User did not pass MFA challenge
Question
Thursday, July 18, 2019 5:26 PM
Two questions regarding sign-in error codes.
1. What is the difference between the following two sign-in errors?
a. 50074 - User did not pass the MFA challenge.
b. 50076 - User did not pass the MFA challenge (non interactive).
2. Do one or both errors indicate that valid user credentials were provided but the login failed because MFA was not completed successfully?
All replies (4)
Thursday, July 18, 2019 9:26 PM
From my understanding, non-interactive MFA is accomplished through service principals (or in some cases, certs) along with scripting and automation, whereas interactive MFA requires the user to interact by entering a username and password.
And yes, in both cases the failure indicates that the authentication was attempted but was not successful.
Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!
Tuesday, July 23, 2019 12:35 PM
Please clarify the second part of your reply. It is obvious that authentication was attempted. The question was: do these errors indicate that valid credentials (correct username AND password) were provided during the attempt? Thank you for your attention.
Wednesday, July 24, 2019 12:12 AM
Hi Timo,
The error means that they didn't perform MFA appropriately, and it does not mean that they entered invalid credentials. If they got a wrong username or password, the error would have been "50126: Invalid username or password, or invalid on-premises username or password."
You can duplicate this yourself by trying to sign in and then leaving the MFA prompt for two minutes. Theoretically you would get a 57004 in that situation.
Wednesday, September 18, 2019 1:50 AM
This is interesting. I am seeing a bunch of these failures in my Sign-in logs all within seconds. See the screenshot for an example of 10 failures with event 50076 - User did not pass the MFA challenge (non interactive) all within 10 seconds.
The user has the "call my mobile" option but says he didn't get a call for this event. Is that because it's "non interactive", and if so, how do I know who or what was trying to authenticate, and how can you authenticate non-interactively when MFA is enabled?
Why so many failure entries for one apparent login attempt? Surely the phone could not have rung 10 times in 10 seconds, so again, how do I know who or what was trying to authenticate so many times in such a short time period?
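An added example, not part of any post in this thread: one way to see who or what produced a run of 50074/50076 entries is to group them by user, application, IP address and client, then collapse rapid repeats into a single burst. The records are constructed, the field names are assumed to follow the Microsoft Graph signIn resource, and the code meanings are the ones given in the replies above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Code meanings as stated in this thread.
MFA_NOT_PASSED = {50074, 50076}  # MFA challenge not passed
BAD_CREDENTIALS = {50126}        # invalid username or password (ignored here)

def _rec(ts, user, app, ip, client, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "appDisplayName": app, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code}}

# Constructed sample: ten 50076 entries in ten seconds, one 50074, one 50126.
SAMPLE = [
    _rec(f"2019-01-01T01:50:{s:02d}Z", "alice@example.com", "Constructed Mail App",
         "203.0.113.10", "Mobile Apps and Desktop clients", 50076)
    for s in range(10)
] + [
    _rec("2019-01-01T09:00:00Z", "alice@example.com", "Constructed Portal",
         "198.51.100.7", "Browser", 50074),
    _rec("2019-01-01T09:05:00Z", "bob@example.com", "Constructed Portal",
         "198.51.100.8", "Browser", 50126),
]

def mfa_failure_bursts(records, gap=timedelta(seconds=10), min_events=3):
    """Return runs of MFA-not-passed failures per (user, app, IP, client)."""
    groups = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in MFA_NOT_PASSED:
            key = (r["userPrincipalName"], r["appDisplayName"],
                   r["ipAddress"], r["clientAppUsed"])
            ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            groups[key].append(ts)
    bursts = []
    for (user, app, ip, client), times in sorted(groups.items()):
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:  # None flushes the final run
            if t is not None and t - run[-1] <= gap:
                run.append(t)
                continue
            if len(run) >= min_events:
                bursts.append({"user": user, "app": app, "ip": ip, "client": client,
                               "count": len(run), "first": run[0],
                               "seconds": (run[-1] - run[0]).total_seconds()})
            run = [t]
    return bursts

if __name__ == "__main__":
    for b in mfa_failure_bursts(SAMPLE):
        print(b)
```

Ten entries sharing one application, IP address and client collapse to a single burst, which gives the reviewer one source to investigate instead of ten separate sign-in attempts.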