MsalError Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Error code returned as a property in MsalException
public static class MsalErrortype MsalError = classPublic Class MsalError- Inheritance
-
MsalError
Fields
| AccessDenied |
Access denied. |
| AccessingWsMetadataExchangeFailed |
Accessing WS Metadata Exchange Failed. What happens? You tried to use AcquireTokenByUsernamePassword(IEnumerable<String>, String, String) and the account is a federated account.Mitigation None. The WS metadata was not found or does not correspond to what was expected. |
| AccessTokenTypeMissing |
What happens? The response from the token endpoint does not contain the token_type parameter.Mitigation This happens if the identity provider (AAD, B2C, ADFS, etc.) did not include the access token type in the token response. Verify the configuration of the identity provider. |
| ActivityRequired |
On Android, you need to call |
| AdfsNotSupportedWithBroker |
What happens? Broker is configured with an ADFS authority, however, it does not support ADFS environments.Mitigation Broker does not support ADFS environments. |
| AndroidBrokerOperationFailed |
Failed To Complete Android Broker Operation |
| AndroidBrokerSignatureVerificationFailed |
Failed to validate android broker signature |
| AuthenticationCanceledError |
Authentication canceled. What happens? The user had canceled the authentication, for instance by closing the authentication dialogMitigation None, you cannot get a token to call the protected API. You might want to inform the user |
| AuthenticationFailed |
Authentication failed. What happens? The authentication failed. For instance the user did not enter the right passwordMitigation Inform the user to retry. |
| AuthenticationUiFailed |
The request could not be preformed because of an unknown failure in the UI flow.* Mitigation Inform the user. |
| AuthenticationUiFailedError |
The request could not be performed because of a failure in the UI flow. What happens? The library failed to invoke the Web View required to perform interactive authentication. The exception might include the reasonMitigation If the exception includes the reason, you could inform the user. This might be, for instance, a browser implementing chrome tabs is missing on the Android phone (that's only an example: this exception can apply to other platforms as well) |
| AuthorityHostMismatch |
The cloud (authority URL host) defined at the application level cannot be different than the cloud at the request level. What happens? You did not define an authority at the application level, so it defaults to the public cloud (login.microsoft.com), but the authority at the request level is for a different cloud. Only the tenant can be changed at the request level.Mitigation Add .WithAuthority("https://login.windows-ppe.net/common) at the application level and specify the tenant at the request level: .WithAuthority("https://login.windows-ppe.net/1234-567-890-12345678). |
| AuthorityTenantSpecifiedTwice |
What happens? You specified a tenant twice - once in WithAuthority() and once using WithTenant()Mitigation Specify the tenant once. |
| AuthorityTypeMismatch |
What happens? The authority configured at the application level is different than the authority configured at the request levelMitigation Ensure the same authority type is used |
| AuthorityValidationFailed |
Authority validation failed. What happens? The validation of the authority failed. This might be because the authority is not compliant with the OIDC standard, or there might be a security issueMitigation Use a different authority. If you are absolutely sure that you can trust the authority you can use the WithAuthority(AadAuthorityAudience, Boolean) passing thevalidateAuthority parameter to false (not recommended)
|
| B2CAuthorityHostMismatch |
The B2C authority host is not the same as the one used when creating the client application. |
| BrokerApplicationRequired |
What happens? A broker application is required, but one could not be found or communicated with.Mitigation Install a broker application, such as Authenticator, from the application store |
| BrokerDoesNotSupportPop |
What happens? The request has broker enabled and Proof-of-Possession configured but the broker does not support Proof-of-PossessionMitigation only configure Proof-of-Possession for public clients on windows. |
| BrokerNonceMismatch |
Broker response nonce does not match the request nonce sent by MSAL.NET for iOS broker >= v6.3.19 |
| BrokerRequiredForPop |
What happens? The request has Proof-of-Possession configured but does not have broker enabled. Broker is required to use Proof-of-Possession on public clientsMitigation Enable the broker when Proof-of-Possession is configured. |
| BrokerResponseHashMismatch |
Broker response hash did not match |
| BrokerResponseReturnedError |
Broker response returned an error |
| CannotAccessUserInformationOrUserNotDomainJoined |
Cannot Access User Information or the user is not a user domain. What happens? You tried to use AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>) but the user is not a domain user (the machine is not domain or AAD joined) |
| CannotInvokeBroker |
MSAL is not able to invoke the broker. Possible reasons are the broker is not installed on the user's device, or there were issues with the UiParent or CallerViewController being null. See https://aka.ms/msal-brokers |
| CertificateNotRsa |
What happens? The certificate provided is not of type RSA.Mitigation Please use an RSA certificate. |
| CertWithoutPrivateKey |
What happens? The certificate provided does not have a private key.Mitigation Ensure the certificate has a private key. |
| ClientCredentialAuthenticationTypeMustBeDefined |
What happens? You configured MSAL confidential client authentication without an authentication type (Certificate, Secret, Client Assertion)Mitigation Either call ConfidentialClientApplicationBuilder.WithClientSecret, ConfidentialClientApplicationBuilder.WithCertificate, ConfidentialClientApplicationBuilder.WithClientAssertion |
| ClientCredentialAuthenticationTypesAreMutuallyExclusive |
What happens? You configured MSAL confidential client authentication with more than one authentication type (Certificate, Secret, Client Assertion) |
| ClientIdMustBeAGuid |
What happens? You've specified a client ID that is not a GuidMitigation Use the application ID (a GUID) from the application portal as client ID in this SDK |
| CodeExpired |
What happens? In the context of Device code flow (See https://aka.ms/msal-net-device-code-flow), this error happens when the device code expired before the user signed-in on another device (this is usually after 15 mins).Mitigation None. Inform the user that they took too long to sign-in at the provided URL and enter the provided code. |
| CombinedUserAppCacheNotSupported |
Using combined flat storage, like a file, to store both app and user tokens is not supported. Use a partitioned token cache (for ex. distributed cache like Redis) or separate files for app and user token caches. See https://aka.ms/msal-net-token-cache-serialization . |
| CryptographicError |
A cryptographic exception occurred when trying to use the provided certificate |
| CurrentBrokerAccount |
This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when the
OperatingSystemAccount user is passed as the Mitigation On Windows, use the broker via .WithBroker(true), use a different account, or otherwise call AcquireTokenInteractive(IEnumerable<String>) |
| CustomMetadataInstanceOrUri |
What happens? You have configured your own instance metadata using both an Uri and a string. Only one is supported.Mitigation Call WithInstanceDiscoveryMetadata only once. See https://aka.ms/msal-net-custom-instance-metadata for more details. |
| CustomWebUiRedirectUriMismatch |
Error code used when the CustomWebUI has returned a URI, but it does not match the Authority and AbsolutePath of the configured redirect URI. |
| CustomWebUiReturnedInvalidUri |
Error code used when the ICustomWebUi has returned a URI, but it is invalid - it is either null or has no code. Consider throwing an exception if you are unable to intercept the URI containing the code. |
| DefaultRedirectUriIsInvalid |
RedirectUri validation failed. |
| DeviceCertificateNotFound |
Device certificate not found. |
| DuplicateQueryParameterError |
Duplicate query parameter was found in extraQueryParameters. What happens? You have usedextraQueryParameter of overrides
of token acquisition operations in public client and confidential client application and are passing a parameter which is already present in the
URL (either because you had it in another way, or the library added it).
Mitigation [App Development] RemoveAccount the duplicate parameter from the token acquisition override. |
| EncodedTokenTooLong |
Encoded token too long. What happens In a confidential client application call, the client assertion built by MSAL is longer than the max possible length for a JWT token. |
| ExactlyOneScopeExpected |
Exactly one scope is expected. |
| ExperimentalFeature |
What happens? You are trying to use a feature which was marked as experimentalMitigation When creating the PublicClientApplication or ConfidentialClientApplication, use .WithExperimentalFeatures() option. See https://aka.ms/msal-net-experimental-features for details. |
| FailedToAcquireTokenSilentlyFromBroker |
Failed to acquire token silently. Used in broker scenarios. What happens you called AcquireTokenSilent(IEnumerable<String>, IAccount) or AcquireTokenSilent(IEnumerable<String>, String) and your mobile (Xamarin) application leverages the broker (Microsoft Authenticator or Microsoft Company Portal), but the broker was not able to acquire the token silently.Mitigation Call AcquireTokenInteractive(IEnumerable<String>) |
| FailedToGetBrokerResponse |
What happens? You are trying to authenticate with the broker but MSAL is unable to read the response from the broker.Mitigation The currently installed broker may not support MSAL.Xamarin, you need to ensure that you have installed either Intune Company Portal (5.0.4689.0 or greater) or Microsoft Authenticator (6.2001.0140 or greater). see https://aka.ms/Brokered-Authentication-for-Android" |
| FailedToRefreshToken |
Failed to refresh token. What happens? The token could not be refreshed. This can be because the user has not used the application for a long time. and therefore the refresh token maintained in the token cache has expiredMitigation If you are in a public client application, that supports interactivity, send an interactive request AcquireTokenInteractive(IEnumerable<String>). Otherwise, use a different method to acquire tokens. |
| FederatedServiceReturnedError |
Federated service returned error. Mitigation None. The federated service returned an error. You can try to look at the Body of the exception for a better understanding of the error and choose the mitigation |
| GetUserNameFailed |
Failed to get user name. |
| HttpListenerError |
An HttpListenerException occurred while listening for the system browser to complete the login. |
| HttpStatusCodeNotOk |
ErrorCode used when the HTTP response returns something different from 200 (OK) |
| HttpStatusNotFound |
Error code used when the HTTP response returns HttpStatusCode.NotFound |
| InitializeProcessSecurityError |
What happens? Failure setting process security to enable WAM Account Picker in an elevated process.Mitigation For troubleshooting details, see https://aka.ms/msal-net-wam . |
| IntegratedWindowsAuthenticationFailed |
This can occur if there is an configuration issue in the ADFS environment where this is authenticating. See https://aka.ms/msal-net-iwa-troubleshooting for more details |
| IntegratedWindowsAuthNotSupportedForManagedUser |
Integrated Windows Auth is only supported for "federated" users |
| InteractionRequired |
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so the user can do an interactive log-in to get a token with updated claims. Mitigation: If your application is a IPublicClientApplication callAcquireTokenInteractive
perform an interactive authentication. If your application is a ConfidentialClientApplication chances are that the Claims member
of the exception is not empty. See MsalServiceException.Claims for the right mitigation
|
| InternalError |
Internal error |
| InvalidAdalCacheMultipleRTs |
What happens? The ADAL cache is invalid as it contains multiple refresh token entries for one user.Mitigation Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL. |
| InvalidAuthority |
Invalid authority What happens When the library attempts to discover the authority and get the endpoints it needs to acquire a token, it got an un-authorize HTTP code or an unexpected responseremediation Check that the authority configured for the application, or passed on some overrides of token acquisition tokens supporting authority override is correct |
| InvalidAuthorityType |
Invalid authority type. MSAL.NET does not know how to interact with the authority specified when the application was built. Mitigation Use a different authority |
| InvalidAuthorizationUri |
An authorization Uri has been intercepted, but it cannot be parsed. See the log for more details. |
| InvalidClient |
Azure AD service error indicating a configuration issue. Mitigation See error message for details, then take corrective action in the app registration portal See https://aka.ms/msal-net-invalid-client for details. |
| InvalidGrantError |
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so that the user does an interactive action in order to get a new token. Mitigation: If your application is a IPublicClientApplication callAcquireTokenInteractive
perform an interactive authentication. If your application is a ConfidentialClientApplication chances are that the Claims member
of the exception is not empty. See MsalServiceException.Claims for the right mitigation
|
| InvalidInstance |
AAD service error indicating that the configured authority does not exist |
| InvalidJsonClaimsFormat |
What happens? You have configured a claims request, but the claims string is not in JSON formatMitigation Ensure that the claims parameter is valid JSON. Inspect the inner exception for details about JSON parsing. |
| InvalidJwtError |
JWT was invalid. What happens? The library expected a JWT (for instance a token from the cache, or received from the STS), but the format is invalidMitigation Make sure that the token cache was not tampered |
| InvalidManagedIdentityEndpoint |
Invalid managed identity endpoint. |
| InvalidManagedIdentityResponse |
A required value is missing from the managed identity response. |
| InvalidOwnerWindowType |
Invalid owner window type. What happens? You used"AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object)
but the parameter you passed is invalid.
Remediation On .NET Standard, the expected object is anActivity on Android, a UIViewController on iOS,
a NSWindow on MAC, and a IWin32Window or IntPr on Windows.
If you are in a WPF application, you can use WindowInteropHelper(wpfControl).Handle to get the window
handle associated with a WPF control
|
| InvalidRequest |
Request is invalid. What happens? This can happen because you are using a token acquisition method which is not compatible with the authority. For instance: you called AcquireTokenByUsernamePassword(IEnumerable<String>, String, String) but you used an authority ending with '/common' or '/consumers' as this requires a tenanted authority or '/organizations'.Mitigation Adjust the authority to the AcquireTokenXX method you use (don't use 'common' or 'consumers' with AcquireTokenByUsernamePassword(IEnumerable<String>, String, String)AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>) |
| InvalidTokenProviderResponseValue |
A required value is missing from the token provider response |
| InvalidUserInstanceMetadata |
What happens? You have configured your own instance metadata, but the json provided seems to be invalid.Mitigation See https://aka.ms/msal-net-custom-instance-metadata for an example of a valid json that can be used. |
| JsonParseError |
JSON parsing failed. What happens? A JSON blob read from the token cache or received from the STS was not parseable. This can happen when reading the token cache, or receiving an IDToken from the STS.Mitigation Make sure that the token cache was not tampered |
| LinuxXdgOpen |
What happens? MSAL tried to open the browser on Linux using the xdg-open, gnome-open, or kfmclient tools, but failed.Mitigation Make sure you can open a page using xdg-open tool. See https://aka.ms/msal-net-os-browser for details. |
| LoopbackRedirectUri |
What happens? The current redirect URL is not a loopback URL.Mitigation To use the OS browser, a loopback URL, with or without a port, must be configured both during app registration and when initializing the IPublicClientApplication object. See https://aka.ms/msal-net-os-browser for details. |
| LoopbackResponseUriMismatch |
What happens? MSAL has intercepted a Uri possibly containing an authorization code, but it does not match the configured redirect URL.Mitigation If you are using an ICustomWebUi implementation, make sure the redirect URL matches the URL containing the auth code. If you are not using an ICustomWebUI, this could be a man-in-the middle attack. |
| ManagedIdentityRequestFailed |
Managed Identity error response was received. |
| ManagedIdentityUnreachableNetwork |
Managed Identity endpoint is not reachable. |
| MissingFederationMetadataUrl |
Federation Metadata URL is missing for federated user. |
| MissingPassiveAuthEndpoint |
No passive auth endpoint was found in the OIDC configuration of the authority What happens? When the libraries go to the authority and get its open id connect configuration it expects to find a Passive Auth Endpoint entry, and could not find it.remediation Check that the authority configured for the application, or passed on some overrides of token acquisition tokens supporting authority override is correct |
| MultipleAccountsForLoginHint |
This error code denotes that multiple accounts were found having the same login hint and MSAL cannot choose one. Please use WithAccount(IAccount) to specify the account |
| MultipleTokensMatchedError |
Multiple Tokens were matched. What happens? This exception happens in the case of applications managing several identities, when calling AcquireTokenSilent(IEnumerable<String>, IAccount) or one of its overrides and the user token cache contains multiple tokens for this client application and the specified Account, but from different authorities.Mitigation [App Development] specify the authority to use in the acquire token operation |
| NetworkNotAvailableError |
Obsolete.
The request could not be preformed because the network is down. Mitigation [App development] In the application you could either inform the user that there are network issues or retry later |
| NoAccountForLoginHint |
This error code denotes that no account was found having the given login hint. What happens? AcquireTokenSilent(IEnumerable<String>, String) or WithLoginHint(String) was called with aloginHint parameter which does not match any account in GetAccountsAsync()Mitigation If you are certain about the loginHint, call AcquireTokenInteractive(IEnumerable<String>) |
| NoAndroidBrokerAccountFound |
MSAL is not able to find a suitable account to use with broker |
| NoAndroidBrokerInstalledOnDevice |
MSAL cannot find the broker application to authenticate accounts. |
| NoClientId |
What happens? You haven't set a client ID.Mitigation Use the application ID (a GUID) from the application portal as client ID in this SDK |
| NonceRequiredForPopOnPCA |
What happens? The request has Proof-of-Possession configured but does not have a nonce configured. A nonce is required for Proof-of-Possession on public clientsMitigation Provide a nonce when Proof-of-Possession is configured for public clients. |
| NonHttpsRedirectNotSupported |
Non HTTPS redirects are not supported What happens? This error happens when the authorization flow, which collects user credentials, gets redirected to an page that is not supported, for example if the redirect occurs over http. This error does not trigger for the final redirect, which can be http://localhost, but for intermediary redirects.Mitigation This usually happens when using a federated directory which is not setup correctly. |
| NonParsableOAuthError |
An error response was returned by the OAuth2 server and it could not be parsed |
| NoPromptFailedError |
One of two conditions was encountered:
Remediation: callAcquireTokenInteractive so that the user of your application signs-in and accepts consent.
|
| NoRedirectUri |
No Redirect URI. What happens? You need to provide a Reply URI / Redirect URI, but have not called WithRedirectUri(String) |
| NoTokensFoundError |
No token was found in the token cache. Mitigation: If your application is a IPublicClientApplication callAcquireTokenInteractive so
that the user of your application signs-in and accepts consent.
|
| NoUsernameOrAccountIDProvidedForSilentAndroidBrokerAuthentication |
Unable to query the Android account manager because no username or home account ID is provided in the silent authentication request. |
| NullIntentReturnedFromAndroidBroker |
Null intent was returned so broker activity cannot be launched |
| OboCacheKeyNotInCacheError |
What happens? The token cache does not contain a token with an OBO cache key that matches thelongRunningProcessSessionKey passed into AcquireTokenInLongRunningProcess(IEnumerable<String>, String).
Mitigation Call InitiateLongRunningProcessInWebApi(IEnumerable<String>, String, String) with thislongRunningProcessSessionKey
first or call AcquireTokenInLongRunningProcess(IEnumerable<String>, String) with an already used longRunningProcessSessionKey.
|
| ParsingWsMetadataExchangeFailed |
Parsing WS Metadata Exchange Failed. |
| ParsingWsTrustResponseFailed |
You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, String) In the case of a Federated user (that is owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant) ID3242: The security token could not be authenticated or authorized. The user does not exist or has entered the wrong password |
| PasswordRequiredForManagedUserError |
Password is required for managed user. What happens? If can got this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, String) and you (or the user) did not provide a password. |
| PlatformNotSupported |
The library is loaded on a platform which is not supported. |
| RedirectUriValidationFailed |
RedirectUri validation failed. What happens? The redirect URI / reply URI is invalidHow to fix Pass a valid redirect URI. |
| RegionalAndAuthorityOverride |
What happens? You configured WithAuthority at the request level, and also WithAzureRegion. This is not supported when the environment changes from application to request.Mitigation Use WithTenantId at the request level instead. |
| RegionalAuthorityValidation |
What happens? You configured both Regional Authority and Authority Validation. Authority validation is not currently supported for regional authorities.Mitigation Set the validateAuthority flag to false to use Azure Regional authority. Do not disable authority validation if you read the authority from an untrusted source, for example from the WWWAuthenticate header of an HTTP request that resulted in a 401 response. |
| RegionDiscoveryFailed |
Region discovery failed. |
| RegionDiscoveryNotEnabled |
What happens? WithAzureRegion is set to trueMitigation Region discovery cannot be performed for ADFS authority. |
| RegionDiscoveryWithCustomInstanceMetadata |
What happens? You have configured both Region Discovery and Custom Instance Metadata. Custom metadata supersedes region discovery.Mitigation Configure either Region Discovery or Custom Instance Discovery Metadata. |
| RequestThrottled |
Service returned HTTP error code 429 which indicates the request has been throttled. For more details see https://aka.ms/msal-net-throttling |
| RequestTimeout |
The HTTP Request to the STS timed out. Mitigation you can retry after a delay. |
| RopcDoesNotSupportMsaAccounts |
Resource Owner Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account. ROPC does not support MSA accounts. See https://aka.ms/msal-net-ropc for details. |
| ScopesRequired |
What happens? No scopes have been requestedMitigation At least one scope must be specified for this authentication flow |
| ServiceNotAvailable |
Service is unavailable and returned HTTP error code within the range of 500-599 Mitigation you can retry after a delay. |
| SetCiamAuthorityAtRequestLevelNotSupported |
Setting the CIAM authority (ex. "{tenantName}.ciamlogin.com") at the request level is not supported. The CIAM authority must be set during application creation. |
| SSHCertUsedAsHttpHeader |
What happens? You have configured MSAL to request SSH certificates from AAD, and you are trying to format an HTTP authentication header.Mitigation SSH certificates should not used as Bearer tokens. Developers are responsible for sending the certificates to the target machines. |
| StateMismatchError |
State returned from the STS was different from the one sent by the library What happens? The library sends to the STS a state associated to a request, and expects the reply to be consistent. This errors indicates that the reply is not associated with the request. This could indicate an attempt to replay a responseMitigation None |
| StaticCacheWithExternalSerialization |
What happens? You configured MSAL cache serialization at the same time with a static internal cache via WithCacheOptions(CacheOptions) These are mutually exclusive.Mitigation Use only one option. Web site and web API scenarios should rely on external cache serialization, as internal cache serialization cannot scale. See https://aka.ms/msal-net-cca-token-cache-serialization |
| SystemWebviewOptionsNotApplicable |
What happens? You configured MSAL interactive authentication to use an embedded WebView and you also configured SystemWebViewOptions. These are mutually exclusive.Mitigation Either set WithUseEmbeddedWebView(Boolean) to true or do not use WithSystemWebViewOptions(SystemWebViewOptions) |
| TelemetryConfigOrTelemetryCallback |
What happens? You have configured both a telemetry callback and a telemetry config.Mitigation Only one telemetry mechanism can be configured. |
| TenantDiscoveryFailedError |
Tenant discovery failed. What happens? While reading the OpenId configuration associated with the authority, the Authorize endpoint, or Token endpoint, or the Issuer was not foundMitigation This indicates and authority which is not Open ID Connect compliant. Specify a different authority in the constructor of the application, or the token acquisition override /// |
| TenantOverrideNonAad |
What happens? You configured WithTenant at the request level, but the application is using a non-AAD authority These are mutually exclusive.Mitigation WithTenantId can only be used in conjunction with AAD authorities. |
| TokenCacheNullError |
Obsolete.
This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when the user cache had not been set in the application constructor. This should never happen in MSAL.NET 3.x as the cache is created by the application |
| TokenTypeMismatch |
What happens? You asked for one type of token, but did not receive it.Mitigation This happens if the Identity Provider (AAD, B2C, ADFS etc.) does not support / implement the requested token type. In case of ADFS, consider upgrading to the latest version. |
| UapCannotFindDomainUser |
Cannot access the user from the OS (UWP) What happens You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>), but the domain user name could not be found.Mitigation This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp |
| UapCannotFindUpn |
Cannot get the user from the OS (UWP) What happens You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>), but the domain user name could not be found.Mitigation This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp |
| UnableToParseAuthenticationHeader |
MSAL is unable to parse the authentication header returned from the endpoint. This can be a result of a malformed header returned in either the WWW-Authenticate or the Authentication-Info collections. |
| UnauthorizedClient |
The client is unauthorized to access resource.
This commonly happens when Mobile App Management (MAM) policies are enabled. MSAL will throw an exception in that case with Mitigation Catch the exception and use the properties in it to obtain the right parameters from Intune SDK. IntuneAppProtectionPolicyRequiredException |
| UnknownBrokerError |
Unknown broker error occurred. Mitigation None. You might want to inform the end user. |
| UnknownError |
Unknown Error occurred. Mitigation None. You might want to inform the end user. |
| UnknownManagedIdentityError |
Unknown error response received. |
| UnknownUser |
What happens You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, String) The user is not known by the IdPMitigation Inform the user. The login that the user provided might be incorrect (for instance empty) |
| UnknownUserType |
What happens You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, String) The user is not recognized as a managed user, or a federated user. Azure AD was not able to identify the IdP that needs to process the userMitigation Inform the user. the login that the user provided might be incorrect. |
| UpnRequired |
loginHint should be a UPN What happens? An override of a token acquisition operation was called in IPublicClientApplication which takes aloginHint as a parameters, but this login hint was not using the UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
expected by the service
Remediation Make sure in your code that you enforceloginHint to be a UPN
|
| UserAssertionNullError |
This error code comes back from AcquireTokenOnBehalfOf(IEnumerable<String>, UserAssertion)
calls when a null user assertion is passed as the Mitigation Pass a valid value for user assertion |
| UserAssignedManagedIdentityNotConfigurableAtRuntime |
User assigned managed identity is not configurable at runtime for service fabric. |
| UserAssignedManagedIdentityNotSupported |
User assigned managed identity is not supported for this source. |
| UserMismatch |
User Mismatch. |
| UserNullError |
This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when a null user is
passed as the Mitigation Pass a different account, or otherwise call AcquireTokenInteractive(IEnumerable<String>) |
| UserRealmDiscoveryFailed |
User Realm Discovery Failed. |
| ValidateAuthorityOrCustomMetadata |
What happens? You have configured your own instance metadata, and have also set validate authority to true. These are mutually exclusive.Mitigation Set the validate authority flag to false. See https://aka.ms/msal-net-custom-instance-metadata for more details. |
| WABError |
What happens? Windows Authentication Broker, which handles the interaction between the user and AAD, has failed.Mitigation See the error message for more details. |
| WamFailedToSignout |
WAM Signout failed. |
| WamInteractiveError |
WAM service exception that can occur when calling AcquireTokenInteractive |
| WamNoB2C |
The Windows broker (WAM) is only supported in conjunction with "work and school" accounts and with Microsoft accounts. |
| WamPickerError |
WAM service exception that can occur when calling AcquireTokenInteractive and the account picker pops up |
| WamScopesRequired |
What happens? No scopes have been requestedMitigation At least one scope must be specified for MSAL Runtime WAM |
| WamUiThread |
When calling AcquireTokenInteractive with the WAM broker, the call must be made from the UI thread. |
| WebView2LoaderNotFound |
What happens? The embedded WebView2 browser cannot be started because a runtime component cannot be loaded.Mitigation For troubleshooting details, see https://aka.ms/msal-net-webview2 . |
| WebView2NotInstalled |
What happens? The embedded browser cannot be started because a runtime component is missing.Mitigation "The embedded browser needs WebView2 runtime to be installed. An end user of the app can download and install the WebView2 runtime from https://go.microsoft.com/fwlink/p/?LinkId=2124703 and restart the app. or the app developer can install the WebView2 runtime https://docs.microsoft.com/en-us/microsoft-edge/webview2/concepts/distribution |
| WebviewUnavailable |
The selected WebView is not available on this platform. You can switch to a different WebView using WithUseEmbeddedWebView(Boolean). See https://aka.ms/msal-net-os-browser for details |
| WsTrustEndpointNotFoundInMetadataDocument |
WS-Trust Endpoint Not Found in Metadata Document. |
Applies to
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for