MsalError Class

Definition

Error code returned as a property in MsalException

public static class MsalError
type MsalError = class
Public Class MsalError
Inheritance
MsalError

Fields

AccessDenied

Access denied.

AccessingWsMetadataExchangeFailed

Accessing WS Metadata Exchange Failed.

What happens?

You tried to use AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) and the account is a federated account.

Mitigation

None. The WS metadata was not found or does not correspond to what was expected.

ActivityRequired

On Android, you need to call AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) passing the activity. See https://aka.ms/msal-interactive-android

AndroidBrokerOperationFailed

Failed to complete Android broker operation.

AndroidBrokerSignatureVerificationFailed

Failed to validate Android broker signature.

AuthenticationCanceledError

Authentication canceled.

What happens?

The user canceled the authentication, for instance by closing the authentication dialog.

Mitigation

None, you cannot get a token to call the protected API. You might want to inform the user.

AuthenticationFailed

Authentication failed.

What happens?

The authentication failed; for instance, the user did not enter the right password.

Mitigation

Inform the user to retry.

AuthenticationUiFailed

The request could not be performed because of an unknown failure in the UI flow.

Mitigation

Inform the user.

AuthenticationUiFailedError

The request could not be performed because of a failure in the UI flow.

What happens?

The library failed to invoke the Web View required to perform interactive authentication. The exception might include the reason.

Mitigation

If the exception includes the reason, you could inform the user. This might be, for instance, because a browser implementing Chrome custom tabs is missing on the Android phone (that's only an example: this exception can apply to other platforms as well).

AuthorityTypeMismatch

What happens?

The authority configured at the application level is different from the authority configured at the request level.

Mitigation

Ensure the same authority type is used.

AuthorityValidationFailed

Authority validation failed.

What happens?

The validation of the authority failed. This might be because the authority is not compliant with the OIDC standard, or there might be a security issue.

Mitigation

Use a different authority. If you are absolutely sure that you can trust the authority, you can use WithAuthority(AadAuthorityAudience, Boolean), setting the validateAuthority parameter to false (not recommended).

B2CAuthorityHostMismatch

The B2C authority host is not the same as the one used when creating the client application.

BrokerApplicationRequired

What happens?

A broker application is required, but one could not be found or communicated with.

Mitigation

Install a broker application, such as Authenticator, from the application store.

BrokerNonceMismatch

Broker response nonce does not match the request nonce sent by MSAL.NET for iOS broker >= v6.3.19

BrokerResponseHashMismatch

Broker response hash did not match

BrokerResponseReturnedError

Broker response returned an error

CannotAccessUserInformationOrUserNotDomainJoined

Cannot access user information, or the user is not a domain user.

What happens?

You tried to use AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>) but the user is not a domain user (the machine is not domain or AAD joined).

CannotInvokeBroker

MSAL is not able to invoke the broker. Possible reasons are the broker is not installed on the user's device, or there were issues with the UiParent or CallerViewController being null. See https://aka.ms/msal-brokers

CertWithoutPrivateKey

What happens?

The certificate provided does not have a private key.

Mitigation

Ensure the certificate has a private key.

ClientCredentialAuthenticationTypeMustBeDefined

What happens?

You configured MSAL confidential client authentication without an authentication type (Certificate, Secret, Client Assertion).

Mitigation

Call one of ConfidentialClientApplicationBuilder.WithClientSecret, ConfidentialClientApplicationBuilder.WithCertificate, or ConfidentialClientApplicationBuilder.WithClientAssertion.

ClientCredentialAuthenticationTypesAreMutuallyExclusive

What happens?

You configured MSAL confidential client authentication with more than one authentication type (Certificate, Secret, Client Assertion).

ClientIdMustBeAGuid

What happens?

You've specified a client ID that is not a GUID.

Mitigation

Use the application ID (a GUID) from the application portal as the client ID in this SDK.

CodeExpired

What happens?

In the context of Device code flow (See https://aka.ms/msal-net-device-code-flow), this error happens when the device code expired before the user signed-in on another device (this is usually after 15 mins).

Mitigation

None. Inform the user that they took too long to sign in at the provided URL and enter the provided code.

CryptoNet45

What happens?

MSAL cannot use the certificate for signing.

Mitigation

Possible cause: use of CNG certificates with .NET classic 4.6 or lower. Either target a higher version of .NET desktop (4.6.1 and above), use a different certificate type (non-CNG), or sign your own assertion as described at https://aka.ms/msal-net-signed-assertion.

CurrentBrokerAccount

This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when the OperatingSystemAccount user is passed as the account parameter. Only some brokers (WAM) can login the current user.

Mitigation

On Windows, use the broker via .WithBroker(true), use a different account, or otherwise call AcquireTokenInteractive(IEnumerable<String>).

CustomMetadataInstanceOrUri

What happens?

You have configured your own instance metadata using both a Uri and a string. Only one is supported.

Mitigation

Call WithInstanceDiscoveryMetadata only once. See https://aka.ms/msal-net-custom-instance-metadata for more details.

CustomWebUiRedirectUriMismatch

Error code used when the CustomWebUI has returned a URI, but it does not match the Authority and AbsolutePath of the configured redirect URI.

CustomWebUiReturnedInvalidUri

Error code used when the ICustomWebUi has returned a URI, but it is invalid - it is either null or has no code. Consider throwing an exception if you are unable to intercept the URI containing the code.

DefaultRedirectUriIsInvalid

RedirectUri validation failed.

DeviceCertificateNotFound

Device certificate not found.

DuplicateQueryParameterError

Duplicate query parameter was found in extraQueryParameters.

What happens?

You have used extraQueryParameters on overrides of token acquisition operations in public client and confidential client applications, and are passing a parameter which is already present in the URL (either because you had it in another way, or the library added it).

Mitigation [App Development]

Remove the duplicate parameter from the token acquisition override.

EncodedTokenTooLong

Encoded token too long.

What happens?

In a confidential client application call, the client assertion built by MSAL is longer than the maximum possible length for a JWT token.

ExperimentalFeature

What happens?

You are trying to use a feature which was marked as experimental.

Mitigation

When creating the PublicClientApplication or ConfidentialClientApplication, use the .WithExperimentalFeatures() option. See https://aka.ms/msal-net-experimental-features for details.

FailedToAcquireTokenSilentlyFromBroker

Failed to acquire token silently. Used in broker scenarios.

What happens?

You called AcquireTokenSilent(IEnumerable<String>, IAccount) or AcquireTokenSilent(IEnumerable<String>, String) and your mobile (Xamarin) application leverages the broker (Microsoft Authenticator or Microsoft Company Portal), but the broker was not able to acquire the token silently.

Mitigation

Call AcquireTokenInteractive(IEnumerable<String>).

FailedToGetBrokerResponse

What happens?

You are trying to authenticate with the broker but MSAL is unable to read the response from the broker.

Mitigation

The currently installed broker may not support MSAL.Xamarin; you need to ensure that you have installed either Intune Company Portal (5.0.4689.0 or greater) or Microsoft Authenticator (6.2001.0140 or greater). See https://aka.ms/Brokered-Authentication-for-Android

FailedToRefreshToken

Failed to refresh token.

What happens?

The token could not be refreshed. This can be because the user has not used the application for a long time, and therefore the refresh token maintained in the token cache has expired.

Mitigation

If you are in a public client application that supports interactivity, send an interactive request with AcquireTokenInteractive(IEnumerable<String>). Otherwise, use a different method to acquire tokens.

FederatedServiceReturnedError

Federated service returned error.

Mitigation

None. The federated service returned an error. You can try to look at the Body of the exception for a better understanding of the error and choose the mitigation.

GetUserNameFailed

Failed to get user name.

HttpListenerError

An HttpListenerException occurred while listening for the system browser to complete the login.

HttpStatusCodeNotOk

ErrorCode used when the HTTP response returns something different from 200 (OK)

HttpStatusNotFound

Error code used when the HTTP response returns HttpStatusCode.NotFound

IntegratedWindowsAuthNotSupportedForManagedUser

Integrated Windows Auth is only supported for "federated" users

InteractionRequired

Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so the user can do an interactive log-in to get a token with updated claims.

Mitigation:

If your application is an IPublicClientApplication, call AcquireTokenInteractive to perform an interactive authentication. If your application is a ConfidentialClientApplication, chances are that the Claims member of the exception is not empty. See MsalServiceException.Claims for the right mitigation.

InternalError

Internal error

InvalidAdalCacheMultipleRTs

What happens?

The ADAL cache is invalid as it contains multiple refresh token entries for one user.

Mitigation

Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.

InvalidAuthority

Invalid authority

What happens?

When the library attempted to discover the authority and get the endpoints it needs to acquire a token, it got an unauthorized HTTP code or an unexpected response.

Remediation

Check that the authority configured for the application, or passed to the token acquisition overrides that support an authority override, is correct.

InvalidAuthorityType

Invalid authority type. MSAL.NET does not know how to interact with the authority specified when the application was built.

Mitigation

Use a different authority.

InvalidAuthorizationUri

An authorization Uri has been intercepted, but it cannot be parsed. See the log for more details.

InvalidClient

Azure AD service error indicating a configuration issue.

Mitigation

See the error message for details, then take corrective action in the app registration portal. See https://aka.ms/msal-net-invalid-client for details.

InvalidGrantError

Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so that the user does an interactive action in order to get a new token.

Mitigation:

If your application is an IPublicClientApplication, call AcquireTokenInteractive to perform an interactive authentication. If your application is a ConfidentialClientApplication, chances are that the Claims member of the exception is not empty. See MsalServiceException.Claims for the right mitigation.

InvalidInstance

AAD service error indicating that the configured authority does not exist

InvalidJsonClaimsFormat

What happens?

You have configured a claims request, but the claims string is not in JSON format.

Mitigation

Ensure that the claims parameter is valid JSON. Inspect the inner exception for details about JSON parsing.

InvalidJwtError

JWT was invalid.

What happens?

The library expected a JWT (for instance a token from the cache, or one received from the STS), but the format is invalid.

Mitigation

Make sure that the token cache was not tampered with.

InvalidOwnerWindowType

Invalid owner window type.

What happens?

You used AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) but the parameter you passed is invalid.

Remediation

On .NET Standard, the expected object is an Activity on Android, a UIViewController on iOS, an NSWindow on Mac, and an IWin32Window or IntPtr on Windows. If you are in a WPF application, you can use WindowInteropHelper(wpfControl).Handle to get the window handle associated with a WPF control.

InvalidRequest

Request is invalid.

What happens?

This can happen because you are using a token acquisition method which is not compatible with the authority. For instance: you called AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) but you used an authority ending with '/common' or '/consumers', whereas this method requires a tenanted authority or '/organizations'.

Mitigation

Adjust the authority to the AcquireTokenXX method you use (don't use 'common' or 'consumers' with AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) or AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)).

InvalidUserInstanceMetadata

What happens?

You have configured your own instance metadata, but the JSON provided seems to be invalid.

Mitigation

See https://aka.ms/msal-net-custom-instance-metadata for an example of valid JSON that can be used.

JsonParseError

JSON parsing failed.

What happens?

A JSON blob read from the token cache or received from the STS was not parseable. This can happen when reading the token cache, or receiving an IDToken from the STS.

Mitigation

Make sure that the token cache was not tampered with.

LinuxXdgOpen

What happens?

MSAL tried to open the browser on Linux using the xdg-open, gnome-open, or kfmclient tools, but failed.

Mitigation

Make sure you can open a page using the xdg-open tool. See https://aka.ms/msal-net-os-browser for details.

LoopbackRedirectUri

What happens?

The current redirect URL is not a loopback URL.

Mitigation

To use the OS browser, a loopback URL, with or without a port, must be configured both during app registration and when initializing the IPublicClientApplication object. See https://aka.ms/msal-net-os-browser for details.

LoopbackResponseUriMismatch

What happens?

MSAL has intercepted a Uri possibly containing an authorization code, but it does not match the configured redirect URL.

Mitigation

If you are using an ICustomWebUi implementation, make sure the redirect URL matches the URL containing the auth code. If you are not using an ICustomWebUi, this could be a man-in-the-middle attack.

MissingFederationMetadataUrl

Federation Metadata URL is missing for federated user.

MissingPassiveAuthEndpoint

No passive auth endpoint was found in the OIDC configuration of the authority

What happens?

When the library retrieves the OpenID Connect configuration from the authority, it expects to find a Passive Auth Endpoint entry, but could not find it.

Remediation

Check that the authority configured for the application, or passed to the token acquisition overrides that support an authority override, is correct.

MultipleAccountsForLoginHint

This error code denotes that multiple accounts were found having the same login hint and MSAL cannot choose one. Please use WithAccount(IAccount) to specify the account

MultipleTokensMatchedError

Multiple Tokens were matched.

What happens?

This exception happens in the case of applications managing several identities, when calling AcquireTokenSilent(IEnumerable<String>, IAccount) or one of its overrides and the user token cache contains multiple tokens for this client application and the specified Account, but from different authorities.

Mitigation [App Development]

Specify the authority to use in the acquire token operation.

NetworkNotAvailableError
Obsolete.

The request could not be performed because the network is down.

Mitigation [App development]

In the application you could either inform the user that there are network issues or retry later.

NoAccountForLoginHint

This error code denotes that no account was found having the given login hint.

What happens?

AcquireTokenSilent(IEnumerable<String>, String) or WithLoginHint(String) was called with a loginHint parameter which does not match any account in GetAccountsAsync().

Mitigation

If you are certain about the loginHint, call AcquireTokenInteractive(IEnumerable<String>).

NoAndroidBrokerAccountFound

MSAL is not able to find a suitable account to use with broker

NoAndroidBrokerInstalledOnDevice

MSAL cannot find the broker application to authenticate accounts.

NoClientId

What happens?

You haven't set a client ID.

Mitigation

Use the application ID (a GUID) from the application portal as the client ID in this SDK.

NonHttpsRedirectNotSupported

Non HTTPS redirects are not supported

What happens?

This error happens when you have registered a non-HTTPS redirect URI for the public client application other than urn:ietf:wg:oauth:2.0:oob.

Mitigation [App registration and development]

Register in the application a Reply URL starting with "https://".

NonParsableOAuthError

An error response was returned by the OAuth2 server and it could not be parsed

NoPromptFailedError

One of two conditions was encountered:

  • The Prompt.NoPrompt was passed in an interactive token call, but the constraint could not be honored because user interaction is required, for instance because the user needs to sign in again, give consent for more scopes, or perform multi-factor authentication.
  • An error occurred during a silent web authentication that prevented the authentication flow from completing in a short enough time frame.

Remediation:

Call AcquireTokenInteractive so that the user of your application signs in and accepts consent.

NoRedirectUri

No Redirect URI.

What happens?

You need to provide a Reply URI / Redirect URI, but have not called WithRedirectUri(String).

NoTokensFoundError

No token was found in the token cache.

Mitigation:

If your application is an IPublicClientApplication, call AcquireTokenInteractive so that the user of your application signs in and accepts consent.
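The silent-then-interactive pattern that the InteractionRequired, InvalidGrantError, FailedToRefreshToken, UserNullError and NoTokensFoundError entries all point to, written out as an added example (this is not MSAL.NET's own code or a sample from the library's documentation). The client ID is a placeholder GUID; the "User.Read" scope and the loopback redirect URI are assumptions for a desktop public client. All of these error codes surface as an MsalUiRequiredException, so one catch block covers them, and a non-empty Claims member (a claims challenge from the STS) is forwarded to the interactive call:

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. The client ID below is a placeholder GUID;
// the scope and the loopback redirect URI are assumptions for a desktop public client.
public static class SilentThenInteractive
{
    private static readonly string[] Scopes = { "User.Read" };

    public static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder.Create("00000000-0000-0000-0000-000000000000")
            .WithRedirectUri("http://localhost")   // loopback URI for the system browser
            .Build();

    public static async Task<AuthenticationResult> GetTokenAsync(IPublicClientApplication app)
    {
        // Null on first run or after the user signed out. MSAL then raises UserNullError
        // as an MsalUiRequiredException, which the catch below handles like the others.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();

        try
        {
            // Cache first: returns a cached access token or redeems the refresh token.
            return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // Covers InteractionRequired, InvalidGrantError, FailedToRefreshToken,
            // NoTokensFoundError and UserNullError: the user has to be shown the UI.
            Console.WriteLine($"Silent acquisition failed ({ex.ErrorCode}); prompting the user.");

            var interactive = app.AcquireTokenInteractive(Scopes);
            if (account != null)
            {
                interactive = interactive.WithAccount(account);
            }

            // A non-empty Claims member means the STS issued a claims challenge
            // (for example Conditional Access); forward it so the user can satisfy it.
            if (!string.IsNullOrEmpty(ex.Claims))
            {
                interactive = interactive.WithClaims(ex.Claims);
            }

            return await interactive.ExecuteAsync();
        }
    }

    public static async Task Main()
    {
        AuthenticationResult result = await GetTokenAsync(BuildApp());
        Console.WriteLine($"Token acquired for {result.Account.Username}, expires {result.ExpiresOn}.");
    }
}
```

Only MsalUiRequiredException is caught: an MsalServiceException with a different code (InvalidClient, ServiceNotAvailable) is not something an interactive prompt can fix, so it propagates to the caller.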
NoUsernameOrAccountIDProvidedForSilentAndroidBrokerAuthentication

Unable to query the Android account manager because no username or home account ID is provided in the silent authentication request.

NullIntentReturnedFromAndroidBroker

Null intent was returned so broker activity cannot be launched

ParsingWsMetadataExchangeFailed

Parsing WS Metadata Exchange Failed.

ParsingWsTrustResponseFailed

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) in the case of a federated user (that is, one owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant): ID3242: The security token could not be authenticated or authorized. The user does not exist or has entered the wrong password.

PasswordRequiredForManagedUserError

Password is required for managed user.

What happens?

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString) and you (or the user) did not provide a password.

PlatformNotSupported

The library is loaded on a platform which is not supported.

RedirectUriValidationFailed

RedirectUri validation failed.

What happens?

The redirect URI / reply URI is invalid

How to fix

Pass a valid redirect URI.

RegionalAuthorityValidation

What happens?

You configured both Regional Authority and Authority Validation. Authority validation is not currently supported for regional authorities.

Mitigation

Set the validateAuthority flag to false to use an Azure regional authority. Do not disable authority validation if you read the authority from an untrusted source, for example from the WWW-Authenticate header of an HTTP request that resulted in a 401 response.
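A confidential client setup that avoids several of the configuration errors on this page at once (CertWithoutPrivateKey, ClientCredentialAuthenticationTypeMustBeDefined / ClientCredentialAuthenticationTypesAreMutuallyExclusive, and the authority validation caveat above), written as an added example rather than MSAL.NET's own code. The client ID, tenant ID and certificate thumbprint are placeholders, and the certificate is assumed to live in the current user's personal store:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. Client ID, tenant ID and certificate
// thumbprint are placeholders; the certificate is looked up in CurrentUser\My.
public static class CertificateClientFactory
{
    public static IConfidentialClientApplication Create(string clientId, string tenantId, string thumbprint)
    {
        X509Certificate2 cert = FindCertificate(thumbprint);

        // MSAL signs the client assertion with the private key. A certificate imported as
        // public key only fails later with CertWithoutPrivateKey; check it up front.
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Certificate {thumbprint} has no private key; import it from a PFX or a key-backed store entry.");
        }

        return ConfidentialClientApplicationBuilder.Create(clientId)
            // Exactly one credential type. Adding WithClientSecret or WithClientAssertion as well
            // raises ClientCredentialAuthenticationTypesAreMutuallyExclusive; supplying none
            // raises ClientCredentialAuthenticationTypeMustBeDefined.
            .WithCertificate(cert)
            // Keep authority validation on (the default). Only pass validateAuthority: false for an
            // authority you control, never for one read from an untrusted source such as the
            // WWW-Authenticate header of a 401 response (see AuthorityValidationFailed).
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId, validateAuthority: true)
            .Build();
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (matches.Count == 0)
            {
                throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser\\My.");
            }
            return matches[0];
        }
    }

    public static void Main()
    {
        IConfidentialClientApplication app = Create(
            "00000000-0000-0000-0000-000000000000",   // placeholder client ID
            "00000000-0000-0000-0000-000000000001",   // placeholder tenant ID
            "0000000000000000000000000000000000000000"); // placeholder thumbprint
        Console.WriteLine($"Built confidential client for {app.AppConfig.ClientId}.");
    }
}
```

If a regional authority is required, the page's mitigation applies: pass validateAuthority: false to WithAuthority, but only when the authority string is one you configured yourself.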
RegionDiscoveryFailed

Region discovery failed.

RegionDiscoveryNotEnabled

What happens?

WithAzureRegion is set to true.

Mitigation

Region discovery cannot be performed for an ADFS authority.

RequestTimeout

The HTTP Request to the STS timed out.

Mitigation

You can retry after a delay.

RopcDoesNotSupportMsaAccounts

Resource Owner Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account. ROPC does not support MSA accounts. See https://aka.ms/msal-net-ropc for details.

ScopesRequired

What happens?

No scopes have been requested

Mitigation

At least one scope must be specified for this authentication flow.

ServiceNotAvailable

Service is unavailable and returned an HTTP error code within the range 500-599.

Mitigation

You can retry after a delay.
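The "retry after a delay" advice given for RequestTimeout and ServiceNotAvailable, as an added example that is not MSAL.NET's own code. It retries only those two codes (plus any MsalServiceException carrying a 5xx status, which is what ServiceNotAvailable describes) with exponential backoff and a bounded attempt count; every other exception, including MsalUiRequiredException and InvalidClient, is rethrown untouched because retrying cannot fix it. The client ID, tenant and secret source in Main are placeholders:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. Retries only the codes this page marks as
// retryable after a delay; everything else is rethrown unchanged.
public static class TransientRetry
{
    public static async Task<AuthenticationResult> ExecuteWithRetryAsync(
        Func<Task<AuthenticationResult>> acquire, int maxAttempts = 3)
    {
        TimeSpan delay = TimeSpan.FromSeconds(1);

        for (int attempt = 1; ; attempt++)
        {
            try
            {
                return await acquire();
            }
            catch (MsalException ex) when (attempt < maxAttempts && IsTransient(ex))
            {
                Console.WriteLine($"Attempt {attempt} failed with {ex.ErrorCode}; retrying in {delay.TotalSeconds}s.");
                await Task.Delay(delay);
                delay = TimeSpan.FromTicks(delay.Ticks * 2);   // exponential backoff, bounded by maxAttempts
            }
        }
    }

    private static bool IsTransient(MsalException ex)
    {
        if (ex.ErrorCode == MsalError.RequestTimeout || ex.ErrorCode == MsalError.ServiceNotAvailable)
        {
            return true;
        }

        // A 5xx that surfaced under another error code is still a server-side outage.
        return ex is MsalServiceException svc && svc.StatusCode >= 500 && svc.StatusCode <= 599;
    }

    // Usage: wrap any MSAL call. Client ID, tenant and the secret's source are placeholders.
    public static async Task Main()
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create("00000000-0000-0000-0000-000000000000")
            .WithClientSecret(Environment.GetEnvironmentVariable("CLIENT_SECRET"))
            .WithAuthority(AzureCloudInstance.AzurePublic, "contoso.onmicrosoft.com")
            .Build();

        AuthenticationResult result = await ExecuteWithRetryAsync(
            () => app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync());

        Console.WriteLine($"Token expires at {result.ExpiresOn}.");
    }
}
```

The exception filter (`when`) keeps the last attempt's exception intact: once maxAttempts is reached the filter is false, so the original MsalException propagates with its ErrorCode, StatusCode and correlation ID for logging.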
SSHCertUsedAsHttpHeader

What happens?

You have configured MSAL to request SSH certificates from AAD, and you are trying to format an HTTP authentication header.

Mitigation

SSH certificates should not be used as Bearer tokens. Developers are responsible for sending the certificates to the target machines.

StateMismatchError

State returned from the STS was different from the one sent by the library

What happens?

The library sends to the STS a state associated with a request, and expects the reply to be consistent. This error indicates that the reply is not associated with the request. This could indicate an attempt to replay a response.

Mitigation

None

SystemWebviewOptionsNotApplicable

What happens?

You configured MSAL interactive authentication to use an embedded WebView and you also configured SystemWebViewOptions. These are mutually exclusive.

Mitigation

Either set WithUseEmbeddedWebView(Boolean) to true or do not use WithSystemWebViewOptions(SystemWebViewOptions).

TelemetryConfigOrTelemetryCallback

What happens?

You have configured both a telemetry callback and a telemetry config.

Mitigation

Only one telemetry mechanism can be configured.

TenantDiscoveryFailedError

Tenant discovery failed.

What happens?

While reading the OpenID configuration associated with the authority, the Authorize endpoint, the Token endpoint, or the Issuer was not found.

Mitigation

This indicates an authority which is not OpenID Connect compliant. Specify a different authority in the constructor of the application, or in the token acquisition override.

TokenCacheNullError
Obsolete.

This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when the user cache had not been set in the application constructor. This should never happen in MSAL.NET 3.x, as the cache is created by the application.

TokenTypeMismatch

What happens?

You asked for one type of token, but did not receive it.

Mitigation

This happens if the Identity Provider (AAD, B2C, ADFS etc.) does not support / implement the requested token type. In case of ADFS, consider upgrading to the latest version.

UapCannotFindDomainUser

Cannot access the user from the OS (UWP)

What happens?

You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>), but the domain user name could not be found.

Mitigation

This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp

UapCannotFindUpn

Cannot get the user from the OS (UWP)

What happens?

You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>), but the domain user name could not be found.

Mitigation

This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp

UnknownBrokerError

Unknown broker error occurred.

Mitigation

None. You might want to inform the end user.

UnknownError

Unknown Error occurred.

Mitigation

None. You might want to inform the end user.

UnknownUser

What happens?

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString). The user is not known by the IdP.

Mitigation

Inform the user. The login that the user provided might be incorrect (for instance empty).

UnknownUserType

What happens?

You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString). The user is not recognized as a managed user or a federated user; Azure AD was not able to identify the IdP that needs to process the user.

Mitigation

Inform the user. The login that the user provided might be incorrect.

UpnRequired

loginHint should be a UPN

What happens?

An override of a token acquisition operation that takes a loginHint parameter was called on IPublicClientApplication, but the login hint was not in the UserPrincipalName (UPN) format (e.g. john.doe@contoso.com) expected by the service.

Remediation

Make sure in your code that you enforce loginHint to be a UPN.

UserMismatch

User Mismatch.

UserNullError

This error code comes back from AcquireTokenSilent(IEnumerable<String>, IAccount) calls when a null user is passed as the account parameter. This can be because you have called AcquireTokenSilent with an account parameter set to accounts.FirstOrDefault() but accounts is empty.

Mitigation

Pass a different account, or otherwise call AcquireTokenInteractive(IEnumerable<String>).

UserRealmDiscoveryFailed

User Realm Discovery Failed.

ValidateAuthorityOrCustomMetadata

What happens?

You have configured your own instance metadata, and have also set validate authority to true. These are mutually exclusive.

Mitigation

Set the validate authority flag to false. See https://aka.ms/msal-net-custom-instance-metadata for more details.

WABError

What happens?

Windows Authentication Broker, which handles the interaction between the user and AAD, has failed.

Mitigation

See the error message for more details.

WamInteractiveError

WAM service exception that can occur when calling AcquireTokenInteractive

WamNoB2C

The Windows broker (WAM) is only supported in conjunction with "work and school" accounts and with Microsoft accounts.

WamPickerError

WAM service exception that can occur when calling AcquireTokenInteractive and the account picker pops up

WamUiThread

When calling AcquireTokenInteractive with the WAM broker, the call must be made from the UI thread.

WebView2NotInstalled

What happens?

The embedded browser cannot be started because a runtime component is missing.

Mitigation

The embedded browser needs the WebView2 runtime to be installed. An end user of the app can download and install the WebView2 runtime from https://go.microsoft.com/fwlink/p/?LinkId=2124703 and restart the app, or the app developer can install the WebView2 runtime (see https://docs.microsoft.com/en-us/microsoft-edge/webview2/concepts/distribution).

WebviewUnavailable

The selected WebView is not available on this platform. You can switch to a different WebView using WithUseEmbeddedWebView(Boolean). See https://aka.ms/msal-net-os-browser for details.

WsTrustEndpointNotFoundInMetadataDocument

WS-Trust Endpoint Not Found in Metadata Document.
