Error AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

Question

  • Hi,

    I am trying to get the Azure AD authentication token with this call in a native application:

    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    var authenticationContext = new AuthenticationContext(AADAuthorityUri);

    // AcquireTokenAsync returns a Task; blocking on it (.Result / .Wait()) is what wraps the ADAL error
    // in the AggregateException seen below. Awaiting it surfaces the AdalClaimChallengeException directly.
    var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, clientId, userCredential);

    and getting this error:

    System.AggregateException: One or more errors occurred. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalClaimChallengeException: interaction_required: interaction_required ---> System.Net.Http.HttpRequestException:  Response status code does not indicate success: 400 (BadRequest). ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'.

    Any suggestion of how to get over this issue programmatically?

    Or it can be fixed only by the Administrator removing the Multi-Factor Authentication condition from Azure Active Directory Conditional access?

    Thanks,

    Paul

    Sunday, June 10, 2018 11:59 PM

Answers

  • I suggest you follow the steps below:

    1. Login as a tenant admin to https://portal.azure.com
    2. Open the registration for your app in the
    3. Go to Settings then Required Permissions
    4. Press the Grant Permissions button

    Note: If you are not a tenant admin, you cannot give admin consent

    You may try the solutions provided in similar GitHub issue.


    • Proposed as answer by vijisankar Tuesday, June 12, 2018 3:03 PM
    • Marked as answer by paulh2009 Tuesday, June 12, 2018 7:02 PM
    Tuesday, June 12, 2018 3:03 PM
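The two errors in this thread come from the same limitation: a username/password (ROPC) call to the token endpoint has no way to run an MFA challenge (AADSTS50076) or show a consent prompt (AADSTS65001). The following is an added example, not code from the thread, from vijisankar or from Microsoft; it shows how a native client can catch both conditions and fall back to the device code flow, in which the user finishes sign-in, MFA and consent in a browser while the headless process receives the token. It assumes ADAL.NET 3.19 or later on .NET Framework (UserPasswordCredential, AdalClaimChallengeException.Claims and the device code APIs), placeholder values for the authority, client ID and resource, constructed environment variable names for the credentials, and a hypothetical helper AadstsCode that reads the AADSTS code from the error message text.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example, not code from the thread. Assumes ADAL.NET 3.19+ on .NET Framework
// (UserPasswordCredential, AdalClaimChallengeException.Claims and the device code APIs).
public static class TokenAcquisition
{
    // Placeholders: substitute the tenant authority, the app registration's client ID and the target resource.
    const string AadAuthorityUri = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER";
    const string ClientId = "CLIENT-ID-PLACEHOLDER";
    const string ResourceUrl = "https://graph.microsoft.com";

    public static async Task<AuthenticationResult> AcquireTokenWithFallbackAsync(
        AuthenticationContext ctx, string resource, string clientId, UserCredential userCredential)
    {
        // 1. Try the token cache first: no credential is sent anywhere and no policy evaluation happens.
        try
        {
            return await ctx.AcquireTokenSilentAsync(resource, clientId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // No usable cached token; continue with a credential-based flow.
        }

        // 2. Username/password, the call from the question. The token endpoint cannot run MFA or a
        //    consent prompt in this flow, so both conditions come back as errors here.
        try
        {
            return await ctx.AcquireTokenAsync(resource, clientId, userCredential);
        }
        catch (AdalClaimChallengeException ex)
        {
            // AADSTS50076: Conditional Access requires MFA. Only an interactive flow can satisfy it;
            // exempting the account from the MFA policy removes the protection rather than the problem.
            Console.Error.WriteLine($"Claims challenge returned (MFA required): {ex.Claims}");
        }
        catch (AdalServiceException ex) when (AadstsCode(ex.Message) == "AADSTS65001")
        {
            // AADSTS65001: consent has not been granted. An interactive flow shows the user the consent
            // prompt; permissions that need admin consent still require the portal steps in the answer above.
            Console.Error.WriteLine($"Consent missing: {ex.Message}");
        }

        // 3. Device code flow: the user completes sign-in, MFA and consent in a browser on any device,
        //    and this headless process receives the resulting token without ever handling the password.
        DeviceCodeResult deviceCode = await ctx.AcquireDeviceCodeAsync(resource, clientId);
        Console.WriteLine(deviceCode.Message);   // instructs the user which URL to open and which code to enter
        return await ctx.AcquireTokenByDeviceCodeAsync(deviceCode);
    }

    // Hypothetical helper: extracts the AADSTS code from the service error text. This example matches
    // the message string rather than relying on a typed property, which is an assumption of the example.
    public static string AadstsCode(string message)
    {
        Match m = Regex.Match(message ?? string.Empty, @"AADSTS\d+");
        return m.Success ? m.Value : null;
    }

    public static async Task Main()
    {
        // Constructed input: credentials are read from the environment rather than embedded in source.
        var userCredential = new UserPasswordCredential(
            Environment.GetEnvironmentVariable("AAD_USER"),
            Environment.GetEnvironmentVariable("AAD_PASSWORD"));

        var ctx = new AuthenticationContext(AadAuthorityUri);
        AuthenticationResult result =
            await AcquireTokenWithFallbackAsync(ctx, ResourceUrl, ClientId, userCredential);
        Console.WriteLine($"Token for {result.UserInfo?.DisplayableId} expires {result.ExpiresOn:u}");
    }
}
```

The catch order matters: AdalClaimChallengeException derives from AdalServiceException, so the claims challenge must be caught first, and any AADSTS code other than 65001 is left to propagate rather than silently retried. Once the device code flow has succeeded, the token is cached and the next run completes at step 1 without prompting.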

All replies

  • If you try to access the application from outside the network, the application denies the access. In Azure AD, if you do an initial login in one location, and then login from another location, there are conditions on the AD that flag this as "risky activity".

    So for your account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA. I suggest you check the conditional access locations in Azure and see if your AAD admin can clear the flag. (Or set up the original account with named locations in place.)
    Reference: Location conditions in Azure Active Directory conditional access

    You may refer to this documentation on Developer guidance for Azure Active Directory conditional access. And you may also refer to these discussions - https://stackoverflow.com/questions/41508634/adal-headless-native-client-app-and-multi-factor-authentication-mfa and https://stackoverflow.com/questions/46472850/how-to-authenticate-angular2-app-with-mfa-enabled-azure-ad. See if it helps.


    • Proposed as answer by vijisankar Monday, June 11, 2018 12:35 PM
    Monday, June 11, 2018 12:35 PM
  • Thanks, vijisankar!

    I was told by our Administrator that my account has been taken out of the users group which require MFA.

    But now I am getting a different error, which looks somehow as a step forward:

    Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxx...' named 'My native app'. Send an interactive authorization request for this user and resource.
    Trace ID: yyy....
    Correlation ID: zzz...
    ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (BadRequest). ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxx...' named 'My native app'. Send an interactive authorization request for this user and resource.

    Does the Administrator need to do some further configuration on my account, or is it within my ability to overcome this problem at this point?

    Thanks,

    Paul

    Monday, June 11, 2018 3:21 PM