Connect Health and Azure sign-ins data for AD FS

Below is a list of all Connect Health error codes that are relevant to AD FS.

Error codes
| Error code | Error number | Description | Remediation information |
| --- | --- | --- | --- |
| TokenIssuanceError | 50000 | The user was not able to sign in because of issuance authorization errors. | Check the Issuance Authorization rules and check whether they include "Permit All". If not, go through the custom authorization rules to check whether the condition in each rule evaluates to true for the affected user. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| InvalidRelyingPartyError | 50001 | The user was not able to sign in because the resource being accessed is disabled or the name could not be found. | This can happen if the application has not been installed by the administrator of the tenant, or if the resource principal was not found in the directory or is invalid due to a typo. Check your app's code to ensure that you have specified the exact and correct resource URL for the resource you are trying to access. See the returned exception message for details. |
| CertificateValidationFailed | 50017 | The user was not able to sign in because certificate-based authentication failed. | Troubleshoot certificate-based authentication here. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| UserDisabled | 50057 | The user was not able to sign in because the user's account is disabled. | Verify whether the account has been locked out in Active Directory and re-enable the user if necessary. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| InvalidUserNameOrPassword | 50126 | The user was not able to sign in because the user did not enter the right credentials. | Check whether the affected user's password is incorrect, newly changed, or expired. If none of these apply, check service account permissions and the AD trust. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| InvalidPasswordExpiredOnPremPassword | 50144 | The user was not able to sign in because the user's password is expired. | The user should change their password at the next attempted login. |
| DeviceAuthenticationFailed | 50155 | The user was not able to sign in because device authentication failed. | Verify that the device is synced from cloud to on-prem or is not disabled. Sync cycles may be delayed because the key is synced after the object is synced. |
| UnspecifiedError | 90000 | Catch-all for any other error conditions. | For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| AuthorityCertificateResolveError | 300010 | The user was not able to sign in because AD FS rejected the token from a 3rd party IDP. | Verify the correct configuration of the signing certificate and encryption certificate on AD FS and the Claims Provider Trust. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| MfaTokenValidationFailure | 300020 | The user was not able to sign in because of a problem during token validation at the MFA layer. | For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| AccountExtranetLockedOut | 300030 | The user was not able to sign in because the user was locked out from the extranet. | Troubleshoot extranet lockout settings and multiple user lockouts here. Reset the user lockout with the Reset-ADFSAccountLockout PowerShell cmdlet. For additional information on ESL, view this document. |
| WsFedRequestFailure | 300040 | The user was not able to sign in because AD FS rejected the WS Federation passive request because it is malformed or invalid. | For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |