M365 & Azure Error Code Lookup

155 error codes across 15 services. NDR bounce codes, AADSTS errors, Intune failures, Azure deployment issues — with plain-English causes and fixes.

Active Directory (7)

0x800704DC

Group Nesting Limit Exceeded

The user is a member of too many security groups, exceeding the Kerberos token size limit.

Common Cause
Users in many nested groups can exceed the MaxTokenSize (default 12,000 bytes). Very common in large enterprises with complex group structures.
How to Fix
Reduce group memberships. Increase MaxTokenSize via registry (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize) up to 65535. Review and clean up redundant group memberships.
tags: kerberos, token size, groups, nesting, active directory
KDC_ERR_S_PRINCIPAL_UNKNOWN

Kerberos - SPN Not Found

The Service Principal Name (SPN) for the target service was not found in Active Directory.

Common Cause
The SPN is not registered, is registered on the wrong account, or there are duplicate SPNs.
How to Fix
Check SPNs with setspn -Q <SPN>. Register the SPN: setspn -S <SPN> <account>. Check for duplicates: setspn -X. Ensure the service account is correct.
tags: kerberos, spn, authentication, service account
KDC_ERR_PREAUTH_FAILED

Kerberos Pre-Authentication Failed

Kerberos pre-authentication failed - typically an incorrect password.

Common Cause
Wrong password, clock skew between client and DC exceeds 5 minutes, or the encryption type is not supported.
How to Fix
Verify the password. Check time sync (w32tm /stripchart /computer:<DC>). Ensure supported encryption types (AES256) are enabled on the account and DC. Check the account's supported encryption types attribute.
tags: kerberos, pre-auth, password, clock skew, encryption
0x80090325

LDAP/TLS - Certificate Trust Error

The LDAP connection over TLS failed because the server certificate is not trusted.

Common Cause
The DC's LDAPS certificate is self-signed, expired, or issued by a CA not trusted by the client.
How to Fix
Install a valid TLS certificate on the DC from a trusted CA. If using internal PKI, ensure the root CA certificate is distributed to all clients via GPO. Check certificate validity dates.
tags: ldap, tls, certificate, trust, pki
0x80005000

ADSI - Unknown COM Error

An unspecified ADSI (Active Directory Service Interface) COM error occurred.

Common Cause
Common in PowerShell or .NET code when the LDAP path is wrong, the DC is unreachable, or the ADSI query syntax is invalid.
How to Fix
Verify the LDAP path syntax (LDAP://DC=domain,DC=com). Check DC connectivity. If in PowerShell, use Get-ADUser instead of [ADSI]. Verify the user running the script has AD read permissions.
tags: adsi, ldap, powershell, com, scripting
8453

AD Replication - Access Denied

AD replication failed with access denied between domain controllers.

Common Cause
The replication service account or computer account lacks the required permissions for replication.
How to Fix
Run repadmin /showrepl to identify the failing DC. Reset the computer account password if needed. Check NTDS Settings permissions. Verify the KCC has appropriate permissions. Run dcdiag /test:replications.
tags: replication, domain controller, permissions, dcdiag
1396

Logon Failure - Mutual Auth Failed

Logon failure: the target account name is incorrect, or mutual authentication failed.

Common Cause
SPN mismatch, duplicate SPNs, or the target server's computer account password is out of sync with AD.
How to Fix
Reset the computer account: netdom resetpwd /server:<DC>. Check for SPN duplicates with setspn -X. Verify the target server's secure channel: nltest /sc_verify:domain.com.
tags: logon, spn, mutual auth, computer account, secure channel

Azure (13)

AuthorizationFailed

RBAC Authorization Failed

The client lacks authorization for the requested action on the Azure resource.

Common Cause
Missing RBAC role assignment for the target resource, resource group, or subscription.
How to Fix
Check role assignments: Resource → Access control (IAM). Assign appropriate role. For service principals, verify app role assignments. Audit with az role assignment list.
tags: rbac, permissions, iam, service principal
SkuNotAvailable

VM SKU Not Available

The requested VM size is not available in the specified region.

Common Cause
Capacity constraints in the region or SKU not offered there.
How to Fix
Check: az vm list-skus --location <region>. Try different size or region. Request quota increase. Consider Spot VMs for non-critical workloads.
tags: vm, sku, region, quota, capacity
OperationNotAllowed

Subscription Quota Exceeded

The operation would exceed the subscription's resource quota.

Common Cause
Hit maximum resources (VMs, cores, IPs) for the region.
How to Fix
Check usage: Subscriptions → Usage + quotas. Request increase via support ticket. Delete unused resources. Deploy to different region.
tags: quota, subscription, cores, limit
DeploymentFailed

ARM/Bicep Deployment Failed

An Azure Resource Manager deployment failed.

Common Cause
Naming conflicts, missing dependencies, invalid parameters, or unregistered resource provider.
How to Fix
Check deployment details in Resource Group → Deployments. Validate with az deployment group validate. Register resource providers. Check naming rules.
tags: arm, bicep, deployment, template, iac
ResourceGroupBeingDeleted

Resource Group Deletion in Progress

Cannot operate on the resource group - deletion is in progress.

Common Cause
Delete initiated and still running. Resources with soft delete can slow this.
How to Fix
Wait for completion. Check for deletion locks or soft delete. Monitor with az group show.
tags: resource group, deletion, lock, key vault
Conflict

Resource Conflict - Already Exists

The resource already exists and cannot be created again with the same name.

Common Cause
Attempting to create a resource with a name that's already taken (globally unique names for storage accounts, key vaults, etc.).
How to Fix
Choose a different name. Check if the existing resource is yours (may be in a different resource group). For soft-deleted resources (Key Vault), purge the old one first.
tags: naming, conflict, exists, unique
InvalidParameter

Invalid Parameter Value

One or more parameter values in the request are invalid.

Common Cause
The ARM/Bicep template or API call contains a parameter with an invalid value, format, or type.
How to Fix
Check the error details for the specific parameter. Validate parameter types and allowed values against the resource provider documentation. Use az deployment group validate to catch issues before deploying.
tags: parameter, validation, arm, api
MissingRegistrationForType

Resource Provider Not Registered

The subscription is not registered for the resource provider required by this resource type.

Common Cause
The Azure subscription hasn't registered the resource provider (e.g., Microsoft.Compute, Microsoft.Network).
How to Fix
Register the provider: az provider register --namespace Microsoft.xxx. Check status: az provider show --namespace Microsoft.xxx. Some providers require additional steps or agreements.
tags: resource provider, registration, subscription
PublicIPCountLimitReached

Public IP Quota Reached

The subscription has reached the maximum number of public IP addresses in this region.

Common Cause
Public IP address quota exhausted for the region (default varies by subscription type).
How to Fix
Delete unused public IPs. Request a quota increase via Azure Portal → Help + Support. Consider using Azure NAT Gateway to reduce public IP usage.
tags: public ip, quota, networking, limit
OSProvisioningTimedOut

VM Provisioning Timed Out

The VM operating system did not report ready within the expected timeframe.

Common Cause
The VM OS took too long to boot and report to Azure fabric. Common with custom images, large VMs, or images with long first-boot scripts.
How to Fix
Check boot diagnostics in VM → Support + troubleshooting → Boot diagnostics. Verify the Azure Guest Agent is installed and running in the image. Simplify first-boot scripts. Try a different VM size or region.
tags: vm, provisioning, timeout, boot, guest agent
AllocationFailed

VM Allocation Failed

Azure could not allocate the requested VM resources in the specified region/zone.

Common Cause
No physical capacity available for the requested VM size in the target datacenter cluster.
How to Fix
Try a different VM size. Deploy to a different availability zone or region. Stop-deallocate and restart the VM. For availability sets, deploy all VMs at the same time. Try again later during off-peak hours.
tags: vm, allocation, capacity, availability zone
NetworkSecurityGroupCannotBeAttached

NSG Attachment Error

The network security group cannot be attached to the specified subnet or NIC.

Common Cause
Conflicting NSG rules, the NSG is in a different region than the target resource, or service endpoint policies conflict.
How to Fix
Verify the NSG is in the same region as the VNet/NIC. Check for conflicting application security groups. Review service endpoint policies. Detach existing NSG before attaching new one if required.
tags: nsg, networking, subnet, security
StorageAccountAlreadyTaken

Storage Account Name Taken

The storage account name is already in use globally.

Common Cause
Azure storage account names must be globally unique across all Azure customers.
How to Fix
Choose a different name. Names must be 3-24 chars, lowercase letters and numbers only. Consider adding a random suffix or abbreviation to ensure uniqueness.
tags: storage, naming, unique, global

Defender for Endpoint (2)

SenseClientConnectionError

MDE Sensor - Cannot Connect

The Defender for Endpoint sensor cannot establish a connection to the cloud service.

Common Cause
Network connectivity issues, proxy misconfiguration, SSL inspection interfering, or the device isn't properly onboarded.
How to Fix
Run the MDE Client Analyzer tool (MDEClientAnalyzer.cmd). Verify connectivity to *.securitycenter.windows.com and *.ods.opinsights.azure.com. Check proxy settings. Re-run the onboarding script if needed.
tags: defender, sensor, connectivity, onboarding, endpoint
SenseServiceNotStarted

MDE Sense Service Not Running

The Microsoft Defender for Endpoint service (MsSense) is not started on the device.

Common Cause
The service crashed, was disabled, or failed to start due to a dependency. Common after OS updates or policy conflicts.
How to Fix
Start the service: sc start MsSense. Check Event Viewer for errors. Verify the service startup type is Automatic. Re-onboard the device if the service won't start. Check for Group Policy or Intune policies that might be disabling it.
tags: defender, service, sense, onboarding, endpoint

Entra Connect (7)

8344

Sync - Insufficient Access Rights

Entra Connect doesn't have permissions to read/write an AD attribute.

Common Cause
The MSOL/AAD service account lacks required ACLs on the target OU.
How to Fix
Re-run the Entra Connect wizard to configure permissions. Or manually grant ACLs on the OU. Check for inheritance-blocked OUs. Use ADSIEdit to verify effective permissions.
tags: directory sync, permissions, active directory, hybrid
InvalidSoftMatch

Sync - Soft Match Failed

Couldn't match an on-premises object with a cloud object.

Common Cause
proxyAddresses or UPN don't match between on-prem and cloud objects.
How to Fix
Ensure UPN or primary SMTP matches. Use Set-MsolUserPrincipalName if needed. Delete cloud object and let sync recreate it. Check for duplicate attribute conflicts.
tags: directory sync, soft match, hybrid, upn, smtp
AttributeValueMustBeUnique

Sync - Duplicate Attribute Conflict

An attribute value already exists on another directory object.

Common Cause
Duplicate email, UPN, or proxyAddress across on-prem AD or Entra ID.
How to Fix
Run IdFix tool. Check both directories for the conflicting value. Remove or change the duplicate. Review the sync error in Synchronization Service Manager.
tags: directory sync, duplicate, attribute conflict, idfix
LargeObject

Sync - Object Exceeds Size Limit

The directory object has too many attribute values and exceeds Entra ID limits.

Common Cause
A user or group has too many proxyAddresses, group memberships, or other multi-valued attributes (e.g., more than 1500 group memberships).
How to Fix
Reduce the number of values on the object. For groups, consider nested groups. For proxyAddresses, remove unused aliases. Check the specific attribute in the sync error details.
tags: directory sync, large object, attribute, limit
DataValidationFailed

Sync - Data Validation Error

An attribute value failed validation against Entra ID schema requirements.

Common Cause
The attribute value contains characters or formats not allowed by Entra ID (e.g., spaces in UPN, invalid email format, disallowed characters).
How to Fix
Run IdFix to identify and fix invalid attributes. Common issues: spaces in UPN, invalid characters in display name, malformed email addresses. Fix in on-premises AD and let sync propagate.
tags: directory sync, validation, schema, idfix
FederatedDomainChangeError

Sync - Cannot Change Federated Domain UPN

Cannot change a user's UPN to a different federated domain during sync.

Common Cause
Entra Connect attempted to change a user's UPN suffix to a domain that uses a different federation configuration.
How to Fix
Change the UPN suffix in on-premises AD to the correct target domain. If switching federation, update the domain federation settings first. Consider converting the domain to managed before changing UPNs.
tags: directory sync, federation, upn, domain change
PasswordSyncError

Password Hash Sync Failed

Entra Connect failed to synchronize password hashes from on-premises AD.

Common Cause
The password hash sync agent can't reach a domain controller, the MSOL account permissions changed, or the DC doesn't support the required encryption.
How to Fix
Restart the ADSync service. Check the password sync status: Get-ADSyncAADPasswordSyncConfiguration. Verify MSOL account permissions. Ensure DCs support TLS 1.2. Check event logs for specific PHS errors.
tags: password hash sync, phs, directory sync, domain controller

Entra ID (55)

AADSTS16000

Multiple Users Matched Selection

Multiple user accounts matched the sign-in criteria, causing ambiguity in user selection.

Common Cause
The username matches multiple accounts across federated identity providers or linked directories.
How to Fix
Use the full UPN (user@domain.com) instead of an alias. Check for duplicate accounts across identity sources. Review federation configuration for conflicting claims mappings.
tags: authentication, federation, duplicate, upn
AADSTS20001

WS-Federation Sign-In Error

The federated identity provider returned an error during WS-Fed sign-in.

Common Cause
The federated IDP (AD FS, Okta, PingFederate) encountered an error processing the sign-in request. Federation metadata may be stale.
How to Fix
Check the federated IDP logs for the detailed error. Update federation metadata in Entra ID (Update-MgDomainFederationConfiguration). Verify the federation endpoint is reachable and the signing certificate is valid.
tags: federation, ws-fed, adfs, idp
AADSTS20012

Federation Configuration Error

There is an issue with the federation configuration for the specified domain.

Common Cause
The domain's federation metadata is invalid, expired, or unreachable. Common after AD FS certificate rotation without updating Entra ID.
How to Fix
Re-run Update-MgDomainFederationConfiguration for the affected domain. Verify AD FS metadata endpoint is accessible. Check token-signing certificates haven't expired. Consider migrating to managed authentication.
tags: federation, adfs, metadata, certificate
AADSTS50001

Resource Not Found in Tenant

The app is trying to access a resource that is not registered in the target tenant.

Common Cause
The resource identifier (API) the app is requesting access to doesn't exist in the specified tenant. Tenant ID may be wrong.
How to Fix
Verify the resource identifier/scope in the authentication request. Ensure the API app registration exists in the target tenant. For Microsoft APIs, verify the tenant has the required licenses. Check the authority URL uses the correct tenant ID.
tags: authentication, resource, tenant, api, scope
AADSTS50005

Auth Code Already Redeemed

The authorization code has already been used to obtain a token and cannot be reused.

Common Cause
Authorization codes are single-use. The app attempted to exchange the same code twice, often due to retry logic or race conditions.
How to Fix
Review app code for duplicate token requests. Implement proper token caching so the app reuses the access token rather than re-exchanging the code. Check for concurrent requests from the same session.
tags: oauth, auth code, token, retry
AADSTS50008

SAML Assertion Missing or Invalid

The SAML assertion is missing from the token request or its format is invalid.

Common Cause
The identity provider didn't include a valid SAML assertion, the assertion expired, or the XML is malformed.
How to Fix
Check the SAML response from the IDP using a SAML decoder (base64decode.org or browser extensions). Verify the assertion's NotBefore/NotOnOrAfter timestamps. Ensure clock sync between IDP and Entra ID.
tags: saml, federation, assertion, xml
AADSTS50011

Reply URL Mismatch

The reply URL specified in the request does not match any reply URL configured for the application.

Common Cause
The redirect URI doesn't match the app registration. Common after changing environments or app URLs.
How to Fix
Go to Entra ID → App Registrations → your app → Authentication. Add or correct the Redirect URI to match exactly (including http vs https, trailing slashes, ports).
tags: authentication, oauth, app registration, redirect, uri
AADSTS50012

Authentication Failed - Invalid Credentials

Authentication failed due to invalid credentials. This is a generic credential failure.

Common Cause
Wrong password, expired credentials, or the authentication method failed. For service principals, the client secret or certificate may be invalid.
How to Fix
Reset the user's password. For service principals, verify the client secret hasn't expired (check App Registration → Certificates & secrets). Generate a new secret if expired. Check for special characters in passwords that might need URL encoding.
tags: authentication, credentials, password, service principal, client secret
AADSTS50013

Assertion Audience Mismatch

The audience claim in the SAML assertion doesn't match the expected audience for the application.

Common Cause
The IDP is sending a SAML assertion intended for a different application or entity ID. The SAML relying party configuration is wrong.
How to Fix
Check the SAML assertion's Audience field matches the Application ID URI in Entra ID. Update the IDP's relying party trust to use the correct entity ID. Verify the SAML configuration in the Enterprise Application.
tags: saml, audience, assertion, entity id, federation
AADSTS50017

Certificate Validation Failed

The signing certificate could not be validated - it may be expired, revoked, or from an untrusted issuer.

Common Cause
The token-signing certificate from the federated IDP is expired, not in the trusted certificate list, or the certificate chain is incomplete.
How to Fix
Update the federation certificate in Entra ID. For AD FS, run Update-AdfsCertificate and then update the federation trust. Check certificate expiration dates. Ensure the full certificate chain is available.
tags: certificate, federation, signing, trust, adfs
AADSTS50020

User From External IDP Not in Tenant

The user account from the identity provider does not exist in this tenant.

Common Cause
A guest/external user account hasn't been created in the tenant. B2B invitation is missing or the user is trying to access the wrong tenant.
How to Fix
Invite the user via B2B: Entra ID → Users → New guest user. Verify the user is signing into the correct tenant. Check cross-tenant access settings if this is a B2B scenario.
tags: guest, b2b, external, tenant, invitation
AADSTS50034

User Account Does Not Exist

The specified user account was not found in the Entra ID directory.

Common Cause
The username/UPN doesn't match any account. The user may be mistyping their email, the account was deleted, or they're using the wrong tenant.
How to Fix
Verify the UPN is correct. Check if the account exists in Entra admin center → Users. Check the Deleted Users list if recently removed. For B2B, confirm the guest invitation was accepted.
tags: authentication, user, account, upn, deleted
AADSTS50053

Account Locked - Smart Lockout

The account has been locked after too many failed sign-in attempts.

Common Cause
Entra ID Smart Lockout triggered after multiple failed attempts. Protects against brute-force attacks.
How to Fix
Wait for lockout period to expire (default 60 seconds). Check sign-in logs for the source of failures. Customize lockout thresholds in Entra ID → Security → Authentication methods → Password protection.
tags: lockout, password, brute force, smart lockout, security
AADSTS50055

Password Expired

The user's password has expired and must be changed.

Common Cause
Password expiration policy reached. Synced from on-premises AD or Entra ID password policy.
How to Fix
User resets at https://passwordreset.microsoftonline.com. Admin can reset in Entra admin center. Consider disabling periodic expiration in favor of MFA per Microsoft recommendations.
tags: password, expiration, sspr, reset
AADSTS50056

Invalid or Null Password

The user account exists but does not have a password set in Entra ID.

Common Cause
The user was created without a password, or the password hash hasn't synced from on-premises AD.
How to Fix
Set a password for the user in Entra admin center. If synced from on-prem, verify Entra Connect password hash sync is working. Run a delta sync: Start-ADSyncSyncCycle -PolicyType Delta.
tags: password, sync, entra connect, hash sync
AADSTS50057

User Account Disabled

The user account has been disabled by an administrator.

Common Cause
The account is disabled in Entra ID or in on-premises AD (and synced). Common for terminated employees or suspended accounts.
How to Fix
Enable the account in Entra admin center → Users → select user → Properties → Account enabled. If synced from on-prem, enable in AD and wait for sync. Check if this was an intentional disable.
tags: disabled, account, blocked, terminated
AADSTS50058

Silent Sign-In Failed

A silent sign-in request was sent but no user session exists. The user needs to sign in interactively.

Common Cause
The browser session cookie expired, was cleared, or the app tried SSO but no active session exists. Common in iframe/popup-based auth.
How to Fix
Trigger an interactive sign-in instead of silent. In MSAL, catch this error and call acquireTokenRedirect or acquireTokenPopup. Check third-party cookie settings if using iframes (SameSite restrictions).
tags: sso, silent, session, cookie, msal
AADSTS50059

No Tenant Identification in Request

Tenant identification was not found in the request and could not be inferred from the credentials.

Common Cause
The authority URL uses /common or /organizations but the request context doesn't indicate which tenant. The user's UPN domain isn't associated with a tenant.
How to Fix
Use a tenant-specific authority URL (/tenantid/ or /domain.com/) instead of /common. Ensure the user types their full UPN including the domain. Check that the domain is verified in at least one tenant.
tags: tenant, authority, common, authentication
AADSTS50072

User Must Enroll for MFA

The user needs to register for multi-factor authentication to satisfy the MFA requirement.

Common Cause
MFA is required (by security defaults, Conditional Access, or per-user MFA) but the user hasn't registered any MFA methods.
How to Fix
User should register at https://aka.ms/mfasetup. Admin can pre-provision phone numbers. Check which MFA methods are enabled in Authentication methods policy. Ensure the user isn't blocked from registration by a Conditional Access policy.
tags: mfa, enrollment, registration, security defaults
AADSTS50074

Strong Authentication Required - MFA Challenge

The user passed primary authentication but must complete a strong authentication (MFA) challenge.

Common Cause
MFA is required by Conditional Access, security defaults, or per-user settings. The user needs to complete the second factor.
How to Fix
User completes the MFA challenge (authenticator app, phone call, SMS, FIDO2 key). If the user is stuck, check their registered methods. Verify the Authenticator app is properly configured. Check for number matching requirements.
tags: mfa, strong auth, conditional access, second factor
AADSTS50076

Conditional Access - MFA Required

A Conditional Access policy requires MFA but the user hasn't completed the MFA challenge.

Common Cause
A Conditional Access policy matched and requires MFA. User hasn't registered or MFA method unavailable.
How to Fix
User registers at https://aka.ms/mfasetup. Check which CA policy triggered in Sign-in logs → Conditional Access tab. Ensure user has a working MFA method.
tags: mfa, conditional access, authentication, policy
AADSTS50079

MFA Required - Per-User MFA Enforcement

Per-user MFA enforcement requires the user to complete MFA, but they haven't satisfied the challenge.

Common Cause
Per-user MFA (legacy) is enabled for this user, requiring MFA at every sign-in. Different from Conditional Access-based MFA.
How to Fix
Complete MFA. Consider migrating from per-user MFA to Conditional Access-based MFA for more granular control. Check the per-user MFA portal: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx.
tags: mfa, per-user, legacy, enforcement
AADSTS50097

Device Authentication Required

The sign-in requires device-level authentication but the device is not enrolled or registered.

Common Cause
A Conditional Access policy requires a device claim (Entra registered, Entra joined, or Hybrid joined), and the device doesn't meet the requirement.
How to Fix
Register or join the device with Entra ID. For Windows: Settings → Accounts → Access work or school → Join. For Hybrid Join, verify Entra Connect device sync. Check the policy's device conditions.
tags: device, authentication, conditional access, enrollment, hybrid join
AADSTS50105

User Not Assigned to Application

The user is not assigned a role for the application and 'User assignment required' is enabled.

Common Cause
The Enterprise App requires explicit user/group assignment. The user hasn't been added.
How to Fix
Entra ID → Enterprise Apps → your app → Users and groups → Add user/group. Or disable 'User assignment required' under Properties if all users should have access.
tags: app assignment, enterprise app, role, access
AADSTS50126

Invalid Username or Password

The username or password provided is incorrect.

Common Cause
Wrong password, account exists in a different tenant, or the UPN doesn't match (common with email vs UPN mismatches).
How to Fix
Verify the password. Check if the user's email differs from their UPN. Try signing in at https://myaccount.microsoft.com. Reset password if needed. Check Entra Connect for UPN sync issues.
tags: authentication, password, invalid, upn
AADSTS50128

Invalid Tenant Domain Name

The domain name in the request is not a valid tenant domain.

Common Cause
The tenant name or domain in the authority URL is misspelled or doesn't exist.
How to Fix
Verify the tenant domain or GUID in the authority URL. Check that the domain is verified in Entra admin center → Custom domain names. Common typo issue.
tags: tenant, domain, authority, configuration
AADSTS50131

Conditional Access - Device State Required

A Conditional Access policy requires a specific device state that is not met.

Common Cause
The policy requires the device to be compliant, Hybrid Entra ID joined, or marked as approved, and the current device fails this check.
How to Fix
Enroll the device in Intune for compliance. Join to Entra ID or Hybrid Join. Check device status: dsregcmd /status. Review Conditional Access policy grant controls.
tags: conditional access, device, compliance, hybrid join, intune
AADSTS50132

Session Revoked - Password or MFA Change

The user's session has been revoked, typically because their password was changed or MFA settings were modified.

Common Cause
An admin revoked sessions, the user's password was reset, or the Continuous Access Evaluation (CAE) policy detected a critical event.
How to Fix
User signs in again with new credentials. This is expected behavior after password resets or security events. If unexpected, check audit logs for who initiated the revocation.
tags: session, revoked, password reset, cae, security
AADSTS50133

Session Expired - Max Age Exceeded

The session has expired because it exceeded the maximum session lifetime configured in the sign-in frequency policy.

Common Cause
Conditional Access sign-in frequency policy requires re-authentication. The token's max age has been reached.
How to Fix
User signs in again. This is expected behavior. Review the Conditional Access sign-in frequency setting if it's too aggressive. Check token lifetime policies.
tags: session, expired, token, sign-in frequency, conditional access
AADSTS50140

Keep Me Signed In Interrupt

The user was interrupted by the 'Stay signed in?' prompt during sign-in.

Common Cause
The KMSI (Keep Me Signed In) prompt was shown. This is an informational interrupt, not an error, but some apps don't handle the interrupt flow.
How to Fix
User can dismiss by choosing Yes or No. Admins can disable the KMSI prompt in Entra ID → Company Branding → Sign-in page settings. Apps should handle interrupt flows properly.
tags: kmsi, stay signed in, interrupt, branding
AADSTS50144

On-Premises AD Password Expired

The user's Active Directory password has expired and must be changed on-premises.

Common Cause
The on-premises AD account password expired. With password hash sync, the cloud account reflects the on-prem expiration.
How to Fix
Change password on-premises (Ctrl+Alt+Del → Change password, or via corporate password portal). If SSPR is enabled, use https://passwordreset.microsoftonline.com with password writeback. Wait for sync to complete.
tags: password, expired, on-premises, ad, writeback, sspr
AADSTS50158

External Security Challenge Required

An external authentication method or security challenge is required and was not satisfied.

Common Cause
A Conditional Access policy or authentication method requires an external MFA provider (e.g., Duo, RSA) and the challenge wasn't completed.
How to Fix
Complete the external MFA challenge. Verify the external auth provider integration is working. Check Entra ID → External authentication methods configuration. Test the external provider's endpoint.
tags: mfa, external, authentication, third party, duo
AADSTS50173

Fresh Credential Required

The session requires fresh credentials - the user must re-authenticate even if a session exists.

Common Cause
Continuous Access Evaluation (CAE) detected a security event, or an admin action requires immediate re-authentication. Also triggered by Conditional Access auth strength policies.
How to Fix
User signs in again with current credentials. Check audit logs for the trigger event. If frequent, review CAE configuration and Conditional Access session controls.
tags: reauthentication, fresh, cae, security, session
AADSTS50196

Infinite Loop Detected

Entra ID detected an infinite loop between itself and the federated identity provider.

Common Cause
A misconfiguration causes the auth request to bounce between Entra ID and the federated IDP (AD FS, Okta, etc.) endlessly.
How to Fix
Check federation configuration for the domain. Verify the IDP's relying party trust is correctly configured. Ensure the IDP isn't redirecting back to Entra ID without processing the request. Check for conflicting Claims rules.
tags: federation, loop, adfs, idp, redirect
AADSTS51004

User Account Not in Directory

The user account does not exist in the specified directory/tenant.

Common Cause
The user is trying to access a resource in a tenant where their account doesn't exist. Wrong tenant or the account was never created.
How to Fix
Verify the user exists in the target tenant. Check the authority URL points to the correct tenant. For guest access, ensure a B2B invitation was sent and accepted.
tags: account, tenant, directory, not found
AADSTS53003

Conditional Access - Access Blocked

Access was blocked by a Conditional Access policy - the user didn't satisfy the grant controls.

Common Cause
A CA policy matched and the user didn't meet the requirements (MFA, compliant device, location, etc.).
How to Fix
Check Sign-in logs → the sign-in → Conditional Access tab to see which policy and why. Verify the user can meet the grant controls. Common fixes: register MFA, enroll device, connect to approved network.
tags: conditional access, blocked, policy, sign-in, grant controls
AADSTS65001

Consent Not Granted

The user or admin has not consented to the application's requested permissions.

Common Cause
The app needs permissions requiring admin consent, or user consent is disabled tenant-wide.
How to Fix
Admin grants consent: Entra ID → Enterprise Apps → your app → Permissions → Grant admin consent. Or configure Admin consent workflow so users can request access.
tags: consent, permissions, admin consent, oauth
AADSTS65004

User Declined Consent

The user explicitly declined to grant consent to the application's permission request.

Common Cause
The user clicked 'Cancel' or 'Deny' on the consent prompt.
How to Fix
User can try again and accept the consent. If the app requires permissions the user is uncomfortable with, review the permissions and determine if they're appropriate. Admin can grant consent on behalf of users.
tags: consent, declined, permissions, user
AADSTS70000

Invalid Grant - Token Request Failed

The token request failed because the grant (auth code or refresh token) is invalid.

Common Cause
The authorization code or refresh token is expired, revoked, was issued to a different client, or has already been used.
How to Fix
Restart the sign-in flow to get a new auth code. Check token expiration. For refresh tokens, verify the app's refresh token lifecycle settings. Ensure the client ID matches the original grant.
tags: oauth, token, grant, refresh token, expired
AADSTS70001

Application Deleted or Disabled

The application registration has been deleted or is disabled in the tenant.

Common Cause
The app was removed from App Registrations, or the Enterprise Application was disabled.
How to Fix
Check Entra ID → App Registrations (include deleted). Restore from deleted apps if within the 30-day recovery window. Re-register the app if permanently deleted. Check Enterprise App → Properties → Enabled.
tags: app registration, deleted, disabled, restore
AADSTS70002

Invalid Client Credentials

The client credentials (client secret or certificate) provided are invalid.

Common Cause
The client secret is wrong, expired, or the client certificate doesn't match. Secrets expire after the configured lifetime (default up to 2 years).
How to Fix
Check App Registration → Certificates & secrets for expiration dates. Generate a new client secret and update the application configuration. For certificates, verify the thumbprint matches.
tags: authentication, client secret, certificate, service principal, expired
AADSTS70008

Auth Code or Refresh Token Expired

The authorization code or refresh token has expired and can no longer be exchanged for an access token.

Common Cause
Auth codes expire in 10 minutes. Refresh tokens expire based on policy (default 90 days inactive, 24 hours for single-page apps).
How to Fix
Re-initiate the sign-in flow for a new auth code. For refresh tokens, the user needs to sign in interactively again. Review token lifetime policies if tokens expire too quickly.
tags: oauth, token, expired, refresh token, auth code
AADSTS70011

Invalid Scope Requested

The scope requested by the application is invalid or has been removed.

Common Cause
The app is requesting a permission scope that doesn't exist, is misspelled, or was revoked.
How to Fix
Check the scope strings in your app code. Compare against the API's published scopes (e.g., Microsoft Graph permissions list). Update API permissions in the app registration.
tags: oauth, scope, permissions, graph api
AADSTS75011

Authentication Method Mismatch

The authentication method used doesn't match what was expected by the application or policy.

Common Cause
The app expects a specific auth method (e.g., certificate-based) but the user authenticated with a different method (e.g., password).
How to Fix
Check the app's authentication requirements. Review Conditional Access authentication strength policies. Ensure the user's registered auth methods include what the app/policy requires.
tags: authentication, method, auth strength, certificate
AADSTS80001

Pass-Through Auth Agent Connection Failed

The PTA agent cannot connect to Entra ID, causing pass-through authentication to fail.

Common Cause
The PTA agent on-premises cannot reach the Entra ID endpoints. Network issues, proxy misconfiguration, or the PTA agent service is stopped.
How to Fix
Verify the PTA agent service is running on the server. Check outbound connectivity to *.msappproxy.net on port 443. Review proxy settings. Install additional PTA agents for redundancy. Check agent status in Entra admin center → Connect Health.
tags: pta, pass-through, authentication, agent, hybrid, connectivity
AADSTS80007

Pass-Through Auth Agent Error

The PTA agent encountered an error while validating credentials against on-premises AD.

Common Cause
The PTA agent cannot communicate with a domain controller, the DC is unreachable, or there are Kerberos/NTLM issues.
How to Fix
Verify domain controllers are reachable from the PTA agent server. Check AD connectivity and DNS resolution. Review Windows Event logs on the PTA agent server. Ensure the PTA agent service account has appropriate permissions.
tags: pta, agent, domain controller, authentication, hybrid
AADSTS80010

PTA - Password Validation Failed

The on-premises domain controller rejected the password via the Pass-Through Authentication agent.

Common Cause
Wrong password, account locked in on-premises AD, or password policy requirements not met.
How to Fix
Verify the password against on-premises AD. Check for on-prem account lockouts. Review AD password policies. Check if the user's AD account has 'must change password at next logon' set.
tags: pta, password, on-premises, lockout, domain controller
AADSTS90002

Tenant Not Found

The specified tenant ID or domain name does not correspond to any existing Entra ID tenant.

Common Cause
The tenant ID/domain in the authority URL is wrong, the tenant was deleted, or DNS isn't configured.
How to Fix
Verify the tenant GUID or domain. Check at https://login.microsoftonline.com/<tenantId>/.well-known/openid-configuration. If recently created, allow time for propagation.
tags: tenant, not found, authority, configuration
AADSTS90072

User Account Type Mismatch

A personal account was used where a work/school account is required, or vice versa.

Common Cause
The authority endpoint doesn't match the account type (/organizations vs /consumers vs /common).
How to Fix
Use the correct authority: /organizations for work/school, /consumers for personal, /common for both. Update the authority URL in app configuration.
tags: tenant, personal, work account, authority, endpoint
AADSTS90100

Invalid Request Parameter

A required parameter is missing or invalid in the authentication request.

Common Cause
The app's auth request URL is malformed - missing client_id, redirect_uri, response_type, or other required parameters.
How to Fix
Review the OAuth/OIDC request parameters. Verify client_id, redirect_uri, scope, and response_type are all present and correctly formatted. Test with Microsoft Graph Explorer or Postman.
tags: oauth, parameter, request, malformed
AADSTS120000

Password Change Failed

The password change request failed - the new password doesn't meet complexity requirements.

Common Cause
The new password doesn't meet on-premises AD or Entra ID password policy requirements (length, complexity, history, banned passwords).
How to Fix
Choose a stronger password meeting all policy requirements. Check Entra ID → Security → Authentication methods → Password protection for banned password lists. Review on-premises AD fine-grained password policies.
tags: password, change, complexity, policy, banned passwords
AADSTS130004

NGC Device Not Found

The Windows Hello for Business (NGC) device key is not found or has been removed.

Common Cause
The device's Windows Hello key was deleted from Entra ID, the device was re-imaged without removing the old key, or there's a key synchronization issue.
How to Fix
Delete the device's Windows Hello keys in Entra admin center → Devices. Have the user re-register Windows Hello. For Hybrid scenarios, check WHfB provisioning via GPO/Intune. Run dsregcmd /status on the device.
tags: windows hello, ngc, device, passwordless, key
AADSTS530003

Non-Compliant Device Blocked by CA

A Conditional Access policy requires a compliant device, but the device is not compliant.

Common Cause
The device isn't enrolled in Intune or fails a compliance policy (OS version, encryption, etc.).
How to Fix
Enroll device in Intune. Check compliance status in Intune admin center → Devices. Review which compliance policy fails. Force sync and allow time for compliance evaluation (up to 8 hours).
tags: conditional access, compliance, intune, device
AADSTS700016

Application Not Found in Tenant

The application with the specified client ID was not found in the target tenant.

Common Cause
The app ID (client ID) is wrong, deleted, or registered in a different tenant.
How to Fix
Verify client_id matches the App Registration. Check you're authenticating against the correct tenant. For multi-tenant apps, ensure multi-tenant access is configured.
tags: app registration, client id, tenant, authentication
AADSTS700027

Invalid Client Assertion - JWT Validation Failed

The client assertion (JWT token) used for client credential authentication failed validation.

Common Cause
The JWT assertion is expired, has the wrong audience, is signed with the wrong key, or the certificate has expired.
How to Fix
Verify the certificate used for signing matches the one uploaded to App Registration → Certificates. Check the JWT's aud, iss, exp, and nbf claims. Ensure the clock on the signing server is accurate.
tags: jwt, client assertion, certificate, service principal, authentication

Exchange Online (32)

4.4.7

Message Delayed - Server Unreachable

The message has been queued because the destination mail server is unreachable or not responding within the timeout period.

Common Cause
The remote server is down, DNS resolution failed for the destination, network path is blocked, or TLS negotiation is failing. Also common during large-scale Microsoft outages.
How to Fix
Check the destination domain's MX records with nslookup. Verify the remote server is online. Check for TLS certificate issues on the receiving server. Monitor message trace in Exchange admin center - the message will auto-retry for up to 24-48 hours before generating a final NDR.
tags: ndr, mail flow, timeout, dns, queue
4.4.316

Connection Limit Exceeded - TTL Expired

The message expired in the transport queue because it exceeded the maximum retry time.

Common Cause
The remote server was unreachable for the entire retry period (default 24-48 hours). The message sat in queue until it timed out.
How to Fix
Investigate why the destination was unreachable for the full queue lifetime. Check remote MX availability, firewall rules, and connector configuration. For hybrid setups, verify the on-premises server was online and the hybrid connector was functional.
tags: ndr, queue, timeout, expired, hybrid
5.0.350

Remote Server Returned Generic Error

The remote mail server returned an unspecified permanent error during the SMTP conversation.

Common Cause
Catch-all error for SMTP failures not covered by a more specific code. Often caused by the remote server's anti-spam or security appliance rejecting the message.
How to Fix
Check message trace for the detailed SMTP response from the remote server. The actual error text (e.g., 'blocked by policy') will indicate the real issue. Contact the remote domain's postmaster if the rejection reason is unclear.
tags: ndr, smtp, remote, generic
5.1.0

Sender Denied

The message was rejected because the sender's email address is invalid or not authorized.

Common Cause
The sending address doesn't exist, is misconfigured, or a transport rule is blocking the sender. Can also occur when Send-As permissions are missing.
How to Fix
Verify the sender address exists and is properly configured. Check transport rules for blocks. If using Send-As, confirm the permission is granted and allow 15 minutes for replication.
tags: ndr, sender, permissions, transport rule
5.1.1

User Unknown - Recipient Not Found

The recipient email address does not exist or is not recognized by the destination mail system.

Common Cause
The recipient address is misspelled, the mailbox was deleted or disabled, or the domain MX records point to the wrong server.
How to Fix
Verify the recipient address spelling. Check if the mailbox exists in the admin center. For external recipients, confirm the domain's MX records. If recently migrated, ensure mail routing is updated.
tags: ndr, bounce, mail flow, recipient, unknown user
5.1.2

Invalid Recipient Domain - DNS Error

The recipient's domain could not be resolved via DNS. No MX, A, or AAAA record was found.

Common Cause
The recipient domain doesn't exist, DNS is misconfigured, or the domain's MX records are missing. Typos in the domain portion of the email address.
How to Fix
Check the domain spelling. Verify DNS with nslookup -type=MX <domain>. If it's an internal domain, check accepted domains in Exchange admin center. For new domains, ensure MX records have propagated.
tags: ndr, dns, mx record, domain
5.1.3

Invalid Address Format

The recipient email address has an invalid format that cannot be parsed by the mail system.

Common Cause
The email address contains illegal characters, missing @ symbol, spaces, or other formatting errors. Can also occur with malformed X.500 addresses in hybrid environments.
How to Fix
Check the address format - must be user@domain.com. In hybrid setups, verify the targetAddress and proxyAddresses attributes in AD. Look for hidden characters (common when copying from PDFs or web pages).
tags: ndr, address, format, x500, hybrid
5.1.8

Sender Rejected - Outbound Spam Policy

The sending account has been blocked from sending outbound mail due to detection as a potential spam source.

Common Cause
The user account was compromised and used to send spam, or legitimate bulk sending triggered the outbound spam detection.
How to Fix
Check the Restricted Users page in Microsoft Defender portal. Secure the account (reset password, enable MFA, review inbox rules and forwarding). Remove the user from the restricted list after securing. Submit a delisting request if needed.
tags: ndr, spam, outbound, compromised, restricted
5.1.10

Recipient Not Found - DBEB

Directory-Based Edge Blocking (DBEB) rejected the message because the recipient doesn't exist in the organization.

Common Cause
DBEB is enabled and the recipient address doesn't match any mail-enabled object in the directory.
How to Fix
Verify the recipient exists in Entra ID / Exchange Online. If the address is an alias, ensure it's properly configured. For hybrid environments, confirm directory sync is working.
tags: ndr, dbeb, hybrid, recipient
5.2.0

Mailbox Full - Quota Exceeded

The recipient's mailbox has reached its storage quota and cannot accept new messages.

Common Cause
The recipient mailbox is full. User has exceeded their mailbox quota (50 GB Business / 100 GB Enterprise).
How to Fix
Notify the recipient to clean up their mailbox. As admin, temporarily increase quota, enable auto-expanding archive, or assign Exchange Online Archiving license.
tags: ndr, quota, storage, mailbox full
5.2.2

Submission Quota Exceeded

The mailbox has exceeded its submission quota - the limit on messages sent or received per time period.

Common Cause
The user has sent or received too many messages in a short period. Exchange Online enforces rate limits on mailbox submissions.
How to Fix
Wait for the throttle window to reset (typically 1-24 hours). Check for mail loops or auto-forwarding amplification. Review mailbox rules that could be generating excessive traffic.
tags: ndr, quota, throttle, rate limit, submission
5.2.3

Message Too Large

The message (including attachments) exceeds the maximum message size limit.

Common Cause
Exchange Online default limit is 25 MB for internet messages. Some connectors or transport rules may impose smaller limits. Encoding overhead can increase the effective size by ~33%.
How to Fix
Reduce attachment size. Use OneDrive/SharePoint sharing links instead of attachments. Check message size limits on connectors: Get-TransportConfig | FL MaxSendSize, MaxReceiveSize. Remember that Base64 encoding adds ~33% to file size.
tags: ndr, size limit, attachment, transport
5.2.121

Recipient Rate Limit - Per Day

The recipient has exceeded the maximum number of messages they can receive in a day.

Common Cause
The receiving mailbox hit Exchange Online's daily recipient rate limit. This protects against mail storms and abuse.
How to Fix
Wait for the limit to reset (24-hour rolling window). Check for mail loops or excessive automated messages. Review mailbox rules generating auto-replies to distribution groups.
tags: ndr, rate limit, throttle, recipient
5.2.122

Sender Rate Limit Exceeded

The sending user has exceeded the maximum number of messages they can send per day (10,000 recipients/day).

Common Cause
The user has hit Exchange Online's daily sending limit. Applies per-user across all messages.
How to Fix
Wait for the 24-hour rolling window to reset. For legitimate bulk sending needs, use a dedicated bulk email service (SendGrid, Mailchimp). Do not attempt to work around limits by using multiple accounts.
tags: ndr, rate limit, sender, bulk, throttle
5.4.1

Relay Access Denied

The recipient domain is not configured as an accepted domain or relay domain, and the connector does not allow relaying.

Common Cause
Exchange Online won't relay mail for domains it doesn't own. The connector configuration doesn't include this domain as a relay target.
How to Fix
Check accepted domains in Exchange admin center. For relay scenarios (e.g., printers, LOB apps), configure an inbound connector that allows relay for the specific IP or certificate. Review connector scope.
tags: ndr, relay, connector, accepted domain, smart host
5.4.14

Hop Count Exceeded - Mail Loop

The message exceeded the maximum number of hops, indicating a mail loop.

Common Cause
A mail loop exists - typically misconfigured connectors, forwarding rules, or MX records in hybrid setups.
How to Fix
Check inbound/outbound connectors for circular routing. Review forwarding rules. Verify MX records and smart host configuration. In hybrid, confirm centralized mail transport settings.
tags: ndr, mail loop, connectors, hybrid, routing, hop count
5.5.0

SMTP Protocol Error

A generic SMTP protocol error occurred during the mail transfer conversation.

Common Cause
The sending or receiving system sent an unexpected SMTP command. Often caused by middleware (spam filters, proxies) injecting malformed SMTP responses.
How to Fix
Check message trace for the full SMTP conversation log. If going through an on-premises appliance, check its logs. Test direct SMTP delivery bypassing security appliances to isolate the issue.
tags: ndr, smtp, protocol, appliance
5.6.11

Invalid Content - Message Formatting

The message body or headers contain invalid formatting that Exchange Online cannot process.

Common Cause
Malformed MIME content, invalid headers, or encoding issues. Common with messages generated by custom applications or older systems.
How to Fix
Check the sending application's message formatting. Ensure proper MIME encoding. If from a custom app, validate the message structure using an SMTP analyzer tool. Check for non-standard header fields.
tags: ndr, mime, formatting, encoding, headers
5.7.1

Message Rejected - Delivery Restriction

The sender does not have permission to send to this recipient. The recipient has delivery restrictions.

Common Cause
The distribution group or mailbox restricts who can send to it. Transport rules may also block the message.
How to Fix
Check delivery management settings on the DL/mailbox (accepted senders list). Review transport rules. For shared mailboxes, verify Send-As or Send-on-Behalf permissions.
tags: ndr, permissions, distribution group, transport rule, restriction
5.7.12

Sender Not Authenticated for Relay

The sender tried to relay mail through Exchange Online but is not authenticated or authorized.

Common Cause
An application or device is attempting to send mail through Exchange Online without proper authentication (no SMTP AUTH or client certificate).
How to Fix
Configure the sending device/application to use SMTP AUTH with OAuth 2.0 or enable SMTP AUTH for the mailbox. Alternatively, use a connector with certificate-based auth. Check Set-CASMailbox -SmtpClientAuthenticationDisabled status.
tags: ndr, relay, authentication, smtp auth, device
5.7.23

SPF Validation Failed

The sending server's IP address is not authorized by the sender's SPF record.

Common Cause
The sending server IP is not in the domain's SPF DNS record. Common when mail is routed through a new gateway or third-party service without updating SPF.
How to Fix
Update the sender domain's SPF record to include the sending server IP or service (e.g., include:spf.protection.outlook.com). Use MXToolbox to validate the SPF record. Remember the 10 DNS lookup limit.
tags: ndr, spf, authentication, dns, email security
5.7.25

DKIM Validation Failed

The DKIM signature on the message could not be verified.

Common Cause
The DKIM signature doesn't match the message content (message was modified in transit), the DKIM DNS record is missing, or the signing domain doesn't align.
How to Fix
Verify DKIM is properly configured in Exchange admin center → DKIM page. Check that DNS CNAME records for DKIM selectors are published. Ensure no mail appliances are modifying message content after signing.
tags: ndr, dkim, authentication, dns, email security
5.7.26

DMARC Validation Failed

The message failed DMARC validation based on the sender domain's published DMARC policy.

Common Cause
Both SPF and DKIM alignment failed for the sender domain, and the domain's DMARC policy specifies reject or quarantine.
How to Fix
Fix SPF alignment (envelope sender must match From domain) and/or DKIM alignment (signing domain must match From domain). Check DMARC reports for failure details. Use DMARC aggregate reports to identify unauthorized senders.
tags: ndr, dmarc, spf, dkim, authentication, email security
5.7.57

TLS Required But Not Established

The connector requires TLS encryption, but TLS could not be negotiated with the remote server.

Common Cause
A connector is configured with ForceStartTLS or RequireTLS, but the remote server doesn't support TLS, has an expired certificate, or TLS negotiation failed.
How to Fix
Check the connector's TLS settings. Verify the remote server supports TLS 1.2. If the remote server has a self-signed cert, consider adjusting the connector's TlsCertificateName or RequireTls setting. Test with Test-SmtpConnectivity.
tags: ndr, tls, encryption, connector, certificate
5.7.64

Tenant Access Blocked

The entire sending tenant has been blocked from sending to this organization.

Common Cause
The receiving organization has blocked your tenant via a tenant allow/block list, or cross-tenant access policy denies mail flow.
How to Fix
Contact the receiving organization's admin to request unblocking. Verify your tenant isn't on any shared blocklists. Check your outbound IP reputation at MXToolbox.
tags: ndr, blocked, tenant, reputation
5.7.124

External Sender Not Allowed

The recipient's mailbox or group does not accept messages from senders outside the organization.

Common Cause
The mailbox or group has 'RequireSenderAuthenticationEnabled' set to $true, blocking all external senders.
How to Fix
If the recipient should receive external mail: Set-DistributionGroup -RequireSenderAuthenticationEnabled $false, or for mailboxes adjust the delivery restrictions. Consider using transport rules for more granular control.
tags: ndr, external, restriction, distribution group
5.7.501

Spam Detected - Message Rejected

The message was identified as spam by Exchange Online Protection and rejected based on the anti-spam policy.

Common Cause
The message content, headers, or sending IP triggered EOP's spam filters. The anti-spam policy is set to reject (rather than quarantine) for high-confidence spam.
How to Fix
Check the message headers for the spam confidence level (SCL) and the specific filter that triggered. Review anti-spam policies in Microsoft Defender portal. If false positive, submit the message to Microsoft for analysis. Check sender IP reputation.
tags: ndr, spam, eop, anti-spam, quarantine
5.7.502

Blocked by Anti-Spam - Sender IP

The sending IP address has been blocked by Exchange Online Protection's IP blocklist.

Common Cause
The sender's IP is on Microsoft's blocklist or a third-party IP reputation blocklist used by EOP.
How to Fix
Check the sender IP at MXToolbox Blacklist Check. Request delisting from the specific blocklist. If your IP, ensure your mail server isn't an open relay and isn't sending spam. Check the EOP connection filter policy.
tags: ndr, spam, ip blocklist, eop, reputation
5.7.503

Blocked by Anti-Spam Policy

The message was blocked by a custom anti-spam policy or mail flow rule configured by the tenant admin.

Common Cause
An administrator-configured anti-spam policy, transport rule, or tenant allow/block list entry is blocking this message.
How to Fix
Review anti-spam policies and transport rules in Exchange admin center. Check the Tenant Allow/Block List. If the block is intentional, inform the sender. For false positives, create a transport rule exception or adjust the policy.
tags: ndr, spam, policy, transport rule, block list
5.7.606

Access Denied - Bad Sending IP

The sending IP address is not authorized or has been identified as a source of abuse.

Common Cause
The IP is on Microsoft's internal blocklist for abuse, is a known open proxy, or is from a region/IP range that has been restricted.
How to Fix
Check the IP reputation at sender.office.com (Microsoft SNDS). Submit a delisting request. Ensure the IP isn't on public blocklists. If using a shared hosting IP, consider a dedicated sending IP.
tags: ndr, ip, blocked, abuse, reputation
5.7.708

Tenant Blocked - Outbound Sending Denied

The tenant has been blocked from sending email due to spam or abuse detection.

Common Cause
The tenant has been flagged by Microsoft for sending spam, typically from compromised accounts.
How to Fix
Check Restricted Users in Defender portal. Secure all compromised accounts. Review outbound spam filter notifications. Submit a support request to Microsoft to delist the tenant.
tags: ndr, spam, blocked, compromised, tenant
5.7.750

Unregistered Domain - Sender Not Verified

The sender domain is not registered or verified as an accepted domain in the tenant.

Common Cause
Attempting to send from a domain that hasn't been added and verified in Microsoft 365 admin center.
How to Fix
Add the sender domain in Microsoft 365 admin center → Settings → Domains. Complete DNS verification (TXT or MX record). Allow up to 72 hours for DNS propagation.
tags: ndr, domain, verification, accepted domain

Exchange Online Protection (1)

ERR_EOP_TransportRule

EOP - Transport Rule Blocked

A mail flow (transport) rule in Exchange Online Protection blocked or modified the message.

Common Cause
An admin-configured transport rule matched the message and took an action (reject, redirect, quarantine, add disclaimer, etc.).
How to Fix
Check transport rules in Exchange admin center → Mail flow → Rules. Use message trace to identify which rule triggered. Review the rule conditions and actions. Disable or modify the rule if the block is unintended.
tags: eop, transport rule, mail flow, blocked, quarantine

Group Policy (2)

8007071a

GPO - Remote Procedure Call Failed

Group Policy processing failed because the RPC server is unavailable.

Common Cause
The client cannot reach a domain controller via RPC. Network issues, firewall blocking, or DC is down.
How to Fix
Verify DC connectivity: nltest /dsgetdc:domain.com. Check firewall rules for RPC (TCP 135 + dynamic ports). Verify DNS is resolving the domain correctly. Run gpupdate /force after fixing connectivity.
tags: gpo, rpc, domain controller, firewall, connectivity
1030/1058

GPO - Cannot Access SYSVOL

The client cannot access the Group Policy template files in SYSVOL.

Common Cause
SYSVOL replication issue (DFS-R or FRS), network connectivity to SYSVOL share, or NTFS permissions on the SYSVOL folder.
How to Fix
Verify access to \\domain\SYSVOL. Check DFS-R replication status with dfsrdiag. Verify SYSVOL NTFS and share permissions. Check that the GPO files exist in the SYSVOL\<domain>\Policies folder on the authenticating DC.
tags: gpo, sysvol, dfs-r, replication, permissions

Intune (11)

0x87D1FDE8

App Install - Download Failed

Intune failed to download the application package.

Common Cause
Network issues, corrupted app package, insufficient disk space, or VPN/proxy interference.
How to Fix
Check device connectivity to Intune CDN. Verify disk space. Re-upload the app package. Review IntuneManagementExtension.log on the device.
tags: app deployment, download, installation
0x87D13B7E

App Install - Dependency Failed

An app dependency or prerequisite check failed during installation.

Common Cause
A required dependency app wasn't installed, or a detection rule prerequisite was not met.
How to Fix
Check the app's dependency chain in Intune. Verify all dependency apps are assigned and installed. Review detection rules for each dependency. Check the IME log for the specific dependency failure.
tags: app deployment, dependency, detection rule
0x87D1041C

App Install - Detection Failed After Install

The app installed but Intune's detection rule failed to confirm the installation.

Common Cause
The detection rule (registry key, file path, MSI product code) doesn't match what the installer created. Version mismatch or wrong detection path.
How to Fix
Verify the detection rule matches the actual installation output. Check the installed path, registry key, or MSI product code on a test device. Update the detection rules in the Intune app configuration.
tags: app deployment, detection, registry, msi
0x80180014

Enrollment - Already Enrolled

Device is already enrolled in MDM and cannot be re-enrolled.

Common Cause
Stale MDM enrollment record. Previous enrollment wasn't cleanly removed.
How to Fix
Delete stale device record from Intune admin center. On device, remove MDM via Settings → Accounts → Access work or school. Re-enroll. For Autopilot, check the device list.
tags: enrollment, mdm, duplicate, stale
0x80180018

Enrollment - Device Cap Reached

The user has reached the maximum number of devices they can enroll in Intune.

Common Cause
The user has enrolled the maximum allowed devices (default: 15 per user for personal devices).
How to Fix
Delete unused device enrollments from Intune. Increase the device enrollment limit in Intune → Device enrollment → Device limit restrictions. Review if old devices can be retired.
tags: enrollment, device limit, cap, restriction
0x801c03ed

Autopilot - Device Not Registered

Autopilot deployment failed because the device hardware hash isn't registered.

Common Cause
Hardware hash wasn't imported, or hash changed after hardware replacement.
How to Fix
Import hash via Intune → Devices → Windows enrollment → Devices. Use Get-WindowsAutopilotInfo script. Wait 15 minutes after import. Re-image the device.
tags: autopilot, enrollment, hardware hash, oobe
0x801c03ea

Autopilot - Profile Assignment Failed

The Autopilot device is registered but no deployment profile was assigned.

Common Cause
The device is in the Autopilot list but hasn't been assigned a profile, or group-based assignment hasn't synced.
How to Fix
Assign an Autopilot deployment profile in Intune. If using dynamic groups, verify the device matches the group's membership rules. Allow time for group membership to evaluate (can take hours).
tags: autopilot, profile, assignment, dynamic group
0x87D101F8

Compliance - Setting Not Applicable

A compliance policy setting can't be evaluated for this device platform.

Common Cause
Policy targets a setting not supported on the device OS version or platform.
How to Fix
Review compliance policy platform filters. Check device has synced. Allow up to 8 hours for compliance evaluation. Force sync from device or admin center.
tags: compliance, policy, platform, sync
0x87D10291

Configuration Profile - Conflict

Two or more configuration profiles have conflicting settings for the same device.

Common Cause
Multiple profiles target the same setting with different values. Intune can't determine which value to apply.
How to Fix
Review assigned configuration profiles in Intune → Devices → select device → Device configuration → Profile status. Remove or consolidate conflicting profiles. Use filters to narrow profile assignments.
tags: configuration, profile, conflict, settings
0x80072ee7

Device Sync - Connection Failed

The Intune management extension or MDM client cannot connect to the Intune service.

Common Cause
No internet connectivity, proxy blocking Intune endpoints, firewall rules, or DNS resolution failure.
How to Fix
Verify device can reach manage.microsoft.com, *.manage.microsoft.com, and other Intune endpoints. Check proxy settings. Verify DNS. Restart the IntuneManagementExtension service.
tags: sync, connectivity, proxy, mdm, firewall
0x87D30004

Wipe/Retire - Action Failed

The remote wipe or retire action failed to execute on the device.

Common Cause
The device is offline, the MDM enrollment is stale, or the device has been factory reset without completing the wipe.
How to Fix
Verify the device is online and checking in. If the device is permanently offline, delete the device record. For retire failures, try a selective wipe first. Check device actions in Intune admin center.
tags: wipe, retire, remote action, offline

Microsoft Graph (6)

Request_ResourceNotFound

Resource Not Found (404)

The specified resource could not be found via Graph API.

Common Cause
Object ID/UPN incorrect, object deleted, or caller lacks permission (Graph returns 404 instead of 403 sometimes).
How to Fix
Verify object ID or UPN. Check recycle bin for deleted objects. Ensure the app has correct Graph permissions (e.g., User.Read.All).
tags: graph api, 404, object id, permissions
Authorization_RequestDenied

Insufficient Graph API Privileges

The app or user lacks the required Graph API permissions.

Common Cause
Missing API permission or admin consent not granted.
How to Fix
Check required permissions in Graph docs for the endpoint. Add in App Registrations → API permissions. Grant admin consent.
tags: graph api, permissions, consent, app registration
429 Too Many Requests

Graph API - Rate Limited

Application has been throttled for exceeding Graph API rate limits.

Common Cause
Too many API calls in a short period. Per-app and per-tenant limits enforced.
How to Fix
Implement exponential backoff using Retry-After header. Use batch requests. Use delta queries instead of polling. Use webhooks for real-time updates.
tags: graph api, throttling, rate limit, batch
BadRequest

Malformed Request

The Graph API request is malformed - invalid syntax, missing fields, or wrong data types.

Common Cause
The request body, URL, or query parameters contain errors. OData filter syntax may be wrong.
How to Fix
Test the request in Graph Explorer. Validate OData syntax. Check for required fields in the request body. Verify the API version (v1.0 vs beta) supports the endpoint.
tags: graph api, request, odata, syntax
InvalidAuthenticationToken

Token Invalid or Expired

The access token provided is invalid, expired, or has been revoked.

Common Cause
The bearer token has expired (default 60-90 minutes), was revoked, or is malformed.
How to Fix
Refresh the access token using the refresh token. Verify token acquisition logic. Check the token's exp claim. Ensure the token's audience matches the Graph API resource.
tags: graph api, token, expired, authentication
ErrorItemNotFound

Drive Item Not Found

The specified file or folder was not found in OneDrive or SharePoint via Graph API.

Common Cause
The item ID is wrong, the file was deleted, or the path has changed. Shared drive items may use different IDs.
How to Fix
Verify the item ID or path. Search for the file using the search endpoint. Check if the item was moved or renamed. For shared items, use the sharedWithMe endpoint.
tags: graph api, onedrive, sharepoint, file, drive

OneDrive (3)

0x8004de40

OneDrive Sync - Internet Connection Error

OneDrive cannot connect to the internet or SharePoint Online.

Common Cause
Network connectivity issue, proxy configuration blocking OneDrive, or the OneDrive client endpoints are not whitelisted in the firewall.
How to Fix
Check internet connectivity. Verify the user can reach onedrive.live.com and *.sharepoint.com. Check proxy settings in OneDrive client → Settings → Network. Whitelist OneDrive endpoints per Microsoft's URL list.
tags: onedrive, sync, connectivity, proxy, firewall
0x8004de85

OneDrive Sync - Tenant Disallowed

The OneDrive sync client is blocked because the tenant is not in the allowed list.

Common Cause
The organization has configured OneDrive to only sync with specific tenant IDs, and this tenant isn't in the allow list.
How to Fix
Add the tenant ID to the OneDrive allowed tenants list via Group Policy or Intune: AllowTenantList setting. Or remove the restriction if no longer needed.
tags: onedrive, sync, tenant, restriction, group policy
0x8004de90

OneDrive Sync - Too Many Files

The library or account contains more files than the OneDrive sync client supports.

Common Cause
Exceeding the 300,000 item sync limit per library, or overall system resources are exhausted.
How to Fix
Reduce the number of items in the library. Use 'Sync only specific folders' to selectively sync. Consider restructuring content across multiple libraries.
tags: onedrive, sync, file limit, performance

Power Automate (3)

0x80048d0b

Flow - Unauthorized Connection

The flow's connection credentials are no longer valid.

Common Cause
Connection expired, user changed password, MFA enforced, or connection owner left.
How to Fix
Edit the flow and re-authenticate the connection. Create new connections under a service account for production flows. Consider service principal connections.
tags: power automate, flow, connection, authentication
ConnectionNotConfigured

Flow - Connection Not Configured

The flow references a connection that hasn't been set up or authorized by the current user.

Common Cause
The flow was shared or imported but the new owner hasn't configured the required connections.
How to Fix
Open the flow, click on the connections panel, and configure/authorize each connection with valid credentials. For shared flows, each user needs their own connection or use a shared service account.
tags: power automate, flow, connection, shared
WorkflowTriggerNotFound

Flow - Trigger Removed or Changed

The flow's trigger is no longer valid - the source was deleted or reconfigured.

Common Cause
The SharePoint list, mailbox, or other trigger source was deleted, renamed, or the user lost access to it.
How to Fix
Update the trigger to point to the correct source. If the source was deleted, recreate it or choose a new trigger. Check that the connection user has access to the trigger source.
tags: power automate, trigger, flow, deleted

Power Platform (1)

DLP Policy Violation

DLP - Connector Blocked

A DLP policy prevents the connector combination used in this flow/app.

Common Cause
Connectors are in incompatible DLP groups (Business vs Non-Business).
How to Fix
Review DLP policies in Power Platform admin center. Adjust policy or redesign flow to use compatible connectors.
tags: dlp, connector, power apps, governance

SharePoint Online (5)

403 Forbidden

Access Denied

The user does not have permission to access the SharePoint resource.

Common Cause
Missing SharePoint permissions, CA policy blocking, expired sharing links, or site has unique permissions.
How to Fix
Check site permissions in SharePoint admin center. Review group memberships. Check CA policies. Regenerate sharing links if expired. Check if site is locked or read-only.
tags: permissions, access denied, sharing, conditional access
404 Not Found

Resource Not Found

The requested site, page, file, or list does not exist or has been deleted.

Common Cause
The URL is wrong, the item was deleted, the site was decommissioned, or the user doesn't have permission (SPO returns 404 instead of 403 in some cases).
How to Fix
Verify the URL. Check the SharePoint recycle bin (site-level and site collection-level). If the user should have access, check permissions - SPO sometimes returns 404 for permission denied.
tags: not found, deleted, url, recycle bin
503 Throttled

Too Many Requests - Throttled

SharePoint is throttling due to excessive API calls or resource usage.

Common Cause
Application or migration tool making too many requests. Custom solutions hitting API limits.
How to Fix
Implement exponential backoff with Retry-After header. Reduce parallelism for migrations. Use Graph API with proper throttling handling. Review custom apps for excessive calls.
tags: throttling, api, migration, rate limit
0x80070005

OneDrive Sync - Access Denied

OneDrive sync client cannot sync due to access denied.

Common Cause
Lost permissions, library requires checkout, IRM/DRM enabled, or too many items.
How to Fix
Verify edit permissions. Disable checkout requirement if not needed. Check item count is within sync limits (300,000). Unlink and re-link sync.
tags: onedrive, sync, access denied, permissions
SPRequestThrottled

CSOM/REST Request Throttled

SharePoint Online throttled the CSOM or REST API request due to excessive usage.

Common Cause
The application is making too many API calls. Per-user and per-app throttling limits are enforced.
How to Fix
Implement exponential backoff. Use batching to reduce calls. Switch to Microsoft Graph with delta queries. Check the Retry-After header and respect it. Use application-level (app-only) auth for higher limits.
tags: throttling, csom, rest, api, batch

Teams (7)

CAA10001

Configuration Error - Tenant Not Configured

Teams cannot find the configuration for the tenant or the tenant is not provisioned for Teams.

Common Cause
The tenant hasn't been provisioned for Teams, or the user doesn't have a Teams license assigned.
How to Fix
Verify the user has a Teams-enabled license (E3, E5, Business Basic, etc.) assigned. Check the Teams admin center for tenant-level configuration. If a new tenant, allow time for provisioning to complete.
tags: configuration, tenant, license, provisioning
CAA20001

Sign-In Failed - Account Issue

Teams desktop client sign-in failed due to an account or credential issue.

Common Cause
Cached credentials are invalid, the user's password changed since last sign-in, or the account has restrictions.
How to Fix
Sign out of Teams completely. Clear Teams cache (%appdata%/Microsoft/Teams). Try signing in via web (teams.microsoft.com) to isolate the issue. Check for account restrictions in Entra admin center.
tags: sign-in, credentials, cache, desktop
CAA20003

Token Acquisition Failed

Teams desktop client failed to acquire an authentication token.

Common Cause
Cached credentials corrupted, system clock out of sync, or network issues blocking Entra ID endpoints.
How to Fix
Clear Teams cache: close Teams, delete %appdata%/Microsoft/Teams, relaunch. Verify system clock. Check connectivity to login.microsoftonline.com. Review Conditional Access sign-in logs.
tags: authentication, token, cache, desktop
CAA50021

Device Registration Required

Teams sign-in failed - Conditional Access requires the device to be enrolled.

Common Cause
A CA policy requires a compliant or Entra-joined device, but the device doesn't meet the requirement.
How to Fix
Join/register the device with Entra ID. Enroll in Intune if compliance is required. Verify with dsregcmd /status. Check the CA policy's device conditions.
tags: conditional access, device, intune, compliance, enrollment
80080300

Meeting Join Failed

Unable to join Teams meeting - resource not found or link expired.

Common Cause
Meeting was cancelled, link expired, organizer's license removed, or Teams service issue.
How to Fix
Ask organizer to resend invite or create new meeting. Verify organizer has Teams license. Check Service Health dashboard.
tags: meeting, join, expired, service health
1001

Teams App Installation Failed

A Teams app (tab, bot, or connector) failed to install in the channel or chat.

Common Cause
The app is blocked by a Teams app permission policy, the app manifest is invalid, or the user lacks permission to install apps.
How to Fix
Check Teams admin center → Teams apps → Permission policies. Verify the user's app permission policy allows the specific app. For custom apps, validate the manifest. Check if org-wide app settings block third-party apps.
tags: app, installation, policy, manifest, permissions
BotNotInConversationRoster

Bot Not in Conversation

The bot tried to send a message to a conversation it's not a member of.

Common Cause
The bot was removed from the conversation, or it never joined. Proactive messaging requires the bot to have been installed first.
How to Fix
Have a user add the bot to the conversation/team. For proactive messaging, store the conversation reference when the bot is first installed. Check bot permissions in Teams admin center.
tags: bot, proactive, conversation, messaging