Liam

Reputation: 20950

Error AADSTS50126 when trying to authenticate to Azure AD in PHP

I have a PHP application which authenticates user logins with Azure Active Directory (AAD).

It uses the API at https://login.microsoftonline.com/common/oauth2/token , sending it POST data like this:

array(7) {
  ["grant_type"]=>  string(8) "password"
  ["username"]=>  string(13) "[email protected]"
  ["password"]=>  string(8) "********"
  ["scope"]=>  string(20) "openid profile email"
  ["resource"]=>  string(25) "https://graph.windows.net"
  ["client_id"]=>  string(36) "********-****-****-****-************"
  ["client_secret"]=>  string(40) "****************************************"
}

It works correctly for several clients with different domains, ids and secrets.

For a new client, I keep getting this error response from the API:

"AADSTS50126: Error validating credentials due to invalid username or password."

I am certain that all of the data is correct.

What could be the cause of this? Could there be something different about this client's Azure AD configuration that would lead to this error?

Upvotes: 2

Views: 4499

Answers (1)

Sérgio Correia

Reputation: 576

If you are 100% sure that your credentials are correct, you are probably trying to use the ROPC flow (grant_type = password) with a federated account, i.e., an account that is managed on your on-prem AD and that is synced to your AAD.

The error message should be clearer but the issue occurs due to the following:

  • A federated user must authenticate on his on-prem AD
  • This means that, when going to AAD, the user must be redirected to his on-prem AD to perform the authentication
  • Since the ROPC flow is a silent flow, it can't do this redirection
  • Without the redirection, AAD can't validate the user's password, and so the mentioned AADSTS50126 error is thrown

If this is the case, you have 3 options:

1. Change the authentication flow

The ROPC flow has several drawbacks. You can read more about it here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

In the best-case scenario, the best approach would be to change the flow to one with UI interaction, to allow the redirection to your on-prem AD. Check the Auth code flow here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

2. Change the user account

If the ROPC flow is really needed in your scenario, an option that can be selected is to use cloud-only accounts. A cloud-only account (from any of the tenant's managed domains) will not face this issue, since the user is managed in AAD.

Also, please note that this only works for users without any kind of MFA. The main goal of using MFA is to ensure that users provide a 2nd piece of information, which always requires UI interaction. Since this flow does not allow UI interaction, if your user has MFA enabled, this will never work either.

3. Define a Home Realm Discovery Policy

This option is only valid if the PasswordHashSync option is enabled in the tenant.

If this is the case, a Home Realm Discovery (HRD) policy can be applied to the app registration. This policy would essentially allow your federated users using ROPC to authenticate against AAD and not AD - that is why this only works if the password hash is synced.

Read more about HRD here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal?pivots=powershell-hrd

The below PS script is an example of how to apply a HRD policy to a specific Service Principal:

# Requires the AzureAD PowerShell module and an authenticated session
# (the Connect-AzureAD line is added here; the original snippet assumed it was already done).
Connect-AzureAD

# Add the object ID of the Service Principal. You can find it within Azure Active Directory > Enterprise Applications > Application you're looking for > Properties > ObjectID
$spId = "GUID HERE"

# Create a tenant-level HRD policy that lets AAD validate the (synced) password hash
# directly, instead of redirecting to the federated IdP. It is not set as the
# organization default, so it only affects principals it is explicitly attached to.
$policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false

# Attach the policy to just this Service Principal
Add-AzureADServicePrincipalPolicy -Id $spId -RefObjectId $policy.Id

# Verify that the policy is now linked to the Service Principal
Get-AzureADServicePrincipalPolicy -Id $spId

Upvotes: 2
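For option 1 above, here is an added example (not the poster's, the answerer's or Microsoft's code) of what the PHP side looks like when the ROPC token call is replaced by the authorization code flow against the v2.0 endpoints the linked doc describes. TENANT, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders, and the script assumes it is served at the redirect URI registered for the app.

```php
<?php
// Added example: OAuth 2.0 authorization code flow in place of ROPC. The
// browser is sent to AAD, which can redirect a federated user to on-prem AD
// and run MFA; this app never handles the password. Constants are placeholders.
session_start();
const TENANT        = 'TENANT-ID-OR-DOMAIN';
const CLIENT_ID     = 'CLIENT-ID-GUID';
const CLIENT_SECRET = 'CLIENT-SECRET';
const REDIRECT_URI  = 'https://app.example.com/callback.php';
const SCOPE         = 'openid profile email';
$authority = 'https://login.microsoftonline.com/' . TENANT . '/oauth2/v2.0';
if (!isset($_GET['code'])) {
    // Step 1: send the browser to AAD; random state binds the callback to this session (login CSRF).
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    header('Location: ' . $authority . '/authorize?' . http_build_query([
        'client_id'     => CLIENT_ID,
        'response_type' => 'code',
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => SCOPE,
        'state'         => $state,
    ]));
    exit;
}
// Step 2: back from AAD with ?code=...&state=...; reject a missing or mismatched state.
$expected = $_SESSION['oauth_state'] ?? '';
unset($_SESSION['oauth_state']);
if ($expected === '' || !hash_equals($expected, (string) ($_GET['state'] ?? ''))) {
    http_response_code(400);
    exit('Invalid state');
}
// Step 3: server-side code exchange; the client secret never leaves the backend.
$ch = curl_init($authority . '/token');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'grant_type'    => 'authorization_code',
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'code'          => $_GET['code'],
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => SCOPE,
    ]),
]);
$tokens = json_decode((string) curl_exec($ch), true);
curl_close($ch);
if (!isset($tokens['id_token'])) {
    exit('Token request failed: ' . ($tokens['error_description'] ?? 'unknown'));
}
// Validate the id_token signature and claims (iss, aud, exp) with a JWT library before signing the user in.
```

Because the user authenticates in the browser, the AADSTS50126 symptom from the federated redirect disappears and MFA-enabled accounts work too.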
