Microsoft-authentication-library-for-dotnet: "AADSTS50155: Device is not authenticated" after ~3 months with "phone sign-in"

Created on 28 May 2019 · 11 comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which Version of MSAL are you using ?
Microsoft.Identity.Client 3.0.8

Platform
UWP

What authentication flow has the issue?

  • Desktop / Mobile
    • [x] Interactive
    • [ ] Integrated Windows Auth
    • [ ] Username Password
    • [ ] Device code flow (browserless)
  • Web App
    • [ ] Authorization code
    • [ ] OBO
  • Web API
    • [ ] OBO

Is this a new or existing app?
Existing. I've come across this error in February, and resolved it by entering a password. I'm unsure if this falls in the MSAL bucket or AzureAD bucket. I don't know who to complain to. https://stackoverflow.com/questions/54730227/aadsts50155-device-is-not-authenticated

Repro

```csharp
try
{
    // Silent first: use the cached account/refresh token, no UI.
    msalar = await pca.AcquireTokenSilent(scopes, user)
                  .WithAuthority(authority)
                  .ExecuteAsync();
}
catch (MsalUiRequiredException)
{
    // Cache miss or expired token: fall back to the interactive sign-in,
    // which is where the AADSTS50155 error surfaces.
    msalar = await pca.AcquireTokenInteractive(scopes)
                  .WithAuthority(authority)
                  .WithAccount(user)
                  .WithExtraScopesToConsent(graphscopes)
                  .ExecuteAsync();
}
```

Expected behavior
Code should work with AzureAD passwordless (phone sign-in). (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in)

Actual behavior
Roughly 3 months after signing in with a password then just using my iPhone for phone sign-in, I get an AADSTS50155 error.

Possible Solution
Prompt user to use a password if AADSTS50155 is encountered.

```csharp
msalar = await pca.AcquireTokenInteractive(scopes)
              .WithAuthority(authority)
              .WithAccount(user)
              .WithExtraScopesToConsent(graphscopes)
              // I think this is not encouraged, but does this prompt password?
              .WithPrompt(Prompt.ForceLogin)
              .ExecuteAsync();
```
Fixed Service Issue

All 11 comments

Actually, it seems I need to click "use password instead" to get authentication to work now. Phone sign-in (passwordless) doesn't work anymore.

@myokeeh
Did a tenant admin change the conditional access policies?
For passwordless to work you need to have a broker (Microsoft Authenticator or Company Portal). MSAL.NET is going to support brokers soon (as soon as versions of these are available for the Microsoft identity platform v2.0).

But do I understand that you have an issue with Authenticator?

cc: @jennyf19

@jmprieur this has been working well for the past 3 months, and yes we're using Microsoft Authenticator on our phones. No issues with Authenticator--it functions as expected. I get an AADSTS50155 on the UWP app if UI interaction is required. Interestingly--AcquireTokenSilent works fine, too. I wouldn't have known there was a problem if I didn't sign out and sign in again.

@jmprieur : I believe it's more correct to say this requires the Authenticator app, but not the broker. From what I can see @myokeeh is doing what is expected. Will have to understand why this error comes up. (Aside: I have used pwd-less for a very long time and I have never encountered such issues.)
@myokeeh : do you have a correlation id from when you saw this?

@henrik-me
f2cdde05-fdb3-4151-8eef-eb6ba7924d57
b91d7c46-88a2-49b5-8da4-4c48f7fcb487

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes (the codes there are all subject to change) describes the error as:
DeviceAuthenticationFailed - Device authentication failed for this user.
Still investigating.

According to the service logs you successfully authenticated for both those correlation ids today. Still trying to understand exactly what the logs mean; both have triggered MFA flows (used for passwordless as it's similar to MFA by letting the device ack).
@myokeeh : a few questions
Did anything change for your account? E.g. MFA?
Is it an MSA (hotmail/live) account or an AAD account (work or school)?

@henrik-me Right. If I just go by the results of the log-in UI, nothing's amiss--it sure projects a successful authentication. Actually, can you check this? I attached a log with some details redacted.

23df78f9-fbf8-476f-868a-44deafc921d5

There's only myself and another person who could change our AzureAD config/settings. No recent changes to MFA. We use AAD (work or school) accounts.

MSALLog.txt

@myokeeh
There is an issue on the Azure AD (service) side, which is being fixed.
We'll update you when we know more about the ETA for deployment publicly.

@jmprieur As of today, this seems resolved, but given severity, would like to understand what happened, and if there's anything I can do in my app to handle it gracefully.

@myokeeh It was a bug on our side (service); this error code should never have been surfaced in this scenario, and there is nothing you could do in your app to fix the issue on your end.

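The silent-then-interactive pattern from the repro, with the diagnostics capture this thread relied on (error code and correlation id) and the reporter's proposed `Prompt.ForceLogin` retry, as an added example that is not code from the issue or from MSAL.NET. `TokenHelper`, its `log` callback and the string match on `AADSTS50155` in the exception message are assumptions; the helper only records the failure for escalation and retries once, since the thread concludes the root cause was service-side.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper (not part of the issue or of MSAL.NET) that wraps the
// silent -> interactive pattern from the repro and records what support needs.
public static class TokenHelper
{
    public static async Task<AuthenticationResult> AcquireAsync(
        IPublicClientApplication pca,
        string[] scopes,
        IAccount account,
        Action<string> log)
    {
        try
        {
            // Silent first: cached access/refresh token, no UI.
            return await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token: fall through to the interactive path.
        }

        try
        {
            return await pca.AcquireTokenInteractive(scopes)
                            .WithAccount(account)
                            .ExecuteAsync();
        }
        // Assumption: the AADSTS code is only present in the message text,
        // ErrorCode carries the OAuth error (e.g. invalid_grant).
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS50155"))
        {
            // Correlation ids are what the service team used to trace this
            // incident; log them together with the error code for escalation.
            log($"AADSTS50155 during interactive sign-in: errorCode={ex.ErrorCode} " +
                $"correlationId={ex.CorrelationId}");

            // One retry forcing a fresh sign-in (the reporter's workaround).
            // prompt=login only forces re-authentication; it does not choose
            // which credential (password or phone sign-in) the user presents.
            return await pca.AcquireTokenInteractive(scopes)
                            .WithAccount(account)
                            .WithPrompt(Prompt.ForceLogin)
                            .ExecuteAsync();
        }
    }
}
```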