Not able to get access token due Invalid_grant AADSTS50126: Error validating credentials due to invalid username or password

P.RRCAT10 1 Reputation point

I have been trying to get an access token in Postman, providing username and password, but the error is present although the username and password are correctly set. I need to confirm whether this error is present due to federated authentication being used by my company. Could you please help me?

"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 5687f74f-f5ce-46b1-8df7-954365baae00\r\nCorrelation ID: f5bd2008-d19f-4f8f-934f-439abdc72b54\r\nTimestamp: 2021-09-08 20:19:45Z",
"error_codes": [
"timestamp": "2021-09-08 20:19:45Z",
"trace_id": "5687f74f-f5ce-46b1-8df7-954365baae00",
"correlation_id": "f5bd2008-d19f-4f8f-934f-439abdc72b54",
"error_uri": ""

Azure Active Directory

1 answer

  1. Marilee Turscak-MSFT 24,056 Reputation points Microsoft Employee

    If your user is federated, this scenario is expected.

    When you use the ROPC for this user, Azure knows that the user is federated and, since it does not have a UI to redirect you to your on-prem AD for you to authenticate, it throws the “AADSTS50126: Invalid username or password” error (yes, this error message is misleading and should be more explicit).

    If you have the PasswordSync option enabled on your tenant, you can overcome this in two different ways:

    1. Defining a Home Realm Discovery policy

    Basically, you will enforce the AppID that you are using “to check the password for users on Azure AD and not on the on-prem AD”. See more information here:

    The PS Script for the policy should be something like:

    Add the object ID of the Service Principal. (You can find it under Azure Active Directory > Enterprise Applications > Application you’re looking for > Properties > ObjectID.)

    # Requires the AzureAD PowerShell module; sign in with an account that can manage policies first  
    Connect-AzureAD  
    # Object ID of the service principal (Enterprise Applications > your app > Properties > ObjectID)  
    $spId = "GUID HERE"  
    # Create a Home Realm Discovery policy that lets Azure AD validate the synced password in the cloud  
    $policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false  
    # Attach the policy to this service principal only (not tenant-wide)  
    Add-AzureADServicePrincipalPolicy -Id $spId -RefObjectId $policy.Id  

    If you don’t have PasswordSync enabled, you need to achieve this by using Approach 2:

    2. Change the user account

    If you use a cloud-only account, you will not face this issue.

    Also, please note that this only works for users without any kind of MFA. The main goal of using MFA is to ensure that users provide a 2nd piece of information that will always require UI interaction. Since this flow does not allow UI interaction, if your user has MFA enabled, this will never work.

    Let me know if this is helpful and if I can help you with anything else.

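As an added example (not code from the question or from the answer above), the Python below reproduces what Postman sends for the ROPC grant against the v2.0 token endpoint and parses the error body into a triage result, so the misleading "invalid username or password" message can be mapped to the causes the answer lists (federated user without cloud password validation, wrong password, or MFA). Tenant, client ID, scope and credentials are placeholders; the sample error is constructed from the response shown in the question; the MFA codes AADSTS50076 and AADSTS50079 are real codes that are not mentioned in the thread.

```python
"""ROPC token request and AADSTS error triage (added example, not from the Q&A thread)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The AADSTS code is the first token of error_description, e.g. "AADSTS50126: ...".
AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Defender's notes for the codes ROPC most often returns. 50126 is the one in the
# thread; 50076/50079 are MFA codes that ROPC can never satisfy (no UI step).
ROPC_HINTS: Dict[str, str] = {
    "50126": ("wrong password, OR the user is federated and no Home Realm Discovery "
              "policy with AllowCloudPasswordValidation is attached to this app; "
              "use a cloud-only account or add the HRD policy (needs password hash sync)"),
    "50076": "MFA required for this user; ROPC has no UI step, use an interactive flow",
    "50079": "user must enrol in MFA; ROPC cannot complete enrolment",
}


@dataclass
class TokenError:
    code: str
    description: str
    trace_id: Optional[str]
    correlation_id: Optional[str]
    hint: str


def build_ropc_request(tenant: str, client_id: str, scope: str,
                       username: str, password: str) -> Tuple[str, bytes]:
    """Return (url, form body) for the v2.0 ROPC grant, the request Postman sends."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def classify_token_error(response_json: dict) -> TokenError:
    """Map a token-endpoint error JSON to the AADSTS code plus a triage hint."""
    desc = response_json.get("error_description", "")
    match = AADSTS_RE.search(desc)
    code = match.group(1) if match else ""
    # Fall back to the numeric error_codes array if the description was truncated.
    if not code and response_json.get("error_codes"):
        code = str(response_json["error_codes"][0])
    hint = ROPC_HINTS.get(code, "unlisted code; check the AADSTS error reference")
    return TokenError(
        code=code,
        description=desc,
        trace_id=response_json.get("trace_id"),
        correlation_id=response_json.get("correlation_id"),
        hint=hint,
    )


def request_token(tenant: str, client_id: str, scope: str,
                  username: str, password: str) -> dict:
    """Send the ROPC request; on 4xx return the parsed error body instead of raising.
    Performs network I/O, so it is not called by the offline test."""
    url, body = build_ropc_request(tenant, client_id, scope, username, password)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())


# Constructed sample mirroring the response in the question (IDs copied from it).
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": ("AADSTS50126: Error validating credentials due to invalid "
                          "username or password.\r\nTrace ID: 5687f74f-f5ce-46b1-8df7-954365baae00"
                          "\r\nCorrelation ID: f5bd2008-d19f-4f8f-934f-439abdc72b54"
                          "\r\nTimestamp: 2021-09-08 20:19:45Z"),
    "error_codes": [50126],
    "timestamp": "2021-09-08 20:19:45Z",
    "trace_id": "5687f74f-f5ce-46b1-8df7-954365baae00",
    "correlation_id": "f5bd2008-d19f-4f8f-934f-439abdc72b54",
    "error_uri": "",
}

if __name__ == "__main__":
    # Offline demo: triage the constructed sample. Replace the placeholders and call
    # request_token(...) to run the real flow against your tenant.
    result = classify_token_error(SAMPLE_ERROR)
    print(f"AADSTS{result.code} (trace {result.trace_id}): {result.hint}")
```

The trace ID and correlation ID are what Microsoft support asks for, so the triage keeps them alongside the hint; the hint for 50126 deliberately lists the federated-user case first because, as the answer notes, the error text alone does not distinguish it from a genuinely wrong password.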