13

I am facing an ERROR like the one below when connecting to Microsoft Azure AD after enabling MFA. Before that it got connected. Today while logging in, it required me to enable this security feature on my phone (Microsoft Authenticator app). Unless this feature is added, I am not able to access MS Outlook in Microsoft 365.

I am using the WSO2 Outlook Connector to make a connection with the Microsoft Graph API.

ERROR:

"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000
Justin
  • How do you get the access token for MS Graph API? – juunas Jun 28 '21 at 08:54
  • @juunas Thanks for your response. AccessToken and refresh token, these kinds of credentials, are already generated, and the same has been raised in https://stackoverflow.com/questions/67970958/to-get-refreshtoken-accesstoken-in-microsoft-graph-api/67981259#67981259 – Justin Jun 28 '21 at 08:57
  • If you are using a refresh token, you might need to get a new one. – juunas Jun 28 '21 at 10:14
  • @juunas When I disable MFA, the same refresh token works fine when connecting with the MS Graph API. I think there is no issue with the credentials. When I enable MFA, it fails to connect. Let me know if there is anything I need to include while generating credentials / any settings required to grant permission like below. https://social.msdn.microsoft.com/Forums/en-US/d4b2aff3-eeb1-4204-82ed-ca80232c2523/error-aadsts50076-due-to-a-configuration-change-made-by-your-administrator-or-because-you-moved-to?forum=WindowsAzureAD – Justin Jun 28 '21 at 12:28
  • I get this error during login to visual studio. :( – kudlatiger Apr 14 '22 at 08:48

3 Answers

3

Possible solutions:

  1. Use an interactive flow instead.

  2. If you are using an interactive flow and still getting this error, ensure openid is one of the scopes during the interactive sign-in. You might be getting the error after the interactive sign-in, when trying to exchange the authorization code for an access token...

    https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize
    ?client_id=########-####-####-####-############
    &response_type=code
    &scope=openid groups.read.all
    &nonce=1234
    &redirect_uri=https://app.contoso.com

    Notice "scope=openid groups.read.all" in the request above.

  3. Add the client application to the exception list of the Conditional Access Policy

  4. Add the user to the exception list of the Conditional Access Policy

  5. If not using conditional access policies and the user is directly enabled for MFA, then as a last resort, disable MFA for the user if solutions above (specifically solution #1 and #2) do not work for you.

Ansuman Bal
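As an added example (not part of the answer above and not the WSO2 connector's own code), here is the check a client can run on a token-endpoint error body before falling back to the interactive authorize request shown in solution #2, with `openid` forced into the scope list. The tenant, client_id, redirect_uri and state values are placeholders, and the sample error body is constructed from the question's output.

```python
import json
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample of the token-endpoint error body from the question
# (the question shows it truncated; the closing quote is completed here).
SAMPLE_REFRESH_ERROR = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by "
    "your administrator, or because you moved to a new location, you must use "
    "multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.",
})

MFA_REQUIRED_CODE = "50076"

def aadsts_code(token_error_body: str):
    """Return (oauth_error, aadsts_code) from a token-endpoint error body, or
    (None, None) if the body is not an AAD OAuth error. The AADSTS code is read
    from the start of error_description, where the question's output shows it."""
    try:
        body = json.loads(token_error_body)
    except json.JSONDecodeError:
        return None, None
    if "error" not in body:
        return None, None
    m = re.match(r"AADSTS(\d+)", body.get("error_description", ""))
    return body["error"], (m.group(1) if m else None)

def needs_interactive_auth(token_error_body: str) -> bool:
    """True when a silent flow (e.g. refresh token) cannot satisfy the tenant's
    MFA requirement, so the user must complete an interactive sign-in."""
    error, _code = aadsts_code(token_error_body)
    return error == "interaction_required"

def build_interactive_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Authorize request in the shape of the answer above. 'openid' is forced
    into the scope list; 'state' is caller-supplied so the redirect back to
    redirect_uri can be matched to this request (placeholder values assumed)."""
    scope = " ".join(dict.fromkeys(["openid", *scopes]))  # dedupe, keep order
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "nonce": secrets.token_urlsafe(16), "state": state,
              "redirect_uri": redirect_uri}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?" + urlencode(params)

def authorize_url_param(url: str, name: str):
    """Decoded value of one query parameter in an authorize URL, or None."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]

def authorize_url_scopes(url: str):
    """Scopes carried by an authorize URL, used to verify 'openid' is present."""
    return (authorize_url_param(url, "scope") or "").split()
```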
0

You must go to Azure portal https://portal.azure.com

Then go to Azure Active Directory > Properties tab > Manage security defaults > Select Disabled

This disables MFA

David Lopez
-1

I resolved the error by logging in from the command line:

az login
Scott Nimrod