If your user is federated, this scenario is expected.
When you use the ROPC for this user, Azure knows that the user is federated and, since it does not have a UI to redirect you to your on-prem AD for you to authenticate, it throws the “AADSTS50126: Invalid username or password” error (yes, this error message is misleading and should be more explicit).
If you have the PasswordSync option enabled on your tenant, you can overcome this in two different ways:
1 – Defining a Home Realm Discovery policy
Basically, you will enforce the AppID that you are using “to check the password for users on Azure AD and not on the on-prem AD”. See more information here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal
The PS Script for the policy should be something like:
# Requires the AzureAD PowerShell module; sign in first.
Connect-AzureAD
# Add the object ID of the Service Principal. You can find it under Azure Active Directory > Enterprise Applications > Application you’re looking for > Properties > ObjectID
$spId = "GUID HERE"
# Create an HRD policy that lets this app validate the (synced) password in Azure AD instead of redirecting to the on-prem IdP
$policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false
# Attach the policy to the service principal of the app you use for ROPC
Add-AzureADServicePrincipalPolicy -Id $spId -RefObjectId $policy.Id
If you don’t have PasswordSync enabled, you need to achieve this by using Approach 2:
2 – Change the user account
If you use a cloud-only account, you will not face this issue.
Also, please note that this only works for users without any kind of MFA. The main goal of using MFA is to ensure that users provide a 2nd piece of information that will always require UI interaction. Since this flow does not allow UI interaction, if your user has MFA enabled, this will never work.
Let me know if this is helpful and if I can help you with anything else.
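As an added diagnostic that is not part of the answer above, the following script checks the two conditions the answer describes (is the user's domain federated, and does the app's service principal already carry an HRD policy with AllowCloudPasswordValidation set) and reports whether ROPC is expected to work. It uses the same AzureAD PowerShell module as the script in the answer and assumes an existing Connect-AzureAD session; the UPN and AppId in the example call are constructed placeholders.

```powershell
# Added example, not from the original answer. Assumes the AzureAD module
# (Get-AzureADDomain, Get-AzureADServicePrincipal, Get-AzureADServicePrincipalPolicy)
# and that Connect-AzureAD has already been run.
function Test-RopcReadiness {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AppId
    )

    # 1. Is the user's domain federated (on-prem IdP) or managed (cloud-authenticated)?
    $domainName = $UserPrincipalName.Split('@')[-1]
    $domain     = Get-AzureADDomain -Name $domainName
    $federated  = ($domain.AuthenticationType -eq 'Federated')

    # 2. Does the app's service principal have an HRD policy that sets
    #    AllowCloudPasswordValidation = true?
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId" }

    $cloudPasswordAllowed = $false
    foreach ($policy in (Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId)) {
        if ($policy.Type -ne 'HomeRealmDiscoveryPolicy') { continue }
        foreach ($definition in $policy.Definition) {
            $parsed = $definition | ConvertFrom-Json
            if ($parsed.HomeRealmDiscoveryPolicy.AllowCloudPasswordValidation -eq $true) {
                $cloudPasswordAllowed = $true
            }
        }
    }

    [pscustomobject]@{
        User                 = $UserPrincipalName
        Domain               = $domainName
        Federated            = $federated
        ServicePrincipalId   = $sp.ObjectId
        CloudPasswordAllowed = $cloudPasswordAllowed
        # ROPC can only succeed for a managed domain, or for a federated domain
        # when the SP may validate the synced password hash in the cloud
        # (which in turn requires PasswordSync on the tenant).
        RopcExpectedToWork   = (-not $federated) -or $cloudPasswordAllowed
    }
}

# Example call with constructed placeholder values:
# Test-RopcReadiness -UserPrincipalName 'alice@contoso.com' -AppId '00000000-0000-0000-0000-000000000000'
```

The script does not check MFA, which the answer notes will also block this UI-less flow regardless of the HRD policy.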