Secure Application Model
Learn and ask questions on how to implement secure application model

Level 1 Contributor

Refresh token lifetime, error AADSTS50076

Hi, I've switched our production to the new model and I'm therefore using refresh tokens.

However, in less than 24h, I usually start getting AADSTS50076 on all of my calls. The error message states:

Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'SampleBECApp'

Contrary to the error message, I've got this error without moving or doing anything on the tenant configuration. Since this is now in production, I really need to know what's causing this "change" detection on Microsoft's side.

Here are the IDs of a request that failed after ~3h of lifetime of a refresh token (with no actions on my side in between):

Trace ID: 558dc046-59d0-44c4-8fde-214edfc55500

Correlation ID: b7e8f17a-cd0b-48d0-a339-20f2a0d69de5

Timestamp: 2019-02-11 08:21:10

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Hi Luke, 

I am adding @aamini to the thread, so he can comment as well. By chance are you using conditional access? 

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 1 Contributor

Re: Refresh token lifetime, error AADSTS50076

Here's the screenshot of the conditional access section.

policy.png

Side note: it happened again.

{'error':'interaction_required','error_description':'AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access \'SampleBECApp\'.\\r\\nTrace ID: 9570779e-0ce7-4bc0-aff7-ab40572fa600\\r\\nCorrelation ID: 09b81afe-7f5f-4571-bd67-61b45a62d135\\r\\nTimestamp: 2019-02-12 09:15:17Z','error_codes':[50076],'timestamp':'2019-02-12 09:15:17Z','trace_id':'9570779e-0ce7-4bc0-aff7-ab40572fa600','correlation_id':'09b81afe-7f5f-4571-bd67-61b45a62d135','suberror':'basic_action'}

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Hi @LukeMarlin,

Typically, when you encounter this error it is an indication of conditional access; see "What is the location condition in Azure Active Directory conditional access?" if you would like to learn more about this feature. However, since you do not have any policies, we can rule this out as the cause. Through my testing I have been using Azure multi-factor authentication and I have not been able to reproduce the issue you are encountering. To continue troubleshooting this, it would be helpful to know what you are using for multi-factor authentication. Also, are the requests originating from the same location each time?

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
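
The error body posted in this thread can be handled in code so that a service stops retrying a refresh token that needs an interactive MFA sign-in, and keeps the trace and correlation IDs for a support case. This is an added example, not code from any poster or from Microsoft; the function name `classify_token_error`, the action labels, and the sample response (placeholder IDs) are assumptions made for illustration.

```python
import re

# AADSTS code reported in this thread: MFA must be completed interactively.
MFA_REQUIRED_CODES = {50076}

# Diagnostic fields embedded in error_description, one per line.
_DIAG = re.compile(r"(Trace ID|Correlation ID|Timestamp):\s*([^\r\n]+)")


def classify_token_error(body):
    """Map a token-endpoint error body to an action for the calling service."""
    error = body.get("error", "")
    codes = set(body.get("error_codes", []))
    diag = {k: v.strip() for k, v in _DIAG.findall(body.get("error_description", ""))}

    if error == "interaction_required" or codes & MFA_REQUIRED_CODES:
        # The stored refresh token cannot satisfy MFA silently; retrying the
        # same grant keeps failing until a user signs in again with MFA.
        action, retry = "interactive_mfa_sign_in", False
    elif error == "invalid_grant":
        # Refresh token expired or revoked: a new one must be obtained.
        action, retry = "obtain_new_refresh_token", False
    elif error == "temporarily_unavailable":
        action, retry = "retry_with_backoff", True
    else:
        action, retry = "escalate", False

    return {
        "action": action,
        "retry": retry,
        "codes": sorted(codes),
        # Prefer the structured fields, fall back to the description text.
        "trace_id": body.get("trace_id") or diag.get("Trace ID"),
        "correlation_id": body.get("correlation_id") or diag.get("Correlation ID"),
        "timestamp": body.get("timestamp") or diag.get("Timestamp"),
    }


# Constructed sample shaped like the response posted above (IDs are placeholders).
SAMPLE = {
    "error": "interaction_required",
    "error_description": "AADSTS50076: you must use multi-factor authentication "
                         "to access 'SampleBECApp'.\r\n"
                         "Trace ID: 00000000-0000-0000-0000-000000000001\r\n"
                         "Correlation ID: 00000000-0000-0000-0000-000000000002\r\n"
                         "Timestamp: 2019-01-01 00:00:00Z",
    "error_codes": [50076],
    "suberror": "basic_action",
}
```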