MsalError Class

Definition

Error code returned as a property in MsalException

public static class MsalError
type MsalError = class
Public Class MsalError
Inheritance
MsalError

Fields

AccessDenied

Access denied.

AccessingWsMetadataExchangeFailed

Accessing WS Metadata Exchange Failed.

What happens?

You tried to use AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) and the account is a federated account.

Mitigation

None. The WS metadata was not found or does not correspond to what was expected.
ActivityRequired

On Android, you need to call AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) passing the activity. See https://aka.ms/msal-interactive-android

AuthenticationCanceledError

Authentication canceled.

What happens?

The user canceled the authentication, for instance by closing the authentication dialog.

Mitigation

None, you cannot get a token to call the protected API. You might want to inform the user
AuthenticationFailed

Authentication failed.

What happens?

The authentication failed. For instance the user did not enter the right password

Mitigation

Inform the user to retry.
AuthenticationUiFailed

The request could not be performed because of an unknown failure in the UI flow.

Mitigation

Inform the user.
AuthenticationUiFailedError

The request could not be performed because of a failure in the UI flow.

What happens?

The library failed to invoke the Web View required to perform interactive authentication. The exception might include the reason

Mitigation

If the exception includes the reason, you could inform the user. This might be, for instance, a browser implementing chrome tabs is missing on the Android phone (that's only an example: this exception can apply to other platforms as well)
AuthorityValidationFailed

Authority validation failed.

What happens?

The validation of the authority failed. This might be because the authority is not compliant with the OIDC standard, or there might be a security issue

Mitigation

Use a different authority. If you are absolutely sure that you can trust the authority, you can use WithAuthority(AadAuthorityAudience, Boolean), setting the validateAuthority parameter to false (not recommended).
B2CAuthorityHostMismatch

The B2C authority host is not the same as the one used when creating the client application.

BrokerNonceMismatch

Broker response nonce does not match the request nonce sent by MSAL.NET for iOS broker >= v6.3.19

BrokerResponseHashMismatch

Broker response hash did not match

BrokerResponseReturnedError

Broker response returned an error

CannotAccessUserInformationOrUserNotDomainJoined

Cannot access user information, or the user is not a domain user.

What happens?

You tried to use AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>) but the user is not a domain user (the machine is not domain or AAD joined)
CannotInvokeBroker

MSAL is not able to invoke the broker. Possible reasons are the broker is not installed on the user's device, or there were issues with the UiParent or CallerViewController being null. See https://aka.ms/msal-brokers

ClientCredentialAuthenticationTypesAreMutuallyExclusive

What happens?

You configured MSAL confidential client authentication with more than one authentication type (Certificate, Secret, Client Assertion)
ClientIdMustBeAGuid

What happens?

You've specified a client ID that is not a Guid

Mitigation

Use the application ID (a Guid) from the application portal as client ID in this SDK
CodeExpired

What happens?

In the context of Device code flow (See https://aka.ms/msal-net-device-code-flow), this error happens when the device code expired before the user signed-in on another device (this is usually after 15 mins).

Mitigation

None. Inform the user that they took too long to sign-in at the provided URL and enter the provided code.
CustomWebUiRedirectUriMismatch

Error code used when the CustomWebUI has returned a URI, but it does not match the Authority and AbsolutePath of the configured redirect URI.

CustomWebUiReturnedInvalidUri

Error code used when the ICustomWebUi has returned a URI, but it is invalid: it is either null or has no code. Consider throwing an exception if you are unable to intercept the URI containing the code.

DefaultRedirectUriIsInvalid

RedirectUri validation failed.

DuplicateQueryParameterError

Duplicate query parameter was found in extraQueryParameters.

What happens?

You have used extraQueryParameter of overrides of token acquisition operations in public client and confidential client application and are passing a parameter which is already present in the URL (either because you had it in another way, or the library added it).

Mitigation [App Development]

Remove the duplicate parameter from the token acquisition override.
EncodedTokenTooLong

Encoded token too long.

What happens?

In a confidential client application call, the client assertion built by MSAL is longer than the max possible length for a JWT token.
FailedToAcquireTokenSilentlyFromBroker

Failed to acquire token silently. Used in broker scenarios.

What happens?

You called AcquireTokenSilent(IEnumerable<String>, IAccount) or AcquireTokenSilent(IEnumerable<String>, String) and your mobile (Xamarin) application leverages the broker (Microsoft Authenticator or Microsoft Company Portal), but the broker was not able to acquire the token silently.

Mitigation

Call AcquireTokenInteractive(IEnumerable<String>)
FailedToRefreshToken

Failed to refresh token.

What happens?

The token could not be refreshed. This can be because the user has not used the application for a long time, and therefore the refresh token maintained in the token cache has expired.

Mitigation

If you are in a public client application, that supports interactivity, send an interactive request AcquireTokenInteractive(IEnumerable<String>). Otherwise, use a different method to acquire tokens.
FederatedServiceReturnedError

Federated service returned error.

Mitigation

None. The federated service returned an error. You can try to look at the Body of the exception for a better understanding of the error and choose the mitigation
GetUserNameFailed

Failed to get user name.

HttpStatusCodeNotOk

ErrorCode used when the HTTP response returns something different from 200 (OK)

HttpStatusNotFound

Error code used when the HTTP response returns HttpStatusCode.NotFound

IntegratedWindowsAuthNotSupportedForManagedUser

Integrated Windows Auth is only supported for "federated" users

InternalError

Internal error

InvalidAuthority

Invalid authority

What happens?

When the library attempted to discover the authority and get the endpoints it needs to acquire a token, it got an unauthorized HTTP code or an unexpected response.

Remediation

Check that the authority configured for the application, or passed on some overrides of token acquisition operations supporting authority override, is correct.
InvalidAuthorityType

Invalid authority type. MSAL.NET does not know how to interact with the authority specified when the application was built.

Mitigation

Use a different authority
InvalidAuthorizationUri

An authorization Uri has been intercepted, but it cannot be parsed. See the log for more details.

InvalidClient

AAD service error indicating that the configured client is not valid

Mitigation

In the AAD app registration portal, make sure the correct client (Public or Confidential) is selected for the respective authentication flow. See https://aka.ms/msal-net-invalid-client for details.
InvalidGrantError

Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so that the user does an interactive action in order to get a new token.

Mitigation:

If your application is an IPublicClientApplication, call AcquireTokenInteractive to perform an interactive authentication. If your application is a ConfidentialClientApplication, chances are that the Claims member of the exception is not empty. See MsalServiceException.Claims for the right mitigation.
InvalidInstance

AAD service error indicating that the configured authority does not exist

InvalidJwtError

JWT was invalid.

What happens?

The library expected a JWT (for instance a token from the cache, or received from the STS), but the format is invalid

Mitigation

Make sure that the token cache was not tampered with.
InvalidOwnerWindowType

Invalid owner window type.

What happens?

You used AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) but the parameter you passed is invalid.

Remediation

On .NET Standard, the expected object is an Activity on Android, a UIViewController on iOS, an NSWindow on Mac, and an IWin32Window or IntPtr on Windows. If you are in a WPF application, you can use WindowInteropHelper(wpfControl).Handle to get the window handle associated with a WPF control.
InvalidRequest

Request is invalid.

What happens?

This can happen because you are using a token acquisition method which is not compatible with the authority. For instance: you called AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) but you used an authority ending with '/common' or '/consumers' as this requires a tenanted authority or '/organizations'.

Mitigation

Adjust the authority to the AcquireTokenXX method you use (don't use 'common' or 'consumers' with AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) or AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)).
InvalidServiceUrl

Invalid service URL.

InvalidUserInstanceMetadata

What happens?

You have configured your own instance metadata, but the json provided seems to be invalid.

Mitigation

See https://aka.ms/msal-net-custom-instance-metadata for an example of a valid json that can be used.
JsonParseError

JSON parsing failed.

What happens?

A JSON blob read from the token cache or received from the STS was not parseable. This can happen when reading the token cache, or receiving an IDToken from the STS.

Mitigation

Make sure that the token cache was not tampered with.
LinuxXdgOpen

What happens?

MSAL tried to open the browser on Linux using the xdg-open tool, but failed.

Mitigation

Make sure you can open a page using xdg-open tool. See https://aka.ms/msal-net-os-browser for details.
LoopbackRedirectUri

What happens?

The current redirect Url is not a loopback Url.

Mitigation

To use the OS browser, a loopback url, with or without a port, must be configured both during app registration and when initializing the IPublicClientApplication object. See https://aka.ms/msal-net-os-browser for details.
LoopbackResponseUriMismatch

What happens?

MSAL has intercepted a Uri possibly containing an authorization code, but it does not match the configured redirect url.

Mitigation

If you are using an ICustomWebUi implementation, make sure the redirect URL matches the URL containing the auth code. If you are not using an ICustomWebUi, this could be a man-in-the-middle attack.
MissingFederationMetadataUrl

Federation Metadata Url is missing for federated user.

MissingPassiveAuthEndpoint

No passive auth endpoint was found in the OIDC configuration of the authority

What happens?

When the library goes to the authority and gets its OpenID Connect configuration, it expects to find a Passive Auth Endpoint entry, and it could not find one.

Remediation

Check that the authority configured for the application, or passed on some overrides of token acquisition operations supporting authority override, is correct.
MultipleAccountsForLoginHint

This error code denotes that multiple accounts were found having the same login hint and MSAL cannot choose one. Please use WithAccount(IAccount) to specify the account

MultipleTokensMatchedError

Multiple Tokens were matched.

What happens?

This exception happens in the case of applications managing several identities, when calling AcquireTokenSilent(IEnumerable<String>, IAccount) or one of its overrides and the user token cache contains multiple tokens for this client application and the specified Account, but from different authorities.

Mitigation [App Development]

Specify the authority to use in the acquire token operation.
NetworkNotAvailableError

The request could not be performed because the network is down.

Mitigation [App development]

In the application you could either inform the user that there are network issues or retry later
NoAccountForLoginHint

This error code denotes that no account was found having the given login hint.

What happens?

AcquireTokenSilent(IEnumerable<String>, String) or WithLoginHint(String) was called with a loginHint parameter which does not match any account in GetAccountsAsync()

Mitigation

If you are certain about the loginHint, call AcquireTokenInteractive(IEnumerable<String>)
NoClientId

What happens?

You haven't set a client ID.

Mitigation

Use the application ID (a Guid) from the application portal as client ID in this SDK
NoDataFromSts

No data from STS.

NonHttpsRedirectNotSupported

Non HTTPS redirects are not supported

What happens?

This error happens when you have registered a non-HTTPS redirect URI for the public client application other than urn:ietf:wg:oauth:2.0:oob

Mitigation [App registration and development]

Register in the application a Reply URL starting with "https://"
NonParsableOAuthError

An error response was returned by the OAuth2 server and it could not be parsed

NoPromptFailedError

One of two conditions was encountered:

  • The Prompt.NoPrompt was passed in an interactive token call, but the constraint could not be honored because user interaction is required, for instance because the user needs to re-sign-in, give consent for more scopes, or perform multiple factor authentication.
  • An error occurred during a silent web authentication that prevented the authentication flow from completing in a short enough time frame.

Remediation:

Call AcquireTokenInteractive so that the user of your application signs in and accepts consent.
NoRedirectUri

No Redirect URI.

What happens?

You need to provide a Reply URI / Redirect URI, but have not called WithRedirectUri(String)
NoTokensFoundError

No token was found in the token cache.

Mitigation:

If your application is a IPublicClientApplication call AcquireTokenInteractive so that the user of your application signs-in and accepts consent. If your application is a ConfidentialClientApplication.:
ParsingWsMetadataExchangeFailed

Parsing WS Metadata Exchange Failed.

ParsingWsTrustResponseFailed

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) in the case of a federated user (that is, a user owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant). ID3242: The security token could not be authenticated or authorized. The user does not exist or has entered the wrong password.

PasswordRequiredForManagedUserError

Password is required for managed user.

What happens?

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) and you (or the user) did not provide a password.
PlatformNotSupported

The library is loaded on a platform which is not supported.

RedirectUriValidationFailed

RedirectUri validation failed.

What happens?

The redirect URI / reply URI is invalid

How to fix

Pass a valid redirect URI.
RequestTimeout

The Http Request to the STS timed out.

Mitigation

You can retry after a delay.
ServiceNotAvailable

Service is unavailable and returned HTTP error code within the range of 500-599

Mitigation

You can retry after a delay.
SSHCertUsedAsHttpHeader

What happens?

You have configured MSAL to request SSH certificates from AAD, and you are trying to format an HTTP authentication header.

Mitigation

SSH certificates should not be used as Bearer tokens. Developers are responsible for sending the certificates to the target machines.
StateMismatchError

State returned from the STS was different from the one sent by the library

What happens?

The library sends to the STS a state associated with a request, and expects the reply to be consistent. This error indicates that the reply is not associated with the request. This could indicate an attempt to replay a response.

Mitigation

None
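The checks that CustomWebUiRedirectUriMismatch, CustomWebUiReturnedInvalidUri, LoopbackResponseUriMismatch and StateMismatchError describe, written out as an added C# example; this is not MSAL.NET's own code. The InterceptedUriValidator class, the RedirectCheck enum and the sample URIs are hypothetical, and the example assumes the caller knows the state value that was sent with the request.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility.ParseQueryString

// Hypothetical names for illustration only; not part of MSAL.NET.
public enum RedirectCheck { Ok, InvalidUri, RedirectUriMismatch, StateMismatch }

public static class InterceptedUriValidator
{
    public static RedirectCheck Validate(Uri intercepted, Uri configuredRedirect, string expectedState)
    {
        // Null or relative URI: nothing trustworthy to parse.
        if (intercepted == null || !intercepted.IsAbsoluteUri)
            return RedirectCheck.InvalidUri;

        // The response must land on the configured redirect URI:
        // compare Authority (host and port) and AbsolutePath, ignoring the query.
        bool sameEndpoint =
            string.Equals(intercepted.Authority, configuredRedirect.Authority,
                          StringComparison.OrdinalIgnoreCase) &&
            string.Equals(intercepted.AbsolutePath, configuredRedirect.AbsolutePath,
                          StringComparison.Ordinal);
        if (!sameEndpoint)
            return RedirectCheck.RedirectUriMismatch;

        // A usable response carries an authorization code.
        var query = HttpUtility.ParseQueryString(intercepted.Query);
        if (string.IsNullOrEmpty(query["code"]))
            return RedirectCheck.InvalidUri;

        // The state must be the one sent with this request; a missing or
        // different value means the reply does not belong to the request.
        byte[] got = Encoding.UTF8.GetBytes(query["state"] ?? string.Empty);
        byte[] want = Encoding.UTF8.GetBytes(expectedState);
        if (!CryptographicOperations.FixedTimeEquals(got, want))
            return RedirectCheck.StateMismatch;

        return RedirectCheck.Ok;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from a real sign-in.
        var redirect = new Uri("http://localhost:5000/callback");
        const string state = "constructed-state-1234";
        string[] samples =
        {
            "http://localhost:5000/callback?code=abc&state=constructed-state-1234",
            "http://localhost:5000/callback?state=constructed-state-1234",
            "http://localhost:6000/callback?code=abc&state=constructed-state-1234",
            "http://localhost:5000/callback?code=abc&state=some-other-state",
        };
        foreach (string s in samples)
            Console.WriteLine($"{Validate(new Uri(s), redirect, state),-20} {s}");
    }
}
```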
SystemWebviewOptionsNotApplicable

What happens?

You configured MSAL interactive authentication to use an embedded webview and you also configured SystemWebViewOptions. These are mutually exclusive.

Mitigation

Either set WithUseEmbeddedWebView(Boolean) to true or do not use WithSystemWebViewOptions(SystemWebViewOptions)
TelemetryConfigOrTelemetryCallback

What happens?

You have configured both a telemetry callback and a telemetry config.

Mitigation

Only one telemetry mechanism can be configured.
TenantDiscoveryFailedError

Tenant discovery failed.

What happens?

While reading the OpenId configuration associated with the authority, the Authorize endpoint, or Token endpoint, or the Issuer was not found

Mitigation

This indicates an authority which is not OpenID Connect compliant. Specify a different authority in the constructor of the application, or the token acquisition override.
TokenCacheNullError

This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when the user cache had not been set in the application constructor. This should never happen in MSAL.NET 3.x as the cache is created by the application

UapCannotFindDomainUser

Cannot access the user from the OS (UWP)

What happens

You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>), but the domain user name could not be found.

Mitigation

This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp
UapCannotFindUpn

Cannot get the user from the OS (UWP)

What happens

You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>), but the domain user name could not be found.

Mitigation

This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp
UnknownError

Unknown error occurred.

Mitigation

None. You might want to inform the end user.
UnknownUser

What happens

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString). The user is not known by the IdP.

Mitigation

Inform the user. The login that the user provided might be incorrect (for instance empty)
UnknownUserType

What happens

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString). The user is not recognized as a managed user, or a federated user. Azure AD was not able to identify the IdP that needs to process the user.

Mitigation

Inform the user. The login that the user provided might be incorrect.
UpnRequired

loginHint should be a Upn

What happens?

An override of a token acquisition operation was called in IPublicClientApplication which takes a loginHint as a parameter, but this login hint was not using the UserPrincipalName (UPN) format (e.g. john.doe@contoso.com) expected by the service.

Remediation

Make sure in your code that you enforce loginHint to be a UPN
UserMismatch

User Mismatch.

UserNullError

This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when a null user is passed as the account parameter. This can be because you have called AcquireTokenSilent with an account parameter set to accounts.FirstOrDefault() but accounts is empty.

Mitigation

Pass a different account, or otherwise call AcquireTokenInteractive(IEnumerable<String>)
UserRealmDiscoveryFailed

User Realm Discovery Failed.

ValidateAuthorityOrCustomMetadata

What happens?

You have configured your own instance metadata, and have also configured custom metadata. These are mutually exclusive.

Mitigation

Set the validate authority flag to false. See https://aka.ms/msal-net-custom-instance-metadata for more details.
WABError

What happens?

Windows Authentication Broker, which handles the interaction between the user and AAD, has failed.

Mitigation

See the error message for more details.
WebviewUnavailable

The selected webview is not available on this platform. You can switch to a different webview using WithUseEmbeddedWebView(Boolean). See https://aka.ms/msal-net-os-browser for details

WsTrustEndpointNotFoundInMetadataDocument

WS-Trust Endpoint Not Found in Metadata Document.
