Secure Application Model

Learn and ask questions on how to implement secure application model

Level 3 Contributor

AADSTS50076 : com.microsoft.aad.adal4j.AdalClaimsChallengeException

For our production environment.

We have a CSP account from which we are trying to fetch one of our customer's Azure subscription resource data.

While fetching the Azure token I am seeing the following exception.

2020-06-21 18:00:08.096 [instance-analysis-task-2] ERROR c.h.c.rtm.azure.AzureResourceService.createAzureClient@68 - Unexpected exception caught creating azure client. 
 Message: java.lang.RuntimeException: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: de0a1c59-d978-4fe2-804e-1c892f233600\r\nCorrelation ID: 532f101d-1de6-4461-b9d3-6691644f0545\r\nTimestamp: 2020-06-21 18:00:08Z","error":"interaction_required","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50076"}
We are using the refresh token that was generated when the partner gave consent to fetch this data.

We also created a grant to access the Azure data for this customer subscription.

We are seeing this exception only when getting Azure subscription resource (Virtual Machines and other resources) data, while we are able to fetch that customer's CSP data using the Partner Center API without fail.

In one of the other posts it was suggested to disable some Service settings under MFA which remember the MFA for the default 14 days (we have that setting enabled under our CSP but not for the customer for which we are getting this exception).

[Screenshot: MFA settings.png]

Is the above setting only used to validate the token for getting Azure subscription data (for the CSP customer) and not for Partner Center data?

The strange part is that we have another CSP account in another geographical region, and there, with this MFA setting, we are able to fetch the customer's Azure subscription resources. We have verified almost all the settings for both these CSP accounts and almost all settings are similar.

So:

1. How to get rid of this exception?

2. And why is it working for one CSP account's customer and not for the other CSP account's customer?

Yesterday I re-consented from the partner login and used the newly generated refresh token to get the customer's Azure subscription resources, but I am still seeing the same exception with this new refresh token.

1 ACCEPTED SOLUTION
Level 3 Contributor

Got resolved after MS support.

The problem is here:

"I believe I found the discrepancy here. In terms of MFA, it seems that the "Partner Account 1" is defaulting to security defaults which is causing the issue.

The difference between the "Partner Account 1" and the "Partner Account 2" is the "Partner Account 1" is set to use per-user MFA and is showing enforced. The "Partner Account 2" is set to use security defaults.

"Partner Account 1"
      Multi-factor Auth Status : Enforced

"Partner Account 2"
      Multi-factor Auth Status : Disabled

You will need to get the "Partner Account 1" in the same config as the "Partner Account 2".

I am including the documentation below.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Paying special attention to this line in the first paragraph.

I believe you have the "Partner Account 2" and "Partner Account 1" as trusted but security defaults for the "Partner Account 1" user are superseding the Trusted Locations.

When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on)."

5 REPLIES
Microsoft

"In one of the other posts it was suggested to disable some Service settings under MFA which remember the MFA for the default 14 days (we have that setting enabled under our CSP but not for the customer for which we are getting this exception)."

It might affect access to customers if you hit the checkbox to remember MFA when authorizing the access the first time via your CSP tenant; the same setting in the customer tenant should not affect you.

Does it only fail for this one customer? If yes, I would check if this customer has some custom conditional access rules for external users set; those might affect your delegated access also.

Then you mentioned "almost all settings are similar" in both of your CSP accounts, so the question is: what settings are not the same?

Level 3 Contributor

We have checked the customer tenant and there is NO "Conditional access" applied, there are NO security defaults, and MFA is also not enabled in the customer tenant.

Sorry for the word 'almost'; we have checked the following settings and everything is the same.

1) Both partner tenants have MFA enabled, and in the MFA service settings the 'remember' checkbox is ticked with value 14.

2) The customer tenant under each partner tenant has not enabled MFA.

3) The customer tenant under each partner tenant has no security defaults and no conditional access.

4) We are using the same APIs to get the customer tenant's Azure subscription resources using the partner tenant refresh token.

Is there anything you want me to check?

We are using the following code:

AuthenticationResult authResult = tokenProvider.getAccessTokenByRefreshToken(
        customerId, "https://management.azure.com", refreshToken, appClientId, appSecret);
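The exception in the original post is an OAuth2 error body wrapped twice (an AdalClaimsChallengeException inside a RuntimeException), so the fields worth acting on (the AADSTS code, the resource the token was requested for, and the Trace/Correlation IDs that support asks for) are buried in a string. The following Python example is added here and is not code from the thread or from ADAL: it parses that body, decides whether retrying the same refresh token can ever succeed (an `interaction_required` answer means AAD wants a fresh interactive sign-in, which a refresh token cannot provide), and produces a remediation line. The sample message is constructed to mirror the quoted log line; the `tokenProvider` wrapper in the Java snippet above is the poster's own and is only referred to, not reimplemented.

```python
"""Turn the AADSTS error buried in an ADAL exception message into a diagnostic.

Added example, not code from the thread or from ADAL. SAMPLE_MESSAGE is
constructed to match the shape of the log line quoted in the original post;
the poster's tokenProvider.getAccessTokenByRefreshToken wrapper is assumed to
surface that message as the text of the RuntimeException it throws.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the same payload fields as the AADSTS50076 log line in the thread.
SAMPLE_MESSAGE = (
    "java.lang.RuntimeException: "
    "com.microsoft.aad.adal4j.AdalClaimsChallengeException: "
    '{"error_description":"AADSTS50076: Due to a configuration change made by '
    "your administrator, or because you moved to a new location, you must use "
    "multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'."
    "\\r\\nTrace ID: de0a1c59-d978-4fe2-804e-1c892f233600"
    "\\r\\nCorrelation ID: 532f101d-1de6-4461-b9d3-6691644f0545"
    '\\r\\nTimestamp: 2020-06-21 18:00:08Z",'
    '"error":"interaction_required",'
    '"error_uri":"https:\\/\\/login.microsoftonline.com\\/error?code=50076"}'
)

# OAuth2 "error" values for which the token endpoint is telling the client that
# the current grant cannot be used again: interaction_required (AAD wants a new
# interactive sign-in, e.g. to satisfy MFA) and RFC 6749 invalid_grant (refresh
# token expired or revoked). Retrying with the same refresh token cannot succeed.
INTERACTIVE_ERRORS = {"interaction_required", "invalid_grant"}


@dataclass(frozen=True)
class TokenError:
    error: str                   # OAuth2 "error" field
    code: Optional[int]          # numeric AADSTS code, e.g. 50076
    resource: Optional[str]      # app/resource id the token was requested for
    trace_id: Optional[str]
    correlation_id: Optional[str]
    timestamp: Optional[str]

    @property
    def retry_with_same_refresh_token(self) -> bool:
        """False when AAD requires a fresh interactive sign-in or the grant is dead."""
        return self.error not in INTERACTIVE_ERRORS


_PATTERNS = {
    "code": re.compile(r"AADSTS(\d+)"),
    "resource": re.compile(r"to access '([^']+)'"),
    "trace_id": re.compile(r"Trace ID: ([0-9a-f-]{36})"),
    "correlation_id": re.compile(r"Correlation ID: ([0-9a-f-]{36})"),
    "timestamp": re.compile(r"Timestamp: (\S+ \S+)"),
}


def _first(pattern: "re.Pattern[str]", text: str) -> Optional[str]:
    m = pattern.search(text)
    return m.group(1) if m else None


def parse_token_error(message: str) -> TokenError:
    """Extract the JSON body AAD returned and pull out the fields worth logging."""
    start, end = message.find("{"), message.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON error payload found in exception message")
    payload = json.loads(message[start:end + 1])
    desc = payload.get("error_description", "")
    found = {name: _first(pat, desc) for name, pat in _PATTERNS.items()}
    return TokenError(
        error=payload.get("error", "unknown"),
        code=int(found["code"]) if found["code"] else None,
        resource=found["resource"],
        trace_id=found["trace_id"],
        correlation_id=found["correlation_id"],
        timestamp=found["timestamp"],
    )


def remediation(err: TokenError) -> str:
    """Map the parsed error to the action an operator should take.

    The 50076 hint reflects the resolution in this thread: the partner account
    that granted consent was on per-user MFA (Enforced) while the working one was
    not, and a refresh token alone cannot satisfy an MFA challenge.
    """
    prefix = f"AADSTS{err.code}" if err.code else err.error
    if err.code == 50076:
        action = ("MFA challenge on the consenting partner account; a refresh token "
                  "cannot satisfy it. Compare per-user MFA state (Enabled/Enforced) and "
                  "security defaults with the working partner tenant, align them, then "
                  "re-consent interactively from Partner Center.")
    elif not err.retry_with_same_refresh_token:
        action = "Interactive sign-in required; discard this refresh token and re-consent."
    else:
        action = "Unclassified error; inspect error_description before retrying."
    ref = f" [trace {err.trace_id}, correlation {err.correlation_id}, {err.timestamp}]"
    return prefix + ": " + action + ref


if __name__ == "__main__":
    print(remediation(parse_token_error(SAMPLE_MESSAGE)))
```

The point of `retry_with_same_refresh_token` is that a client which loops on the same refresh token after `interaction_required` only generates more failed sign-ins in the partner tenant; the call site should stop, log the trace and correlation IDs, and hand the case to whoever can re-consent.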
Level 3 Contributor

We have again checked the working partner account and found that in the MFA service settings the 'remember' checkbox was unchecked there, so we have unchecked the 'remember' checkbox in the MFA service settings in the non-working partner account and re-consented the application again from Partner Center, and then tried, but no luck. We are still getting the same exception.

Help is needed as we are into production.

Microsoft

I do not have additional ideas right now; I would recommend contacting support regarding this (Azure AD support).
