1

Error message: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'bxxx-xxxx-xxxxa'.

I am getting this error intermittently, while accessing token with auth code. Token endpoint fails with error code 400. Request body in browser contains:

POST: https://login.microsoftonline.com/tenantID/oauth2/v2.0/token

  1. clientId,
  2. scope - xxxxxxxx/.default openid profile offline_access
  3. grant_type: authorization_code
  4. code
  5. redirect_uri

and here is MSAL configuration: (we are using react-msal 1.4.3)

const msalConfig = {
  auth: {
    clientId: env?.ClientId,
    authority: env?.Authority,
    redirectUri: env?.RedirectUri,
    postLogoutRedirectUri: env?.PostLogoutRedirectUri,
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: true,
  },
  scopes: [env?.AuthScope],
}

Please let me know if anyone has encounter this issue before and found any solution for it.

Sudhir Kulat
  • 11
  • 2

2 Answers2

1

• It is because your administrator has enabled the security defaults setting in ‘Manage security defaults’ section in Azure AD tenant properties as shown below in the snapshot. When you enable this option, Azure AD mandates all users to register for Azure AD multi-factor authentication, requires the same for administrators and enforces it, blocks legacy authentication protocols, and protects privileged activities like access to the Azure portal.

Azure AD properties

Thus, if you are assigned a role of ‘Administrator’ of any sort, i.e., Global, Authentication, Application, Billing, Exchange, etc., then your ID would be required to do multi-factor authentication. Also, please ensure that you are not using any older protocol and legacy authentication since those doesn’t have access to multi-factor authentication.

As a result, this would help in resolving the issue and the subsequent error that you are facing. For more information, kindly refer to the below links given: -

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

https://learn.microsoft.com/en-us/answers/questions/494959/aadsts50076-ue-to-a-configuration-change-made-by-y.html

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9
0

Just posting this in case someone else has the same issue.

I got this error but it was actually due to that fact that when I rotated the client secret, I mistakingly put the new client secret in the client id field.

The error obviously didn't explain it didn't recognise the client id and given I had just used a VPN it threw me off for a while until I spotted my mistake!!

Matt Strain
  • 41
  • 2