
Secure Application Model

Learn and ask questions on how to implement the Secure Application Model

Level 2 Contributor

Refresh token lifetime, error AADSTS50076

Hi, I've switched our production to the new model and I'm therefore using refresh tokens.

 

However, in less than 24h, I usually start getting AADSTS50076 on all of my calls. The error message states:

Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'SampleBECApp'

Contrary to the error message, I got this error without moving or changing anything in the tenant configuration. Since this is now in production, I really need to know what's causing this "change" detection on Microsoft's side.

 

Here are the Ids of a request that failed after ~3h of lifetime of a refresh token (with no actions on my side in between):

Trace ID: 558dc046-59d0-44c4-8fde-214edfc55500

Correlation ID: b7e8f17a-cd0b-48d0-a339-20f2a0d69de5

Timestamp: 2019-02-11 08:21:10

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Hi Luke, 

I am adding @aamini to the thread, so he can comment as well. By chance are you using conditional access? 

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Refresh token lifetime, error AADSTS50076

Here's the screenshot of conditional access section.

 

[screenshot: policy.png, the conditional access policies section]

 

Side note: it happened again.

{
  "error": "interaction_required",
  "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'SampleBECApp'.\r\nTrace ID: 9570779e-0ce7-4bc0-aff7-ab40572fa600\r\nCorrelation ID: 09b81afe-7f5f-4571-bd67-61b45a62d135\r\nTimestamp: 2019-02-12 09:15:17Z",
  "error_codes": [50076],
  "timestamp": "2019-02-12 09:15:17Z",
  "trace_id": "9570779e-0ce7-4bc0-aff7-ab40572fa600",
  "correlation_id": "09b81afe-7f5f-4571-bd67-61b45a62d135",
  "suberror": "basic_action"
}

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Hi @LukeMarlin,

Typically when you encounter this error it is an indication of conditional access; see What is the location condition in Azure Active Directory conditional access? if you would like to learn more about this feature. However, since you do not have any policies, we can rule this out as the cause. In my testing I have been using Azure multi-factor authentication and I have not been able to reproduce the issue you are encountering. To continue troubleshooting this, it would be helpful to know what you are using for multi-factor authentication. Also, are the requests originating from the same location each time?

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Refresh token lifetime, error AADSTS50076

Hi,

Sorry for the delay, I was on holidays. The issue still goes on.

The 2nd factor is a phone code.

Yes, the request originates from the same machine. It's a user that has been dedicated to a program and it's therefore not used anywhere else. Note that it seems really close to a 24h cycle, might it be possible that there is some kind of "hidden" policy on my tenant?

Also, using the correlation ids I've provided, can't you check on your side if the locations stay the same, or even better, what invalidates my token?

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Hi @LukeMarlin,

The only other time I have seen an error like this persist is when you are authenticating using user credentials while MFA is enabled. This happens because the user needs to authenticate either interactively or by using the refresh token. I am not saying this is what you are running into, but I would recommend that you use the following process to obtain access tokens for all operations involving the Partner Center API:

  1. Obtain the refresh token from the secure location where you stored it
  2. Request a new access token using the refresh token 
  3. Perform the request to the Partner Center API/SDK using the access token obtained above

In addition to this I would recommend that you review the How to validate your solution blog post. That will help you ensure there are not any issues with your process that could be causing this behavior. 

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Refresh token lifetime, error AADSTS50076

Hi,

Steps 1, 2 and 3 are precisely what we do. Here's how we implement these steps.

And yes, we do use 2FA, as it's going to be a requirement (and should already be one without the postponement).

1)

$credential = Get-Credential # appId & appSecret
$token = New-PartnerAccessToken -Consent -Credential $credential -Resource https://api.partnercenter.microsoft.com -ServicePrincipal

# We then store $token.refreshToken

2)

// Truncated code, might miss some lines, it's just to give an idea
using System.IO;
using System.Net;
using System.Web;

private const string loginUrl = "https://login.microsoftonline.com/<our tenant id>/oauth2/token/";
private const string PC_API = "https://api.partnercenter.microsoft.com";

// applicationId, applicationSecret and refreshToken are loaded from our secure store (not shown)
WebRequest request = WebRequest.Create(loginUrl);
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
string content = string.Format(
    "resource={0}&client_id={1}&client_secret={2}&grant_type=refresh_token&refresh_token={3}&scope=openid",
    HttpUtility.UrlEncode(PC_API), HttpUtility.UrlEncode(applicationId),
    HttpUtility.UrlEncode(applicationSecret), HttpUtility.UrlEncode(refreshToken));

using (StreamWriter writer = new StreamWriter(request.GetRequestStream()))
{
    writer.Write(content);
}

WebResponse response = request.GetResponse();
// Extract access token from response

3) Use the extracted access token to call the PC API with the C# SDK

 

I haven't tried your solution yet; however, as far as I understand, it'll simply validate that the token was acquired with a 2nd factor, which is something I could already verify by looking at the JWT claims: "mfa" is there. If there's another reason to try it, please tell me. Also, is there a way to do that in the Partner Center SDK?
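The following is an added example, not code from this thread, from Microsoft or from the Partner Center SDK. It puts the three steps from idwilliams's reply and the claim check mentioned in this post into one place: build the grant_type=refresh_token form body, tell a normal token response apart from the interaction_required / AADSTS50076 body quoted earlier in the thread (pulling out the trace and correlation IDs support asks for, and not retrying, since further refreshes cannot succeed once the token is rejected), and inspect the access token's amr claim for "mfa". The tenant placeholder, the `send` callable, the helper names and the unsigned sample JWT are assumptions; no network call is made, so it runs offline.

```python
"""Refresh-token exchange for the Partner Center API with handling for the
AADSTS50076 / interaction_required failure discussed in this thread. Added
example; `send`, helper names, tenant placeholder and sample JWT are assumptions."""
import base64
import json
import re
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"  # placeholder tenant
PC_API = "https://api.partnercenter.microsoft.com"


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str,
                          resource: str = PC_API) -> Tuple[str, str]:
    """Step 2: the form body for grant_type=refresh_token. urlencode escapes every
    field, so a secret containing '&' or '=' cannot alter the request."""
    body = urlencode({"resource": resource, "client_id": client_id,
                      "client_secret": client_secret, "grant_type": "refresh_token",
                      "refresh_token": refresh_token, "scope": "openid"})
    return TOKEN_URL, body


class InteractionRequired(Exception):
    """The refresh token can no longer be redeemed silently (AADSTS50076 in the thread).
    Keeps the IDs support asks for so the caller can log them before re-consenting."""

    def __init__(self, codes, trace_id, correlation_id, suberror, description):
        super().__init__(description)
        self.codes, self.trace_id = codes, trace_id
        self.correlation_id, self.suberror = correlation_id, suberror


_ID_RE = re.compile(r"(Trace|Correlation) ID: ([0-9a-f-]{36})")


def parse_token_response(status: int, payload: Dict) -> str:
    """Return the access token or raise. interaction_required means stop retrying:
    further refresh attempts cannot succeed, a new interactive consent is needed."""
    if status == 200 and "access_token" in payload:
        return payload["access_token"]
    error = payload.get("error", "unknown_error")
    desc = payload.get("error_description", "")
    codes = payload.get("error_codes", [])
    # AAD puts the IDs in dedicated fields and repeats them inside error_description.
    ids = {kind.lower(): value for kind, value in _ID_RE.findall(desc)}
    trace = payload.get("trace_id") or ids.get("trace")
    corr = payload.get("correlation_id") or ids.get("correlation")
    if error == "interaction_required" or 50076 in codes:
        raise InteractionRequired(codes, trace, corr, payload.get("suberror"), desc)
    raise RuntimeError(f"token endpoint returned {status} {error}: {desc}")


def get_access_token(send: Callable[[str, str], Tuple[int, Dict]],
                     client_id: str, client_secret: str, refresh_token: str) -> str:
    """Steps 1-3 glued together; `send` (assumed, e.g. a requests.post wrapper) does the HTTP."""
    url, body = build_refresh_request(client_id, client_secret, refresh_token)
    return parse_token_response(*send(url, body))


def jwt_claims(token: str) -> Dict:
    """Decode the payload WITHOUT verifying the signature: fine for inspecting claims
    locally, as the poster did for 'mfa', never as the basis of an authorization decision."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def was_mfa(token: str) -> bool:
    """amr lists the sign-in methods; 'mfa' appears when a second factor was completed."""
    return "mfa" in jwt_claims(token).get("amr", [])


# Constructed offline samples: the error body is the one quoted in the thread,
# the JWT is made up here and carries no real signature.
def _b64url(obj: Dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


SAMPLE_JWT = ".".join([_b64url({"alg": "none", "typ": "JWT"}),
                       _b64url({"aud": PC_API, "upn": "svc@example.com", "amr": ["pwd", "mfa"]}),
                       "c2ln"])
SAMPLE_ERROR = {
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, "
                         "or because you moved to a new location, you must use multi-factor "
                         "authentication to access 'SampleBECApp'.\r\n"
                         "Trace ID: 9570779e-0ce7-4bc0-aff7-ab40572fa600\r\n"
                         "Correlation ID: 09b81afe-7f5f-4571-bd67-61b45a62d135\r\n"
                         "Timestamp: 2019-02-12 09:15:17Z",
    "error_codes": [50076], "timestamp": "2019-02-12 09:15:17Z",
    "trace_id": "9570779e-0ce7-4bc0-aff7-ab40572fa600",
    "correlation_id": "09b81afe-7f5f-4571-bd67-61b45a62d135", "suberror": "basic_action",
}


def fake_send_success(url: str, body: str) -> Tuple[int, Dict]:
    return 200, {"access_token": SAMPLE_JWT, "token_type": "Bearer"}


def fake_send_failure(url: str, body: str) -> Tuple[int, Dict]:
    return 400, SAMPLE_ERROR


if __name__ == "__main__":
    print("mfa in amr:", was_mfa(get_access_token(fake_send_success, "app-id", "app-secret", "rt")))
    try:
        get_access_token(fake_send_failure, "app-id", "app-secret", "rt")
    except InteractionRequired as e:
        print("re-consent needed; codes", e.codes, "suberror", e.suberror, "trace", e.trace_id)
```

In production the `send` callable would be the real HTTPS POST and the caught InteractionRequired would trigger alerting plus a new `New-PartnerAccessToken -Consent` run; the IDs it carries are the ones a support ticket needs, and the amr check is only a local sanity check, since the signature is not verified here.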

 

Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

Was this ever resolved? We seem to have the same scenario with refresh token no longer working after 24 hours.

Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

Just so that I understand fully... You get the refresh token via a user who has MFA enabled, right? Then it allows you to get access tokens for the first 23 hours but breaks with the MFA-like error message?

I have only seen the error message when I got my refresh token with an MFA-disabled account, but then it never works for MFA-enabled Azure ADs...

Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

Correct. We recently enabled MFA on our service accounts for our applications which call Microsoft APIs. We use the refresh token to get access tokens. Everything works fine for about a day, then generates unauthorized access tokens. Manually establishing a new refresh token resolves this issue for another day. We have multiple tenants with Microsoft. However, this only occurs on our US tenant.

Level 2 Contributor

Re: Refresh token lifetime, error AADSTS50076

Hi @msallmen, no, this is yet to be solved, despite this discussion being open for quite some time now! And indeed, we have MFA enabled.

@idwilliams, being tired of logging in with MFA every day, we decided to drop MFA to ease the task. However, it seems that now the token survives for more than one day (4th or 5th day today). It therefore seems to be an issue with MFA, and I might not be alone according to other posts here. Can you please bring up this issue so we can re-enable MFA safely when the day comes?

Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

After the refresh token failed to give us valid access tokens every 24 hours for three days, we found this highlighted checkbox.

[screenshot: MFA settings.png] Uncheck "remember multi-factor authentication" under the service settings.

We unchecked the highlighted checkbox and generated a new refresh token, and we are past 48 hours of that refresh token working for us. I really thought this would only apply to users logging into the portal; strangely, it seems to have resolved our issue. I'd be interested to know if anyone else has seen this behavior.

Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

Yeah, I think we are seeing the same thing. We have set this to 14 days, and since I issued the refresh token I have had to change it twice as it stopped working.

Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

@idwilliams Can we get information on whether this is a bug in Azure AD?