
AADSTS50126: Error validating credentials due to invalid username or password

I am doing a POC on the Graph API to read calendar details. Since it is for a desktop app, I am using username/password for authorization. Below are the details.


  1. All the users are federated under our tenant.

  2. We are trying to call the Graph API endpoint with the delegated permission type. Can you please let me know which authentication protocol I should use to retrieve the data from the Graph API? I have gone through the authentication protocols, and it looks like the ROPC (Resource Owner Password Credential) approach suits our requirement, but with ROPC I am facing the issue mentioned below. Please let me know what available option we can go for. As a collective decision, the tenant will not provide application permission access due to security reasons; all we can go for is the delegated permission type, and I want to access the Graph API endpoint via API.

  3. I am able to access the Graph API endpoint from Microsoft Graph Explorer, but I couldn't access it from Postman.



Error:
"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 1ca8efbe-7673-4a5d-8b2f-aae5ec360604\r\nCorrelation ID: 00e302c6-b650-4228-8618-5a4d9706b990\r\nTimestamp: 2021-05-06 15:30:26Z",
"error_codes": [
50126
],


SaurabhSharma-msft answered

Hi @JanarthananRavikumar-5576,

Thanks for using Microsoft Q&A !!
You are getting this error as ROPC is not supported in a hybrid identity federation environment, with the exception of PTA, as Azure AD is not able to test the user name and password against the identity provider. So, when you are making the API call from Postman (as it can't do the redirection), the credentials can't be verified and you get this error. Please refer to these threads -

Thanks
Saurabh

amanpreetsingh-msft answered

Hi @JanarthananRavikumar-5576, thank you for reaching out.

As SaurabhSharma-msft mentioned, when you are making the API call from Postman (as it can't do the redirection), the credentials can't be validated by the on-premises IdP.

However, to make this scenario work with federated accounts:
1. Sync users' passwords to Azure AD. If you don't want to sync passwords for the entire organization, you may consider using Selective Password Hash Sync.
2. Create a policy to allow credentials validation of federated users from within Azure AD.
3. Link the policy to the application, for which you want to use ROPC flow with federated accounts.

For step-by-step instructions, please refer to my blog post here: https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

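Steps 2 and 3 of the answer above, scripted as an added example with the AzureAD PowerShell module (this is not code from the thread or from the linked blog post). It assumes step 1 is already done (password hash sync enabled for the affected users), an administrator session, and a placeholder client ID for the application; the policy name is also made up here.

```powershell
# Added example, not from the thread. Assumes password hash sync is already
# enabled for the federated users (step 1) and that the caller is an admin.
$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder: the app's client ID
$PolicyName = 'AllowROPCForFederatedUsers'         # arbitrary name chosen here

Connect-AzureAD

# Step 2: a Home Realm Discovery policy with AllowCloudPasswordValidation lets
# Azure AD validate a federated user's password against the synced hash instead
# of redirecting to the federation server (a redirect an ROPC call cannot follow).
# For this app the federation server's own sign-in controls are therefore not
# involved, which is why the policy is scoped to one application in step 3.
$definition = @{
    HomeRealmDiscoveryPolicy = @{
        AllowCloudPasswordValidation = $true
    }
} | ConvertTo-Json -Compress -Depth 5

$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'HomeRealmDiscoveryPolicy' -and $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) `
        -DisplayName $PolicyName `
        -Type 'HomeRealmDiscoveryPolicy' `
        -IsOrganizationDefault $false   # never make this the tenant default
}

# Step 3: link the policy to the service principal of this application only.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

$alreadyLinked = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $alreadyLinked) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Check what is now attached to the application before retrying the ROPC call.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Definition
```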

Hi @JanarthananRavikumar-5576, just checking if you had a chance to test it out.


Hi @amanpreetsingh-msft @SaurabhSharma-msft
Thanks for your quick response.
We have already referred to the threads @SaurabhSharma-msft mentioned, but we want to know whether there is any other solution apart from Selective Password Hash Sync for the federated accounts.

Thanks for your help!

amanpreetsingh-msft commented

Hi @JanarthananRavikumar-5576, if you don't want to use Selective Password Hash Sync, use a cloud-only user account. Unfortunately, there is no other option apart from these options.

SombudhyaBasu-5701 answered

Hi @amanpreetsingh-msft ,

I am a non-federated user trying out some POC using Azure PowerShell. I am able to log in to the portal using the same password, but somehow that does not seem to work using PowerShell.

Could you please assist me on what could go wrong?

Request id:
ad10dadc-e24b-4877-8cc7-bf13ef0d1901
Correlation id:
fbb90a53-79d5-498d-a570-80a9918d01f2
