectId $policy.Id

    If you don’t have PasswordSync enabled, you need to achieve this by using Approach 2:

    2. Change the user account

    If you use a cloud-only account, you will not face this issue.

    Also, please note that this only works for users without any kind of MFA. The main goal of using MFA is to ensure that users provide a 2nd piece of information that will always require UI interaction. Since this flow does not allow UI interaction, if your user has MFA enabled, this will never work.

    Let me know if this is helpful and if I can help you with anything else.

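As an added example (not from the question or the answer), a small Python helper that builds the same ROPC token request Postman sends and maps the token endpoint's error codes to the diagnosis given in the answer; the tenant, client ID and credentials are placeholders, and the sample error body is the one from the question.

```python
import json
from urllib.parse import urlencode

# Constructed sample: the error body posted in the question (same IDs as printed there)
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password."
                         "\r\nTrace ID: 5687f74f-f5ce-46b1-8df7-954365baae00"
                         "\r\nCorrelation ID: f5bd2008-d19f-4f8f-934f-439abdc72b54"
                         "\r\nTimestamp: 2021-09-08 20:19:45Z",
    "error_codes": [50126],
    "trace_id": "5687f74f-f5ce-46b1-8df7-954365baae00",
    "correlation_id": "f5bd2008-d19f-4f8f-934f-439abdc72b54",
})

# What each code means for an ROPC request, per the answer above (50076 is the MFA-required code)
HINTS = {
    50126: "password rejected, or the user is federated and ROPC cannot redirect to the on-prem IdP: "
           "add an HRD policy with AllowCloudPasswordValidation (needs password hash sync) or use a cloud-only account",
    50076: "MFA is required for this user; ROPC has no UI for the second factor, so this flow cannot succeed",
}


def build_ropc_request(tenant, client_id, username, password, scope="https://graph.microsoft.com/.default"):
    """Return (url, form body) for the v2.0 token endpoint ROPC grant, as Postman would send it."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password, "scope": scope})
    return url, body


def classify_token_response(text):
    """Parse a token-endpoint response body and return a summary suitable for a log line or support ticket."""
    data = json.loads(text)
    if "access_token" in data:
        return {"ok": True, "codes": [], "hint": "token issued"}
    codes = data.get("error_codes", [])
    hint = next((HINTS[c] for c in codes if c in HINTS), f"unhandled error {data.get('error')}")
    # trace_id / correlation_id are what Microsoft support asks for when raising a case
    return {"ok": False, "error": data.get("error"), "codes": codes, "hint": hint,
            "trace_id": data.get("trace_id"), "correlation_id": data.get("correlation_id")}


if __name__ == "__main__":
    url, body = build_ropc_request("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                                   "user@contoso.com", "placeholder-password")
    print(url, body.split("&")[0])
    print(classify_token_response(SAMPLE_ERROR))
```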