
Error message: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'bxxx-xxxx-xxxxa'.

I am getting this error intermittently while exchanging the auth code for a token. The token endpoint fails with HTTP 400. The request body in the browser contains:

POST: https://login.microsoftonline.com/tenantID/oauth2/v2.0/token

  1. clientId
  2. scope: xxxxxxxx/.default openid profile offline_access
  3. grant_type: authorization_code
  4. code
  5. redirect_uri

and here is MSAL configuration: (we are using react-msal 1.4.3)

const msalConfig = {
  auth: {
    clientId: env?.ClientId,
    authority: env?.Authority,
    redirectUri: env?.RedirectUri,
    postLogoutRedirectUri: env?.PostLogoutRedirectUri,
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: true,
  },
}

// `scopes` is not a key of the MSAL configuration object and is ignored there;
// scopes are passed per request (login / acquireTokenSilent), e.g.:
const loginRequest = {
  scopes: [env?.AuthScope],
}

Please let me know if anyone has encountered this issue before and found a solution for it.

2 Answers

It is because your administrator has enabled the security defaults setting in the ‘Manage security defaults’ section of the Azure AD tenant properties, as shown below in the snapshot. When you enable this option, Azure AD mandates all users to register for Azure AD multi-factor authentication, requires the same for administrators and enforces it, blocks legacy authentication protocols, and protects privileged activities like access to the Azure portal.

Azure AD properties

Thus, if you are assigned a role of ‘Administrator’ of any sort, i.e., Global, Authentication, Application, Billing, Exchange, etc., then your ID would be required to do multi-factor authentication. Also, please ensure that you are not using any older protocol or legacy authentication, since those don't have access to multi-factor authentication.

As a result, this would help in resolving the issue and the subsequent error that you are facing. For more information, kindly refer to the links below:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

https://learn.microsoft.com/en-us/answers/questions/494959/aadsts50076-ue-to-a-configuration-change-made-by-y.html

Kartik Bhiwapurkar

Just posting this in case someone else has the same issue.

I got this error, but it was actually due to the fact that when I rotated the client secret, I mistakenly put the new client secret in the client id field.

The error obviously didn't explain that it didn't recognise the client id, and given I had just used a VPN, it threw me off for a while until I spotted my mistake!
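Both answers come down to two checks a client can make before and after the code redemption: make sure the value sent as client_id really is an application ID and not a pasted secret (the second answer's mistake), and treat AADSTS50076 from the token endpoint as "interaction required" rather than something to retry silently (the first answer's MFA case). The following is an added example, not code from the question or either answer; it is plain JavaScript with no MSAL dependency so it runs offline, the function names are mine, and the tenant placeholder, GUID, secret-looking string and 400 response body are all constructed.

```javascript
// Added example (not code from the original question or either answer).
// Plain JavaScript with no MSAL dependency, so it runs offline in Node or a browser.
// Function names, the placeholder endpoint and all sample values are constructed.

const TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token";

// Azure AD application (client) IDs are GUIDs. A client secret is not, so this
// catches the mistake from the second answer (secret pasted into the client id
// field) before the first request is ever sent.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function looksLikeClientId(value) {
  return typeof value === "string" && GUID_RE.test(value.trim());
}

// Builds the form body for the authorization-code redemption listed in the question.
// Throws early on a malformed client id instead of letting the endpoint answer 400.
function buildTokenRequest({ clientId, scope, code, redirectUri, codeVerifier }) {
  if (!looksLikeClientId(clientId)) {
    throw new Error("client_id is not a GUID; check that a secret was not pasted into it");
  }
  const body = new URLSearchParams({
    client_id: clientId,
    scope, // e.g. "<app-id-uri>/.default openid profile offline_access"
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  // Browser SPAs redeem the code with PKCE, so the verifier paired with the
  // code_challenge goes along when the caller has one.
  if (codeVerifier) body.set("code_verifier", codeVerifier);
  return body;
}

// Pulls the AADSTS code out of a v2.0 token-endpoint error body. The body is JSON
// with error / error_description and usually an error_codes array; the description
// also carries the code as "AADSTSnnnnn:", so both places are checked.
function extractAadstsCode(responseBody) {
  let parsed;
  try { parsed = JSON.parse(responseBody); } catch { return null; }
  if (Array.isArray(parsed.error_codes) && parsed.error_codes.length > 0) {
    return Number(parsed.error_codes[0]);
  }
  const m = /AADSTS(\d+)/.exec(parsed.error_description || "");
  return m ? Number(m[1]) : null;
}

// Decides what the client should do with a failed redemption. 50076 is the error
// from the question: the tenant now requires MFA for this user, so a silent retry
// can never succeed and the user must go back through an interactive sign-in.
function classifyTokenError(status, responseBody) {
  const code = extractAadstsCode(responseBody);
  if (status === 400 && code === 50076) {
    return {
      code,
      action: "interactive",
      reason: "MFA is now required by tenant policy; re-run the interactive login instead of retrying silently",
    };
  }
  return { code, action: "fail", reason: "not an interaction-required error; surface it to the caller" };
}

// Constructed sample of a 400 body for AADSTS50076 (trace id is a placeholder).
const SAMPLE_50076_BODY = JSON.stringify({
  error: "interaction_required",
  error_description:
    "AADSTS50076: Due to a configuration change made by your administrator, or because you " +
    "moved to a new location, you must use multi-factor authentication to access 'bxxx-xxxx-xxxxa'. " +
    "Trace ID: 00000000-0000-0000-0000-000000000000",
  error_codes: [50076],
});

// Demo run: build a request for the placeholder endpoint, then classify the sample failure.
const demoRequest = buildTokenRequest({
  clientId: "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d", // constructed GUID
  scope: "openid profile offline_access",
  code: "constructed-auth-code",
  redirectUri: "http://localhost:3000/",
});
console.log("POST", TOKEN_ENDPOINT, demoRequest.toString());
console.log(classifyTokenError(400, SAMPLE_50076_BODY));
```

In a real MSAL client the "interactive" branch is the catch for InteractionRequiredAuthError around acquireTokenSilent, falling back to acquireTokenRedirect or acquireTokenPopup; the client id check belongs wherever the env values are loaded, so a rotated secret can never reach the client_id field.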