Question

Asked by PRRCAT10-7809 (edited by MarileeTurscak-MSFT)

Not able to get access token due to invalid_grant AADSTS50126: Error validating credentials due to invalid username or password

I have been trying to get an access token in Postman, providing username and password, but the error is present although the username and password are correctly set. I need to confirm whether this error is present because federated authentication is used by my company. Could you please help me?

    {
        "error": "invalid_grant",
        "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 5687f74f-f5ce-46b1-8df7-954365baae00\r\nCorrelation ID: f5bd2008-d19f-4f8f-934f-439abdc72b54\r\nTimestamp: 2021-09-08 20:19:45Z",
        "error_codes": [
            50126
        ],
        "timestamp": "2021-09-08 20:19:45Z",
        "trace_id": "5687f74f-f5ce-46b1-8df7-954365baae00",
        "correlation_id": "f5bd2008-d19f-4f8f-934f-439abdc72b54",
        "error_uri": "https://login.microsoftonline.com/error?code=50126"
    }

Tags: azure-active-directory, azure-ad-graph

1 Answer

Answered by MarileeTurscak-MSFT (edited)

If your user is federated, this scenario is expected.

When you use the ROPC flow for this user, Azure knows that the user is federated and, since it does not have a UI to redirect you to your on-prem AD for you to authenticate, it throws the “AADSTS50126: Invalid username or password” error (yes, this error message is misleading and should be more explicit).

If you have the PasswordSync option enabled on your tenant, you can overcome this in two different ways:

1. Defining a Home Realm Discovery policy

Basically, you will force the AppID that you are using “to check the password for users on Azure AD and not on the on-prem AD”. See more information here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal


The PowerShell script for the policy should be something like the following.

(Add the object ID of the service principal. You can find it under Azure Active Directory > Enterprise Applications > the application you’re looking for > Properties > Object ID.)

    # Requires the AzureAD module (Install-Module AzureAD); sign in with an admin account
    Connect-AzureAD

    # Object ID of the service principal (Enterprise Applications > app > Properties > Object ID)
    $spId = "GUID HERE"

    # Create an HRD policy that lets this app validate passwords against Azure AD (needs password hash sync)
    $policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false

    # Attach the policy to the service principal so it applies only to this app
    Add-AzureADServicePrincipalPolicy -Id $spId -RefObjectId $policy.Id

If you don’t have PasswordSync enabled, you need to achieve this by using approach 2:


2. Change the user account

If you use a cloud-only account, you will not face this issue.


Also, please note that this only works for users without any kind of MFA. The main goal of using MFA is to ensure that users provide a second piece of information that will always require UI interaction. Since this flow does not allow UI interaction, if your user has MFA enabled, this will never work.

Let me know if this is helpful and if I can help you with anything else.
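The following is an added worked example from the editor, not code from the original answer: it strings the steps above together in PowerShell so you can see, before touching anything, whether the account's domain is actually federated, attach the EnableDirectAuth HRD policy to the app only if it is not already there, and then make the same ROPC request that Postman makes, surfacing the AADSTS code and trace ID from the error body rather than a bare "invalid username or password". The tenant ID, client ID, user name and domain are placeholders; the AzureAD module cmdlets and the v2.0 token endpoint are the real ones.

```powershell
# Added example (editor's, not from the original answer). Assumes the AzureAD module and an
# admin session; every GUID and account name below is a placeholder to replace.
Connect-AzureAD | Out-Null

$tenantId = "00000000-0000-0000-0000-000000000000"   # placeholder directory (tenant) ID
$clientId = "11111111-1111-1111-1111-111111111111"   # placeholder application (client) ID
$upn      = "alice@contoso.com"                      # placeholder user in a federated domain
$scope    = "https://graph.microsoft.com/.default"

# 1. Is the user's domain federated? If AuthenticationType is "Federated", the AADSTS50126
#    from ROPC is expected until an HRD policy (or a cloud-only account) is used.
$domain = Get-AzureADDomain -Name ($upn.Split("@")[1])
"Domain $($domain.Name) authentication type: $($domain.AuthenticationType)"

# 2. Attach the HRD policy to the app's service principal, but only once.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$clientId'"
$existing = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq "HomeRealmDiscoveryPolicy" }
if ($existing) {
    "Service principal already has HRD policy: $($existing.DisplayName)"
} else {
    $definition = '{"HomeRealmDiscoveryPolicy":{"AllowCloudPasswordValidation":true}}'
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName EnableDirectAuth `
        -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    "Attached HRD policy $($policy.Id) to $($sp.DisplayName)"
}

# 3. Try the ROPC grant once (the same form-encoded POST Postman sends) and report the
#    AADSTS code if it still fails. The password is only decoded for the request itself.
$secure = Read-Host -Prompt "Password for $upn" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$body = @{
    grant_type = "password"
    client_id  = $clientId
    scope      = $scope
    username   = $upn
    password   = $plain
}
try {
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
        -ContentType "application/x-www-form-urlencoded" -Body $body
    "Token acquired; expires in $($token.expires_in) s"
} catch {
    # Azure AD puts the JSON error document in the body of the HTTP 400 response.
    $raw = $_.ErrorDetails.Message
    if (-not $raw -and $_.Exception.Response) {
        $raw = (New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())).ReadToEnd()
    }
    $err = $raw | ConvertFrom-Json
    "ROPC failed: $($err.error) / AADSTS$($err.error_codes[0]) (trace $($err.trace_id))"
    "Description: $($err.error_description)"
}
```

Two practical notes: the ROPC request only succeeds for an app registration that has "Allow public client flows" enabled, and, as the answer says, it is still refused for any account subject to MFA or an interactive Conditional Access policy, because the grant has no way to complete a second factor. Treat it as a test harness rather than a design: ROPC hands the user's password to the client, which is exactly what the redirect-based flows exist to avoid.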

