Other Entra ID / Azure AD SignIn errors

Fabian Bader included in Azure AD Entra KQL Sentinel Entra ID

2023-08-06 11178 words 53 minutes

Contents

The challenge

Most of us analyzing Azure AD SignIn logs have been there. You come across a failed sign-in, but the ResultDescription is not really helpful, but only shows “Other”.

/en/entra-id-azure-ad-signin-errors/images/UnresolvedErrorMessages.png — Other? But what other?

When using the Entra ID portal UI most of those error codes will perfectly translate to a more helpful error message.

/en/entra-id-azure-ad-signin-errors/images/ErrorCodeResolvedInUI.png — What the sign-in logs cannot do, the portal UI is able to

So how can you have the same experience when using KQL?

First things first, let’s analyze which unresolved error types are in your environment.

union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where ResultType != 0 and ResultDescription == "Other"
| summarize by ResultType

Based on this data you can do two things:

Lookup the error code in the UI
Use the official reference Azure AD Authentication and authorization error codes to lookup the error code
Lookup the error code using the sign-in error lookup tool

Option #3 is the best of the three, because I don’t want to lookup hundreds of error codes manually and the official website does not cover everything you are looking for.

The way to the solution

Since the error code website by Microsoft has a super simple interface which is easy to parse, I created a small script that does the heavy lifting for me. Since I also didn’t want to miss any error codes I might not have in my initial list I also don’t just check the exact error message id, but also 20 error codes up and down the original error id. This way I checked a total of 2143 possible error messages. Of course some are invalid and others might already be resolved in the Sign-In logs. Of those 2143 checked error codes I was able to get 764 unique error messages which I saved as a JSON file.

And voila, now I can lookup the missing values right in your kusto query using the externaldata function.

/en/entra-id-azure-ad-signin-errors/images/UseExternalData.png — Much less Other, more real error messages

Since I want to keep the original format of the Sign-In logs I added a another line to replace the original ResultDescription if the value is “Other” and the lookup table contains a better description.

let ResolvedErrorCodes = externaldata(code: string, Message: string)['https://raw.githubusercontent.com/f-bader/EntraID-ErrorCodes/main/EntraIDErrorCodes.json'] with (format='multijson');
UnifiedSignInLogs
| where ResultType != 0
| lookup ResolvedErrorCodes on $left.ResultType == $right.code
| extend ResultDescription = iff(ResultDescription == "Other",iff(isempty(Message),"Other",Message),ResultDescription)
| project-away Message
| project-reorder TimeGenerated, ResultType, ResultDescription

/en/entra-id-azure-ad-signin-errors/images/OutputWithCorrectColumnNames.png — Now even the column name is the one you would expect.

The solution

But always querying external data might not be the most performant way of doing this. A Sentinel watchlist should be the better solution for this.

UnifiedSignInLogs
| where ResultType != 0
| lookup _GetWatchlist('EntraIDErrorCodes') on $left.ResultType == $right.SearchKey
| extend ResultDescription = iff(ResultDescription == "Other", iff(isempty(Message), "Other", Message), ResultDescription)
| project-away Message, *1
| project-reorder TimeGenerated, ResultType, ResultDescription

For your convenience, I created a ARM template you can use to deploy a watchlist.

I uploaded all this data to a new GitHub repository where you can consume it as JSON, CSV or find the ARM template to deploy the watchlist directly.

Entra ID - Azure AD Authentication and authorization error codes

ResultType	Message
26000	The provided access grant requires interaction.
29200	QR Code requested. Generate QR code and display on UX page for interactive sign-ins.
29201	Invalid QR Code request. Client Id ({clientId}) or target client Id ({targetClientId}) is invalid.
29202	Invalid scope and response_type request parameters. scope=qrcode can only be used with response_type=none.
29203	Invalid target_client_id ‘{targetClientId}’ argument value.
29204	Failed to write QR Code token to Store.
29205	Generated QR Code string has exceeded maximum supported length.
29206	Invalid QR Code redemption request. Client Id ({clientId}) is invalid.
29207	Error processing session data. QR Code is either invalid or expired.
29208	Error processing session data. QR Code was already redeemed.
29210	QR Code sign-in is disabled via user credential policy.
29211	QR Code sign-in is not supported for passthrough users.
29212	QR Code sign-in is not supported for consumer user scenarios.
40002	The identity provider returned an error. The status returned was ‘{status}’ and the message was ‘{message}’.
40003	A required token was not emitted by an external Identity Provider.
40004	A required token was not emitted by an external Identity Provider.
40005	Invalid token received from external Identity Provider. Current time: {curTime}, expiry time of assertion {expTime}.
40008	There was an unexpected error from the external identity provider.
40009	The identity provider returned an error.
40010	The identity provider has failed with a transient error.
40013	Social IDP MicroService Federation disabled.
40014	Federated Identity Provider is unavailable.
40015	The identity provider returned an error.
40016	The Identity Provider returned an error.
50000	There was an error issuing a token or an issue with our sign-in service.
50001	The resource is disabled or the resource named could not be found. This can happen if the application has not been installed by the administrator of the tenant, or if the resource principal was not found in the directory or is invalid due to a typo.
50002	This tenant isn’t supported for this authentication method yet.
50003	Certificate roll is in progress. Please retry the operation later.
50004	A transient error has occurred. Please try again.
50005	User tried to log in to a device from a platform ({platform}) that’s currently not supported through Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors.
50006	Signature verification failed because of an invalid signature.
50007	Encryption certificate was not found in the directory.
50008	The SAML token is invalid.
50010	Audience URI validation failed since no token audiences were configured.
50011	The {redirectTerm} ‘{replyAddress}’ specified in the request does not match the {redirectTerm}s configured for the application ‘{identifier}’. Make sure the {redirectTerm} sent in the request matches one added to your application in the Azure portal. Navigate to {akamsLink} to learn more about how to fix this. {detail}
50012	Authentication failed.
50013	Assertion failed signature validation. Possibly because the token issuer doesn’t match the API version within its valid time range, it’s expired or malformed, or the refresh token in the assertion is not a primary refresh token.
50014	The user’s redemption is in a pending state. The guest user account is not fully created yet.
50015	The user requires legal age group consent.
50016	Invalid Argument Redirect ErrorCode value.
50017	Validation of given certificate for certificate based authentication failed.
50019	This occurred due to an interrupt to select a certificate before the user signs in.
50020	User account ‘{email}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
50023	ClaimType ‘{claimType}’ is reserved for system use.
50024	Unable to decrypt client state.
50025	The issuer name must be specified.
50026	The mail is too long, maximum length is {length}.
50027	JWT token is invalid or malformed.
50029	The reply URI specified in the request contains invalid characters. Domain names of this form are not supported.
50030	Either forwardableOnBehalfOfOriginsAcceptedAudiencesList or ForwardableOnBehalfOfOriginsAcceptedPrecedingAppsList property in the first party app registration is not set. Both fields need to be filled on first party app portal for PFT OBO to be successful.
50032	RSA key size {actualSize} is less than the minimum required {minSize} bits.
50033	A transient error has occurred. Please try again.
50034	The user account {identifier} does not exist in the {tenant} directory. To sign into this application, the account must be added to the directory.
50035	ECC key size {actualSize} is less than the minimum required {minSize} bits.
50038	The API version isn’t supported.
50042	The salt required to generate a pairwise identifier is missing in the principal.
50043	Unable to generate a pairwise identifier with more than one salt in principal.
50045	The salt required to generate a pairwise identifier is malformed in principal.
50048	Subject must match the issuer claim in the client assertion.
50049	Unknown or invalid instance.
50050	The request is malformed: invalid format for ‘{name}’ value.
50051	The root key endpoint is missing the root keys.
50052	The password entered exceeds the maximum length. Please reach out to your admin to reset the password.
50053	The account is locked, you’ve tried to sign in too many times with an incorrect user ID or password.
50054	Looks like you entered your old password. Try again with your new one.
50055	The password is expired.
50056	Invalid or missing password: password does not exist in the directory for this user.
50057	The user account is disabled.
50058	Session information is not sufficient for single-sign-on.
50059	No tenant-identifying information found in either the request or implied by any provided credentials.
50060	Unable to sign out.
50061	Unable to complete signout. The request was invalid.
50062	Signout request is unauthorized.
50068	Signout failed. The initiating application is not a participant in the current session.
50069	Signout failed. The request specified a name identifier of ‘{identifier}’ which did not match the existing session(s).
50070	Signout failed. The request specified session indexes ‘{identifier}’ which did not match the existing session(s).
50071	Signout request has expired.
50072	Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘{identifier}’.
50074	Strong Authentication is required.
50075	The tenant ‘{tenant}’ does not have security defaults enabled.
50076	Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘{resource}’.
50077	The administrator created a conditional access policy that requires the authenticator to be used to provide GPS location.
50078	Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access ‘{resource}’.
50079	Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘{identifier}’.
50080	Bad request received.
50081	The administrator created a conditional access policy that requires GPS location.
50082	The partitioned token signing key endpoint is missing the partitioned token signing keys.
50085	Refresh token needs a social identity provider login.
50087	A transient error has occurred during strong authentication. Please try again.
50088	Limit on telecom MFA calls reached. Please try again in a few minutes.
50089	Authentication failed due to flow token expired.
50091	Passed query string length exceeds supported limit.
50093	Missing value for the SAML NameID.
50094	Unknown source configured on the audience for the SAML NameID.
50095	Unknown source configured on the audience for the SAML email claim.
50096	Source configured on the audience for the SAML NameID is not compatible with the requested format.
50097	Device authentication is required.
50098	JWT body must contain ‘{field}’.
50099	Invalid nonce.
50100	There was an error transforming the claims for the token.
50101	Unknown claims transformer ‘{name}’ was specified for principal ‘{principalId}’.
50102	Unable to load CustomClaimsTransformer ‘{type}’ was specified for principal ‘{principalId}’.
50103	There was an error transforming the claims for the token: {errorMessage}
50105	Your administrator has configured the application {appName} (’{appId}’) to block users unless they are specifically granted (‘assigned’) access to the application. The signed in user ‘{user}’ is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
50107	The requested federation realm object ‘{name}’ does not exist.
50120	Unknown credential type, issue with the JWT header.
50123	Unknown claims transformation method ‘{method}’ was specified for principal ‘{principalId}’.
50124	Invalid regular expression configured for claims transformation for this application.
50125	Sign-in was interrupted due to a password reset or password registration entry.
50126	Error validating credentials due to invalid username or password.
50127	Client app is a MAM app and device is not registered.
50128	No tenant-identifying information found in either the request or implied by any provided credentials.
50129	The device is not workplace joined. Workplace join is required to register the device.
50130	The claim value(s) ‘{value}’ cannot be interpreted as known auth method(s).
50131	Device is not in required device state: {state}. Or, the request was blocked due to suspicious activity, access policy, or security policy decisions.
50132	The session is not valid due the following reasons: password expiration or recent password change, SSO Artifact is invalid or expired, session is not fresh enough for application, or a silent sign-in request was sent but the user’s session with Azure AD is invalid or has expired.
50133	The session is not valid due to password expiration or recent password change.
50134	Wrong data center. To authorize a request that was initiated by an app in the OAuth 2.0 device flow, the authorizing party must be in the same data center where the original request resides.
50135	Password change is required due to account risk.
50136	Single MSA session detected when requesting an MSA ticket.
50137	Password needs to be changed due to security policy rule.
50138	Invalid encryption key environment.
50139	Session is invalid due to missing an external refresh token.
50140	This occurred due to ‘Keep me signed in’ interrupt when the user was signing in.
50141	Protected key is not intended for the authenticated user.
50142	Password change is required due to a conditional access policy.
50143	Session mismatch. The session is invalid because user tenant does not match the domain hint.
50144	The user’s Active Directory password has expired.
50146	This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.
50147	Invalid size of the code challenge parameter.
50148	The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.
50149	Invalid Code_Challenge_method parameter.
50150	The provided credentials does not have a valid user consent approval information.
50155	Device authentication failed.
50156	Device tokens are not supported for V2 resource.
50157	User redirection required for routing.
50158	External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
50159	Claims sent by external provider are not enough.
50160	Different target tenant is preferred.
50161	Failed to validate authorization url of external claims provider.
50168	The client is capable of utilizing the Windows 10 Accounts extension to perform SSO but no SSO token was found in the request or the token was expired. Request has been interrupted to attempt to pull an SSO token.
50169	The realm ‘{realm}’ is not a configured realm of the current service namespace.
50170	The external controls mapping is missing.
50172	External claims provider {provider} is not approved.
50173	The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on ‘{authTime}’ and the TokensValidFrom date (before which tokens are not valid) for this user is ‘{validDate}’.
50176	Missing definition of external control: {controlId}.
50177	User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
50178	User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
50179	Client_info is not supported for this user.
50180	Integrated Windows Authentication is needed. Enable the tenant ‘{name}’ for Seamless SSO.
50181	Unable to validate the otp.
50182	OTP is already expired.
50183	Cannot lookup otp due to cache error.
50184	OTP is incorrect, or no cache entry exists for the tenant/user.
50185	Email OTP notification delivery failed.
50186	Unpermitted realm.
50187	Failed to perform device authentication.
50189	The device code is not correctly formatted.
50190	Region prefix to connection string mapping returned from settings is null.
50192	Invalid request.
50193	Internal use
50194	Application ‘{appId}’({appName}) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ‘{time}’. Use a tenant-specific endpoint or configure the application to be multi-tenant.
50196	The server terminated an operation because it encountered a client request loop. Please contact your app vendor.
50197	Sorry, we could not find the user, please sign-in again.
50199	For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.
50200	Unpermitted external trusted realm.
50201	This message prompt interrupt will be shown to the user during login when additional information should be provided to user.
50202	User is not registered in the organization and must explicitly consent to the sign-in.
50203	User has not registered the authenticator app and must register or snooze this notification.
50204	External user has not consented to the privacy statement.
50205	External user has consented to the privacy statement.
50206	The user or administrator has not consented connecting to the target-device: ‘{identifier}’. Send an interactive authorization request for this user and target-machine.
50207	This web native bridge interrupt will be shown to the user during login when the application is requesting login through the native broker and needs eSTS to ensure the broker is properly configured.
50208	This web native bridge interrupt was shown, but the native bridge unexpectedly returned a different user.
50209	User is performing a password reset.
53000	Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
53001	Device is not in required device state: {state}. Conditional Access policy requires a domain joined device, and the device is not domain joined.
53002	Device is not in required device state: {state}. The app used is not an approved app for Conditional Access.
53003	Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
53004	Cannot configure multi-factor authentication methods due to suspicious activity.
53005	Application needs to enforce Intune protection policies.
53006	Authentication required from federated idP.
53007	Authentication required from federated IDP.
53008	Browser not supported.
53009	Application needs to enforce Intune protection policies.
53010	Cannot configure multi-factor authentication methods because the organization requires this information to be set from specific locations or devices.
53011	User blocked due to risk on home tenant.
54000	User is not allowed to access application {appName} due to Legal Age Group Requirement of application {audience}.
54005	OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.
54006	Unencrypted v2 access tokens are not supported for first party applications that support consumer accounts. The resource must add a certificate to the onboarding portal to encrypt tokens.
54007	Method not supported for IDP OAuth2 Federation.
54008	Multi-Factor authentication is required and the credential used ({credentialName}) is not supported as a First Factor. Contact your administrator for more information.
54009	Multi-Factor authentication is required and the credential used is not supported. Contact your administrator for more information.
54010	Proofup blocked due to credential used not supported. Contact your administrator for more information.
65001	The user or administrator has not consented to use the application with ID ‘{identifier}’{namePhrase}. Send an interactive authorization request for this user and resource.
65002	Consent between first party application ‘{applicationId}’ and first party resource ‘{resourceId}’ must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
65003	Consent for first party token-to-self must be configured via preauthorization. If preauthorization has already been configured, update the request to use a URI identifier for the resource instead of ‘{resourceId}’ to work around this error.
65004	User declined to consent to access the app.
65005	The application ‘{name}’ asked for scope ‘{scope}’ that doesn’t exist.
65006	Resource ‘{resourceId}’ had no entitlements matching required permissions configured on the required resource access for client ‘{clientId}’. Requested permission IDs: ‘{permissionId}’. This is a problem with one or more invalid permission ids on the client RRA configuration or the resource entitlement configuration.
65007	Client ‘{clientId}’ required resource access configuration has changed and therefore the request could not be completed. Please try again.
70024	OIDC Provider Metadata missing required field ‘{fieldName}’.
70030	Remote authentication failed to read session from storage.
70031	Remote authentication session is in a bad state.
70033	The remote auth session with this device code has already been approved.
70034	The remote auth session with this device code has already been denied.
70035	Remote auth session with this device code doesn’t exist.
70036	Unsupported remote auth session state.
70037	Incorrect challenge response provided. Remote auth session denied.
70039	The remote auth session with this device code has expired.
70041	Unable to complete OAuth2 IdP’s sign in. The ’nonce’ claim does not match the expected value.
70043	The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}.
70044	The session has expired or is invalid due to sign-in frequency checks by conditional access.
70045	The refresh token is invalid due to sign-in frequency checks by conditional access. Additionally, since the sign-in frequency policy applies to all applications, the token will never be usable, and should be deleted. The authInstant in this token was {authInstant} and the maximum allowed lifetime for this request is {time}.
70046	The session has expired or is invalid due to re-authentication checks by conditional access.
81001	Service ticket size exceeded the maximum allowed.
81004	Kerberos authentication failed.
81005	Authentication package is not supported.
81006	No authorization header was found, returning 401 WWW-Authenticate.
81007	Tenant is not enabled for DesktopSSO.
81008	Failed to validate Kerberos ticket.
81009	Unable to validate the user’s Kerberos ticket, the authorization header value is not formatted correctly.
81010	Seamless SSO failed because the user’s Kerberos ticket has expired or is invalid.
81011	Failed to find user by on-premise SID in the user’s Kerberos ticket.
81012	The user trying to sign in to Azure AD is different from the user signed into the device.
81013	Failed to lookup the user whose kerberos ticket was used to login.
81014	The DesktopSSO auth token has expired.
81015	Rejecting DesktopSSO Kerberos ticket as it was obtained through delegation. Delegated Kerberos ticket does not originate from user directly. Please contact your tenant administrator to disable delegation on the AZUREADSSOACC account.
81016	Invalid STS request.
90000	Internal use
90002	Tenant ‘{tenant_name}’ not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
90004	The request is not properly formatted.
90005	Unable to complete request. The request was invalid since SID and login_hint cannot be used together.
90006	A transient error has occurred. Please try again.
90007	Bad Request. The passed session ID cannot be parsed.
90008	The user or administrator has not consented to use the application with ID ‘{appId}’({appName}). This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least ‘Sign in and read user profile’ permission.
90009	Application ‘{appId}’({appName}) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
90010	Unable to create {algoName} algorithm.
90012	This request has timed out.
90013	Invalid input received from the user.
90014	The required field ‘{name}’ is missing from the credential. Ensure that you have all the necessary parameters for the login request.
90015	Requested query string is too long.
90016	Invalid access token. Required claim is missing.
90017	Unexpected field ‘{fieldName}’.
90019	No tenant-identifying information found in either the request or implied by any provided credentials.
90020	The SAML 1.1 Assertion is missing ImmutableID of the user.
90022	Principal name format is invalid for ‘{name}’. Expected format: name[/instance][@realm]. The principal name is required, host and realm are optional and may be set to null.
90023	Invalid STS request.
90024	A transient error has occurred. Please try again.
90025	Request processing has exceeded internal allowance. This operation will be retried internally and usually resolves without user impact. Please verify the end result of the transaction to verify status.
90026	Hostname contains an invalid wildcard ‘*’ character.
90027	We are unable to issue tokens from this API version on the MSA tenant. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.
90028	Principal name format is invalid for name ‘{name}’. Primary component of the name is required.
90029	The realm ‘{name}’ is a Unicode domain name. Domain names of this form are not supported.
90030	A transient error has occurred. Try again after some time.
90031	A transient error has occurred. Try again after some time.
90032	A transient error has occurred. Try again after some time.
90033	A transient error has occurred. Please try again.
90035	Service is temporarily unavailable. Please retry later.
90036	An unexpected, non-retryable error stemming from the directory service has occurred.
90037	Non-retryable error has occurred.
90038	Tenant ‘{tenant_name}’ request is being redirected to the National Cloud ‘{cloud}’.
90039	Service is temporarily unavailable. Please retry later.
90040	A non-retryable error has occurred.
90041	A transient error has occurred. Please try again.
90042	National Cloud Name is missing in the postback request.
90043	OAuth2 grant was issued by National Cloud STS.
90044	National Cloud Request Process Switched off.
90045	Service is too busy. Please try again later.
90046	Internal use
90047	Internal use
90049	Application could not be found.
90050	Response content length from external IdP exceeds supported limit.
90051	Invalid Delegation Token. Invalid national Cloud ID ({cloudId}) is specified.
90052	Actual message content is runtime specific. Please see returned exception message for details.
90072	User account ‘{user}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{application}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
90073	Invalid Fairfax Gateway Redirect.
90081	An error occurred when the service tried to process a WS-Federation message. The message was invalid, malformatted, or contains potentially dangerous characters.
90082	Authentication policy ‘{name}’ selected for the request is not currently supported.
90083	Request is unsupported.
90084	Guest accounts are not allowed for this site.
90085	The service is unable to issue a token because the company object hasn’t been provisioned yet.
90086	The user DA token is expired.
90087	An error occurred while creating the WS-Federation message from the URI.
90088	Authentication failed due to email address domain is not in allowed domains list for identity provider.
90089	User token should not be used in App on behalf of flow.
90090	A transient error has occurred. Please try again.
90091	A transient error has occurred. Please try again.
90092	Non-retryable error has occurred.
90093	Actual message content is runtime specific. Please see returned exception message for details.
90094	Admin consent is required for the permissions requested by this application.
90095	Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin.
90096	Admin consent is required for the permissions requested by this application. Admin consent request sent for processing.
90097	An error has occured during admin consent processing.
90098	An unexpected approval request ID was provided.
90099	The application ‘{appId}’ ({appName}) has not been authorized in the tenant ‘{tenant}’. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.
90100	{name} parameter is empty or not valid.
90101	The supplied data isn’t a valid email address. Please provide it in the format someone@example.com
90102	‘{name}’ value must be a valid absolute URI.
90107	The request is not valid. Make sure your data doesn’t have invalid characters.
90112	Application identifier is expected to be a GUID.
90114	The specified bulk AADJ token expiration timestamp will cause an expired token to be issued.
90116	{method} request is made, while POST is the only supported verb.
90117	Invalid request.
90119	The user code is null or missing.
90120	This request was already authorized or declined.
90121	Invalid empty request.
90122	User identifier is not present.
90123	The token can’t be issued because the identity or claim issuance provider denied the request. Response code: {errorCode}.
90124	{resConstant} ‘{resourceId}’ {resourceName} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
90125	{userName} isn’t in our system. Make sure you entered the user name correctly.
90126	User Type is not supported on this endpoint. The system can’t infer the user’s tenant from the user name: {userName}
90128	Unable to load OptIn store for user.
90129	{resConstant} ‘{resourceId}’ {resourceName} has a configured token version of ‘1’ and is not supported over the /common or /consumers endpoints.
90130	{appConstant} ‘{appId}’ {appName} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
90131	Invalid ambiguous request. sid cannot be used with prompt {prompt}.
90132	The provided value for the input parameter ‘device_code’ is not valid. Device codes supporting the personal Microsoft Account sign-in audience can only be used for v2 common or consumers tenants.
90134	Retrieving claims from identity provider ‘{idp}’ failed.
90135	The user decided not to continue the authentication. No remediation is required.
90136	Device Code flow is not supported for Confidential Clients.
90137	Token issuance cannot proceed because user declined consent approval to release their profile information.
90138	Invalid ambiguous request. sid cannot be used with login_hint.
90139	Invalid request. The device code flow connect mode in your request is only supported for the /consumers/ tenant.
90150	Failed to read request.
130001	Signature key ID is not provided.
130004	UserPrincipal doesn’t have the NGC key configured.
130005	NGC key signature verification failed.
130006	The NGC transport key isn’t configured on the device.
130007	The device is disabled.
130008	Device referenced by the NGC key is not found.
130009	Device key was found weak.
130500	Phone sign in was blocked due to User Credential Policy.
130501	Sign in was blocked due to User Credential Policy.
130502	Temporary Access Pass sign in was blocked due to User Credential Policy.
130503	Your Temporary Access Pass is incorrect. If you don’t know your pass, contact your administrator.
130504	Your Temporary Access Pass has expired. Contact your administrator to obtain a new pass.
130505	Your one-time Temporary Access Pass has been redeemed. Contact your admin to get a new pass.
130506	Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass.
130507	An access pass could not be found or verified for the user.
135000	Fido signature verification failed.
135001	UserPrincipal doesn’t have the key ID configured.
135002	Fido key does not have authenticator data.
135003	Fido assertion verification failed. Invalid gesture provided.
135004	Invalid postBackUrl parameter.
135005	Invalid cancelUrl parameter.
135006	Invalid resumeUrl parameter.
135007	Client data type is not valid.
135008	Relying Party Origin is not valid.
135009	Flow Token Scenario must be login scenario.
135010	UserPrincipal doesn’t have the key ID configured.
135011	Device used during the authentication is disabled.
135012	UserObjectId from the UserHandle does not match with UserPrincipal UserObjectId.
135013	Invalid UserHandle prefix.
135014	Invalid UserHandle length.
135015	The FIDO exclude list was not a valid JSON blob.
135016	FIDO sign-in is disabled via policy.
135017	Unexpected Signature Counter received from authenticator.
135018	Invalid challenge received from fido assertion.
135019	Expired Challenge received from Fido assertion.
135020	Invalid Fido assertion.
135021	Invalid UserHandle prefix.
135022	Redirect uri provided by MSA is not valid.
140000	Request nonce is expired. Current time: {curTime}, expiry time of assertion {expTime}.
140001	The session key is not valid.
140002	Key not found
140003	Nonce purpose not supported
140004	Invalid Ticket Granting Ticket request.
140005	Invalid Ticket Granting Ticket request.
140006	Invalid Ticket Granting Ticket request.
140007	Invalid Ticket Granting Service request.
140008	Invalid ApReq assertion provided.
140009	Kerberos crypto bad request
140010	Kerberos ticket validation failure
160011	Selected user account was invalid.
160021	Application requested a user session which does not exist.
240000	Limit for BulkAADJ tokens is reached for the tenant.
240001	User is not authorized to register devices in Azure AD.
240002	Input id_token cannot be used as ‘urn:ietf:params:oauth:grant-type:jwt-bearer’ grant.
240003	Unexpected result from authorize endpoint call.
240004	Authorization code not received from authorize endpoint call. Error: {errorInfo}
240005	Missing required user role to acquire a bulk AADJ token. For more information please go to https://go.microsoft.com/fwlink/?linkid=2224591.
399206	An unexpeted and non-retryable error happened when fetching bloomfilter data from blob storage.
399207	The token request does not contain one or more supported response token type(s): ‘{ResType}’.
399208	Registered certificates must not be used for token binding for public clients. Please use ephemeral client certificates.
399209	Application ‘{appIdentifier}’ does not have certificate-bound access tokens enabled.
399210	A verifiable credential is required to access this resource.
399211	Unable to find the requested DiskCache.
399212	Requested DiskCache is expired.
399213	The device key supplied is invalid.
399214	The algorithm in the request is invalid.
399215	HttpRequestException occurred in request to Dsts.
399216	Timeout occurred in request to Dsts.
399217	Non-retryable error has occurred.
399218	For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.
399219	MSA Data Accessor transient timeout.
399220	More than one service principal returned
399229	Multiple MAM Browser client IDs are present in the claims collection. Values: {values}
399230	MAM Browser application principal ‘{appPrincipalId}’ is not valid in the directory
399231	MAM Browser application principal ‘{appPrincipalId}’ does not have any usable reply address in the directory
399232	MAM Browser application principal ‘{appPrincipalId}’ reply address validation failed. Reason: ‘{reason}’
399233	DstsCache is missing the Signingkey info
399234	Recieved public Signingkey response has XML parsing error
399235	Invalid Soap Headers passed to Dsts request
399236	Invalid Soap Body passed to Dsts request
399237	Failure when proxying a request from DstsCache to legacy dSTS
500011	The resource principal named {name} was not found in the tenant named {tenant}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
500012	Resource application name ‘{name}’ is not valid.
500013	Resource identifier is not provided.
500014	The service principal for resource ‘{identifier}’ is disabled. This indicate that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it.
500015	MSA provisioned resources are not supported in the tenant named {tenant}.
500016	Application ‘{appIdentifier}’ is not supported as a resource application to execute the flow.
500017	Application ‘{appIdentifier}’ is not allowed as a resource application to execute the flow.
500021	Access to ‘{tenant}’ tenant is denied.
500022	Access to ‘{tenant}’ tenant is denied.
500023	‘{headerFromCredential}’ is not the same as ‘{headerFromRequest}’.
500024	Conflicting tenant restrictions signals received by the server on the login request. The header indicated ‘{headerFromRequest}’ while the application added a claims request for ‘{headerFromClaims}’. This can indicate conflicting network and device policies, which Azure AD does not support.
500025	Conflicting tenant restrictions signals received by the server from a claims request. The header from the Id Token ‘{headerFromIdToken}’ is different than the header from the access token ‘{headerFromAccessToken}’.
500031	Cannot find signing certificate configured.
500032	Cannot find signing certificate/private key to issue a certificate.
500033	There is an issue with the key ‘{kid}’. It has both x5t and x5c values, but they do not match. Please make sure the x5t value is the Base64Url-encoded SHA-1 thumbprint of the first certificate in x5c.
500081	SAML assertion validation failed: no supported token signature is provided.
500082	SAML assertion is not present in the token.
500083	Unable to verify token signature. No trusted realm was found with identifier ‘{issuer}’.
500084	Cannot read SecurityToken. Expected element is ({expectedName}, {expectedNamespace}) the actual element is ({localName}, {actualNamespace}).
500085	SAML Assertion with MajorVersion ‘{actualMajor}’ and MinorVersion ‘{actualMinor}’ is not supported. The supported version is MajorVersion ‘{major}’ and MinorVersion ‘{minor}’.
500086	SAML Assertion AssertionId ‘{id}’ is not a valid xsd:ID value.
500087	SAML Assertion does not have any SAML Statement elements. SAML Assertion must have at least one SAML Statement element.
500088	SAML Assertion is missing the required ‘{name}’ Attribute.
500089	SAML 2.0 assertion validation failed: {details}
500101	Audience URI validation failed. No token audiences were found.
500102	Audience URI validation failed. No allowed audiences are configured.
500103	Validation of Audience URI(s) {uri} failed. No match was found with allowed audience(s) {audience}.
500111	The reply uri specified in the request has an invalid scheme.
500112	The reply address ‘{actual}’ does not match the reply address ‘{provided}’ provided when requesting Authorization code.
500113	No reply address is registered for the application{idPhrase}.
500114	Protocol not specified for reply address validation.
500115	The reply uri specified in the request is missing or not a valid URL.
500116	The reply uri specified in the request is not a valid URL. Allowed schemes: ‘{schemes}’.
500117	The reply uri specified in the request isn’t using a secure scheme.
500118	The reply uri specified in the request failed validation. The reply uri host must match one of the registered DNS host names ‘{host}’ for site with ID ‘{id}’.
500119	Redirect URIs with urn: schemes are prohibited. Use a different scheme, or https://login.microsoftonline.com/common/oauth2/nativeclient
500121	Authentication failed during strong authentication request.
500122	SWT assertion failed signature validation. Actual message content is runtime specific. Please see returned exception message for details.
500123	SWT assertion failed signature validation. Actual message content is runtime specific. Please see returned exception message for details.
500124	No device secret is provisioned in the store.
500125	Invalid device secret is provided.
500126	External ID token from issuer ‘{issuer}’ failed signature verification. KeyID of token is ‘{identifier}’.
500127	No authenticated credentials found in request.
500128	No session key found.
500129	No NGC transport key found.
500131	Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was ‘{tokenAudience}’ and the expected audience is ‘{expectedAudience}’ or one of the Application Uris of this application with App ID ‘{appId}’({appName}). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.
500132	Assertion is malformed and cannot be read.
500133	Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: {curTime}, expiry time of assertion {expTime}.
500135	Authentication code is missing in the assertion.
500136	The token issuer doesn’t match the api version: A version 2 token can only be used with the v2 endpoint.
500137	The token issuer doesn’t match the api version: A version 1 token cannot be used with the v2 endpoint.
500138	No Refresh Token claim provided in the assertion.
500139	Refresh token in the assertion is not a primary refresh token.
500141	The user’s redemption is complete but the request was not initiated by the target application.
500142	The user’s redemption is complete and the sign-in should continue.
500183	Certificate has been revoked.
500184	Client assertion JWT token failed verification during certificate based authentication. The token is not signed by the certificate provided in the token.
500185	Tenant differs between user login and certificate user.
500186	User not allowed by policy conditions.
500187	Selected certificate does not meet the criteria.
500200	User account ‘{email}’ is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account.
500201	We are unable to issue tokens from this API version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.
500202	User account ‘{email}’ from external identity provider ‘{idp}’ is not supported for API version ‘{version}’. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint.
500204	Microsoft account ‘{email}’ can’t be used to log in to application {appName}. Please get this user invited to {tenant} directory or sign out and sign in again with a Work or School account.
500205	A consumer (B2C) account can’t be used to log into non consumer applications.
500206	The account type can’t be used for the application you’re trying to log into.
500207	The account type can’t be used for the resource you’re trying to access.
500208	The domain is not a valid login domain for the account type.
500209	Unspecific Tenant is not supported in this domain.
500210	Domain name does not match with the tenant identifier
500211	User account ‘{email}’ from identity provider ‘{idp}’ does not exist in tenant ‘{tenant}’ and cannot access the application ‘{appId}’({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
500212	The user’s administrator has set an outbound access policy that does not allow access to the resource tenant.
500213	The resource tenant’s cross-tenant access policy does not allow this user to access this tenant.
500331	An error occurred while attempting to create a certificate from bytes.
500341	The user account {identifier} has been deleted from the {tenant} directory. To sign into this application, the account must be added to the directory.
500342	User account is not configured for remote NGC.
500343	Could not create remote sign-in session.
500344	User Account is not found for Fido Sign in flow.
500346	E-Mail OTP user cannot sign in with local password.
500571	The guest user account is disabled.
500581	Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires javascript to verify if any MSA accounts are signed in.
500582	Microsoft Account session_id with prompt=none not supported on AAD tenant.
500583	Storage Access required.
500881	Limit on telecom MFA calls reached. Please retry with PhoneAppNotification or try again in a few minutes.
500882	Limit on telecom MFA calls reached. Please retry with PhoneAppCode or try again in a few minutes.
500883	Limit on telecom MFA calls reached. Please retry with CompanionAppsNotification or try again in a few minutes.
501271	Broker app needs to be installed for device authentication to succeed.
501291	Client app is a Mam app, device is not registered and request is sent using a broker. Work place join needs to be done to register the device before the app can be accessed.
501292	Client application cannot satisfy app protection requirement. If it’s a first party app, then it’s not whitelisted to be used with app protection policies, otherwise, the app has not advertised as app-compliant capable, or the authentication library used does not support app protection policies.
501293	The device is not workplace joined. To proceed with the ‘Sign in from another device’ option, this device must be workplace joined.
501311	Browser not supported.
501312	Device used during the authentication is not registered for the account.
501313	Your device is required to be managed to access this resource.
501314	Silent interrupt required to recognize browser capabilities. Used to differentiate between Safari running in iPadOS or Mac.
501471	Missing code_challenge parameter.
501481	The Code_Verifier does not match the code_challenge supplied in the authorization request.
501482	The Code_Verifier length is less than invalid.
501491	Invalid size of Code_Challenge parameter.
501811	OTP is incorrect, or no cache entry exists for the tenant/user.
530001	Browser not supported.
530002	Your device is required to be compliant to access this resource.
530003	Your device is required to be managed to access this resource.
530004	AcceptCompliantDevice setting isn’t configured for this organization. The admin needs to configure this setting to allow external users access to protected resources.
530011	Browser not supported.
530021	Application does not meet the conditional access approved app requirements.
530022	Browser not supported.
530031	Access policy does not allow token issuance.
530032	User blocked due to risk on home tenant.
530033	Remote device flow blocked due to device based conditional access.
530034	A delegated administrator was blocked from accessing the tenant due to account risk.
530035	Access has been blocked by security defaults.
650041	User terminated the request.
650051	Actual message content is runtime specific. Please see returned exception message for details.
650052	The app is trying to access a service ‘{appId}’({appName}) that your organization ‘{organization}’ lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
650053	The application ‘{name}’ asked for scope ‘{scope}’ that doesn’t exist on the resource ‘{resource}’. Contact the app vendor.
650054	The application ‘{name}’ asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.
650055	The application ‘{name}’ required resource access list does not contain applications discoverable by ‘{resource}’.
650056	Misconfigured application. This could be due to one of the following: the client has not listed any permissions for ‘{name}’ in the requested permissions in the client’s application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it’s valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: {id}.
650057	Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration. Client app ID: {appId}({appName}). Resource value from request: {resource}. Resource app ID: {resourceAppId}. List of valid resources from app registration: {regList}.
650058	The app needs access to a service that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
650061	The client application {appDisplayName} ({applicationId}) requested the role {roleName} ({roleId}) on the resource application {resourceDisplayName} ({resourceId}) but this role is only assignable to users. Either the client application vendor must remove the role from the requested roles, or the owner of the resource application must allow the role to be assignable to applications. For more information, see https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
700001	Application: {samlAudience} needs to opt-in for ‘aio’ optional claim for On Behalf Of flow to work with SAML tokens issued to this application
700002	SAML 1.1 Bearer assertion must be a valid Base64 encoded value.
700003	Device object was not found in the tenant ‘{tenantName}’ directory.
700004	onpremobjectguid ‘{objGuid}’ attribute in the presented grant is malformed.
700005	Provided Authorization Code is intended to use against other tenant, thus rejected.
700006	The Audience: {audience} of the token is NOT an absolute Uri
700007	The grant was issued for a different client id.
700008	Social IDP users are not expected to have home tenant.
700009	Reply address must be provided when presenting an authorization code requested with an explicit reply address.
700011	Application with identifier {appIdentifier} was not found in the directory.
700012	Missing Authorization header with bearer token. Client was not authenticated.
700013	Client is not authorized to request managed browser purpose token.
700014	Mobile Edge app needs to provide an enrollment id in order to acquire a purpose token that can satisfy the compliant app requirement.
700016	Application with identifier ‘{appIdentifier}’ was not found in the directory ‘{tenantName}’. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
700017	{resourceConstant} ‘{resourceIdentifier}’ is not supported as resource.
700018	{resourceConstant} ‘{resourceIdentifier}’ is not supported as resource.
700019	Application ID {identifier} cannot be used or is not authorized.
700020	Application ID {identifier} is a reserved identifier and should be removed on the application: {applicationId}.
700021	Client assertion application identifier doesn’t match ‘client_id’ parameter. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700022	No Subject claim provided in the assertion. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700023	Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700024	Client assertion is not within its valid time range. Current time: {curTime}, assertion valid from {validTime}, expiry time of assertion {expTime}. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
700025	Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented.
700026	Client application has no configured keys.
700027	Client assertion failed signature validation.
700028	Certificate with thumbprint {thumbprint} is not authorized.
700029	Invalid signing certificate.
700030	Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: {certificateSubjects}.
700031	Invalid certificate - SubjectName or SubjectAlternativeName is missing
700032	Invalid certificate - Trusted Certificate Subjects for application are missing
700033	For asserting custom_claims, client must provide either xms_actor_token or subject name issuer certificate with custom claim allowed values.
700034	Client assertion contains an invalid xms_actor_token claim.
700035	Client assertion contains custom_claims in the incorrect format.
700036	Client is not authorized to override managed identity claim in the token.
700037	Client assertion must declare x5c header when overriding managed resource ID.
700038	00000000-0000-0000-0000-000000000000 is not a valid application identifier.
700039	00000000-0000-0000-0000-000000000000 is not a valid resource identifier
700040	Managed Resource ID ‘{inputManagedResourceId}’ is not a valid resource identifier.
700041	Post-logout redirect uri is not in approved list. Requested post-logout url: {url}.
700042	The reply address does not match the reply addresses configured for the application.
700043	The redirect address ‘{address}’ does not match the redirect addresses configured for service identity ‘{serviceId}’.
700044	The redirect address ‘{address}’ corresponding to this authorization code does not match the redirect address ‘{requestAddress}’ specified in the request.
700045	Redirect address ‘{address}’ specified by the client does not match any configured addresses ‘{configuredAddress}’ or any addresses on the OIDC approve list.
700046	Invalid Reply Address. Reply Address must have scheme brk-{brkApplicationId}:// and be of Single Page Application type.
700047	Invalid Reply Address. Broker must use Single-Page Application Reply Address.
700048	Client assertion contains an invalid xms_actor_token claim. The audience of the claim is not correctly set.
700049	Claim override is only allowed for User Assigned Managed Service Identities. Make sure the caller app is a Managed Identity, and the override is being done for a User Assigned identity.
700050	Actor token is not within its valid time range. Current time: {curTime}, expiry time of actor token {expTime}.
700051	response_type ’token’ is not enabled for the application.
700052	The token request contains one or more unsupported response token type(s): ‘{ResType}’.
700053	response_type ‘id_token’ requires the ‘openid’ scope.
700054	response_type ‘id_token’ is not enabled for the application.
700055	Redirection to B2C first party app is permitted only to the /authresp endpoint.
700056	User account does not exist in organization.
700081	The refresh token has expired due to maximum lifetime. The token was issued on {issueDate} and the maximum allowed lifetime for this application is {time}.
700082	The refresh token has expired due to inactivity. The token was issued on {issueDate} and was inactive for {time}.
700083	The primary refresh token has expired due to maximum lifetime. The token was issued on {issueDate} and the maximum allowed lifetime for this application is {time}.
700084	The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on {issueDate}.
900143	‘{name}’ is required for the ‘{type}’ grant type.
900144	The request body must contain the following parameter: ‘{name}’.
900161	Invalid access token. Required tenant ID claim is missing.
900941	Administrator consent is required. App is considered risky.
900942	Admin consent is required in order to allow token to be issued for clients to access resource.
1000005	Invalid definition for external identity provider, domain is missing
1000006	Invalid definition for external identity provider with domain ‘{domain}’. Reason: Following properties are mandatory: domain, issuer URI, passive authentication URL.
1000007	Invalid definition for external identity provider with domain ‘{domain}’. Reason: The value ‘{url}’ in the property ‘{urlType}’ must be an absolute URL.
1000008	Invalid definition for external identity provider with domain ‘{domain}’. Reason: The value ‘{url}’ in the property ‘{urlType}’ must be https.
1000009	Invalid definition for external identity provider with domain ‘{domain}’. Reason: Only WsFederation/SamlP/OAuth2 protocols are allowed.
1000010	Invalid definition for external identity provider with domain ‘{domain}’. Reason: Domain ‘{value}’ is not in expected format.
1000011	Invalid definition for external identity provider with domain ‘{domain}’. Reason: Issuer ‘{value}’ is not in expected format.
1000012	Invalid definition for external identity provider with domain ‘{domain}’. Reason: Domain ‘{value}’ is a reserved value.
1000013	Invalid definition for external identity provider with domain ‘{domain}’. Reason: Issuer ‘{value}’ is a reserved value.
1000014	Cannot issue On-Behalf-Of token for tenant ‘{tenant1}’ as JWT bearer token was issued for ‘{tenant2}’.
1000015	Direct federation users are not expected to have home tenant.
1000018	Realm with domain ‘{domain}’ is not an external realm.
1000019	The provided certificate authority type ‘{certificateAuthorityType}’ is not valid.
1000020	The provided application ‘{applicationId}’ may not be used on this endpoint.
1000021	External Claims Provider unavailable: general exception.
1000022	External Claims Provider unavailable: WebException status code ‘{status}’.
1000023	The GitHub access token forwarded exceeds the configured length of ‘{sizeLimit}’.
1000024	Requested claim ‘ClientIpReportedByRP’ should have a single and valid ip address.
1000025	Received invalid stk_jwk.
1000026	Received invalid Primary Refresh Token.
1000027	Session Transport Key is not present.
1000028	Received invalid Windows SSO Credential.
1000029	The provided confirmation request (req_cnf or pop_jwk) is not properly formatted.
1000030	Microsoft Account granted Refresh Token Credential is not supported on AAD tenant.
1000031	Application {appDisplayName} cannot be accessed at this time. Contact your administrator.
1000032	Received invalid stk_jwk key thumbprint.
1000033	Stk_jwk key doesn’t match session transport key thumbprint specified at the beginning of the session.
1000034	Stk_jwk key must not be submitted via x5c.
1000035	There was an error issuing Bound RT token.
1000036	BoundRT use as a bearer refresh token is unsupported.
1000037	Stk_jwk thumbprint is not provided for SSO Bound RT redemption.
1000038	Received invalid req_cnf key thumbprint.
1000039	Req_cnf key ‘{kid}’ doesn’t match proof of possession key thumbprint specified at the beginning of the session.
1000040	Received invalid dk_jwk key thumbprint.
1000501	Unable to read session document from Session Store.
1000502	The provided certificate is not within its specified validity window.
1000503	Request contains mismatched device ids.
1002001	The device template was not found in the tenant ‘{tenantName}’.
1002002	The Cert Based Auth Configuration was not found in the tenant ‘{tenantName}’ or was invalid.
1002003	The TLS certificate provided does not match the certificate on the device.
1002004	The MTLS subject was not found in the subject or SAN list.
1002005	Device in tenant ‘{tenantName}’ does not have suitable credentials.
1002006	Request contains empty or invalid subject.
1002007	Missing required roles to access token evaluation data endpoint, roles present in the token is {roles}
1002008	Unable to authorize to the token evaluation data endpoint. Tenant Identifier in the request: {requestTenant} does not match tenant identifier in the token: {tenantIdInToken}
1002009	Unable to authorize to the token evaluation data endpoint. Unexpected scope present in the bearer token, app delegation(service principal obo) token is not supported to access the endpoint.
1002010	There was an error on fetching revocaton data or issue with token evaluation data endpoint.
1002011	The tenant branding cdn domains are not configured for the private link.
1002012	The provided value for scope {scope} is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
1002014	Unable to complete request. The request was invalid since domain_hint and opaque login_hint cannot be used together.
1002016	You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD. Your TenantID is: {tenantId}. Please refer to https://go.microsoft.com/fwlink/?linkid=2161187 and conduct needed actions to remediate the issue. For further questions, please contact your administrator.
1002017	Bad Request. The passed logout_hint cannot be parsed.
1002021	The version of client library you are using is not supported for accessing resources in another Microsoft cloud as a guest.
1002022	A transient error occurred while attempting to fetch bloom filter data. Please try again later.
1002023	Invalid grant. Device authentication is required from a specific tenant.
1002024	A primary refresh token must be redeemed with a prt protocol version.
1002026	Common endpoint for app tokens is on the deprecation path and not supported on regional AAD. Please use the tenanted endpoint instead.
1002027	Some of the collected attributes were invalid.
1002028	Missing required roles to access partitioned token signing key endpoint, roles present in the token is {roles}
1002029	Unable to authorize to the partitioned token signing key endpoint. Unexpected scope present in the bearer token, app delegation(service principal obo) token is not supported to access the endpoint.
1002030	Internal service error occured in first party app token validator.
1003012	The custom extension returned an invalid action type defined for that custom extension type.
1003013	Invalid request. Nonce from artifact has expired.
1003014	The custom extension resourceId should be in the format of api://fully qualified domain name/appid.
1003015	The targetUrl and resourceId of the custom extension should have the same fully qualified domain name.
1003016	The appId of the custom extension resourceId should correspond to a real service principal in the tenant.
1003017	The Azure Active Directory Authentication Extensions service principal not found in tenant.
1003018	The Azure Active Directory Authentication Extensions service principal is disabled in this tenant.
1003019	The custom extension resource service principal is disabled in this tenant.
1003020	The target URL is in an improper format. It’s must be a valid URL that start with https://
1003021	The permission CustomAuthenticationExtension.Receive.Payload is not granted to the service principal of the resource app.
1003022	The MS Graph service principal is disabled or not found in this tenant.
1003023	The endpoint used for the custom extension is blocked by the service.
1003024	The custom extension response size exceeded the maximum limit.
1003025	The total size of claims in the custom extension response exceeded the maximum limit.
1003026	The custom extension API responded with claims containing null or empty key.
1003027	Error connecting to the custom extension API.
1003030	A transient error occurred while authenticating an MSA (consumer) user.
1003031	Misconfigured required resource access in client application registration.
1003032	The bluestone storage account in TokenEvaluationData endpoint has not been successfully initialized
1003033	The remote ngc session was denied.
1003034	Your organization is not configured to sign in this type of personal Microsoft account. Visit https://aka.ms/MSAUnprotectedAccountsGuidance for more details.
1003035	The json web key supplied is invalid.
1003036	Partitioned token signing key feature is not set properly.
1003037	It looks like you may already have an account with us using this email address. Try signing in again with another identity provider.
1003038	Root token signing key is not found.
1003039	Partitioned token signing key is not found.
5000611	Symmetric Key Derivation Function version ‘{version}’ is invalid.
5001210	Unsupported transport key format.
5001211	Unable to create primary refresh token.
5001212	Device authentication is required to issue primary refresh token.
5001213	Windows Integrated authentication is needed. Unable to use Seamless SSO to authenticate the user.
5001214	Authentication failed.
7000011	Requested SAML 2.0 assertion has invalid SubjectConfirmation Method: {method}.
7000012	The grant was obtained for a different tenant.
7000013	The grant is not supported by API version {apiVersion}.
7000014	The provided value for the input parameter ‘device_code’ is not valid.
7000015	The grant was obtained for a different tenant.
7000016	Primary refresh token is not signed with session key.
7000017	Broker restricted refresh token can’t be used as credential.
7000018	Token binding header is empty.
7000019	Token binding hash does not match.
7000020	SAML 2.0 Bearer assertion must be a valid Base64Url encoded value.
7000021	Unrecognized grant type {type}.
7000022	VSM Binding Key missing from Ticket Granting Ticket request.
7000023	VSM Binding key mismatch.
7000024	Inconsistent broker application IDs asserted by incoming credentials.
7000025	Ambiguous request. The grant contains duplicate claims.
7000026	Provided grant is invalid or malformed. The grant requires an encrypted response, but the client is not indicating it understands encrypted responses.
7000027	An emergency refresh token is present but rejected.
7000028	Attestation key is required for this request but it doesn’t exist in the device. Please consider re-enrolling the device.
7000029	The token binding claim is invalid because it was not generated on the same device as attestation key. Please verify the legitimacy of the device.
7000030	The token binding claim is invalid because the thumbprint of binding key does not match the thumbprint in the binding claim or the thumbprint in the binding claim is missing. Please verify the legitimacy of the device.
7000031	The signing algorithm {algorithm} of attestation key is not supported. Please consider re-enrolling the device and update the attestation key.
7000032	The security enclave type {enclave} of the token binding key is unknown. Please consider re-enrolling the device.
7000033	Token doesn’t contain expected claim: ‘{claim}’.
7000034	The token binding claim is malformatted. Please consider re-enrolling the device.
7000110	Request is ambiguous, multiple application identifiers found.
7000112	Application ‘{appIdentifier}’({appName}) is disabled.
7000113	Application ‘{appIdentifier}’ is not authorized to make application on-behalf-of calls.
7000114	Application ‘{appIdentifier}’ is not allowed to make application on-behalf-of calls.
7000115	This grant is reedemable only by broker application.
7000116	Client application ‘{appIdentifier}’({appName}) is disabled in tenant {tenant}. Please review the documentation: https://go.microsoft.com/fwlink/?linkid=2167553
7000117	Resource application ‘{appIdentifier}’({appName}) is disabled in tenant {tenant}. Please review the documentation: https://go.microsoft.com/fwlink/?linkid=2167553
7000210	Unable to find source of Trusted Certificate Authority policy.
7000211	Trusted Certificate Authority policy is not configured on the tenant ‘{tenantId}’.
7000212	No matching Trusted Certificate Authority policy found for authorized subject name.
7000213	Invalid certificate chain.
7000214	Certificate has been revoked.
7000215	Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app ‘{identifier}’.
7000216	‘client_assertion’, ‘client_secret’ or ‘request’ is required for the ‘client_credentials’ grant type.
7000217	The service principal named {appPhrase} was not found in the tenant named {tenant_name}. This can happen if the application has not been installed by the administrator of the tenant.
7000218	The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.
7000219	‘client_assertion’ or ‘client_secret’ is required for the ‘{type}’ grant type.
7000220	Client application identifier in the provided grant doesn’t match ‘client_id’ parameter.
7000221	Certificate Subject must match Issuer claim in the client assertion.
7000222	The provided client secret keys for app ‘{identifier}’ are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.
7000223	Application {brokerAppId} is not authorized to broker tokens.
7000224	Application {childAppId} is not authorized to have tokens brokered on its behalf.
7000225	Invalid credentials: An MSI certificate was included in the request for the app, but the app (object ID: {oid}, application id: {clientId}) is not an MSI. Ensure that your code is matching MSI identities and certificates appropriately.
7000226	No federated identity credential policy found on application ({appid}). The client_assertion used to authenticate the request does not match the subject or application being requested. Ensure that the application ID in the request is correct, that the app has a policy applied to it, and that the correct client_assertion is being provided in the request.
7000227	No Federated Identity Credential policy found on application that matched the presented MSI-signed client assertion. Expecting a Federated Identity Credential with subject: ‘{msiSpid}’, issuer: ‘{expectedIssuer}’ and audience: ‘{expectedAudience}’.
7000228	Application {brokerAppId} is not authorized to broker tokens.
7000229	The client application {appId} is missing service principal in the tenant {tenantId}. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119
9002310	Invalid request. The transforms element must contain at least one transform.
9002311	Invalid request. Unsupported canonicalization algorithm.
9002312	Invalid request. XML is empty.
9002313	Invalid request. Request is malformed or invalid.
9002314	Resource hostname is required.
9002315	Invalid request. Cannot use /consumers/ on v1 signout.
9002316	Invalid request. Cannot select consumer user session if the endpoint does not support consumer logout.
9002317	Invalid issuer specified.
9002318	Invalid request. Cannot select consumer user session and enterprise user session at the same time.
9002319	Public clients can’t send a client secret.
9002320	The realm ‘{realm}’ is not a configured realm of the tenant.
9002321	No credentials found with the necessary validated claims that map to external user information.
9002322	Protected forwarded token request is not in correct format.
9002323	Certificate must be a valid base64 encoded certificate.
9002324	Request should not contain more than one client credential parameters, this includes ‘client_secret’, ‘client_assertion’ and ‘request’ parameters.
9002325	Proof Key for Code Exchange is required for cross-origin authorization code redemption.
9002326	Cross-origin token redemption is permitted only for the ‘Single-Page Application’ client-type. Request origin: ‘{origin}’.
9002327	Tokens issued for the ‘Single-Page Application’ client-type may only be redeemed via cross-origin requests.
9002328	Invalid request. Cannot use /common or /consumers on admin-consent. Please specify the tenant in GUID or friendly name format OR generically reference it with /organizations.
9002329	Misconfigured client or resource Service Principal ‘{appId}’. Missing Salt Key.
9002330	Invalid Request. Wam_compat version is not supported.
9002331	Application ‘{principalId}’({principalName}) is configured for use by Microsoft Account users only. Please use the /consumers endpoint to serve this request.
9002332	Application ‘{principalId}’({principalName}) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.
9002333	Invalid request. The RDP request is missing the PoP key via req_cnf.
9002334	Invalid request. The RDP logon request is missing the RDP assertion.
9002335	Invalid request. The RDP assertion is invalid or is missing mandatory properties.
9002336	Invalid RDP request.
9002337	Invalid request. The application is registered in the legacy Microsoft Account tenant using apps.dev.microsoft.com, but is configured for use by Azure Active Directory tenants only. Use of /common is not supported for this registration. Please use a tenanted endpoint to request a token.
9002338	Invalid request. Request is malformed or invalid.
9002339	Unsupported user account for this endpoint. The user is a Microsoft Accounts user, but this app does not have the Microsoft account audience enabled. Either enable Microsoft account support to use the /common endpoint or use the tenanted endpoint to target a specific Azure AD tenant for auth.
9002340	The permission (scope) list {scopeListString} is missing Rdp flow allowed permissions.