Keep getting AADSTS50126: Invalid username or password for no valid reason.
Username and password work when I try to log in to the desired application in my browser.
I activated the switch for Default Client type to allow ROPC in my Application Registrations.
POST: https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token
client_id:<Client_ID of my App I want to create the id_token for>
client_secret:<mySecret>
username:<email of my user>
grant_type:password
password:<password of my user>
scope:<my Scope>
@ManuelMos Thank you for your feedback. We will investigate and update further on this.
Hi @ManuelMos,
I executed the ROPC flow and am able to get the token. Could you please check your scope value, or try to execute with different username and password.
For reference please check the below screenshot:
Please let us know if it helps.
Thank you.
Hi @ManuelMos,
I hope the above information is helpful. We will now close this issue. Should you have any further queries, please tag me or @shashishailaj to your reply and we can gladly continue the conversation.
Thank you.
Hi @MohitDhingra-MSFT @shashishailaj, I am still getting the same error. Can we have an email conversation on that issue?
@MohitDhingra-MSFT @shashishailaj
Sorry for the late response.
Still having the same issue:
Is there any admin setting in Azure to prohibit the use of the ROPC flow?
If I try to use the
AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII does not exist in the stracloud.onmicrosoft.com directory.
So I guess I have to use our default mail address we also use to log in with the standard Azure login.
We are running into the same issue, have tried with multiple user accounts. I feel like some information is missing?
@ManuelMos Apologies for the late reply. Could you please email us at azcommunity [at] microsoft [dot] com along with your Azure subscription ID and we will help you with alternative support options.
Thank you.
Even I'm getting same error. This is for VMware tenant
Guys, my issue has been fixed. I reset my password and after that it is working fine.
@ManuelMos Did you get through this? if yes please post the resolution steps provided.
All my account details are correct still getting the same error. Thanks
@shashishailaj
I've registered a native app (for Power BI push operation) and added the necessary API permissions.
Global admin granted the consent. But the access token method fails.
Equivalent PS script used to get the access token:
# v1 endpoint: identifies the API with 'resource' (the v2.0 endpoint uses 'scope' instead)
$authUrl = "https://login.windows.net/common/oauth2/token"
$body = @{
    "resource"   = "https://analysis.windows.net/powerbi/api"
    "client_id"  = "myclientid"
    "grant_type" = "password"
    "username"   = "myuser"
    "password"   = "mypass"
    "scope"      = "openid"
}
# Invoke-RestMethod form-encodes the hashtable as application/x-www-form-urlencoded
$authResponse = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body
$authResponse.access_token
But getting the same error:
Invoke-RestMethod : {"error":"invalid_grant","error_description":"AADSTS50126: Invalid username or password.
The master account used is synchronised to Azure AD from windows active directory server.
Blocked around this issue for a while. Any quick help is appreciated. Thanks in advance.
@ajiljins @MohitDhingra-MSFT @shashishailaj Still having the same issue.
I guess it’s a tenant setting or something like that. Currently waiting for a response from azcommunity mail.
@MohitDhingra-MSFT
This Ticket should be reopened, since we still have this issue.
@ManuelMos My sincere apologies for the delay. Somehow the spam filters caught that email. I have responded to you on the email thread on the next course of action.
@ajiljins We are getting this worked internally and will update the findings on this thread.
Getting the same error. Using the ROPC request from postman collection. Does this flow work?
So it was "solved" for us. We had missed that ROPC was not supported in hybrid setups. In case anyone else is stuck for the same reason.
I tried to execute ROPC flow using postman and I am able to get the token. Below is the screenshot.
I hope this time the above information is helpful. We will now close this issue. Should you have any further queries, please tag me to your reply and we can gladly continue the conversation.
Thank you.
Found the problem. Need to go to the app's Authentication tab, scroll down and select Yes in the Default client type section.
Hi,
I am getting the same error: "AADSTS50126: Invalid username or password.\rnTrace ID:
Request:
POST https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token
grant_type: password
client_id: client id from app registration
client_secret: secret key from Certificates & secrets
username: username
password: password
scope: https://graph.microsoft.com/.default
I have changed "Default Client type" to YES to activate ROPC flow.
Postman:
Error i am getting:
@MohitDhingra-MSFT could you please respond?
Thanks in advance.
@MohitDhingra-MSFT : I have the same issue as @vskgit in the previous comment. Our client is and has always been "Default client type" = Yes. Nonetheless, we're getting this error code 50126 "Invalid password".
I am still facing this issue. is it resolved?
I am facing the same issue when using https://login.microsoftonline.com/common/oauth2/token attempting to get a token for a Power BI app
Was this issue ever resolved? I am facing the same issue.
Hello,
I am also facing the same issue.
Can someone help us?
BTW: I am trying to access this API:
https://login.microsoftonline.com/[Tenant_ID]/oauth2/v2.0/token
@MohitDhingra-MSFT I am facing the same issue. Can you kindly help?
This is the project for MS documentation, but it appears that this is a software bug, in that the wrong error code is returned. Does anybody have a way to report bugs to Microsoft, in a way that MS listens and actually fixes them?
We apologise for the lack of response. The issue is marked Closed so this hasn’t been bubbling up to the top. Our small team can help address doc issues but for software issues, here are the various ways to get help: https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-support-help-options
Thank you.
Hi Everyone,
If you have Federated authentication enabled for user sign-in, you get redirected to the federated IDP for credentials validation. Now when you are using ROPC flow via postman, this redirection is not possible and it results in Invalid username or password error.
In order for this to work, you would need to disable federated authentication and use managed authentication so that AAD can verify the credentials locally and no redirection is required. You can confirm this by requesting a token for cloud only user account.
As you supply your credentials in the request body in case of ROPC, the redirection won't happen based on UPN Suffix, If you use other flows like Implicit or Code Grant flow, you get ADAL prompt (as shown below) which supports redirection and federated auth would work in that case.
@amanmcse : Sorry, but you're speaking a different language than I do ("federated IDP", "ROPC", "Implicit or Code Grant flow", "ADAL" etc.). But that aside:
I think that you're assuming a different situation. You seem to be presuming that I'm a domain admin ("you would need to disable federated authentication"). I am talking from the perspective of a software developer that needs to authenticate their users, and uses OAuth2. It must work for all users, no matter the configuration. Neither we nor our users have admin rights on the domain. Things working for some users and not for others, depending on the domain config, is pure nightmare, for all parties involved.
The problem here is something else, and is simple: The Microsoft servers return the wrong error code and message. The error message and code are flat out wrong.
From the software side, we must unambiguously distinguish between a) an actually invalid password, where the user entered the wrong password, and b) some technical problem or incompatibility with the domain setup. The reason why it's crucial to differentiate is because the error recovery is very different. In the first case a), I tell the user that his password is wrong and he needs to enter it again. In the second case b), I either do some fallback code or tell the user that I cannot support his account. If I pick the wrong case, because the error code I get is wrong - as in this case -, then I'll keep asking the user to re-enter the passwords, which is completely useless, confusing, and might even lead him to enter other passwords, which is dangerous. In any case, it's a really bad end user experience.
The documentation specifically says that this error code means that is an invalid password. The password is right, so the error message is flat out wrong. The error message is correct in most configurations, where it's really returned only for wrong passwords, just not in this one.
The bug here is just that a MS developer was re-using the wrong error code, instead of creating a new error code as he should. This must be fixed in the Microsoft software. That's the only place where it can be fixed. There's no other way to fix this properly.
This leads to hurt and setup pains for end users. Please fix it.
@benbucksch Yes, it makes sense to provide a different error in this case and you can provide a feedback regarding this on https://feedback.azure.com which is monitored by the product team.
But, to return a different error certain checks would be required to perform and it will be complicated task to perform those checks which may affect the overall time to provide authentication response. Maybe if you read about "federated IDP", "ROPC", "Implicit or Code Grant flow", "ADAL" etc. this will make more sense.
@amanmcse :+1:
Thanks for your acknowledgment! That is appreciated.
may affect the overall time to provide authentication response
Given that this is an error situation, a slower response is fine, if that gives a more correct response. The effects of the current situation cost the user a _lot_ of time or lead to a complete failure of the entire process. With a proper error message, the error may be rectifiable. This is well worth a few ms or even a few seconds.
Worse, the current situation means that I cannot trust the error code in any situation, even where it's valid and correct.
@Everybody affected by this:
you can provide a feedback regarding this on https://feedback.azure.com which is monitored by the product team.
and as the document referenced by @CelesteDG says:
If you already have an Azure Support Plan, open a support request
@benbucksch Please post a feedback and share the feedback link here. So that others can vote on your feedback.
@Everybody: Please vote for it (you can put 3 votes on the same issue), and maybe even point your paid support to it.
Hello All,
Has anyone found a solution to this problem? Or got any alternative?. Please share if there is any.
Hi All,
I am facing same issue.
Please share the solution.
I have the same issue. Nobody is looking at it?
I have the same issue too. Any response?
Please check https://github.com/MicrosoftDocs/azure-docs/issues/30802#issuecomment-632708429
@amanmcse
I have the same issue.
I've tried your solution with HomeRealmDiscoveryPolicy applied to principal. No changes at all.
Still getting 400 with bad credentials response.
"timestamp": "2020-07-19 13:53:14Z",
"trace_id": "87892273-8a5f-474a-a79e-2ef8d1fd2201",
"correlation_id": "feaee5d2-7301-483a-8e8e-5baa2e8a7e7d",
@tochilavictor Thanks for your feedback. There was a minor mistake in New-AzureADPolicy command. I have corrected that. Please try following the steps here again and let me know if that helps.
We've debugged this further with engineering of a large customer, and we found that error 50126 is returned in cases where an Office365 domain uses a third party MFA provider, and the email client software is trying OAuth2 with password. In this case, the Microsoft servers are returning this error code 50126.
This is clearly a bug of the Microsoft server, because error code 50126 is very clearly specified to be an user error, that the user entered the wrong password. However, the password is correct, just the authentication method is wrong.
As already explained above, the difference between the cases is very important, because the email client software needs to either ask the user to correct the password, or try another authentication methods, which also requires user interaction, but a different one. So, the software needs to decide what to do. But due to this bug that both cases return the same error code (and also there's no other way that we know of to find out the enabled authentication methods before-hand), we're stuck. It's impossible to implement this correctly.
@amanmcse : Could you please see for this to be fixed? I filed the "suggestion box", but it was not only ignored, but simply deleted :-( .
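An added example, written for this page and not taken from the thread or from Microsoft: a small Python client that does what the federated-versus-managed explanation earlier in the thread implies a caller should do before trusting AADSTS50126, and what the email-client argument above asks for. It queries the Azure AD user-realm endpoint (`/common/userrealm/{upn}?api-version=1.0`, whose `account_type` field is `Managed` or `Federated`) before sending the same v2.0 ROPC form fields shown in the original post, and maps the error codes that appear in this thread (50126, 50034) to a client action instead of always re-prompting for a password. Tenant, client and user values are placeholders; the realm and error JSON at the bottom are constructed samples so the classification can be exercised offline.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

# Endpoints used by this example:
#   GET  {AUTHORITY}/common/userrealm/{upn}?api-version=1.0  -> account_type Managed/Federated
#   POST {AUTHORITY}/{tenant}/oauth2/v2.0/token              -> ROPC token request
# The sample responses at the bottom are constructed for this example, not captured.

AADSTS_RE = re.compile(r"AADSTS(\d{5})")


def realm_lookup_url(username):
    """URL of the user-realm (home realm discovery) endpoint for one UPN."""
    upn = urllib.parse.quote(username, safe="")
    return f"{AUTHORITY}/common/userrealm/{upn}?api-version=1.0"


def ropc_request(tenant, client_id, username, password, scope, client_secret=None):
    """Return (url, form_body) for the v2.0 ROPC request, the fields used in the issue."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    }
    if client_secret:  # confidential clients only; public clients send no secret
        form["client_secret"] = client_secret
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urllib.parse.urlencode(form).encode()


def account_type(realm_json):
    """'Managed': AAD validates the password itself. 'Federated': the domain's own
    IdP must, and a bare ROPC POST cannot be redirected there."""
    return realm_json.get("account_type", "Unknown")


def error_codes(error_json):
    """Collect AADSTS codes from error_codes[] and, as fallback, error_description."""
    codes = {int(c) for c in error_json.get("error_codes", [])}
    codes.update(int(m) for m in AADSTS_RE.findall(error_json.get("error_description", "")))
    return codes


def classify_failure(error_json, realm_type):
    """Turn an ROPC failure into a client action. 50126 only means 'wrong password'
    when the realm is Managed; for Federated or Unknown realms the same code can
    mean the flow itself is unusable, so the user must not be asked to retype."""
    codes = error_codes(error_json)
    if 50034 in codes:
        return "user_not_in_tenant"
    if 50126 in codes:
        return "wrong_password" if realm_type == "Managed" else "ropc_not_usable_for_realm"
    return "other"


def post_form(url, body):
    """POST the form and return (status, parsed JSON) for 2xx and 4xx alike."""
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def get_token_or_action(tenant, client_id, username, password, scope, client_secret=None):
    """Live flow (needs network): realm check, then ROPC, then classification."""
    with urllib.request.urlopen(realm_lookup_url(username)) as resp:
        realm_type = account_type(json.load(resp))
    if realm_type != "Managed":
        return None, "ropc_not_usable_for_realm"  # no password leaves the client
    url, body = ropc_request(tenant, client_id, username, password, scope, client_secret)
    status, payload = post_form(url, body)
    if status == 200:
        return payload["access_token"], "ok"
    return None, classify_failure(payload, realm_type)


# Constructed sample data (not from a real tenant)
SAMPLE_REALM_FEDERATED = {"ver": "1.0", "account_type": "Federated",
                          "domain_name": "contoso.example", "federation_protocol": "WSTrust"}
SAMPLE_REALM_MANAGED = {"ver": "1.0", "account_type": "Managed",
                        "domain_name": "contoso.onmicrosoft.com"}
SAMPLE_ERROR_50126 = {"error": "invalid_grant", "error_codes": [50126],
                      "error_description": "AADSTS50126: Error validating credentials "
                                           "due to invalid username or password."}
SAMPLE_ERROR_V1 = {"error": "invalid_grant",
                   "error_description": "AADSTS50034: The user account does not exist "
                                        "in the directory."}
```

The realm lookup goes to `common` and carries only the UPN, so no password leaves the client until AAD has said it will validate that password itself. Even for a Managed realm, ROPC hands the user's password to the application and cannot satisfy MFA or interactive Conditional Access, so the authorization code flow stays the right default; the pre-check only keeps a 50126 from a federated domain from being presented to the user as "wrong password".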
@benbucksch @amanmcse
Is there any solution apart from this? We have a client who has a hybrid AD, and a user created in the cloud cannot be given access to the Power BI workspace because the user will not get synced.
How do we get the access token so that we can embed the Power BI report in the web app?
Hi there. I'm facing the same issue. I entered the correct credentials and am able to access with the browser but not in Postman.
Hope anybody can help me because I'm stuck. Thanks in advance.
parameters:
grant_type: password
client_id: xxxxxprovidedxxxxxx
client_secret: xxxxxxprovidedxxxxxx
scope: https://graph.microsoft.com/.default
username: xxxxxxprovidedxxxxxx (can be accessed through browser https://developer.microsoft.com/en-us/graph/graph-explorer)
password: xxxxxxprovidedxxxxxx
error return
{
"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: d9cc74aa-91da-4bd2-b77f-ecaa6ec28d00\r\nCorrelation ID: 38941c60-5898-462b-9ab7-cb4bfa0cb18e\r\nTimestamp: 2020-12-10 05:09:57Z",
"error_codes": [
50126
],
"timestamp": "2020-12-10 05:09:57Z",
"trace_id": "d9cc74aa-91da-4bd2-b77f-ecaa6ec28d00",
"correlation_id": "38941c60-5898-462b-9ab7-cb4bfa0cb18e",
"error_uri": "https://login.microsoftonline.com/error?code=50126"
}