Merge pull request #10507 from MicrosoftDocs/main

Auto Publish – main to live - 2026-01-14 18:00 UTC

Author: learn-build-service-prod[bot]

support/power-platform/dataverse/working-with-solutions/error-importing-savedquery-in-dynamics-365.md

@@ -47,7 +47,7 @@ For Saved Query the managed component can be found with a Web API query and then
 
     Example:
 
-    `https://MyOrganization.crm11.dynamics.com/api/data/v9.1/savedqueries?$filter=savedqueryid eq '1d0f4d57-6d49-e911-a98d-00224800ce20'`
+    `https://MyOrganization.crm11.dynamics.com/api/data/v9.1/savedqueries?$filter=savedqueryid eq 'aaaabbbb-0000-cccc-1111-dddd2222eeee'`
 
     This is the output:
 
@@ -59,7 +59,7 @@ For Saved Query the managed component can be found with a Web API query and then
     "layoutxml": "<grid name=\"resultset\" icon=\"1\" preview=\"1\" select=\"1\" jump=\"css_name\" 
     object=\"10224\"><row id=\"css_testsqparentid\" name=\"result\"><cell name=\"css_name\" width=\"150\" />
     <cell name=\"css_testsqfield\" width=\"100\" /></row></grid>",
-    "savedqueryid": "1d0f4d57-6d49-e911-a98d-00224800ce20",
+    "savedqueryid": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
     "description": "View to trigger 8004F016 named ",
     "createdon": "DateTime",
     "savedqueryidunique": "bdab33b7-18d0-45d6-9db9-6111afc1e444",

support/power-platform/power-apps/connections/troubleshoot-power-query-issues.md

@@ -41,7 +41,7 @@ As an alternative, the tenant administrator can give consent to Power Query with
 1. Install [Azure PowerShell](/powershell/azure/install-az-ps).
 2. Run the following PowerShell commands:
    * `Login-AzureRmAccount` (and sign in as the tenant admin)
-   * `New-AzureRmADServicePrincipal -ApplicationId f3b07414-6bf4-46e6-b63f-56941f3f4128`
+   * `New-AzureRmADServicePrincipal -ApplicationId 00001111-aaaa-2222-bbbb-3333cccc4444`
 
 The advantage of this approach (versus the tenant-wide solution) is that this solution is very targeted. It provisions only the **Power Query** service principal, but no other permission changes are made to the tenant.
 

support/power-platform/power-apps/create-and-use-apps/troubleshoot-model-driven-app-date-time-issues.md

@@ -52,10 +52,10 @@ The table and column names used are [logical names](/power-apps/developer/data-p
 > [!TIP]
 > An easy way to find the ID of a row is to open it in a model-driven app. The ID can be found in the page URL.
 
-The following example gets the `scheduledstart` column of the `appointment` table for the row with ID `d2862246-4763-ee11-8def-000d3a34118b`.
+The following example gets the `scheduledstart` column of the `appointment` table for the row with ID `aaaabbbb-0000-cccc-1111-dddd2222eeee`.
 
 ```http
-https://myorg.crm.dynamics.com/api/data/v9.2/appointments(d2862246-4763-ee11-8def-000d3a34118b)?$select=scheduledstart
+https://myorg.crm.dynamics.com/api/data/v9.2/appointments(aaaabbbb-0000-cccc-1111-dddd2222eeee)?$select=scheduledstart
 ```
 
 Entering this in the browser address bar will show something like the following:
@@ -65,7 +65,7 @@ Entering this in the browser address bar will show something like the following:
     "@odata.context": "https://myorg.crm.dynamics.com/api/data/v9.2/$metadata#appointments(scheduledstart)/$entity",
     "@odata.etag": "W/\"11472725\"",
     "scheduledstart": "2023-10-15T07:30:00Z",
-    "activityid": "d2862246-4763-ee11-8def-000d3a34118b"
+    "activityid": "aaaabbbb-0000-cccc-1111-dddd2222eeee"
 }
 ```
 
@@ -92,7 +92,7 @@ This is likely an issue. Before reporting it, you can isolate whether it's a ser
 For example,
 
 ```http
-GET https://myorg.crm.dynamics.com/api/data/v9.2/appointments(d2862246-4763-ee11-8def-000d3a34118b)?$select=scheduledstart
+GET https://myorg.crm.dynamics.com/api/data/v9.2/appointments(aaaabbbb-0000-cccc-1111-dddd2222eeee)?$select=scheduledstart
 Accept: application/json
 OData-MaxVersion: 4.0
 OData-Version: 4.0

support/power-platform/power-automate/desktop-flows/troubleshoot-ui-flow-invalid-credentials-error-using-aad-account.md

@@ -1,13 +1,15 @@
 ---
 title: Desktop flow invalid credentials error when using a Microsoft Entra account
-description: Resolves the InvalidConnectionCredentials or WindowsIdentityIncorrect error that occurs when you run a desktop flow using a Microsoft Entra account.
-ms.reviewer: guco，aartigoyle
+description: Learn how to resolve InvalidConnectionCredentials, WindowsIdentityIncorrect, and AADSTS50126 errors in Power Automate desktop flows caused by Microsoft Entra account issues.
+ms.reviewer: guco，aartigoyle, v-shaywood
 ms.date: 08/20/2024
 ms.custom: sap:Desktop flows\Cannot create desktop flow connection
 ---
 # Desktop flow invalid credentials error when you use a Microsoft Entra account
 
-This article provides a resolution for the `InvalidConnectionCredentials` or `WindowsIdentityIncorrect` error code that occurs when you run a desktop flow using a [Microsoft Entra account](/entra/fundamentals/whatis#terminology).
+This article provides resolutions for the `InvalidConnectionCredentials` or `WindowsIdentityIncorrect` errors that might occur when you run a desktop flow using a [Microsoft Entra account](/entra/fundamentals/whatis#terminology). These errors typically indicate issues with device join status, account synchronization, or credential mismatches between the desktop flow connection and the target machine. 
+
+This article also covers the `AADSTS50126` error, which occurs when credential validation fails because of an invalid username or password, particularly in scenarios involving federated users.
 
 _Applies to:_   Power Automate  
 _Original KB number:_   4555623
@@ -34,15 +36,20 @@ When you run a desktop flow using a Microsoft Entra account, it fails with the `
 }
 ```
 
+You might also receive the following error message:
+
+> AADSTS50126: Error validating credentials due to invalid username or password
+
 ## Cause
 
 You might encounter the error when using a Microsoft Entra account for several reasons:
 
-- The account credentials entered into the connection might not match those on the machine.
-- The device might not be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) or [Microsoft Entra hybrid joined](/entra/identity/devices/concept-hybrid-join) to support [Microsoft Entra authentication](/entra/identity/authentication/overview-authentication).
-- The Microsoft Entra account might not be synchronized to the machine.
+- You enter account credentials into the connection that don't match the credentials on the machine.
+- The device isn't [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) or [Microsoft Entra hybrid joined](/entra/identity/devices/concept-hybrid-join) to support [Microsoft Entra authentication](/entra/identity/authentication/overview-authentication).
+- The Microsoft Entra account isn't synchronized to the machine.
+- The user account attempting to connect is a [federated user (ADFS)](/windows-server/identity/ad-fs/ad-fs-overview) while the tenant is configured to run on Microsoft Entra ID.
 
-## Resolution
+## Solution
 
 1. Ensure that the device is Microsoft Entra joined or domain-joined:
 
@@ -54,31 +61,44 @@ You might encounter the error when using a Microsoft Entra account for several r
 
        Make sure that one of the `DomainJoined` or `AzureAdJoined` values is `YES`.
 
-       If this isn't the case, a Microsoft Entra account can't be used unless the device is joined. For more information, see [How to join a device](/azure/active-directory/user-help/user-help-join-device-on-network#to-join-an-already-configured-windows-10-device).
+       If this condition isn't true, you can't use a Microsoft Entra account unless the device is joined. For more information, see [How to join a device](/azure/active-directory/user-help/user-help-join-device-on-network#to-join-an-already-configured-windows-10-device).
 
-2. Identify the Microsoft Entra account to use in the machine configuration:
+1. Identify the Microsoft Entra account to use in the machine configuration:
 
     1. Open **Settings** and select **Accounts**.
 
-    2. Select **Access work or school**.
+    1. Select **Access work or school**.
 
-    3. Make sure you see text like "Connected to <your_organization> Microsoft Entra ID." The account it's connected to can be used in the connection.
+    1. Make sure you see text like "Connected to <your_organization> Microsoft Entra ID." The account it's connected to can be used in the connection.
 
-3. Synchronize the Microsoft Entra account on the device:
+1. Synchronize the Microsoft Entra account on the device:
 
     1. Select the **Info** button when selecting your Microsoft Entra connection on the **Access work or school** page.
 
-    2. This will open a page that describes your connection information and device synchronization status. Select the **Sync** button at the end of the page, and wait for this process to complete.
+    1. This action opens a page that describes your connection information and device synchronization status. Select the **Sync** button at the end of the page, and wait for this process to complete.
+
+1. Verify that the configured Microsoft Entra account can sign in to the device:
+
+    1. Try to sign in to the machine by using the Microsoft Entra account you identified in step 2.
+    1. The device authentication must be successful to use the account in a connection.
+
+1. Make sure the flow is configured properly with the right username and password. This information must match the account on your computer.
+
+### AADSTS50126 error
+
+To resolve an AADSTS50126 error, the preferred and most secure method is to configure [Certificate-Based Authentication (CBA)](/power-automate/desktop-flows/configure-certificate-based-auth).
+
+If you can't configure CBA, federated users can use an alternative approach when administrators of the on-premises Identity Provider (IdP) configure [password hash synchronization](/entra/identity/hybrid/connect/whatis-phs) (PHS) to synchronize password hashes to the cloud. In this scenario, federated users can authenticate directly against Microsoft Entra ID (ESTS) by configuring a [Home Realm Discovery](/entra/identity/enterprise-apps/home-realm-discovery-policy) (HRD) policy that explicitly allows cloud password validation.
 
-4. Verify that the configured Microsoft Entra account can sign in to the device:
+To enable this configuration, set the following HRD policy value:
 
-    1. Try to sign in to the machine using the Microsoft Entra account identified in step 2.
-    2. The device login must be successful in order to be used in a connection.
+`"AllowCloudPasswordValidation": true`
 
-5. Make sure the flow is configured properly with the right username and password. This must match the account on your computer.
+For detailed instructions, see [Enable direct ROPC authentication of federated users for legacy applications](/entra/identity/enterprise-apps/home-realm-discovery-policy#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications).
 
 ## More information
 
 - [Create desktop flow connections](/power-automate/desktop-flows/desktop-flow-connections)
 - [Invalid credentials error when running desktop flows in Power Automate for desktop](invalid-credentials-errors-running-desktop-flows.md)
 - ["Logon type has not been granted" error when running a desktop flow or creating a connection](logon-type-has-not-been-granted.md)
+- [What is federation with Microsoft Entra ID?](/entra/identity/hybrid/connect/whatis-fed)

support/sql/database-engine/connect/ssl-errors-after-tls-1-2.md

@@ -52,7 +52,7 @@ To resolve these errors, follow these steps:
 
    - If no certificate exists, examine the SQL Server error log file to get the hash code. You might see one of the following entries:
 
-     `2023-05-30 14:59:30.89 spid15s The certificate [Cert Hash(sha1) "B3029394BB92AA8EDA0B8E37BAD09345B4992E3D"] was successfully loaded for encryption.`
+     `2023-05-30 14:59:30.89 spid15s The certificate [Cert Hash(sha1) "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"] was successfully loaded for encryption.`
       or
      `2023-05-19 04:58:56.42 spid11s A self-generated certificate was successfully loaded for encryption.`
       If the certificate is self-generated, skip to step 2.

support/sql/database-engine/connect/tls-exist-connection-closed.md

@@ -91,7 +91,7 @@ To resolve the issue, follow these steps:
 1. Select the **Certificate** tab and follow the relevant step:
     - If a certificate is displayed, select **View** to examine the Thumbprint algorithm to confirm whether it's using a weak-hash algorithm. Then, select **Clear** and go to step 4.
     - If a certificate isn't displayed, review the SQL Server error log for an entry that resembles the following and note down the hash or thumbprint value:  
-    `2017-05-30 14:59:30.89 spid15s The certificate [Cert Hash(sha1) "B3029394BB92AA8EDA0B8E37BAD09345B4992E3D"] was successfully loaded for encryption`
+    `2017-05-30 14:59:30.89 spid15s The certificate [Cert Hash(sha1) "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"] was successfully loaded for encryption`
 1. Use the following steps to remove server authentication:
     1. Select **Start** > **Run**, and type *MMC*. (MMC also known as the Microsoft Management Console.)
     1. In MMC, open the certificates and select **Computer Account** in the **Certificates** snap-in screen.

support/system-center/dpm/remove-dpmdb-vmware-protection.md

@@ -12,9 +12,9 @@ ms.reviewer: Mjacquet, v-jysur; jarrettr; sudesai, v-six
 ```sql
 SET XACT_ABORT ON
 BEGIN TRANSACTION
-IF EXISTS( SELECT Ds.DataSourceID FROM tbl_IM_DataSource Ds JOIN tbl_PRM_LogicalReplica Lr ON Ds.DataSourceId = Lr.DataSourceId WHERE Ds.AppId = '18BEE66C-826F-4499-A663-9805C8688AD3') 
+IF EXISTS( SELECT Ds.DataSourceID FROM tbl_IM_DataSource Ds JOIN tbl_PRM_LogicalReplica Lr ON Ds.DataSourceId = Lr.DataSourceId WHERE Ds.AppId = '00001111-aaaa-2222-bbbb-3333cccc4444') 
 PRINT 'VMware DataSource in Active/Inactive protected state'
-ELSE IF EXISTS ( SELECT DataSourceID FROM tbl_IM_DataSource WHERE CloudProtectionStatus!=0 AND AppId='18BEE66C-826F-4499-A663-9805C8688AD3')
+ELSE IF EXISTS ( SELECT DataSourceID FROM tbl_IM_DataSource WHERE CloudProtectionStatus!=0 AND AppId='00001111-aaaa-2222-bbbb-3333cccc4444')
 PRINT 'VMware DataSource in Cloud are Active/Inactive protected state'
 ELSE
                 PRINT 'All VMware datasource protections are removed'
@@ -102,7 +102,7 @@ ELSE
         END
         DROP TABLE #serverIdTable3
 
-        SELECT DatasourceID INTO #datasourceIdTable2 FROM dbo.tbl_IM_DataSource WHERE AppId='18BEE66C-826F-4499-A663-9805C8688AD3'
+        SELECT DatasourceID INTO #datasourceIdTable2 FROM dbo.tbl_IM_DataSource WHERE AppId='00001111-aaaa-2222-bbbb-3333cccc4444'
         DECLARE @datasourceId2 nvarchar(100)
         WHILE exists ( SELECT * FROM #datasourceIdTable2 )
         BEGIN
@@ -114,7 +114,7 @@ ELSE
         END
         DROP TABLE #datasourceIdTable2
 
-        Delete from tbl_IM_DataSource where AppId='18BEE66C-826F-4499-A663-9805C8688AD3'   
+        Delete from tbl_IM_DataSource where AppId='00001111-aaaa-2222-bbbb-3333cccc4444'   
 
 COMMIT;
 ```

support/system-center/scom/regular-expression-support.md

@@ -129,7 +129,7 @@ You can use comparison operators when you construct a criteria expression. The v
 |MATCHES|Evaluates to **true** if the left operand matches the regular expression defined by the right operand.| `Name MATCHES 'SQL*05'`<br/> Evaluates to **true** if the `Name` value is **SQL2005**. |
 |IS NULL|Evaluates to **true** if the value of the left operand is null.| `ConnectorId IS NULL`<br/> Evaluates to **true** if the `ConnectorId` property doesn't contain a value. |
 |IS NOT NULL|Evaluates to **true** if the value of the left operand isn't null.| `ConnectorId IS NOT NULL`<br/> Evaluates to **true** if the `ConnectorId` property contains a value. |
-|IN|Evaluates to **true** if the value of the left operand is in the list of values defined by the right operand.<br/><br/>**Note** The **IN** operator is valid for use only with properties of type [Guid](/dotnet/api/system.guid).|`Id IN ('080F192C-52D2-423D-8953-B3EC8C3CD001', '080F192C-53B2-403D-8753-B3EC8C3CD002')`<br/>Evaluates to **true** if the value of the `Id` property is one of the two globally unique identifiers provided in the expression. |
+|IN|Evaluates to **true** if the value of the left operand is in the list of values defined by the right operand.<br/><br/>**Note** The **IN** operator is valid for use only with properties of type [Guid](/dotnet/api/system.guid).|`Id IN ('aaaabbbb-0000-cccc-1111-dddd2222eeee', 'bbbbcccc-1111-dddd-2222-eeee3333ffff')`<br/>Evaluates to **true** if the value of the `Id` property is one of the two globally unique identifiers provided in the expression. |
 |AND|Evaluates to **true** if the left and right operands are both true.|`Name = 'SQL%' AND Description LIKE 'MyData%'` |
 |OR|Evaluates to **true** if either the left or right operand is true.|`Name = 'SQL%' OR Description LIKE 'MyData%'` |
 |NOT|Evaluates to **true** if the right operand isn't true.|`NOT (Name = 'IIS' OR Name = 'SQL')` |

support/system-center/vmm/delete-wap-users-subscriptions-errors.md

@@ -43,9 +43,9 @@ In the following screenshot, two bindings exist. The second entry for HTTPS 8090
 
 Debug logging may show errors that resemble the following:
 
-> 2 [0]0D2C.0754::‎2015‎-‎03‎-‎27 15:09:21.042 [ActivityEventSource]Started activity [HttpRequestActivity, id {8ab952bd-c43f-4ded-b173-50d4055f9341}] parent activity [WebAuthentication Call, id {4659b10b-cf3a-4bcc-9769-f6e1b8663fe5}] Elapsed: 0ms Context: {c477a2fb-8864-4d89-96c7-24bdccee5b94} Properties: RequestUrl=[https://wapserver.contoso.local:8090/provider/subscriptions] & x-ms-client-request-id=[e8dbc04c-5381-40ba-8909-69b83a4f3f13] & x-ms-client-session-id=[99459df3-bb71-4f30-9315-1b0c6c916a58]
+> 2 [0]0D2C.0754::‎2015‎-‎03‎-‎27 15:09:21.042 [ActivityEventSource]Started activity [HttpRequestActivity, id {8ab952bd-c43f-4ded-b173-50d4055f9341}] parent activity [WebAuthentication Call, id {4659b10b-cf3a-4bcc-9769-f6e1b8663fe5}] Elapsed: 0ms Context: {c477a2fb-8864-4d89-96c7-24bdccee5b94} Properties: RequestUrl=[https://wapserver.contoso.local:8090/provider/subscriptions] & x-ms-client-request-id=[aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e] & x-ms-client-session-id=[bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f]
 
-> 3 [0]0D2C.0754::‎2015‎-‎03‎-‎27 15:09:21.058 [ActivityEventSource]Successfully completed activity [HttpRequestActivity, id {8ab952bd-c43f-4ded-b173-50d4055f9341}] parent activity [WebAuthentication Call, id {4659b10b-cf3a-4bcc-9769-f6e1b8663fe5}] Elapsed: 0ms Context: {c477a2fb-8864-4d89-96c7-24bdccee5b94} Duration: 124ms Properties: OriginalPath=[/provider/subscriptions] & RequestUrl=[https://wapserver.contoso.local:8090/provider/subscriptions] & SubscriptionId=[] & x-ms-client-request-id=[e8dbc04c-5381-40ba-8909-69b83a4f3f13] & x-ms-client-session-id=[99459df3-bb71-4f30-9315-1b0c6c916a58]
+> 3 [0]0D2C.0754::‎2015‎-‎03‎-‎27 15:09:21.058 [ActivityEventSource]Successfully completed activity [HttpRequestActivity, id {8ab952bd-c43f-4ded-b173-50d4055f9341}] parent activity [WebAuthentication Call, id {4659b10b-cf3a-4bcc-9769-f6e1b8663fe5}] Elapsed: 0ms Context: {c477a2fb-8864-4d89-96c7-24bdccee5b94} Duration: 124ms Properties: OriginalPath=[/provider/subscriptions] & RequestUrl=[https://wapserver.contoso.local:8090/provider/subscriptions] & SubscriptionId=[] & x-ms-client-request-id=[aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e] & x-ms-client-session-id=[bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f]
 
 > 4 [1]0D2C.0754::‎2015‎-‎03‎-‎27 15:09:24.406 [Microsoft-ServiceProviderFoundation]Component: Provider Activity [WebAuthentication Call, id {4659b10b-cf3a-4bcc-9769-f6e1b8663fe5}] Parent activity [none, id {00000000-0000-0000-0000-000000000000}] Elapsed: 0ms Context: {c477a2fb-8864-4d89-96c7-24bdccee5b94} Creating Tenant and linking to stamp TenantName: [email protected]_a7c63b17-c0fb-48bf-bdc4-5f7db1c2610b