AADSTS16000
Multiple Users Matched Selection
Multiple user accounts matched the sign-in criteria, causing ambiguity in user selection.
Common Cause
The username matches multiple accounts across federated identity providers or linked directories.
How to Fix
Use the full UPN (user@domain.com) instead of an alias. Check for duplicate accounts across identity sources. Review federation configuration for conflicting claims mappings.
tags: authentication, federation, duplicate, upn
AADSTS20001
WS-Federation Sign-In Error
The federated identity provider returned an error during WS-Fed sign-in.
Common Cause
The federated IDP (AD FS, Okta, PingFederate) encountered an error processing the sign-in request. Federation metadata may be stale.
How to Fix
Check the federated IDP logs for the detailed error. Update federation metadata in Entra ID (Update-MgDomainFederationConfiguration). Verify the federation endpoint is reachable and the signing certificate is valid.
tags: federation, ws-fed, adfs, idp
AADSTS20012
Federation Configuration Error
There is an issue with the federation configuration for the specified domain.
Common Cause
The domain's federation metadata is invalid, expired, or unreachable. Common after AD FS certificate rotation without updating Entra ID.
How to Fix
Re-run Update-MgDomainFederationConfiguration for the affected domain. Verify AD FS metadata endpoint is accessible. Check token-signing certificates haven't expired. Consider migrating to managed authentication.
tags: federation, adfs, metadata, certificate
AADSTS50001
Resource Not Found in Tenant
The app is trying to access a resource that is not registered in the target tenant.
Common Cause
The resource identifier (API) the app is requesting access to doesn't exist in the specified tenant. Tenant ID may be wrong.
How to Fix
Verify the resource identifier/scope in the authentication request. Ensure the API app registration exists in the target tenant. For Microsoft APIs, verify the tenant has the required licenses. Check the authority URL uses the correct tenant ID.
tags: authentication, resource, tenant, api, scope
AADSTS50005
Auth Code Already Redeemed
The authorization code has already been used to obtain a token and cannot be reused.
Common Cause
Authorization codes are single-use. The app attempted to exchange the same code twice, often due to retry logic or race conditions.
How to Fix
Review app code for duplicate token requests. Implement proper token caching so the app reuses the access token rather than re-exchanging the code. Check for concurrent requests from the same session.
tags: oauth, auth code, token, retry
AADSTS50008
SAML Assertion Missing or Invalid
The SAML assertion is missing from the token request or its format is invalid.
Common Cause
The identity provider didn't include a valid SAML assertion, the assertion expired, or the XML is malformed.
How to Fix
Check the SAML response from the IDP using a SAML decoder (base64decode.org or browser extensions). Verify the assertion's NotBefore/NotOnOrAfter timestamps. Ensure clock sync between IDP and Entra ID.
tags: saml, federation, assertion, xml
AADSTS50011
Reply URL Mismatch
The reply URL specified in the request does not match any reply URL configured for the application.
Common Cause
The redirect URI doesn't match the app registration. Common after changing environments or app URLs.
How to Fix
Go to Entra ID → App Registrations → your app → Authentication. Add or correct the Redirect URI to match exactly (including http vs https, trailing slashes, ports).
tags: authentication, oauth, app registration, redirect, uri
AADSTS50012
Authentication Failed - Invalid Credentials
Authentication failed due to invalid credentials. This is a generic credential failure.
Common Cause
Wrong password, expired credentials, or the authentication method failed. For service principals, the client secret or certificate may be invalid.
How to Fix
Reset the user's password. For service principals, verify the client secret hasn't expired (check App Registration → Certificates & secrets). Generate a new secret if expired. Check for special characters in passwords that might need URL encoding.
tags: authentication, credentials, password, service principal, client secret
AADSTS50013
Assertion Audience Mismatch
The audience claim in the SAML assertion doesn't match the expected audience for the application.
Common Cause
The IDP is sending a SAML assertion intended for a different application or entity ID. The SAML relying party configuration is wrong.
How to Fix
Check the SAML assertion's Audience field matches the Application ID URI in Entra ID. Update the IDP's relying party trust to use the correct entity ID. Verify the SAML configuration in the Enterprise Application.
tags: saml, audience, assertion, entity id, federation
AADSTS50017
Certificate Validation Failed
The signing certificate could not be validated - it may be expired, revoked, or from an untrusted issuer.
Common Cause
The token-signing certificate from the federated IDP is expired, not in the trusted certificate list, or the certificate chain is incomplete.
How to Fix
Update the federation certificate in Entra ID. For AD FS, run Update-AdfsCertificate and then update the federation trust. Check certificate expiration dates. Ensure the full certificate chain is available.
tags: certificate, federation, signing, trust, adfs
AADSTS50020
User From External IDP Not in Tenant
The user account from the identity provider does not exist in this tenant.
Common Cause
A guest/external user account hasn't been created in the tenant. B2B invitation is missing or the user is trying to access the wrong tenant.
How to Fix
Invite the user via B2B: Entra ID → Users → New guest user. Verify the user is signing into the correct tenant. Check cross-tenant access settings if this is a B2B scenario.
tags: guest, b2b, external, tenant, invitation
AADSTS50034
User Account Does Not Exist
The specified user account was not found in the Entra ID directory.
Common Cause
The username/UPN doesn't match any account. The user may be mistyping their email, the account was deleted, or they're using the wrong tenant.
How to Fix
Verify the UPN is correct. Check if the account exists in Entra admin center → Users. Check the Deleted Users list if recently removed. For B2B, confirm the guest invitation was accepted.
tags: authentication, user, account, upn, deleted
AADSTS50053
Account Locked - Smart Lockout
The account has been locked after too many failed sign-in attempts.
Common Cause
Entra ID Smart Lockout triggered after multiple failed attempts. Protects against brute-force attacks.
How to Fix
Wait for lockout period to expire (default 60 seconds). Check sign-in logs for the source of failures. Customize lockout thresholds in Entra ID → Security → Authentication methods → Password protection.
tags: lockout, password, brute force, smart lockout, security
AADSTS50055
Password Expired
The user's password has expired and must be changed.
Common Cause
Password expiration policy reached. Synced from on-premises AD or Entra ID password policy.
How to Fix
User resets at https://passwordreset.microsoftonline.com. Admin can reset in Entra admin center. Consider disabling periodic expiration in favor of MFA per Microsoft recommendations.
tags: password, expiration, sspr, reset
AADSTS50056
Invalid or Null Password
The user account exists but does not have a password set in Entra ID.
Common Cause
The user was created without a password, or the password hash hasn't synced from on-premises AD.
How to Fix
Set a password for the user in Entra admin center. If synced from on-prem, verify Entra Connect password hash sync is working. Run a delta sync: Start-ADSyncSyncCycle -PolicyType Delta.
tags: password, sync, entra connect, hash sync
AADSTS50057
User Account Disabled
The user account has been disabled by an administrator.
Common Cause
The account is disabled in Entra ID or in on-premises AD (and synced). Common for terminated employees or suspended accounts.
How to Fix
Enable the account in Entra admin center → Users → select user → Properties → Account enabled. If synced from on-prem, enable in AD and wait for sync. Check if this was an intentional disable.
tags: disabled, account, blocked, terminated
AADSTS50058
Silent Sign-In Failed
A silent sign-in request was sent but no user session exists. The user needs to sign in interactively.
Common Cause
The browser session cookie expired, was cleared, or the app tried SSO but no active session exists. Common in iframe/popup-based auth.
How to Fix
Trigger an interactive sign-in instead of silent. In MSAL, catch this error and call acquireTokenRedirect or acquireTokenPopup. Check third-party cookie settings if using iframes (SameSite restrictions).
tags: sso, silent, session, cookie, msal
AADSTS50059
No Tenant Identification in Request
Tenant identification was not found in the request and could not be inferred from the credentials.
Common Cause
The authority URL uses /common or /organizations but the request context doesn't indicate which tenant. The user's UPN domain isn't associated with a tenant.
How to Fix
Use a tenant-specific authority URL (/tenantid/ or /domain.com/) instead of /common. Ensure the user types their full UPN including the domain. Check that the domain is verified in at least one tenant.
tags: tenant, authority, common, authentication
AADSTS50072
User Must Enroll for MFA
The user needs to register for multi-factor authentication to satisfy the MFA requirement.
Common Cause
MFA is required (by security defaults, Conditional Access, or per-user MFA) but the user hasn't registered any MFA methods.
How to Fix
User should register at https://aka.ms/mfasetup. Admin can pre-provision phone numbers. Check which MFA methods are enabled in Authentication methods policy. Ensure the user isn't blocked from registration by a Conditional Access policy.
tags: mfa, enrollment, registration, security defaults
AADSTS50074
Strong Authentication Required - MFA Challenge
The user passed primary authentication but must complete a strong authentication (MFA) challenge.
Common Cause
MFA is required by Conditional Access, security defaults, or per-user settings. The user needs to complete the second factor.
How to Fix
User completes the MFA challenge (authenticator app, phone call, SMS, FIDO2 key). If the user is stuck, check their registered methods. Verify the Authenticator app is properly configured. Check for number matching requirements.
tags: mfa, strong auth, conditional access, second factor
AADSTS50076
Conditional Access - MFA Required
A Conditional Access policy requires MFA but the user hasn't completed the MFA challenge.
Common Cause
A Conditional Access policy matched and requires MFA. User hasn't registered or MFA method unavailable.
How to Fix
User registers at https://aka.ms/mfasetup. Check which CA policy triggered in Sign-in logs → Conditional Access tab. Ensure user has a working MFA method.
tags: mfa, conditional access, authentication, policy
AADSTS50079
MFA Required - Per-User MFA Enforcement
Per-user MFA enforcement requires the user to complete MFA, but they haven't satisfied the challenge.
Common Cause
Per-user MFA (legacy) is enabled for this user, requiring MFA at every sign-in. Different from Conditional Access-based MFA.
How to Fix
Complete MFA. Consider migrating from per-user MFA to Conditional Access-based MFA for more granular control. Check the per-user MFA portal: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx.
tags: mfa, per-user, legacy, enforcement
AADSTS50097
Device Authentication Required
The sign-in requires device-level authentication but the device is not enrolled or registered.
Common Cause
A Conditional Access policy requires a device claim (Entra registered, Entra joined, or Hybrid joined), and the device doesn't meet the requirement.
How to Fix
Register or join the device with Entra ID. For Windows: Settings → Accounts → Access work or school → Join. For Hybrid Join, verify Entra Connect device sync. Check the policy's device conditions.
tags: device, authentication, conditional access, enrollment, hybrid join
AADSTS50105
User Not Assigned to Application
The user is not assigned a role for the application and 'User assignment required' is enabled.
Common Cause
The Enterprise App requires explicit user/group assignment. The user hasn't been added.
How to Fix
Entra ID → Enterprise Apps → your app → Users and groups → Add user/group. Or disable 'User assignment required' under Properties if all users should have access.
tags: app assignment, enterprise app, role, access
AADSTS50126
Invalid Username or Password
The username or password provided is incorrect.
Common Cause
Wrong password, account exists in a different tenant, or the UPN doesn't match (common with email vs UPN mismatches).
How to Fix
Verify the password. Check if the user's email differs from their UPN. Try signing in at https://myaccount.microsoft.com. Reset password if needed. Check Entra Connect for UPN sync issues.
tags: authentication, password, invalid, upn
AADSTS50128
Invalid Tenant Domain Name
The domain name in the request is not a valid tenant domain.
Common Cause
The tenant name or domain in the authority URL is misspelled or doesn't exist.
How to Fix
Verify the tenant domain or GUID in the authority URL. Check that the domain is verified in Entra admin center → Custom domain names. Common typo issue.
tags: tenant, domain, authority, configuration
AADSTS50131
Conditional Access - Device State Required
A Conditional Access policy requires a specific device state that is not met.
Common Cause
The policy requires the device to be compliant, Hybrid Entra ID joined, or marked as approved, and the current device fails this check.
How to Fix
Enroll the device in Intune for compliance. Join to Entra ID or Hybrid Join. Check device status: dsregcmd /status. Review Conditional Access policy grant controls.
tags: conditional access, device, compliance, hybrid join, intune
AADSTS50132
Session Revoked - Password or MFA Change
The user's session has been revoked, typically because their password was changed or MFA settings were modified.
Common Cause
An admin revoked sessions, the user's password was reset, or the Continuous Access Evaluation (CAE) policy detected a critical event.
How to Fix
User signs in again with new credentials. This is expected behavior after password resets or security events. If unexpected, check audit logs for who initiated the revocation.
tags: session, revoked, password reset, cae, security
AADSTS50133
Session Expired - Max Age Exceeded
The session has expired because it exceeded the maximum session lifetime configured in the sign-in frequency policy.
Common Cause
Conditional Access sign-in frequency policy requires re-authentication. The token's max age has been reached.
How to Fix
User signs in again. This is expected behavior. Review the Conditional Access sign-in frequency setting if it's too aggressive. Check token lifetime policies.
tags: session, expired, token, sign-in frequency, conditional access
AADSTS50140
Keep Me Signed In Interrupt
The user was interrupted by the 'Stay signed in?' prompt during sign-in.
Common Cause
The KMSI (Keep Me Signed In) prompt was shown. This is an informational interrupt, not an error, but some apps don't handle the interrupt flow.
How to Fix
User can dismiss by choosing Yes or No. Admins can disable the KMSI prompt in Entra ID → Company Branding → Sign-in page settings. Apps should handle interrupt flows properly.
tags: kmsi, stay signed in, interrupt, branding
AADSTS50144
On-Premises AD Password Expired
The user's Active Directory password has expired and must be changed on-premises.
Common Cause
The on-premises AD account password expired. With password hash sync, the cloud account reflects the on-prem expiration.
How to Fix
Change password on-premises (Ctrl+Alt+Del → Change password, or via corporate password portal). If SSPR is enabled, use https://passwordreset.microsoftonline.com with password writeback. Wait for sync to complete.
tags: password, expired, on-premises, ad, writeback, sspr
AADSTS50158
External Security Challenge Required
An external authentication method or security challenge is required and was not satisfied.
Common Cause
A Conditional Access policy or authentication method requires an external MFA provider (e.g., Duo, RSA) and the challenge wasn't completed.
How to Fix
Complete the external MFA challenge. Verify the external auth provider integration is working. Check Entra ID → External authentication methods configuration. Test the external provider's endpoint.
tags: mfa, external, authentication, third party, duo
AADSTS50173
Fresh Credential Required
The session requires fresh credentials - the user must re-authenticate even if a session exists.
Common Cause
Continuous Access Evaluation (CAE) detected a security event, or an admin action requires immediate re-authentication. Also triggered by Conditional Access auth strength policies.
How to Fix
User signs in again with current credentials. Check audit logs for the trigger event. If frequent, review CAE configuration and Conditional Access session controls.
tags: reauthentication, fresh, cae, security, session
AADSTS50196
Infinite Loop Detected
Entra ID detected an infinite loop between itself and the federated identity provider.
Common Cause
A misconfiguration causes the auth request to bounce between Entra ID and the federated IDP (AD FS, Okta, etc.) endlessly.
How to Fix
Check federation configuration for the domain. Verify the IDP's relying party trust is correctly configured. Ensure the IDP isn't redirecting back to Entra ID without processing the request. Check for conflicting Claims rules.
tags: federation, loop, adfs, idp, redirect
AADSTS51004
User Account Not in Directory
The user account does not exist in the specified directory/tenant.
Common Cause
The user is trying to access a resource in a tenant where their account doesn't exist. Wrong tenant or the account was never created.
How to Fix
Verify the user exists in the target tenant. Check the authority URL points to the correct tenant. For guest access, ensure a B2B invitation was sent and accepted.
tags: account, tenant, directory, not found
AADSTS53003
Conditional Access - Access Blocked
Access was blocked by a Conditional Access policy - the user didn't satisfy the grant controls.
Common Cause
A CA policy matched and the user didn't meet the requirements (MFA, compliant device, location, etc.).
How to Fix
Check Sign-in logs → the sign-in → Conditional Access tab to see which policy and why. Verify the user can meet the grant controls. Common fixes: register MFA, enroll device, connect to approved network.
tags: conditional access, blocked, policy, sign-in, grant controls
AADSTS65001
Consent Not Granted
The user or admin has not consented to the application's requested permissions.
Common Cause
The app needs permissions requiring admin consent, or user consent is disabled tenant-wide.
How to Fix
Admin grants consent: Entra ID → Enterprise Apps → your app → Permissions → Grant admin consent. Or configure Admin consent workflow so users can request access.
tags: consent, permissions, admin consent, oauth
AADSTS65004
User Declined Consent
The user explicitly declined to grant consent to the application's permission request.
Common Cause
The user clicked 'Cancel' or 'Deny' on the consent prompt.
How to Fix
User can try again and accept the consent. If the app requires permissions the user is uncomfortable with, review the permissions and determine if they're appropriate. Admin can grant consent on behalf of users.
tags: consent, declined, permissions, user
AADSTS70000
Invalid Grant - Token Request Failed
The token request failed because the grant (auth code or refresh token) is invalid.
Common Cause
The authorization code or refresh token is expired, revoked, was issued to a different client, or has already been used.
How to Fix
Restart the sign-in flow to get a new auth code. Check token expiration. For refresh tokens, verify the app's refresh token lifecycle settings. Ensure the client ID matches the original grant.
tags: oauth, token, grant, refresh token, expired
AADSTS70001
Application Deleted or Disabled
The application registration has been deleted or is disabled in the tenant.
Common Cause
The app was removed from App Registrations, or the Enterprise Application was disabled.
How to Fix
Check Entra ID → App Registrations (include deleted). Restore from deleted apps if within the 30-day recovery window. Re-register the app if permanently deleted. Check Enterprise App → Properties → Enabled.
tags: app registration, deleted, disabled, restore
AADSTS70002
Invalid Client Credentials
The client credentials (client secret or certificate) provided are invalid.
Common Cause
The client secret is wrong, expired, or the client certificate doesn't match. Secrets expire after the configured lifetime (default up to 2 years).
How to Fix
Check App Registration → Certificates & secrets for expiration dates. Generate a new client secret and update the application configuration. For certificates, verify the thumbprint matches.
tags: authentication, client secret, certificate, service principal, expired
AADSTS70008
Auth Code or Refresh Token Expired
The authorization code or refresh token has expired and can no longer be exchanged for an access token.
Common Cause
Auth codes expire in 10 minutes. Refresh tokens expire based on policy (default 90 days inactive, 24 hours for single-page apps).
How to Fix
Re-initiate the sign-in flow for a new auth code. For refresh tokens, the user needs to sign in interactively again. Review token lifetime policies if tokens expire too quickly.
tags: oauth, token, expired, refresh token, auth code
AADSTS70011
Invalid Scope Requested
The scope requested by the application is invalid or has been removed.
Common Cause
The app is requesting a permission scope that doesn't exist, is misspelled, or was revoked.
How to Fix
Check the scope strings in your app code. Compare against the API's published scopes (e.g., Microsoft Graph permissions list). Update API permissions in the app registration.
tags: oauth, scope, permissions, graph api
AADSTS75011
Authentication Method Mismatch
The authentication method used doesn't match what was expected by the application or policy.
Common Cause
The app expects a specific auth method (e.g., certificate-based) but the user authenticated with a different method (e.g., password).
How to Fix
Check the app's authentication requirements. Review Conditional Access authentication strength policies. Ensure the user's registered auth methods include what the app/policy requires.
tags: authentication, method, auth strength, certificate
AADSTS80001
Pass-Through Auth Agent Connection Failed
The PTA agent cannot connect to Entra ID, causing pass-through authentication to fail.
Common Cause
The PTA agent on-premises cannot reach the Entra ID endpoints. Network issues, proxy misconfiguration, or the PTA agent service is stopped.
How to Fix
Verify the PTA agent service is running on the server. Check outbound connectivity to *.msappproxy.net on port 443. Review proxy settings. Install additional PTA agents for redundancy. Check agent status in Entra admin center → Connect Health.
tags: pta, pass-through, authentication, agent, hybrid, connectivity
AADSTS80007
Pass-Through Auth Agent Error
The PTA agent encountered an error while validating credentials against on-premises AD.
Common Cause
The PTA agent cannot communicate with a domain controller, the DC is unreachable, or there are Kerberos/NTLM issues.
How to Fix
Verify domain controllers are reachable from the PTA agent server. Check AD connectivity and DNS resolution. Review Windows Event logs on the PTA agent server. Ensure the PTA agent service account has appropriate permissions.
tags: pta, agent, domain controller, authentication, hybrid
AADSTS80010
PTA - Password Validation Failed
The on-premises domain controller rejected the password via the Pass-Through Authentication agent.
Common Cause
Wrong password, account locked in on-premises AD, or password policy requirements not met.
How to Fix
Verify the password against on-premises AD. Check for on-prem account lockouts. Review AD password policies. Check if the user's AD account has 'must change password at next logon' set.
tags: pta, password, on-premises, lockout, domain controller
AADSTS90002
Tenant Not Found
The specified tenant ID or domain name does not correspond to any existing Entra ID tenant.
Common Cause
The tenant ID/domain in the authority URL is wrong, the tenant was deleted, or DNS isn't configured.
How to Fix
Verify the tenant GUID or domain. Check at https://login.microsoftonline.com/<tenantId>/.well-known/openid-configuration. If recently created, allow time for propagation.
tags: tenant, not found, authority, configuration
AADSTS90072
User Account Type Mismatch
A personal account was used where a work/school account is required, or vice versa.
Common Cause
The authority endpoint doesn't match the account type (/organizations vs /consumers vs /common).
How to Fix
Use the correct authority: /organizations for work/school, /consumers for personal, /common for both. Update the authority URL in app configuration.
tags: tenant, personal, work account, authority, endpoint
AADSTS90100
Invalid Request Parameter
A required parameter is missing or invalid in the authentication request.
Common Cause
The app's auth request URL is malformed - missing client_id, redirect_uri, response_type, or other required parameters.
How to Fix
Review the OAuth/OIDC request parameters. Verify client_id, redirect_uri, scope, and response_type are all present and correctly formatted. Test with Microsoft Graph Explorer or Postman.
tags: oauth, parameter, request, malformed
AADSTS120000
Password Change Failed
The password change request failed - the new password doesn't meet complexity requirements.
Common Cause
The new password doesn't meet on-premises AD or Entra ID password policy requirements (length, complexity, history, banned passwords).
How to Fix
Choose a stronger password meeting all policy requirements. Check Entra ID → Security → Authentication methods → Password protection for banned password lists. Review on-premises AD fine-grained password policies.
tags: password, change, complexity, policy, banned passwords
AADSTS130004
NGC Device Not Found
The Windows Hello for Business (NGC) device key is not found or has been removed.
Common Cause
The device's Windows Hello key was deleted from Entra ID, the device was re-imaged without removing the old key, or there's a key synchronization issue.
How to Fix
Delete the device's Windows Hello keys in Entra admin center → Devices. Have the user re-register Windows Hello. For Hybrid scenarios, check WHfB provisioning via GPO/Intune. Run dsregcmd /status on the device.
tags: windows hello, ngc, device, passwordless, key
AADSTS530003
Non-Compliant Device Blocked by CA
A Conditional Access policy requires a compliant device, but the device is not compliant.
Common Cause
The device isn't enrolled in Intune or fails a compliance policy (OS version, encryption, etc.).
How to Fix
Enroll device in Intune. Check compliance status in Intune admin center → Devices. Review which compliance policy fails. Force sync and allow time for compliance evaluation (up to 8 hours).
tags: conditional access, compliance, intune, device
AADSTS700016
Application Not Found in Tenant
The application with the specified client ID was not found in the target tenant.
Common Cause
The app ID (client ID) is wrong, deleted, or registered in a different tenant.
How to Fix
Verify client_id matches the App Registration. Check you're authenticating against the correct tenant. For multi-tenant apps, ensure multi-tenant access is configured.
tags: app registration, client id, tenant, authentication
AADSTS700027
Invalid Client Assertion - JWT Validation Failed
The client assertion (JWT token) used for client credential authentication failed validation.
Common Cause
The JWT assertion is expired, has the wrong audience, is signed with the wrong key, or the certificate has expired.
How to Fix
Verify the certificate used for signing matches the one uploaded to App Registration → Certificates. Check the JWT's aud, iss, exp, and nbf claims. Ensure the clock on the signing server is accurate.
tags: jwt, client assertion, certificate, service principal, authentication