Secure Application Model

Learn and ask questions on how to implement secure application model

jameskirsop
Level 1 Contributor

Conditional Access breaking SAM for ExOL?

I've arrived here by way of this GitHub Issue: https://github.com/microsoft/Partner-Center-PowerShell/issues/259.

I'm trying to get to the bottom of why I receive the error when trying to use Kelvin's new ExchangeOnlineManagement.SAM module:

Could not generate Secure Application Model token to logon: Authentication Error Occured {"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'

I also receive 'Basic Authorization failed for user <UPN>' when I try to connect using the (Microsoft sanctioned) methods documented here or here. I've generated a new RefreshToken for Exchange, but continue to get this error.

We've got Conditional Access enabled on our tenant, but only for connections external to our network. I'm also not sure if CA is the cause of this error due to the ambiguity of the error message.

2 replies
sansbacher
Level 6 Contributor

Hi @jameskirsop ,

I don't know the exact cause, the error I was receiving was similar (AADSTS50078 instead of your AADSTS50076) and we don't have Duo - we were testing it and at the time the only Conditional Access Policy we had was for the Duo Test Users group (I forget what, either enforcing Duo for them, or excluding them from MFA so they could use Duo). We just use MS MFA now, with the MS Auth App and push notifications. I've never had Duo on my account, and my account is the one I use for Consenting.

I have found that the "remember multi-factor authentication" setting must remain off for both our CSP Tenancy and for any client/customer Tenancy we want to access using Delegated Admin Permissions. If someone enables that for a Customer Tenancy my scripts will fail for them immediately with a similar error about not having consented.

Also you MUST have Consented using an account that was prompted for MFA when generating the initial Refresh Token - if you have MFA enabled only for external access and not internal access (I think that may violate the intent of the CSP agreement stating you must use MFA at all times, but I could be wrong?) then you NEED to either do the Consent externally or temporarily turn off that CA Policy so you are prompted for MFA when you Consent.

You can check by redeeming the Refresh Token for an Access Token and pasting it into a JWT (JSON Web Token) checker, such as: https://adfshelp.microsoft.com/JwtDecoder/GetToken

You need the "amr" claim to contain "mfa"; it'll look something like:

amr: [
  "pwd",
  "mfa"
]

If it doesn't, you weren't prompted for MFA. You may need to disable Duo, enable MFA, and Consent perhaps - though I don't know what will happen when you revert. As far as I know the account/UPN you use must have MFA enabled, needs to be an Admin Agent in CSP, but doesn't need to be a Global Admin. However you probably need Global Admin to Consent for the Azure AD Native App's API Permissions. Mine has been working fine for ages now (I Consented with MFA for the Exch Online UPN part, used my Admin account for the AAD App, which also has MFA, and renew the Refresh Token every week - though it lasts 90 days).

And test with the official Exch Online connection first, not just Kelvin's ExchangeOnlineManagement.SAM module. Check your AccessToken/JWT for "mfa" and if it's present try posting a minimal working code sample for what you're trying to do (maybe both the official way and the ExOMgmt.SAM way).

   --Saul
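The check Saul describes above (redeem the Refresh Token for an Access Token, decode the JWT, confirm "mfa" appears in the amr claim) can be done locally without pasting the token into a web decoder. The following is an added example written for this thread; it is not code from the original posts, from Microsoft, or from the Partner Center / ExchangeOnlineManagement.SAM modules. It assumes the SAM refresh token was issued by the Azure AD v1 endpoint with a resource parameter (the form the SAM consent script produces), that $TenantId, $ApplicationId, $ApplicationSecret and $RefreshToken hold the CSP tenant and SAM app values, and it uses the Exchange Online resource ID quoted in the AADSTS50076 error above. The function names are made up for this example.

```powershell
# Added example (not from the original thread): redeem a Secure Application Model
# refresh token for an access token, decode the JWT locally, and confirm the 'amr'
# claim contains "mfa" before attempting an Exchange Online connection.
# Assumption: SAM tokens come from the v1 endpoint (/oauth2/token with 'resource').

function Get-SamAccessToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$ApplicationSecret,
        [Parameter(Mandatory)][string]$RefreshToken,
        # Exchange Online resource ID, as quoted in the AADSTS50076 error above
        [string]$Resource = '00000002-0000-0ff1-ce00-000000000000'
    )
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ApplicationId
        client_secret = $ApplicationSecret
        refresh_token = $RefreshToken
        resource      = $Resource
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    try {
        $response = Invoke-RestMethod -Method Post -Uri $uri -Body $body `
            -ContentType 'application/x-www-form-urlencoded'
        return $response.access_token
    } catch {
        # Surface the AADSTS error text instead of a bare HTTP 400
        throw "Token redemption failed: $($_.ErrorDetails.Message)"
    }
}

function ConvertFrom-Jwt {
    # Decode the payload segment of a JWT (no signature check; this is only
    # for inspecting claims on a token you just received from the IdP).
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT (expected header.payload.signature)' }
    # base64url -> base64, then restore the padding JWTs strip
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-SamTokenHasMfa {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-Jwt -Token $Token
    $amr = @($claims.amr)          # $null -> empty array if the claim is missing
    [pscustomobject]@{
        Upn    = $claims.upn
        Aud    = $claims.aud
        Amr    = ($amr -join ',')
        HasMfa = ($amr -contains 'mfa')
    }
}

# Usage:
# $token  = Get-SamAccessToken -TenantId $TenantId -ApplicationId $ApplicationId `
#               -ApplicationSecret $ApplicationSecret -RefreshToken $RefreshToken
# $result = Test-SamTokenHasMfa -Token $token
# if (-not $result.HasMfa) {
#     Write-Warning "amr = [$($result.Amr)] for $($result.Upn): consent was granted without an MFA prompt. Re-consent with MFA enforced."
# }
```

If HasMfa is false, the refresh token was minted from a session that never satisfied MFA (for example an internal-network session exempted by a Conditional Access policy), and Exchange Online will keep rejecting it with AADSTS50076 no matter how often the refresh token is regenerated; the fix is to redo the consent from a session where MFA is actually prompted, as described in the reply above.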

jameskirsop
Level 1 Contributor

Dropping some more details here:

- I've checked to ensure that we've not allowed "remember Multi-Factor Authentication" - it is mentioned elsewhere by @JanoschUlmer that disabling this will resolve the issue. Because it's not enabled on our tenancy, this doesn't seem to be the appropriate remediation in our case.

- Like @sansbacher in this thread, we're using DUO for our MFA

- I've made an exception to our CA/DUO policies for my account that I'm using to obtain the Refresh Token (then in turn using that for the Access Token) so that Duo is not required for access via that account.

- I've tried the newer Partner Center module with the ExchangeOnline flag mentioned here with no positive outcome