Microsoft.Identity.Client.MsalError
Error code returned as a property in MsalException
Access denied.
Accessing WS Metadata Exchange Failed.
What happens?
You tried to use AcquireTokenByUsernamePassword and the account is a federated account.Mitigation
None. The WS metadata was not found or does not correspond to what was expected.
What happens?
The response from the token endpoint does not contain the token_type parameter.Mitigation
This happens if the identity provider (AAD, B2C, ADFS, etc.) did not include the access token type in the token response. Verify the configuration of the identity provider.
On Android, you need to call AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) passing
the activity. See https://aka.ms/msal-interactive-android
What happens?
Broker is configured with an ADFS authority, however, it does not support ADFS environments.Mitigation
Broker does not support ADFS environments.
Failed To Complete Android Broker Operation
public const string AndroidBrokerSignatureVerificationFailed = "broker_signature_verification_failed"
Failed to validate android broker signature
Authentication canceled.
What happens?
The user had canceled the authentication, for instance by closing the authentication dialogMitigation
None, you cannot get a token to call the protected API. You might want to inform the user
Authentication failed.
What happens?
The authentication failed. For instance the user did not enter the right passwordMitigation
Inform the user to retry.
The request could not be performed because of an unknown failure in the UI flow.*
Mitigation
Inform the user.
The request could not be performed because of a failure in the UI flow.
What happens?
The library failed to invoke the Web View required to perform interactive authentication. The exception might include the reasonMitigation
If the exception includes the reason, you could inform the user. This might be, for instance, a browser implementing chrome tabs is missing on the Android phone (that's only an example: this exception can apply to other platforms as well)
The cloud (authority URL host) defined at the application level cannot be different than the cloud at the request level.
What happens?
You did not define an authority at the application level, so it defaults to the public cloud (login.microsoft.com), but the authority at the request level is for a different cloud. Only the tenant can be changed at the request level.Mitigation
Add .WithAuthority("https://login.windows-ppe.net/common) at the application level and specify the tenant at the request level: .WithAuthority("https://login.windows-ppe.net/1234-567-890-12345678).
What happens?
You specified a tenant twice - once in WithAuthority() and once using WithTenant()Mitigation
Specify the tenant once.
What happens?
The authority configured at the application level is different than the authority configured at the request levelMitigation
Ensure the same authority type is used
Authority validation failed.
What happens?
The validation of the authority failed. This might be because the authority is not compliant with the OIDC standard, or there might be a security issueMitigation
Use a different authority. If you are absolutely sure that you can trust the authority you can use the WithAuthority passing the validateAuthority parameter to false (not recommended)
The B2C authority host is not the same as the one used when creating the client application.
What happens?
A broker application is required, but one could not be found or communicated with.Mitigation
Install a broker application, such as Authenticator, from the application store
What happens?
The request has broker enabled and Proof-of-Possession configured but the broker does not support Proof-of-PossessionMitigation
only configure Proof-of-Possession for public clients on windows.
Broker response nonce does not match the request nonce sent by MSAL.NET for iOS broker >= v6.3.19
What happens?
The request has Proof-of-Possession configured but does not have broker enabled. Broker is required to use Proof-of-Possession on public clientsMitigation
Enable the broker when Proof-of-Possession is configured.
Broker response hash did not match
Broker response returned an error
public const string CannotAccessUserInformationOrUserNotDomainJoined = "user_information_access_failed"
Cannot Access User Information or the user is not a user domain.
What happens?
You tried to use AcquireTokenByIntegratedWindowsAuth but the user is not a domain user (the machine is not domain or AAD joined)
MSAL is not able to invoke the broker. Possible reasons are the broker is not installed on the user's device,
or there were issues with the UiParent or CallerViewController being null. See https://aka.ms/msal-brokers
public const string CannotSwitchBetweenImdsVersionsForPreview = "cannot_switch_between_imds_versions_for_preview"
The system has already fallen back IMDS V1 and can only get Bearer tokens.
It needs to be restarted to get mTLS PoP tokens.
What happens?
The certificate provided is not of type RSA.Mitigation
Please use an RSA certificate.
What happens?
The certificate provided does not have a private key.Mitigation
Ensure the certificate has a private key.
public const string ClientCredentialAuthenticationTypeMustBeDefined = "Client_Credentials_Required_In_Confidential_Client_Application"
What happens?
You configured MSAL confidential client authentication without an authentication type (Certificate, Secret, Client Assertion)Mitigation
Either call ConfidentialClientApplicationBuilder.WithClientSecret, ConfidentialClientApplicationBuilder.WithCertificate, ConfidentialClientApplicationBuilder.WithClientAssertion
public const string ClientCredentialAuthenticationTypesAreMutuallyExclusive = "Client_Credential_Authentication_Types_Are_Mutually_Exclusive"
What happens?
You configured MSAL confidential client authentication with more than one authentication type (Certificate, Secret, Client Assertion)
What happens?
In the context of Device code flow (See https://aka.ms/msal-net-device-code-flow), this error happens when the device code expired before the user signed-in on another device (this is usually after 15 mins).Mitigation
None. Inform the user that they took too long to sign-in at the provided URL and enter the provided code.
Using combined flat storage, like a file, to store both app and user tokens is not supported. Use a partitioned token cache (for ex. distributed cache like Redis) or separate files for app and user token caches. See https://aka.ms/msal-net-token-cache-serialization .
A cryptographic exception occurred when trying to use the provided certificate
This error code comes back from AcquireTokenSilent calls when the
OperatingSystemAccount user is passed as the account parameter. Only some brokers (WAM) can login the current user.
Mitigation
On Windows, use the broker via .WithBroker(true), use a different account, or otherwise call AcquireTokenInteractive
What happens?
You have configured your own instance metadata using both an Uri and a string. Only one is supported.Mitigation
Call WithInstanceDiscoveryMetadata only once. See https://aka.ms/msal-net-custom-instance-metadata for more details.
Error code used when the CustomWebUI has returned a URI, but it does not match the Authority and AbsolutePath of
the configured redirect URI.
Error code used when the ICustomWebUi has returned a URI, but it is invalid - it is either null or has no code.
Consider throwing an exception if you are unable to intercept the URI containing the code.
RedirectUri validation failed.
Device certificate not found.
Duplicate query parameter was found in extraQueryParameters.
What happens?
You have used extraQueryParameter of overrides of token acquisition operations in public client and confidential client application and are passing a parameter which is already present in the URL (either because you had it in another way, or the library added it).Mitigation [App Development]
RemoveAccount the duplicate parameter from the token acquisition override.
Encoded token too long.
What happens
In a confidential client application call, the client assertion built by MSAL is longer than the max possible length for a JWT token.
Exactly one scope is expected.
What happens?
You are trying to use a feature which was marked as experimentalMitigation
When creating the PublicClientApplication or ConfidentialClientApplication, use .WithExperimentalFeatures() option. See https://aka.ms/msal-net-experimental-features for details.
public const string FailedToAcquireTokenSilentlyFromBroker = "failed_to_acquire_token_silently_from_broker"
Failed to acquire token silently. Used in broker scenarios.
What happens
you called AcquireTokenSilent or AcquireTokenSilent and your mobile (Xamarin) application leverages the broker (Microsoft Authenticator or Microsoft Company Portal), but the broker was not able to acquire the token silently.Mitigation
Call AcquireTokenInteractive
What happens?
You are trying to authenticate with the broker but MSAL is unable to read the response from the broker.Mitigation
The currently installed broker may not support MSAL.Xamarin, you need to ensure that you have installed either Intune Company Portal (5.0.4689.0 or greater) or Microsoft Authenticator (6.2001.0140 or greater). see https://aka.ms/Brokered-Authentication-for-Android"
Failed to refresh token.
What happens?
The token could not be refreshed. This can be because the user has not used the application for a long time. and therefore the refresh token maintained in the token cache has expiredMitigation
If you are in a public client application, that supports interactivity, send an interactive request AcquireTokenInteractive. Otherwise, use a different method to acquire tokens.
Federated service returned error.
Mitigation
None. The federated service returned an error. You can try to look at the Body of the exception for a better understanding of the error and choose the mitigation
public const string ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible"
What happened?
The operation attempted to force a token refresh while also using a token hash. These two options are incompatible because forcing a refresh bypasses token caching, which conflicts with token hash validation.Mitigation:
- Ensure that `force_refresh` is not set to `true` when using a token hash. - Review the request parameters to ensure they are not conflicting. - If token hashing is required, allow the cached token to be used instead of forcing a refresh.
Failed to get user name.
An HttpListenerException occurred while listening for the system browser to complete the login.
ErrorCode used when the HTTP response returns something different from 200 (OK)
Error code used when the HTTP response returns HttpStatusCode.NotFound
Represents the error code returned when an IMDS operation fails.
What happens?
Failure setting process security to enable WAM Account Picker in an elevated process.Mitigation
For troubleshooting details, see https://aka.ms/msal-net-wam .
public const string IntegratedWindowsAuthenticationFailed = "integrated_windows_authentication_failed"
This can occur if there is an configuration issue in the ADFS environment where this is authenticating. See https://aka.ms/msal-net-iwa-troubleshooting for more details
public const string IntegratedWindowsAuthNotSupportedForManagedUser = "integrated_windows_auth_not_supported_managed_user"
Integrated Windows Auth is only supported for "federated" users
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user
so the user can do an interactive log-in to get a token with updated claims.
Mitigation:
If your application is a IPublicClientApplication call AcquireTokenInteractive perform an interactive authentication. If your application is a ConfidentialClientApplication chances are that the Claims member of the exception is not empty. See Claims for the right mitigation
What happened?
A cache-dependent API was called, but MSAL's internal token cache is disabled via DisableInternalCacheOptions. This can occur with APIs such as AcquireTokenSilent and AcquireTokenInLongRunningProcess(...).Mitigation
Use an authentication flow that does not depend on MSAL's internal cache, such as AcquireTokenByRefreshToken with the refresh token obtained from GetRefreshToken, or use another interactive flow, as appropriate for your application.
Internal error
What happens?
The ADAL cache is invalid as it contains multiple refresh token entries for one user.Mitigation
Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.
Invalid authority
What happens
When the library attempts to discover the authority and get the endpoints it needs to acquire a token, it got an un-authorize HTTP code or an unexpected responseremediation
Check that the authority configured for the application, or passed on some overrides of token acquisition tokens supporting authority override is correct
Invalid authority type.
MSAL.NET does not know how to interact with the authority specified when the application was built.
Mitigation
Use a different authority
An authorization Uri has been intercepted, but it cannot be parsed. See the log for more details.
The certificate received from the Imds server is invalid.
Azure AD service error indicating a configuration issue.
Mitigation
See error message for details, then take corrective action in the app registration portal See https://aka.ms/msal-net-invalid-client for details.
Returned when a WithClientAssertion delegate provides
a null or empty JWT string.
Mitigation
Ensure the delegate returns a non‑empty, base‑64‑encoded JWT.
public const string InvalidClientCredentialConfiguration = "invalid_client_credential_configuration"
What happens?
You configured both a static certificate (WithCertificate(X509Certificate2)) and a dynamic certificate provider (WithCertificate(Func)).Mitigation
Choose one approach for providing the client certificate.
What happened?
The configured credential type is not compatible with the requested authentication mode. For example, a client secret cannot be used with mTLS Proof-of-Possession or SendCertificateOverMtls because mTLS requires a certificate to bind the token to the TLS transport.Mitigation:
Use a certificate-based credential via WithCertificate(), or a delegate that returns a ClientSignedAssertion with a TokenBindingCertificate when mTLS Proof-of-Possession is required.
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user
so that the user does an interactive action in order to get a new token.
Mitigation:
If your application is a IPublicClientApplication call AcquireTokenInteractive perform an interactive authentication. If your application is a ConfidentialClientApplication chances are that the Claims member of the exception is not empty. See Claims for the right mitigation
AAD service error indicating that the configured authority does not exist
What happens?
You have configured a claims request, but the claims string is not in JSON formatMitigation
Ensure that the claims parameter is valid JSON. Inspect the inner exception for details about JSON parsing.
JWT was invalid.
What happens?
The library expected a JWT (for instance a token from the cache, or received from the STS), but the format is invalidMitigation
Make sure that the token cache was not tampered
Invalid managed identity endpoint.
The managed identity's source does not select a specific id type.
A required value is missing from the managed identity response.
Invalid owner window type.
What happens?
You used "AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) but the parameter you passed is invalid.Remediation
On .NET Standard, the expected object is an Activity on Android, a UIViewController on iOS, a NSWindow on MAC, and a IWin32Window or IntPr on Windows. If you are in a WPF application, you can use WindowInteropHelper(wpfControl).Handle to get the window handle associated with a WPF control
Request is invalid.
What happens?
This can happen because you are using a token acquisition method which is not compatible with the authority. For instance: you called AcquireTokenByUsernamePassword but you used an authority ending with '/common' or '/consumers' as this requires a tenanted authority or '/organizations'.Mitigation
Adjust the authority to the AcquireTokenXX method you use (don't use 'common' or 'consumers' with AcquireTokenByUsernamePassword AcquireTokenByIntegratedWindowsAuth
A required value is missing from the token provider response
What happens?
You have configured your own instance metadata, but the json provided seems to be invalid.Mitigation
See https://aka.ms/msal-net-custom-instance-metadata for an example of a valid json that can be used.
JSON parsing failed.
What happens?
A JSON blob read from the token cache or received from the STS was not parseable. This can happen when reading the token cache, or receiving an IDToken from the STS.Mitigation
Make sure that the token cache was not tampered
What happens?
MSAL tried to open the browser on Linux using the xdg-open, gnome-open, or kfmclient tools, but failed.Mitigation
Make sure you can open a page using xdg-open tool. See https://aka.ms/msal-net-os-browser for details.
What happens?
The current redirect URL is not a loopback URL.Mitigation
To use the OS browser, a loopback URL, with or without a port, must be configured both during app registration and when initializing the IPublicClientApplication object. See https://aka.ms/msal-net-os-browser for details.
What happens?
MSAL has intercepted a Uri possibly containing an authorization code, but it does not match the configured redirect URL.Mitigation
If you are using an ICustomWebUi implementation, make sure the redirect URL matches the URL containing the auth code. If you are not using an ICustomWebUI, this could be a man-in-the middle attack.
public const string ManagedIdentityAllSourcesUnavailable = "managed_identity_all_sources_unavailable"
All managed identity sources are unavailable.
Managed Identity error response was received.
Managed Identity error response was received.
Managed Identity endpoint is not reachable.
Federation Metadata URL is missing for federated user.
The managed identity is missing a required environment variable.
No passive auth endpoint was found in the OIDC configuration of the authority
What happens?
When the libraries go to the authority and get its open id connect configuration it expects to find a Passive Auth Endpoint entry, and could not find it.remediation
Check that the authority configured for the application, or passed on some overrides of token acquisition tokens supporting authority override is correct
Missing Tenanted Authority.
MSAL.NET requires a tenanted authority (i.e., an authority with a tenant ID) for mTLS to be specified when the application is built, but none was provided.
Mitigation
Ensure that a tenanted authority, which includes a specific tenant ID, is specified during the application configuration. For example, use "https://login.microsoftonline.com/{tenantId}" or a similar URL structure.
What happened?
mTLS Bearer is configured but a region was not specified.Mitigation
Ensure that the AzureRegion configuration is set when using mTLS Bearer as it requires a regional endpoint.
What happened?
mTLS Proof of Possession (mTLS PoP) is configured but a certificate was not provided.Mitigation
Ensure that a valid certificate is provided in the configuration when using mTLS PoP as it is required for secure authentication.
What happened?
mTLS is not supported for managed identity authentication.
What happened?
mTLS Proof of Possession (mTLS PoP) is not supported for the specified sovereign cloud environment.Mitigation:
Use the supported alternative endpoint for the sovereign cloud environment.
mTLS PoP tokens are not supported in IMDS V1.
What happened?
mTLS Proof of Possession (mTLS PoP) is configured but a region was not specified.Mitigation
Ensure that the AzureRegion configuration is set when using mTLS PoP as it requires a regional endpoint.
This error code denotes that multiple accounts were found having the same login hint and MSAL
cannot choose one. Please use WithAccount to specify the account
Multiple Tokens were matched.
What happens?
This exception happens in the case of applications managing several identities, when calling AcquireTokenSilent or one of its overrides and the user token cache contains multiple tokens for this client application and the specified Account, but from different authorities.Mitigation [App Development]
specify the authority to use in the acquire token operation
The request could not be performed because the network is down.
Mitigation [App development]
In the application you could either inform the user that there are network issues or retry later
This error code denotes that no account was found having the given login hint.
What happens?
AcquireTokenSilent or WithLoginHint was called with a loginHint parameter which does not match any account in GetAccountsAsyncMitigation
If you are certain about the loginHint, call AcquireTokenInteractive
MSAL is not able to find a suitable account to use with broker
MSAL cannot find the broker application to authenticate accounts.
What happens?
You haven't set a client ID.Mitigation
Use the application ID (a GUID) from the application portal as client ID in this SDK
What happens?
The request has Proof-of-Possession configured but does not have a nonce configured. A nonce is required for Proof-of-Possession on public clientsMitigation
Provide a nonce when Proof-of-Possession is configured for public clients.
Non HTTPS redirects are not supported
What happens?
This error happens when the authorization flow, which collects user credentials, gets redirected to an page that is not supported, for example if the redirect occurs over http. This error does not trigger for the final redirect, which can be http://localhost, but for intermediary redirects.Mitigation
This usually happens when using a federated directory which is not setup correctly.
An error response was returned by the OAuth2 server and it could not be parsed
One of two conditions was encountered:
The Prompt.NoPrompt was passed in an interactive token call, but the constraint could not be honored because user interaction is required,
for instance because the user needs to re-sign-in, give consent for more scopes, or perform multiple factor authentication.
An error occurred during a silent web authentication that prevented the authentication flow from completing in a short enough time frame.
Remediation:
call AcquireTokenInteractive so that the user of your application signs-in and accepts consent.
No Redirect URI.
What happens?
You need to provide a Reply URI / Redirect URI, but have not called WithRedirectUri
No token was found in the token cache.
Mitigation:
If your application is a IPublicClientApplication call AcquireTokenInteractive so that the user of your application signs-in and accepts consent. If it's a web app you should have previously called IConfidentialClientApplication.AcquireTokenByAuthorizationCode as described in https://aka.ms/msal-net-authorization-code. You need to make sure that you have requested the right scopes. For details See https://github.com/Azure-Samples/ms-identity-aspnetcore-webapp-tutorial This error should not happen in web APIs
public const string NoUsernameOrAccountIDProvidedForSilentAndroidBrokerAuthentication = "no_username_or_accountid_provided_for_silent_android_broker_authentication"
Unable to query the Android account manager because no username or home account ID is provided in the silent authentication request.
Null intent was returned so broker activity cannot be launched
What happens?
The token cache does not contain a token with an OBO cache key that matches the longRunningProcessSessionKey passed into AcquireTokenInLongRunningProcess.Mitigation
Call InitiateLongRunningProcessInWebApi with this longRunningProcessSessionKey first or call AcquireTokenInLongRunningProcess with an already used longRunningProcessSessionKey.
Parsing WS Metadata Exchange Failed.
You can get this error when using AcquireTokenByUsernamePassword
In the case of a Federated user (that is owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant)
ID3242: The security token could not be authenticated or authorized.
The user does not exist or has entered the wrong password
Password is required for managed user.
What happens?
If can got this error when using AcquireTokenByUsernamePassword and you (or the user) did not provide a password.
The library is loaded on a platform which is not supported.
RedirectUri validation failed.
What happens?
The redirect URI / reply URI is invalidHow to fix
Pass a valid redirect URI.
What happens?
You configured WithAuthority at the request level, and also WithAzureRegion. This is not supported when the environment changes from application to request.Mitigation
Use WithTenantId at the request level instead.
What happens?
You configured both Regional Authority and Authority Validation. Authority validation is not currently supported for regional authorities.Mitigation
Set the validateAuthority flag to false to use Azure Regional authority. Do not disable authority validation if you read the authority from an untrusted source, for example from the WWWAuthenticate header of an HTTP request that resulted in a 401 response.
Region discovery failed.
What happens?
WithAzureRegion is set to trueMitigation
Region discovery cannot be performed for ADFS authority.
public const string RegionDiscoveryWithCustomInstanceMetadata = "region_discovery_with_custom_instance_metadata"
What happens?
You have configured both Region Discovery and Custom Instance Metadata. Custom metadata supersedes region discovery.Mitigation
Configure either Region Discovery or Custom Instance Discovery Metadata.
What happened?
mTLS Proof of Possession (mTLS PoP) requires a specific Azure region to be specified.Mitigation:
Ensure that the AzureRegion configuration is set when using mTLS PoP as it requires a regional endpoint.
Service returned HTTP error code 429 which indicates the request has been throttled.
For more details see https://aka.ms/msal-net-throttling
The HTTP Request to the STS timed out.
Mitigation
you can retry after a delay.
Resource Owner Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account.
ROPC does not support MSA accounts.
See https://aka.ms/msal-net-ropc for details.
What happens?
No scopes have been requestedMitigation
At least one scope must be specified for this authentication flow
Service is unavailable and returned HTTP error code within the range of 500-599
Mitigation
you can retry after a delay.
public const string SetCiamAuthorityAtRequestLevelNotSupported = "set_ciam_authority_at_request_level_not_supported"
Setting the CIAM authority (ex. "{tenantName}.ciamlogin.com") at the request level is not supported. The CIAM authority must be set during application creation.
What happens?
You have configured MSAL to request SSH certificates from AAD, and you are trying to format an HTTP authentication header.Mitigation
SSH certificates should not used as Bearer tokens. Developers are responsible for sending the certificates to the target machines.
State returned from the STS was different from the one sent by the library
What happens?
The library sends to the STS a state associated to a request, and expects the reply to be consistent. This errors indicates that the reply is not associated with the request. This could indicate an attempt to replay a responseMitigation
None
public const string StaticCacheWithExternalSerialization = "static_cache_with_external_serialization"
What happens?
You configured MSAL cache serialization at the same time with a static internal cache via WithCacheOptions These are mutually exclusive.Mitigation
Use only one option. Web site and web API scenarios should rely on external cache serialization, as internal cache serialization cannot scale. See https://aka.ms/msal-net-cca-token-cache-serialization
public const string SystemWebviewOptionsNotApplicable = "embedded_webview_not_compatible_default_browser"
What happens?
You configured MSAL interactive authentication to use an embedded WebView and you also configured SystemWebViewOptions. These are mutually exclusive.Mitigation
Either set WithUseEmbeddedWebView to true or do not use WithSystemWebViewOptions
What happens?
You have configured both a telemetry callback and a telemetry config.Mitigation
Only one telemetry mechanism can be configured.
Tenant discovery failed.
What happens?
While reading the OpenId configuration associated with the authority, the Authorize endpoint, or Token endpoint, or the Issuer was not foundMitigation
This indicates and authority which is not Open ID Connect compliant. Specify a different authority in the constructor of the application, or the token acquisition override ///
What happens?
You configured WithTenant at the request level, but the application is using a non-AAD authority These are mutually exclusive.Mitigation
WithTenantId can only be used in conjunction with AAD authorities.
This error code comes back from AcquireTokenSilent calls when
the user cache had not been set in the application constructor. This should never happen in MSAL.NET 3.x as the cache is created by the application
What happens?
You asked for one type of token, but did not receive it.Mitigation
This happens if the Identity Provider (AAD, B2C, ADFS etc.) does not support / implement the requested token type. In case of ADFS, consider upgrading to the latest version.
Cannot access the user from the OS (UWP)
What happens
You called AcquireTokenByIntegratedWindowsAuth, but the domain user name could not be found.Mitigation
This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp
Cannot get the user from the OS (UWP)
What happens
You called AcquireTokenByIntegratedWindowsAuth, but the domain user name could not be found.Mitigation
This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp
MSAL is unable to parse the authentication header returned from the endpoint. This can be a result of a malformed header returned in either the WWW-Authenticate or the Authentication-Info collections.
The client is unauthorized to access resource.
This commonly happens when Mobile App Management (MAM) policies are enabled. MSAL will throw an exception in that case with protection_policy_required sub-error.
Mitigation
Catch the exception and use the properties in it to obtain the right parameters from Intune SDK. IntuneAppProtectionPolicyRequiredException
Unknown broker error occurred.
Mitigation
None. You might want to inform the end user.
Unknown Error occurred.
Mitigation
None. You might want to inform the end user.
Unknown error response received.
What happens
You can get this error when using AcquireTokenByUsernamePassword The user is not known by the IdPMitigation
Inform the user. The login that the user provided might be incorrect (for instance empty)
What happens
You can get this error when using AcquireTokenByUsernamePassword The user is not recognized as a managed user, or a federated user. Azure AD was not able to identify the IdP that needs to process the userMitigation
Inform the user. the login that the user provided might be incorrect.
loginHint should be a UPN
What happens?
An override of a token acquisition operation was called in IPublicClientApplication which takes a loginHint as a parameters, but this login hint was not using the UserPrincipalName (UPN) format, e.g. john.doe@contoso.com expected by the serviceRemediation
Make sure in your code that you enforce loginHint to be a UPN
This error code comes back from AcquireTokenOnBehalfOf
calls when a null user assertion is passed as the UserAssertion parameter.
Mitigation
Pass a valid value for user assertion
public const string UserAssignedManagedIdentityNotConfigurableAtRuntime = "user_assigned_managed_identity_not_configurable_at_runtime"
User assigned managed identity is not configurable at runtime for service fabric.
public const string UserAssignedManagedIdentityNotSupported = "user_assigned_managed_identity_not_supported"
User assigned managed identity is not supported for this source.
User Mismatch.
This error code comes back from AcquireTokenSilent calls when a null user is
passed as the account parameter. This can be because you have called AcquireTokenSilent with an account parameter
set to accounts.FirstOrDefault() but accounts is empty.
Mitigation
Pass a different account, or otherwise call AcquireTokenInteractive
User Realm Discovery Failed.
public const string ValidateAuthorityOrCustomMetadata = "validate_authority_or_custom_instance_metadata"
What happens?
You have configured your own instance metadata, and have also set validate authority to true. These are mutually exclusive.Mitigation
Set the validate authority flag to false. See https://aka.ms/msal-net-custom-instance-metadata for more details.
What happens?
Windows Authentication Broker, which handles the interaction between the user and AAD, has failed.Mitigation
See the error message for more details.
WAM Signout failed.
WAM service exception that can occur when calling AcquireTokenInteractive
The Windows broker (WAM) is only supported in conjunction with "work and school" accounts
and with Microsoft accounts.
WAM service exception that can occur when calling AcquireTokenInteractive and the account picker
pops up
What happens?
No scopes have been requestedMitigation
At least one scope must be specified for MSAL Runtime WAM
When calling AcquireTokenInteractive with the WAM broker, the call must be made from the UI thread.
What happens?
The embedded WebView2 browser cannot be started because a runtime component cannot be loaded.Mitigation
For troubleshooting details, see https://aka.ms/msal-net-webview2 .
What happens?
The embedded browser cannot be started because a runtime component is missing.Mitigation
The embedded browser needs WebView2 runtime to be installed. An end user of the app can download and install the WebView2 runtime from https://go.microsoft.com/fwlink/p/?LinkId=2124703 and restart the app. The app developer can get the distributable version of the WebView2 runtime.
The selected WebView is not available on this platform. You can switch to a different WebView using WithUseEmbeddedWebView. See https://aka.ms/msal-net-os-browser for details
WS-Trust Endpoint Not Found in Metadata Document.