Inhalt

Other Entra ID / Azure AD SignIn errors

The challenge

Most of us analyzing Azure AD SignIn logs have been there. You come across a failed sign-in, but the ResultDescription is not really helpful, but only shows “Other”.

/entra-id-azure-ad-signin-errors/images/UnresolvedErrorMessages.png
Other? But what other?

When using the Entra ID portal UI most of those error codes will perfectly translate to a more helpful error message.

/entra-id-azure-ad-signin-errors/images/ErrorCodeResolvedInUI.png
What the sign-in logs cannot do, the portal UI is able to

So how can you have the same experience when using KQL?

First things first, let’s analyze which unresolved error types are in your environment.

union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where ResultType != 0 and ResultDescription == "Other"
| summarize by ResultType

Based on this data you can do two things:

  1. Lookup the error code in the UI
  2. Use the official reference Azure AD Authentication and authorization error codes to lookup the error code
  3. Lookup the error code using the sign-in error lookup tool

Option #3 is the best of the three, because I don’t want to lookup hundreds of error codes manually and the official website does not cover everything you are looking for.

The way to the solution

Since the error code website by Microsoft has a super simple interface which is easy to parse, I created a small script that does the heavy lifting for me. Since I also didn’t want to miss any error codes I might not have in my initial list I also don’t just check the exact error message id, but also 20 error codes up and down the original error id. This way I checked a total of 2143 possible error messages. Of course some are invalid and others might already be resolved in the Sign-In logs. Of those 2143 checked error codes I was able to get 764 unique error messages which I saved as a JSON file.

And voila, now I can lookup the missing values right in your kusto query using the externaldata function.

/entra-id-azure-ad-signin-errors/images/UseExternalData.png
Much less Other, more real error messages

Since I want to keep the original format of the Sign-In logs I added a another line to replace the original ResultDescription if the value is “Other” and the lookup table contains a better description.

let ResolvedErrorCodes = externaldata(code: string, Message: string)['https://raw.githubusercontent.com/f-bader/EntraID-ErrorCodes/main/EntraIDErrorCodes.json'] with (format='multijson');
UnifiedSignInLogs
| where ResultType != 0
| lookup ResolvedErrorCodes on $left.ResultType == $right.code
| extend ResultDescription = iff(ResultDescription == "Other",iff(isempty(Message),"Other",Message),ResultDescription)
| project-away Message
| project-reorder TimeGenerated, ResultType, ResultDescription

/entra-id-azure-ad-signin-errors/images/OutputWithCorrectColumnNames.png
Now even the column name is the one you would expect.

/entra-id-azure-ad-signin-errors/images/meme.png

The solution

But always querying external data might not be the most performant way of doing this. A Sentinel watchlist should be the better solution for this.

UnifiedSignInLogs
| where ResultType != 0
| lookup _GetWatchlist('EntraIDErrorCodes') on $left.ResultType == $right.SearchKey
| extend ResultDescription = iff(ResultDescription == "Other", iff(isempty(Message), "Other", Message), ResultDescription)
| project-away Message, *1
| project-reorder TimeGenerated, ResultType, ResultDescription

For your convenience, I created a ARM template you can use to deploy a watchlist.

/entra-id-azure-ad-signin-errors/images/deploytoazure.png /entra-id-azure-ad-signin-errors/images/deploytoazuregov.png /entra-id-azure-ad-signin-errors/images/visualizebutton.png

I uploaded all this data to a new GitHub repository where you can consume it as JSON, CSV or find the ARM template to deploy the watchlist directly.

Entra ID - Azure AD Authentication and authorization error codes

ResultType Message
26000 The provided access grant requires interaction.
29200 QR Code requested. Generate QR code and display on UX page for interactive sign-ins.
29201 Invalid QR Code request. Client Id ({clientId}) or target client Id ({targetClientId}) is invalid.
29202 Invalid scope and response_type request parameters. scope=qrcode can only be used with response_type=none.
29203 Invalid target_client_id ‘{targetClientId}’ argument value.
29204 Failed to write QR Code token to Store.
29205 Generated QR Code string has exceeded maximum supported length.
29206 Invalid QR Code redemption request. Client Id ({clientId}) is invalid.
29207 Error processing session data. QR Code is either invalid or expired.
29208 Error processing session data. QR Code was already redeemed.
29210 QR Code sign-in is disabled via user credential policy.
29211 QR Code sign-in is not supported for passthrough users.
29212 QR Code sign-in is not supported for consumer user scenarios.
40002 The identity provider returned an error. The status returned was ‘{status}’ and the message was ‘{message}’.
40003 A required token was not emitted by an external Identity Provider.
40004 A required token was not emitted by an external Identity Provider.
40005 Invalid token received from external Identity Provider. Current time: {curTime}, expiry time of assertion {expTime}.
40008 There was an unexpected error from the external identity provider.
40009 The identity provider returned an error.
40010 The identity provider has failed with a transient error.
40013 Social IDP MicroService Federation disabled.
40014 Federated Identity Provider is unavailable.
40015 The identity provider returned an error.
40016 The Identity Provider returned an error.
50000 There was an error issuing a token or an issue with our sign-in service.
50001 The resource is disabled or the resource named could not be found. This can happen if the application has not been installed by the administrator of the tenant, or if the resource principal was not found in the directory or is invalid due to a typo.
50002 This tenant isn’t supported for this authentication method yet.
50003 Certificate roll is in progress. Please retry the operation later.
50004 A transient error has occurred. Please try again.
50005 User tried to log in to a device from a platform ({platform}) that’s currently not supported through Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors.
50006 Signature verification failed because of an invalid signature.
50007 Encryption certificate was not found in the directory.
50008 The SAML token is invalid.
50010 Audience URI validation failed since no token audiences were configured.
50011 The {redirectTerm} ‘{replyAddress}’ specified in the request does not match the {redirectTerm}s configured for the application ‘{identifier}’. Make sure the {redirectTerm} sent in the request matches one added to your application in the Azure portal. Navigate to {akamsLink} to learn more about how to fix this. {detail}
50012 Authentication failed.
50013 Assertion failed signature validation. Possibly because the token issuer doesn’t match the API version within its valid time range, it’s expired or malformed, or the refresh token in the assertion is not a primary refresh token.
50014 The user’s redemption is in a pending state. The guest user account is not fully created yet.
50015 The user requires legal age group consent.
50016 Invalid Argument Redirect ErrorCode value.
50017 Validation of given certificate for certificate based authentication failed.
50019 This occurred due to an interrupt to select a certificate before the user signs in.
50020 User account ‘{email}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
50023 ClaimType ‘{claimType}’ is reserved for system use.
50024 Unable to decrypt client state.
50025 The issuer name must be specified.
50026 The mail is too long, maximum length is {length}.
50027 JWT token is invalid or malformed.
50029 The reply URI specified in the request contains invalid characters. Domain names of this form are not supported.
50030 Either forwardableOnBehalfOfOriginsAcceptedAudiencesList or ForwardableOnBehalfOfOriginsAcceptedPrecedingAppsList property in the first party app registration is not set. Both fields need to be filled on first party app portal for PFT OBO to be successful.
50032 RSA key size {actualSize} is less than the minimum required {minSize} bits.
50033 A transient error has occurred. Please try again.
50034 The user account {identifier} does not exist in the {tenant} directory. To sign into this application, the account must be added to the directory.
50035 ECC key size {actualSize} is less than the minimum required {minSize} bits.
50038 The API version isn’t supported.
50042 The salt required to generate a pairwise identifier is missing in the principal.
50043 Unable to generate a pairwise identifier with more than one salt in principal.
50045 The salt required to generate a pairwise identifier is malformed in principal.
50048 Subject must match the issuer claim in the client assertion.
50049 Unknown or invalid instance.
50050 The request is malformed: invalid format for ‘{name}’ value.
50051 The root key endpoint is missing the root keys.
50052 The password entered exceeds the maximum length. Please reach out to your admin to reset the password.
50053 The account is locked, you’ve tried to sign in too many times with an incorrect user ID or password.
50054 Looks like you entered your old password. Try again with your new one.
50055 The password is expired.
50056 Invalid or missing password: password does not exist in the directory for this user.
50057 The user account is disabled.
50058 Session information is not sufficient for single-sign-on.
50059 No tenant-identifying information found in either the request or implied by any provided credentials.
50060 Unable to sign out.
50061 Unable to complete signout. The request was invalid.
50062 Signout request is unauthorized.
50068 Signout failed. The initiating application is not a participant in the current session.
50069 Signout failed. The request specified a name identifier of ‘{identifier}’ which did not match the existing session(s).
50070 Signout failed. The request specified session indexes ‘{identifier}’ which did not match the existing session(s).
50071 Signout request has expired.
50072 Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘{identifier}’.
50074 Strong Authentication is required.
50075 The tenant ‘{tenant}’ does not have security defaults enabled.
50076 Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘{resource}’.
50077 The administrator created a conditional access policy that requires the authenticator to be used to provide GPS location.
50078 Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access ‘{resource}’.
50079 Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘{identifier}’.
50080 Bad request received.
50081 The administrator created a conditional access policy that requires GPS location.
50082 The partitioned token signing key endpoint is missing the partitioned token signing keys.
50085 Refresh token needs a social identity provider login.
50087 A transient error has occurred during strong authentication. Please try again.
50088 Limit on telecom MFA calls reached. Please try again in a few minutes.
50089 Authentication failed due to flow token expired.
50091 Passed query string length exceeds supported limit.
50093 Missing value for the SAML NameID.
50094 Unknown source configured on the audience for the SAML NameID.
50095 Unknown source configured on the audience for the SAML email claim.
50096 Source configured on the audience for the SAML NameID is not compatible with the requested format.
50097 Device authentication is required.
50098 JWT body must contain ‘{field}’.
50099 Invalid nonce.
50100 There was an error transforming the claims for the token.
50101 Unknown claims transformer ‘{name}’ was specified for principal ‘{principalId}’.
50102 Unable to load CustomClaimsTransformer ‘{type}’ was specified for principal ‘{principalId}’.
50103 There was an error transforming the claims for the token: {errorMessage}
50105 Your administrator has configured the application {appName} (’{appId}’) to block users unless they are specifically granted (‘assigned’) access to the application. The signed in user ‘{user}’ is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
50107 The requested federation realm object ‘{name}’ does not exist.
50120 Unknown credential type, issue with the JWT header.
50123 Unknown claims transformation method ‘{method}’ was specified for principal ‘{principalId}’.
50124 Invalid regular expression configured for claims transformation for this application.
50125 Sign-in was interrupted due to a password reset or password registration entry.
50126 Error validating credentials due to invalid username or password.
50127 Client app is a MAM app and device is not registered.
50128 No tenant-identifying information found in either the request or implied by any provided credentials.
50129 The device is not workplace joined. Workplace join is required to register the device.
50130 The claim value(s) ‘{value}’ cannot be interpreted as known auth method(s).
50131 Device is not in required device state: {state}. Or, the request was blocked due to suspicious activity, access policy, or security policy decisions.
50132 The session is not valid due the following reasons: password expiration or recent password change, SSO Artifact is invalid or expired, session is not fresh enough for application, or a silent sign-in request was sent but the user’s session with Azure AD is invalid or has expired.
50133 The session is not valid due to password expiration or recent password change.
50134 Wrong data center. To authorize a request that was initiated by an app in the OAuth 2.0 device flow, the authorizing party must be in the same data center where the original request resides.
50135 Password change is required due to account risk.
50136 Single MSA session detected when requesting an MSA ticket.
50137 Password needs to be changed due to security policy rule.
50138 Invalid encryption key environment.
50139 Session is invalid due to missing an external refresh token.
50140 This occurred due to ‘Keep me signed in’ interrupt when the user was signing in.
50141 Protected key is not intended for the authenticated user.
50142 Password change is required due to a conditional access policy.
50143 Session mismatch. The session is invalid because user tenant does not match the domain hint.
50144 The user’s Active Directory password has expired.
50146 This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.
50147 Invalid size of the code challenge parameter.
50148 The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.
50149 Invalid Code_Challenge_method parameter.
50150 The provided credentials does not have a valid user consent approval information.
50155 Device authentication failed.
50156 Device tokens are not supported for V2 resource.
50157 User redirection required for routing.
50158 External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
50159 Claims sent by external provider are not enough.
50160 Different target tenant is preferred.
50161 Failed to validate authorization url of external claims provider.
50168 The client is capable of utilizing the Windows 10 Accounts extension to perform SSO but no SSO token was found in the request or the token was expired. Request has been interrupted to attempt to pull an SSO token.
50169 The realm ‘{realm}’ is not a configured realm of the current service namespace.
50170 The external controls mapping is missing.
50172 External claims provider {provider} is not approved.
50173 The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on ‘{authTime}’ and the TokensValidFrom date (before which tokens are not valid) for this user is ‘{validDate}’.
50176 Missing definition of external control: {controlId}.
50177 User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
50178 User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
50179 Client_info is not supported for this user.
50180 Integrated Windows Authentication is needed. Enable the tenant ‘{name}’ for Seamless SSO.
50181 Unable to validate the otp.
50182 OTP is already expired.
50183 Cannot lookup otp due to cache error.
50184 OTP is incorrect, or no cache entry exists for the tenant/user.
50185 Email OTP notification delivery failed.
50186 Unpermitted realm.
50187 Failed to perform device authentication.
50189 The device code is not correctly formatted.
50190 Region prefix to connection string mapping returned from settings is null.
50192 Invalid request.
50193 Internal use
50194 Application ‘{appId}’({appName}) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ‘{time}’. Use a tenant-specific endpoint or configure the application to be multi-tenant.
50196 The server terminated an operation because it encountered a client request loop. Please contact your app vendor.
50197 Sorry, we could not find the user, please sign-in again.
50199 For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.
50200 Unpermitted external trusted realm.
50201 This message prompt interrupt will be shown to the user during login when additional information should be provided to user.
50202 User is not registered in the organization and must explicitly consent to the sign-in.
50203 User has not registered the authenticator app and must register or snooze this notification.
50204 External user has not consented to the privacy statement.
50205 External user has consented to the privacy statement.
50206 The user or administrator has not consented connecting to the target-device: ‘{identifier}’. Send an interactive authorization request for this user and target-machine.
50207 This web native bridge interrupt will be shown to the user during login when the application is requesting login through the native broker and needs eSTS to ensure the broker is properly configured.
50208 This web native bridge interrupt was shown, but the native bridge unexpectedly returned a different user.
50209 User is performing a password reset.
53000 Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
53001 Device is not in required device state: {state}. Conditional Access policy requires a domain joined device, and the device is not domain joined.
53002 Device is not in required device state: {state}. The app used is not an approved app for Conditional Access.
53003 Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
53004 Cannot configure multi-factor authentication methods due to suspicious activity.
53005 Application needs to enforce Intune protection policies.
53006 Authentication required from federated idP.
53007 Authentication required from federated IDP.
53008 Browser not supported.
53009 Application needs to enforce Intune protection policies.
53010 Cannot configure multi-factor authentication methods because the organization requires this information to be set from specific locations or devices.
53011 User blocked due to risk on home tenant.
54000 User is not allowed to access application {appName} due to Legal Age Group Requirement of application {audience}.
54005 OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.
54006 Unencrypted v2 access tokens are not supported for first party applications that support consumer accounts. The resource must add a certificate to the onboarding portal to encrypt tokens.
54007 Method not supported for IDP OAuth2 Federation.
54008 Multi-Factor authentication is required and the credential used ({credentialName}) is not supported as a First Factor. Contact your administrator for more information.
54009 Multi-Factor authentication is required and the credential used is not supported. Contact your administrator for more information.
54010 Proofup blocked due to credential used not supported. Contact your administrator for more information.
65001 The user or administrator has not consented to use the application with ID ‘{identifier}’{namePhrase}. Send an interactive authorization request for this user and resource.
65002 Consent between first party application ‘{applicationId}’ and first party resource ‘{resourceId}’ must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
65003 Consent for first party token-to-self must be configured via preauthorization. If preauthorization has already been configured, update the request to use a URI identifier for the resource instead of ‘{resourceId}’ to work around this error.
65004 User declined to consent to access the app.
65005 The application ‘{name}’ asked for scope ‘{scope}’ that doesn’t exist.
65006 Resource ‘{resourceId}’ had no entitlements matching required permissions configured on the required resource access for client ‘{clientId}’. Requested permission IDs: ‘{permissionId}’. This is a problem with one or more invalid permission ids on the client RRA configuration or the resource entitlement configuration.
65007 Client ‘{clientId}’ required resource access configuration has changed and therefore the request could not be completed. Please try again.
70024 OIDC Provider Metadata missing required field ‘{fieldName}’.
70030 Remote authentication failed to read session from storage.
70031 Remote authentication session is in a bad state.
70033 The remote auth session with this device code has already been approved.
70034 The remote auth session with this device code has already been denied.
70035 Remote auth session with this device code doesn’t exist.
70036 Unsupported remote auth session state.
70037 Incorrect challenge response provided. Remote auth session denied.
70039 The remote auth session with this device code has expired.
70041 Unable to complete OAuth2 IdP’s sign in. The ’nonce’ claim does not match the expected value.
70043 The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}.
70044 The session has expired or is invalid due to sign-in frequency checks by conditional access.
70045 The refresh token is invalid due to sign-in frequency checks by conditional access. Additionally, since the sign-in frequency policy applies to all applications, the token will never be usable, and should be deleted. The authInstant in this token was {authInstant} and the maximum allowed lifetime for this request is {time}.
70046 The session has expired or is invalid due to re-authentication checks by conditional access.
81001 Service ticket size exceeded the maximum allowed.
81004 Kerberos authentication failed.
81005 Authentication package is not supported.
81006 No authorization header was found, returning 401 WWW-Authenticate.
81007 Tenant is not enabled for DesktopSSO.
81008 Failed to validate Kerberos ticket.
81009 Unable to validate the user’s Kerberos ticket, the authorization header value is not formatted correctly.
81010 Seamless SSO failed because the user’s Kerberos ticket has expired or is invalid.
81011 Failed to find user by on-premise SID in the user’s Kerberos ticket.
81012 The user trying to sign in to Azure AD is different from the user signed into the device.
81013 Failed to lookup the user whose kerberos ticket was used to login.
81014 The DesktopSSO auth token has expired.
81015 Rejecting DesktopSSO Kerberos ticket as it was obtained through delegation. Delegated Kerberos ticket does not originate from user directly. Please contact your tenant administrator to disable delegation on the AZUREADSSOACC account.
81016 Invalid STS request.
90000 Internal use
90002 Tenant ‘{tenant_name}’ not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
90004 The request is not properly formatted.
90005 Unable to complete request. The request was invalid since SID and login_hint cannot be used together.
90006 A transient error has occurred. Please try again.
90007 Bad Request. The passed session ID cannot be parsed.
90008 The user or administrator has not consented to use the application with ID ‘{appId}’({appName}). This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least ‘Sign in and read user profile’ permission.
90009 Application ‘{appId}’({appName}) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
90010 Unable to create {algoName} algorithm.
90012 This request has timed out.
90013 Invalid input received from the user.
90014 The required field ‘{name}’ is missing from the credential. Ensure that you have all the necessary parameters for the login request.
90015 Requested query string is too long.
90016 Invalid access token. Required claim is missing.
90017 Unexpected field ‘{fieldName}’.
90019 No tenant-identifying information found in either the request or implied by any provided credentials.
90020 The SAML 1.1 Assertion is missing ImmutableID of the user.
90022 Principal name format is invalid for ‘{name}’. Expected format: name[/instance][@realm]. The principal name is required, host and realm are optional and may be set to null.
90023 Invalid STS request.
90024 A transient error has occurred. Please try again.
90025 Request processing has exceeded internal allowance. This operation will be retried internally and usually resolves without user impact. Please verify the end result of the transaction to verify status.
90026 Hostname contains an invalid wildcard ‘*’ character.
90027 We are unable to issue tokens from this API version on the MSA tenant. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.
90028 Principal name format is invalid for name ‘{name}’. Primary component of the name is required.
90029 The realm ‘{name}’ is a Unicode domain name. Domain names of this form are not supported.
90030 A transient error has occurred. Try again after some time.
90031 A transient error has occurred. Try again after some time.
90032 A transient error has occurred. Try again after some time.
90033 A transient error has occurred. Please try again.
90035 Service is temporarily unavailable. Please retry later.
90036 An unexpected, non-retryable error stemming from the directory service has occurred.
90037 Non-retryable error has occurred.
90038 Tenant ‘{tenant_name}’ request is being redirected to the National Cloud ‘{cloud}’.
90039 Service is temporarily unavailable. Please retry later.
90040 A non-retryable error has occurred.
90041 A transient error has occurred. Please try again.
90042 National Cloud Name is missing in the postback request.
90043 OAuth2 grant was issued by National Cloud STS.
90044 National Cloud Request Process Switched off.
90045 Service is too busy. Please try again later.
90046 Internal use
90047 Internal use
90049 Application could not be found.
90050 Response content length from external IdP exceeds supported limit.
90051 Invalid Delegation Token. Invalid national Cloud ID ({cloudId}) is specified.
90052 Actual message content is runtime specific. Please see returned exception message for details.
90072 User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{application}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
90073 Invalid Fairfax Gateway Redirect.
90081 An error occurred when the service tried to process a WS-Federation message. The message was invalid, malformatted, or contains potentially dangerous characters.
90082 Authentication policy ‘{name}’ selected for the request is not currently supported.
90083 Request is unsupported.
90084 Guest accounts are not allowed for this site.
90085 The service is unable to issue a token because the company object hasn’t been provisioned yet.
90086 The user DA token is expired.
90087 An error occurred while creating the WS-Federation message from the URI.
90088 Authentication failed due to email address domain is not in allowed domains list for identity provider.
90089 User token should not be used in App on behalf of flow.
90090 A transient error has occurred. Please try again.
90091 A transient error has occurred. Please try again.
90092 Non-retryable error has occurred.
90093 Actual message content is runtime specific. Please see returned exception message for details.
90094 Admin consent is required for the permissions requested by this application.
90095 Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin.
90096 Admin consent is required for the permissions requested by this application. Admin consent request sent for processing.
90097 An error has occured during admin consent processing.
90098 An unexpected approval request ID was provided.
90099 The application ‘{appId}’ ({appName}) has not been authorized in the tenant ‘{tenant}’. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.
90100 {name} parameter is empty or not valid.
90101 The supplied data isn’t a valid email address. Please provide it in the format someone@example.com
90102 ‘{name}’ value must be a valid absolute URI.
90107 The request is not valid. Make sure your data doesn’t have invalid characters.
90112 Application identifier is expected to be a GUID.
90114 The specified bulk AADJ token expiration timestamp will cause an expired token to be issued.
90116 {method} request is made, while POST is the only supported verb.
90117 Invalid request.
90119 The user code is null or missing.
90120 This request was already authorized or declined.
90121 Invalid empty request.
90122 User identifier is not present.
90123 The token can’t be issued because the identity or claim issuance provider denied the request. Response code: {errorCode}.
90124 {resConstant} ‘{resourceId}’ {resourceName} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
90125 {userName} isn’t in our system. Make sure you entered the user name correctly.
90126 User Type is not supported on this endpoint. The system can’t infer the user’s tenant from the user name: {userName}
90128 Unable to load OptIn store for user.
90129 {resConstant} ‘{resourceId}’ {resourceName} has a configured token version of ‘1’ and is not supported over the /common or /consumers endpoints.
90130 {appConstant} ‘{appId}’ {appName} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
90131 Invalid ambiguous request. sid cannot be used with prompt {prompt}.
90132 The provided value for the input parameter ‘device_code’ is not valid. Device codes supporting the personal Microsoft Account sign-in audience can only be used for v2 common or consumers tenants.
90134 Retrieving claims from identity provider ‘{idp}’ failed.
90135 The user decided not to continue the authentication. No remediation is required.
90136 Device Code flow is not supported for Confidential Clients.
90137 Token issuance cannot proceed because user declined consent approval to release their profile information.
90138 Invalid ambiguous request. sid cannot be used with login_hint.
90139 Invalid request. The device code flow connect mode in your request is only supported for the /consumers/ tenant.
90150 Failed to read request.
130001 Signature key ID is not provided.
130004 UserPrincipal doesn’t have the NGC key configured.
130005 NGC key signature verification failed.
130006 The NGC transport key isn’t configured on the device.
130007 The device is disabled.
130008 Device referenced by the NGC key is not found.
130009 Device key was found weak.
130500 Phone sign in was blocked due to User Credential Policy.
130501 Sign in was blocked due to User Credential Policy.
130502 Temporary Access Pass sign in was blocked due to User Credential Policy.
130503 Your Temporary Access Pass is incorrect. If you don’t know your pass, contact your administrator.
130504 Your Temporary Access Pass has expired. Contact your administrator to obtain a new pass.
130505 Your one-time Temporary Access Pass has been redeemed. Contact your admin to get a new pass.
130506 Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass.
130507 An access pass could not be found or verified for the user.
135000 Fido signature verification failed.
135001 UserPrincipal doesn’t have the key ID configured.
135002 Fido key does not have authenticator data.
135003 Fido assertion verification failed. Invalid gesture provided.
135004 Invalid postBackUrl parameter.
135005 Invalid cancelUrl parameter.
135006 Invalid resumeUrl parameter.
135007 Client data type is not valid.
135008 Relying Party Origin is not valid.
135009 Flow Token Scenario must be login scenario.
135010 UserPrincipal doesn’t have the key ID configured.
135011 Device used during the authentication is disabled.
135012 UserObjectId from the UserHandle does not match with UserPrincipal UserObjectId.
135013 Invalid UserHandle prefix.
135014 Invalid UserHandle length.
135015 The FIDO exclude list was not a valid JSON blob.
135016 FIDO sign-in is disabled via policy.
135017 Unexpected Signature Counter received from authenticator.
135018 Invalid challenge received from fido assertion.
135019 Expired Challenge received from Fido assertion.
135020 Invalid Fido assertion.
135021 Invalid UserHandle prefix.
135022 Redirect uri provided by MSA is not valid.
140000 Request nonce is expired. Current time: {curTime}, expiry time of assertion {expTime}.
140001 The session key is not valid.
140002 Key not found
140003 Nonce purpose not supported
140004 Invalid Ticket Granting Ticket request.
140005 Invalid Ticket Granting Ticket request.
140006 Invalid Ticket Granting Ticket request.
140007 Invalid Ticket Granting Service request.
140008 Invalid ApReq assertion provided.
140009 Kerberos crypto bad request
140010 Kerberos ticket validation failure
160011 Selected user account was invalid.
160021 Application requested a user session which does not exist.
240000 Limit for BulkAADJ tokens is reached for the tenant.
240001 User is not authorized to register devices in Azure AD.
240002 Input id_token cannot be used as ‘urn:ietf:params:oauth:grant-type:jwt-bearer’ grant.
240003 Unexpected result from authorize endpoint call.
240004 Authorization code not received from authorize endpoint call. Error: {errorInfo}
240005 Missing required user role to acquire a bulk AADJ token. For more information please go to https://go.microsoft.com/fwlink/?linkid=2224591.
399206 An unexpeted and non-retryable error happened when fetching bloomfilter data from blob storage.
399207 The token request does not contain one or more supported response token type(s): ‘{ResType}’.
399208 Registered certificates must not be used for token binding for public clients. Please use ephemeral client certificates.
399209 Application ‘{appIdentifier}’ does not have certificate-bound access tokens enabled.
399210 A verifiable credential is required to access this resource.
399211 Unable to find the requested DiskCache.
399212 Requested DiskCache is expired.
399213 The device key supplied is invalid.
399214 The algorithm in the request is invalid.
399215 HttpRequestException occurred in request to Dsts.
399216 Timeout occurred in request to Dsts.
399217 Non-retryable error has occurred.
399218 For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.
399219 MSA Data Accessor transient timeout.
399220 More than one service principal returned
399229 Multiple MAM Browser client IDs are present in the claims collection. Values: {values}
399230 MAM Browser application principal ‘{appPrincipalId}’ is not valid in the directory
399231 MAM Browser application principal ‘{appPrincipalId}’ does not have any usable reply address in the directory
399232 MAM Browser application principal ‘{appPrincipalId}’ reply address validation failed. Reason: ‘{reason}’
399233 DstsCache is missing the Signingkey info
399234 Recieved public Signingkey response has XML parsing error
399235 Invalid Soap Headers passed to Dsts request
399236 Invalid Soap Body passed to Dsts request
399237 Failure when proxying a request from DstsCache to legacy dSTS
500011 The resource principal named {name} was not found in the tenant named {tenant}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
500012 Resource application name ‘{name}’ is not valid.
500013 Resource identifier is not provided.
500014 The service principal for resource ‘{identifier}’ is disabled. This indicate that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it.
500015 MSA provisioned resources are not supported in the tenant named {tenant}.
500016 Application ‘{appIdentifier}’ is not supported as a resource application to execute the flow.
500017 Application ‘{appIdentifier}’ is not allowed as a resource application to execute the flow.
500021 Access to ‘{tenant}’ tenant is denied.
500022 Access to ‘{tenant}’ tenant is denied.
500023 ‘{headerFromCredential}’ is not the same as ‘{headerFromRequest}’.
500024 Conflicting tenant restrictions signals received by the server on the login request. The header indicated ‘{headerFromRequest}’ while the application added a claims request for ‘{headerFromClaims}’. This can indicate conflicting network and device policies, which Azure AD does not support.
500025 Conflicting tenant restrictions signals received by the server from a claims request. The header from the Id Token ‘{headerFromIdToken}’ is different than the header from the access token ‘{headerFromAccessToken}’.
500031 Cannot find signing certificate configured.
500032 Cannot find signing certificate/private key to issue a certificate.
500033 There is an issue with the key ‘{kid}’. It has both x5t and x5c values, but they do not match. Please make sure the x5t value is the Base64Url-encoded SHA-1 thumbprint of the first certificate in x5c.
500081 SAML assertion validation failed: no supported token signature is provided.
500082 SAML assertion is not present in the token.
500083 Unable to verify token signature. No trusted realm was found with identifier ‘{issuer}’.
500084 Cannot read SecurityToken. Expected element is ({expectedName}, {expectedNamespace}) the actual element is ({localName}, {actualNamespace}).
500085 SAML Assertion with MajorVersion ‘{actualMajor}’ and MinorVersion ‘{actualMinor}’ is not supported. The supported version is MajorVersion ‘{major}’ and MinorVersion ‘{minor}’.
500086 SAML Assertion AssertionId ‘{id}’ is not a valid xsd:ID value.
500087 SAML Assertion does not have any SAML Statement elements. SAML Assertion must have at least one SAML Statement element.
500088 SAML Assertion is missing the required ‘{name}’ Attribute.
500089 SAML 2.0 assertion validation failed: {details}
500101 Audience URI validation failed. No token audiences were found.
500102 Audience URI validation failed. No allowed audiences are configured.
500103 Validation of Audience URI(s) {uri} failed. No match was found with allowed audience(s) {audience}.
500111 The reply uri specified in the request has an invalid scheme.
500112 The reply address ‘{actual}’ does not match the reply address ‘{provided}’ provided when requesting Authorization code.
500113 No reply address is registered for the application{idPhrase}.
500114 Protocol not specified for reply address validation.
500115 The reply uri specified in the request is missing or not a valid URL.
500116 The reply uri specified in the request is not a valid URL. Allowed schemes: ‘{schemes}’.
500117 The reply uri specified in the request isn’t using a secure scheme.
500118 The reply uri specified in the request failed validation. The reply uri host must match one of the registered DNS host names ‘{host}’ for site with ID ‘{id}’.
500119 Redirect URIs with urn: schemes are prohibited. Use a different scheme, or https://login.microsoftonline.com/common/oauth2/nativeclient
500121 Authentication failed during strong authentication request.
500122 SWT assertion failed signature validation. Actual message content is runtime specific. Please see returned exception message for details.
500123 SWT assertion failed signature validation. Actual message content is runtime specific. Please see returned exception message for details.
500124 No device secret is provisioned in the store.
500125 Invalid device secret is provided.
500126 External ID token from issuer ‘{issuer}’ failed signature verification. KeyID of token is ‘{identifier}’.
500127 No authenticated credentials found in request.
500128 No session key found.
500129 No NGC transport key found.
500131 Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was ‘{tokenAudience}’ and the expected audience is ‘{expectedAudience}’ or one of the Application Uris of this application with App ID ‘{appId}’({appName}). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.
500132 Assertion is malformed and cannot be read.
500133 Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: {curTime}, expiry time of assertion {expTime}.
500135 Authentication code is missing in the assertion.
500136 The token issuer doesn’t match the api version: A version 2 token can only be used with the v2 endpoint.
500137 The token issuer doesn’t match the api version: A version 1 token cannot be used with the v2 endpoint.
500138 No Refresh Token claim provided in the assertion.
500139 Refresh token in the assertion is not a primary refresh token.
500141 The user’s redemption is complete but the request was not initiated by the target application.
500142 The user’s redemption is complete and the sign-in should continue.
500183 Certificate has been revoked.
500184 Client assertion JWT token failed verification during certificate based authentication. The token is not signed by the certificate provided in the token.
500185 Tenant differs between user login and certificate user.
500186 User not allowed by policy conditions.
500187 Selected certificate does not meet the criteria.
500200 User account ‘{email}’ is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account.
500201 We are unable to issue tokens from this API version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.
500202 User account ‘{email}’ from external identity provider ‘{idp}’ is not supported for API version ‘{version}’. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint.
500204 Microsoft account ‘{email}’ can’t be used to log in to application {appName}. Please get this user invited to {tenant} directory or sign out and sign in again with a Work or School account.
500205 A consumer (B2C) account can’t be used to log into non consumer applications.
500206 The account type can’t be used for the application you’re trying to log into.
500207 The account type can’t be used for the resource you’re trying to access.
500208 The domain is not a valid login domain for the account type.
500209 Unspecific Tenant is not supported in this domain.
500210 Domain name does not match with the tenant identifier
500211 User account ‘{email}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
500212 The user’s administrator has set an outbound access policy that does not allow access to the resource tenant.
500213 The resource tenant’s cross-tenant access policy does not allow this user to access this tenant.
500331 An error occurred while attempting to create a certificate from bytes.
500341 The user account {identifier} has been deleted from the {tenant} directory. To sign into this application, the account must be added to the directory.
500342 User account is not configured for remote NGC.
500343 Could not create remote sign-in session.
500344 User Account is not found for Fido Sign in flow.
500346 E-Mail OTP user cannot sign in with local password.
500571 The guest user account is disabled.
500581 Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires javascript to verify if any MSA accounts are signed in.
500582 Microsoft Account session_id with prompt=none not supported on AAD tenant.
500583 Storage Access required.
500881 Limit on telecom MFA calls reached. Please retry with PhoneAppNotification or try again in a few minutes.
500882 Limit on telecom MFA calls reached. Please retry with PhoneAppCode or try again in a few minutes.
500883 Limit on telecom MFA calls reached. Please retry with CompanionAppsNotification or try again in a few minutes.
501271 Broker app needs to be installed for device authentication to succeed.
501291 Client app is a Mam app, device is not registered and request is sent using a broker. Work place join needs to be done to register the device before the app can be accessed.
501292 Client application cannot satisfy app protection requirement. If it’s a first party app, then it’s not whitelisted to be used with app protection policies, otherwise, the app has not advertised as app-compliant capable, or the authentication library used does not support app protection policies.
501293 The device is not workplace joined. To proceed with the ‘Sign in from another device’ option, this device must be workplace joined.
501311 Browser not supported.
501312 Device used during the authentication is not registered for the account.
501313 Your device is required to be managed to access this resource.
501314 Silent interrupt required to recognize browser capabilities. Used to differentiate between Safari running in iPadOS or Mac.
501471 Missing code_challenge parameter.
501481 The Code_Verifier does not match the code_challenge supplied in the authorization request.
501482 The Code_Verifier length is less than invalid.
501491 Invalid size of Code_Challenge parameter.
501811 OTP is incorrect, or no cache entry exists for the tenant/user.
530001 Browser not supported.
530002 Your device is required to be compliant to access this resource.
530003 Your device is required to be managed to access this resource.
530004 AcceptCompliantDevice setting isn’t configured for this organization. The admin needs to configure this setting to allow external users access to protected resources.
530011 Browser not supported.
530021 Application does not meet the conditional access approved app requirements.
530022 Browser not supported.
530031 Access policy does not allow token issuance.
530032 User blocked due to risk on home tenant.
530033 Remote device flow blocked due to device based conditional access.
530034 A delegated administrator was blocked from accessing the tenant due to account risk.
530035 Access has been blocked by security defaults.
650041 User terminated the request.
650051 Actual message content is runtime specific. Please see returned exception message for details.
650052 The app is trying to access a service ‘{appId}’({appName}) that your organization ‘{organization}’ lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
650053 The application ‘{name}’ asked for scope ‘{scope}’ that doesn’t exist on the resource ‘{resource}’. Contact the app vendor.
650054 The application ‘{name}’ asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.
650055 The application ‘{name}’ required resource access list does not contain applications discoverable by ‘{resource}’.
650056 Misconfigured application. This could be due to one of the following: the client has not listed any permissions for ‘{name}’ in the requested permissions in the client’s application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it’s valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: {id}.
650057 Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration. Client app ID: {appId}({appName}). Resource value from request: {resource}. Resource app ID: {resourceAppId}. List of valid resources from app registration: {regList}.
650058 The app needs access to a service that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
650061 The client application {appDisplayName} ({applicationId}) requested the role {roleName} ({roleId}) on the resource application {resourceDisplayName} ({resourceId}) but this role is only assignable to users. Either the client application vendor must remove the role from the requested roles, or the owner of the resource application must allow the role to be assignable to applications. For more information, see https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
700001 Application: {samlAudience} needs to opt-in for ‘aio’ optional claim for On Behalf Of flow to work with SAML tokens issued to this application
700002 SAML 1.1 Bearer assertion must be a valid Base64 encoded value.
700003 Device object was not found in the tenant ‘{tenantName}’ directory.
700004 onpremobjectguid ‘{objGuid}’ attribute in the presented grant is malformed.
700005 Provided Authorization Code is intended to use against other tenant, thus rejected.
700006 The Audience: {audience} of the token is NOT an absolute Uri
700007 The grant was issued for a different client id.
700008 Social IDP users are not expected to have home tenant.
700009 Reply address must be provided when presenting an authorization code requested with an explicit reply address.
700011 Application with identifier {appIdentifier} was not found in the directory.
700012 Missing Authorization header with bearer token. Client was not authenticated.
700013 Client is not authorized to request managed browser purpose token.
700014 Mobile Edge app needs to provide an enrollment id in order to acquire a purpose token that can satisfy the compliant app requirement.
700016 Application with identifier ‘{appIdentifier}’ was not found in the directory ‘{tenantName}’. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
700017 {resourceConstant} ‘{resourceIdentifier}’ is not supported as resource.
700018 {resourceConstant} ‘{resourceIdentifier}’ is not supported as resource.
700019 Application ID {identifier} cannot be used or is not authorized.
700020 Application ID {identifier} is a reserved identifier and should be removed on the application: {applicationId}.
700021 Client assertion application identifier doesn’t match ‘client_id’ parameter. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700022 No Subject claim provided in the assertion. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700023 Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700024 Client assertion is not within its valid time range. Current time: {curTime}, assertion valid from {validTime}, expiry time of assertion {expTime}. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700025 Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented.
700026 Client application has no configured keys.
700027 Client assertion failed signature validation.
700028 Certificate with thumbprint {thumbprint} is not authorized.
700029 Invalid signing certificate.
700030 Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: {certificateSubjects}.
700031 Invalid certificate - SubjectName or SubjectAlternativeName is missing
700032 Invalid certificate - Trusted Certificate Subjects for application are missing
700033 For asserting custom_claims, client must provide either xms_actor_token or subject name issuer certificate with custom claim allowed values.
700034 Client assertion contains an invalid xms_actor_token claim.
700035 Client assertion contains custom_claims in the incorrect format.
700036 Client is not authorized to override managed identity claim in the token.
700037 Client assertion must declare x5c header when overriding managed resource ID.
700038 00000000-0000-0000-0000-000000000000 is not a valid application identifier.
700039 00000000-0000-0000-0000-000000000000 is not a valid resource identifier
700040 Managed Resource ID ‘{inputManagedResourceId}’ is not a valid resource identifier.
700041 Post-logout redirect uri is not in approved list. Requested post-logout url: {url}.
700042 The reply address does not match the reply addresses configured for the application.
700043 The redirect address ‘{address}’ does not match the redirect addresses configured for service identity ‘{serviceId}’.
700044 The redirect address ‘{address}’ corresponding to this authorization code does not match the redirect address ‘{requestAddress}’ specified in the request.
700045 Redirect address ‘{address}’ specified by the client does not match any configured addresses ‘{configuredAddress}’ or any addresses on the OIDC approve list.
700046 Invalid Reply Address. Reply Address must have scheme brk-{brkApplicationId}:// and be of Single Page Application type.
700047 Invalid Reply Address. Broker must use Single-Page Application Reply Address.
700048 Client assertion contains an invalid xms_actor_token claim. The audience of the claim is not correctly set.
700049 Claim override is only allowed for User Assigned Managed Service Identities. Make sure the caller app is a Managed Identity, and the override is being done for a User Assigned identity.
700050 Actor token is not within its valid time range. Current time: {curTime}, expiry time of actor token {expTime}.
700051 response_type ’token’ is not enabled for the application.
700052 The token request contains one or more unsupported response token type(s): ‘{ResType}’.
700053 response_type ‘id_token’ requires the ‘openid’ scope.
700054 response_type ‘id_token’ is not enabled for the application.
700055 Redirection to B2C first party app is permitted only to the /authresp endpoint.
700056 User account does not exist in organization.
700081 The refresh token has expired due to maximum lifetime. The token was issued on {issueDate} and the maximum allowed lifetime for this application is {time}.
700082 The refresh token has expired due to inactivity. The token was issued on {issueDate} and was inactive for {time}.
700083 The primary refresh token has expired due to maximum lifetime. The token was issued on {issueDate} and the maximum allowed lifetime for this application is {time}.
700084 The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on {issueDate}.
900143 ‘{name}’ is required for the ‘{type}’ grant type.
900144 The request body must contain the following parameter: ‘{name}’.
900161 Invalid access token. Required tenant ID claim is missing.
900941 Administrator consent is required. App is considered risky.
900942 Admin consent is required in order to allow token to be issued for clients to access resource.
1000005 Invalid definition for external identity provider, domain is missing
1000006 Invalid definition for external identity provider with domain ‘{domain}’. Reason: Following properties are mandatory: domain, issuer URI, passive authentication URL.
1000007 Invalid definition for external identity provider with domain ‘{domain}’. Reason: The value ‘{url}’ in the property ‘{urlType}’ must be an absolute URL.
1000008 Invalid definition for external identity provider with domain ‘{domain}’. Reason: The value ‘{url}’ in the property ‘{urlType}’ must be https.
1000009 Invalid definition for external identity provider with domain ‘{domain}’. Reason: Only WsFederation/SamlP/OAuth2 protocols are allowed.
1000010 Invalid definition for external identity provider with domain ‘{domain}’. Reason: Domain ‘{value}’ is not in expected format.
1000011 Invalid definition for external identity provider with domain ‘{domain}’. Reason: Issuer ‘{value}’ is not in expected format.
1000012 Invalid definition for external identity provider with domain ‘{domain}’. Reason: Domain ‘{value}’ is a reserved value.
1000013 Invalid definition for external identity provider with domain ‘{domain}’. Reason: Issuer ‘{value}’ is a reserved value.
1000014 Cannot issue On-Behalf-Of token for tenant ‘{tenant1}’ as JWT bearer token was issued for ‘{tenant2}’.
1000015 Direct federation users are not expected to have home tenant.
1000018 Realm with domain ‘{domain}’ is not an external realm.
1000019 The provided certificate authority type ‘{certificateAuthorityType}’ is not valid.
1000020 The provided application ‘{applicationId}’ may not be used on this endpoint.
1000021 External Claims Provider unavailable: general exception.
1000022 External Claims Provider unavailable: WebException status code ‘{status}’.
1000023 The GitHub access token forwarded exceeds the configured length of ‘{sizeLimit}’.
1000024 Requested claim ‘ClientIpReportedByRP’ should have a single and valid ip address.
1000025 Received invalid stk_jwk.
1000026 Received invalid Primary Refresh Token.
1000027 Session Transport Key is not present.
1000028 Received invalid Windows SSO Credential.
1000029 The provided confirmation request (req_cnf or pop_jwk) is not properly formatted.
1000030 Microsoft Account granted Refresh Token Credential is not supported on AAD tenant.
1000031 Application {appDisplayName} cannot be accessed at this time. Contact your administrator.
1000032 Received invalid stk_jwk key thumbprint.
1000033 Stk_jwk key doesn’t match session transport key thumbprint specified at the beginning of the session.
1000034 Stk_jwk key must not be submitted via x5c.
1000035 There was an error issuing Bound RT token.
1000036 BoundRT use as a bearer refresh token is unsupported.
1000037 Stk_jwk thumbprint is not provided for SSO Bound RT redemption.
1000038 Received invalid req_cnf key thumbprint.
1000039 Req_cnf key ‘{kid}’ doesn’t match proof of possession key thumbprint specified at the beginning of the session.
1000040 Received invalid dk_jwk key thumbprint.
1000501 Unable to read session document from Session Store.
1000502 The provided certificate is not within its specified validity window.
1000503 Request contains mismatched device ids.
1002001 The device template was not found in the tenant ‘{tenantName}’.
1002002 The Cert Based Auth Configuration was not found in the tenant ‘{tenantName}’ or was invalid.
1002003 The TLS certificate provided does not match the certificate on the device.
1002004 The MTLS subject was not found in the subject or SAN list.
1002005 Device in tenant ‘{tenantName}’ does not have suitable credentials.
1002006 Request contains empty or invalid subject.
1002007 Missing required roles to access token evaluation data endpoint, roles present in the token is {roles}
1002008 Unable to authorize to the token evaluation data endpoint. Tenant Identifier in the request: {requestTenant} does not match tenant identifier in the token: {tenantIdInToken}
1002009 Unable to authorize to the token evaluation data endpoint. Unexpected scope present in the bearer token, app delegation(service principal obo) token is not supported to access the endpoint.
1002010 There was an error on fetching revocaton data or issue with token evaluation data endpoint.
1002011 The tenant branding cdn domains are not configured for the private link.
1002012 The provided value for scope {scope} is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
1002014 Unable to complete request. The request was invalid since domain_hint and opaque login_hint cannot be used together.
1002016 You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD. Your TenantID is: {tenantId}. Please refer to https://go.microsoft.com/fwlink/?linkid=2161187 and conduct needed actions to remediate the issue. For further questions, please contact your administrator.
1002017 Bad Request. The passed logout_hint cannot be parsed.
1002021 The version of client library you are using is not supported for accessing resources in another Microsoft cloud as a guest.
1002022 A transient error occurred while attempting to fetch bloom filter data. Please try again later.
1002023 Invalid grant. Device authentication is required from a specific tenant.
1002024 A primary refresh token must be redeemed with a prt protocol version.
1002026 Common endpoint for app tokens is on the deprecation path and not supported on regional AAD. Please use the tenanted endpoint instead.
1002027 Some of the collected attributes were invalid.
1002028 Missing required roles to access partitioned token signing key endpoint, roles present in the token is {roles}
1002029 Unable to authorize to the partitioned token signing key endpoint. Unexpected scope present in the bearer token, app delegation(service principal obo) token is not supported to access the endpoint.
1002030 Internal service error occured in first party app token validator.
1003012 The custom extension returned an invalid action type defined for that custom extension type.
1003013 Invalid request. Nonce from artifact has expired.
1003014 The custom extension resourceId should be in the format of api://fully qualified domain name/appid.
1003015 The targetUrl and resourceId of the custom extension should have the same fully qualified domain name.
1003016 The appId of the custom extension resourceId should correspond to a real service principal in the tenant.
1003017 The Azure Active Directory Authentication Extensions service principal not found in tenant.
1003018 The Azure Active Directory Authentication Extensions service principal is disabled in this tenant.
1003019 The custom extension resource service principal is disabled in this tenant.
1003020 The target URL is in an improper format. It’s must be a valid URL that start with https://
1003021 The permission CustomAuthenticationExtension.Receive.Payload is not granted to the service principal of the resource app.
1003022 The MS Graph service principal is disabled or not found in this tenant.
1003023 The endpoint used for the custom extension is blocked by the service.
1003024 The custom extension response size exceeded the maximum limit.
1003025 The total size of claims in the custom extension response exceeded the maximum limit.
1003026 The custom extension API responded with claims containing null or empty key.
1003027 Error connecting to the custom extension API.
1003030 A transient error occurred while authenticating an MSA (consumer) user.
1003031 Misconfigured required resource access in client application registration.
1003032 The bluestone storage account in TokenEvaluationData endpoint has not been successfully initialized
1003033 The remote ngc session was denied.
1003034 Your organization is not configured to sign in this type of personal Microsoft account. Visit https://aka.ms/MSAUnprotectedAccountsGuidance for more details.
1003035 The json web key supplied is invalid.
1003036 Partitioned token signing key feature is not set properly.
1003037 It looks like you may already have an account with us using this email address. Try signing in again with another identity provider.
1003038 Root token signing key is not found.
1003039 Partitioned token signing key is not found.
5000611 Symmetric Key Derivation Function version ‘{version}’ is invalid.
5001210 Unsupported transport key format.
5001211 Unable to create primary refresh token.
5001212 Device authentication is required to issue primary refresh token.
5001213 Windows Integrated authentication is needed. Unable to use Seamless SSO to authenticate the user.
5001214 Authentication failed.
7000011 Requested SAML 2.0 assertion has invalid SubjectConfirmation Method: {method}.
7000012 The grant was obtained for a different tenant.
7000013 The grant is not supported by API version {apiVersion}.
7000014 The provided value for the input parameter ‘device_code’ is not valid.
7000015 The grant was obtained for a different tenant.
7000016 Primary refresh token is not signed with session key.
7000017 Broker restricted refresh token can’t be used as credential.
7000018 Token binding header is empty.
7000019 Token binding hash does not match.
7000020 SAML 2.0 Bearer assertion must be a valid Base64Url encoded value.
7000021 Unrecognized grant type {type}.
7000022 VSM Binding Key missing from Ticket Granting Ticket request.
7000023 VSM Binding key mismatch.
7000024 Inconsistent broker application IDs asserted by incoming credentials.
7000025 Ambiguous request. The grant contains duplicate claims.
7000026 Provided grant is invalid or malformed. The grant requires an encrypted response, but the client is not indicating it understands encrypted responses.
7000027 An emergency refresh token is present but rejected.
7000028 Attestation key is required for this request but it doesn’t exist in the device. Please consider re-enrolling the device.
7000029 The token binding claim is invalid because it was not generated on the same device as attestation key. Please verify the legitimacy of the device.
7000030 The token binding claim is invalid because the thumbprint of binding key does not match the thumbprint in the binding claim or the thumbprint in the binding claim is missing. Please verify the legitimacy of the device.
7000031 The signing algorithm {algorithm} of attestation key is not supported. Please consider re-enrolling the device and update the attestation key.
7000032 The security enclave type {enclave} of the token binding key is unknown. Please consider re-enrolling the device.
7000033 Token doesn’t contain expected claim: ‘{claim}’.
7000034 The token binding claim is malformatted. Please consider re-enrolling the device.
7000110 Request is ambiguous, multiple application identifiers found.
7000112 Application ‘{appIdentifier}’({appName}) is disabled.
7000113 Application ‘{appIdentifier}’ is not authorized to make application on-behalf-of calls.
7000114 Application ‘{appIdentifier}’ is not allowed to make application on-behalf-of calls.
7000115 This grant is reedemable only by broker application.
7000116 Client application ‘{appIdentifier}’({appName}) is disabled in tenant {tenant}. Please review the documentation: https://go.microsoft.com/fwlink/?linkid=2167553
7000117 Resource application ‘{appIdentifier}’({appName}) is disabled in tenant {tenant}. Please review the documentation: https://go.microsoft.com/fwlink/?linkid=2167553
7000210 Unable to find source of Trusted Certificate Authority policy.
7000211 Trusted Certificate Authority policy is not configured on the tenant ‘{tenantId}’.
7000212 No matching Trusted Certificate Authority policy found for authorized subject name.
7000213 Invalid certificate chain.
7000214 Certificate has been revoked.
7000215 Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app ‘{identifier}’.
7000216 ‘client_assertion’, ‘client_secret’ or ‘request’ is required for the ‘client_credentials’ grant type.
7000217 The service principal named {appPhrase} was not found in the tenant named {tenant_name}. This can happen if the application has not been installed by the administrator of the tenant.
7000218 The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.
7000219 ‘client_assertion’ or ‘client_secret’ is required for the ‘{type}’ grant type.
7000220 Client application identifier in the provided grant doesn’t match ‘client_id’ parameter.
7000221 Certificate Subject must match Issuer claim in the client assertion.
7000222 The provided client secret keys for app ‘{identifier}’ are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.
7000223 Application {brokerAppId} is not authorized to broker tokens.
7000224 Application {childAppId} is not authorized to have tokens brokered on its behalf.
7000225 Invalid credentials: An MSI certificate was included in the request for the app, but the app (object ID: {oid}, application id: {clientId}) is not an MSI. Ensure that your code is matching MSI identities and certificates appropriately.
7000226 No federated identity credential policy found on application ({appid}). The client_assertion used to authenticate the request does not match the subject or application being requested. Ensure that the application ID in the request is correct, that the app has a policy applied to it, and that the correct client_assertion is being provided in the request.
7000227 No Federated Identity Credential policy found on application that matched the presented MSI-signed client assertion. Expecting a Federated Identity Credential with subject: ‘{msiSpid}’, issuer: ‘{expectedIssuer}’ and audience: ‘{expectedAudience}’.
7000228 Application {brokerAppId} is not authorized to broker tokens.
7000229 The client application {appId} is missing service principal in the tenant {tenantId}. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119
9002310 Invalid request. The transforms element must contain at least one transform.
9002311 Invalid request. Unsupported canonicalization algorithm.
9002312 Invalid request. XML is empty.
9002313 Invalid request. Request is malformed or invalid.
9002314 Resource hostname is required.
9002315 Invalid request. Cannot use /consumers/ on v1 signout.
9002316 Invalid request. Cannot select consumer user session if the endpoint does not support consumer logout.
9002317 Invalid issuer specified.
9002318 Invalid request. Cannot select consumer user session and enterprise user session at the same time.
9002319 Public clients can’t send a client secret.
9002320 The realm ‘{realm}’ is not a configured realm of the tenant.
9002321 No credentials found with the necessary validated claims that map to external user information.
9002322 Protected forwarded token request is not in correct format.
9002323 Certificate must be a valid base64 encoded certificate.
9002324 Request should not contain more than one client credential parameters, this includes ‘client_secret’, ‘client_assertion’ and ‘request’ parameters.
9002325 Proof Key for Code Exchange is required for cross-origin authorization code redemption.
9002326 Cross-origin token redemption is permitted only for the ‘Single-Page Application’ client-type. Request origin: ‘{origin}’.
9002327 Tokens issued for the ‘Single-Page Application’ client-type may only be redeemed via cross-origin requests.
9002328 Invalid request. Cannot use /common or /consumers on admin-consent. Please specify the tenant in GUID or friendly name format OR generically reference it with /organizations.
9002329 Misconfigured client or resource Service Principal ‘{appId}’. Missing Salt Key.
9002330 Invalid Request. Wam_compat version is not supported.
9002331 Application ‘{principalId}’({principalName}) is configured for use by Microsoft Account users only. Please use the /consumers endpoint to serve this request.
9002332 Application ‘{principalId}’({principalName}) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.
9002333 Invalid request. The RDP request is missing the PoP key via req_cnf.
9002334 Invalid request. The RDP logon request is missing the RDP assertion.
9002335 Invalid request. The RDP assertion is invalid or is missing mandatory properties.
9002336 Invalid RDP request.
9002337 Invalid request. The application is registered in the legacy Microsoft Account tenant using apps.dev.microsoft.com, but is configured for use by Azure Active Directory tenants only. Use of /common is not supported for this registration. Please use a tenanted endpoint to request a token.
9002338 Invalid request. Request is malformed or invalid.
9002339 Unsupported user account for this endpoint. The user is a Microsoft Accounts user, but this app does not have the Microsoft account audience enabled. Either enable Microsoft account support to use the /common endpoint or use the tenanted endpoint to target a specific Azure AD tenant for auth.
9002340 The permission (scope) list {scopeListString} is missing Rdp flow allowed permissions.

References