"invalid username or password" 'AADSTS50126' in Microsoft Graph API password authentication

Eric Chen 21 Reputation points
2020-07-15T08:44:22.393+00:00

I'm doing some data retrieval work using the Graph API.
I have written some scripts to get data via the Graph API with [Application] permission,
but I also need some APIs that have [delegated] permission only, so I have to change the authentication method from "client_credentials" to "password".

When I tried to sign in from authentication form with the user I was using, I got the below error:

'AADSTS50126' "invalid_grant" Error validating credentials due to invalid username or password

I have found another thread (below); it seems the same problem happened recently.
https://learn.microsoft.com/en-us/answers/questions/38035/aadsts50126-invalid-grant-error-validating-credent.html

I might try to follow the suggestion from that thread, to create a new account without federated authentication.
In a big organization I can't do it by myself, but if we create a new account for this, what other requirements do I need to know?
For example, what roles does the new account need?

My requirement is: log in using the delegated-permission API to get the Teams chats list from PowerShell.

Thank you
Eric Chen


Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-07-15T11:20:27.25+00:00

    Hi @EricChen-8890

    I have posted another solution to this problem at the link below:

    https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d

    If you choose to go with this solution, you would not need to create a new cloud-only user account, and you can use the already existing federated account as well.

    @Faraha-6803 Hopefully, this would be helpful for you as well.


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


3 additional answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-07-16T06:38:41.597+00:00

    @EricChen-8890,

    In this command, "Get-AzureADServicePrincipal -SearchString <display_name_of_the_app>", the <display_name_of_the_app> section would contain the display name of the app registered in Azure AD.

    To give you more context on this: when you register an application in Azure AD, it creates two major objects in Azure AD. One is called the application object (visible under the App Registration section) and the other is called the Service Principal object (visible under the Enterprise Registration section). Now, both these objects are internally connected with each other using the App ID, but since both are separate objects in AAD, both have their own object IDs, and the name of both the application object and the service principal object remains the same in AAD.

    Hence, for the command "Get-AzureADServicePrincipal -SearchString <display_name_of_the_app>", we are searching for that Service Principal object by the application name.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

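An added example (not code from the thread) that makes the two-object point above concrete with the AzureAD module commands the answer refers to: the application object and the service principal share an AppId but have different ObjectIds, and the service principal is also where delegated-permission consent is recorded. The display name is a placeholder.

```powershell
# Added example: one app registration = two directory objects.
# Requires the AzureAD module and an interactive sign-in; the display name is a placeholder.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appName = '<display_name_of_the_app>'

# Application object: what the portal shows under "App registrations".
$app = Get-AzureADApplication -SearchString $appName | Select-Object -First 1
# Service principal object: what the portal shows under "Enterprise applications".
$sp  = Get-AzureADServicePrincipal -SearchString $appName | Select-Object -First 1

if (-not $app -or -not $sp) {
    throw "No application object or service principal found with display name '$appName'."
}

[pscustomobject]@{
    DisplayName              = $app.DisplayName
    AppId                    = $app.AppId                          # shared: links the two objects
    ApplicationObjectId      = $app.ObjectId                       # distinct per object
    ServicePrincipalObjectId = $sp.ObjectId
    SameAppId                = ($app.AppId -eq $sp.AppId)          # expected: True
    SameObjectId             = ($app.ObjectId -eq $sp.ObjectId)    # expected: False
}

# Delegated-permission grants (user or admin consent) hang off the service principal,
# so this is where to check whether consent for the app's delegated scopes already exists.
Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId |
    Select-Object ConsentType, PrincipalId, Scope
```

A grant with ConsentType "AllPrincipals" is a tenant-wide admin consent; "Principal" entries are per-user consents for the PrincipalId shown.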

  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-07-15T09:39:02.547+00:00

    @Eric Chen, thank you for reaching out. The reason a federated user fails with the Resource Owner Password Grant flow is that, for a federated user, Azure AD has to redirect the user to the specific federation server that belongs to the user's on-prem domain, so that the ADFS server can get the auth done with the local domain controller. In the Resource Owner Password Grant flow this redirect is not possible, hence it is not able to validate the username and password, and hence that error.

    As a suggestion, you can create a new cloud-only user whose username and password reside in Azure AD, so that when you submit the user's credentials using the Resource Owner Password Grant flow, AAD can authenticate the user without any redirections.

    This user can be a normal user in AAD, and the respective delegated permissions should be present in the app registration. One more thing to make sure of: if the delegated permission that you are providing needs admin consent, then before the user logs in to the application, the admin has to provide admin consent to this delegated permission. If you want the user to provide his/her own consent (if the delegated permission needs user consent), then you would have to somehow provide the user consent before going ahead with the Resource Owner Password Grant flow.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
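An added example (not code from the thread) of the PowerShell flow the question describes: a token request with the "password" grant that, when Azure AD rejects it, returns the AADSTS error code instead of a bare exception, so a federated-account failure (50126) can be told apart from other errors. Tenant id, client id, account and scope are placeholders; the Chat.Read delegated scope and the /me/chats endpoint are assumptions for the Teams chats use case.

```powershell
# Added example: ROPC token request with structured error reporting. Placeholders throughout.
function Get-RopcToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Scope = 'https://graph.microsoft.com/Chat.Read'   # delegated scope (assumed)
    )
    $uri  = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        grant_type = 'password'        # the "password" method from the question
        client_id  = $ClientId
        scope      = $Scope
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
    }
    try {
        $resp = Invoke-RestMethod -Method Post -Uri $uri -Body $body `
                                  -ContentType 'application/x-www-form-urlencoded'
        return [pscustomobject]@{ Succeeded = $true; AccessToken = $resp.access_token; ErrorCode = $null }
    }
    catch {
        # Azure AD answers a rejected request with a JSON body carrying "error",
        # "error_description" and an "error_codes" array (e.g. 50126).
        $detail = $null
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
            try { $detail = $_.ErrorDetails.Message | ConvertFrom-Json } catch { $detail = $null }
        }
        return [pscustomobject]@{
            Succeeded   = $false
            AccessToken = $null
            ErrorCode   = if ($detail -and $detail.error_codes) { [int]$detail.error_codes[0] } else { $null }
            Error       = if ($detail) { $detail.error } else { $_.Exception.Message }
            Description = if ($detail) { $detail.error_description } else { $null }
        }
    }
}

$cred   = Get-Credential -Message 'Cloud-only (non-federated) account for the ROPC flow'
$result = Get-RopcToken -TenantId '<tenant-id>' -ClientId '<app-client-id>' -Credential $cred
if ($result.Succeeded) {
    $chats = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me/chats' `
                               -Headers @{ Authorization = "Bearer $($result.AccessToken)" }
    $chats.value | Select-Object id, topic, chatType
}
elseif ($result.ErrorCode -eq 50126) {
    # As the answer explains: Azure AD cannot redirect a federated account to its ADFS server in
    # this flow, so the password is never validated and the request fails with AADSTS50126.
    Write-Warning "AADSTS50126 for '$($cred.UserName)': is this a federated account? $($result.Description)"
}
else { Write-Warning "Token request failed: $($result.Error) $($result.Description)" }
```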


  3. Eric Chen 21 Reputation points
    2020-07-16T15:34:03.77+00:00

    @amanpreetsingh-msft @soumi-MSFT

    Thank you for making this super clear. I will let you know if we get a chance to try this.