Commit 678ebd3

committed
move mitigation to different article
1 parent ad05715 commit 678ebd3

2 files changed

Lines changed: 13 additions & 12 deletions

support/power-platform/power-automate/desktop-flows/troubleshoot-ui-flow-invalid-credentials-error-using-aad-account.md

Lines changed: 13 additions & 0 deletions
@@ -34,13 +34,16 @@ When you run a desktop flow using a Microsoft Entra account, it fails with the `
3434
}
3535
```
3636

37+
In these error codes, you might also experience an error message containing the phrase `AADSTS50126: Error validating credentials due to invalid username or password`.
38+
3739
## Cause
3840

3941
You might encounter the error when using a Microsoft Entra account for several reasons:
4042

4143
- The account credentials entered into the connection might not match those on the machine.
4244
- The device might not be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) or [Microsoft Entra hybrid joined](/entra/identity/devices/concept-hybrid-join) to support [Microsoft Entra authentication](/entra/identity/authentication/overview-authentication).
4345
- The Microsoft Entra account might not be synchronized to the machine.
46+
- The user account being attempted to connect is a federated user (ADFS) while the tenant is configured to run on Microsoft Entra ID.
4447

4548
## Resolution
4649

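Review bot: The new Cause bullet at added line 46 names the federated (ADFS) case but drops the explanation the old section gave, that with this configuration the credentials are validated on the user's on-premises identity provider. Without it the reader cannot tell why a federated user on a Microsoft Entra ID tenant fails here. Suggest rewording the bullet to something like "The account is a federated (ADFS) user in a Microsoft Entra ID tenant, so credential validation happens on the on-premises identity provider." The added sentence at line 37 also opens with "In these error codes", which does not parse; "The error details might also contain `AADSTS50126: Error validating credentials due to invalid username or password`" says the same thing.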
@@ -77,6 +80,16 @@ You might encounter the error when using a Microsoft Entra account for several r
7780

7881
5. Make sure the flow is configured properly with the right username and password. This must match the account on your computer.
7982

83+
### Specifically for AADSTS50126 case
84+
85+
The preferred and most secure method is to configure [Certificate-Based Authentication](/power-automate/desktop-flows/configure-certificate-based-auth).
86+
87+
Alternatively, in cases where CBA cannot be configured, the alternative is for configurations where administrators of the on-premises IdP have configured Password Hash Sync (PHS) and password hashes are synchronized to the Cloud, federated users can use their password directly against Microsoft Entra ID (ESTS). In order to do that, a Home Realm Discovery (HRD) policy should be configured to explicitly allow this.
88+
89+
For more information on this case, please follow this article: [Enable direct ROPC authentication of federated users for legacy applications](/entra/identity/enterprise-apps/home-realm-discovery-policy#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications)
90+
91+
The setting that needs to be used is `"AllowCloudPasswordValidation" : true`
92+
8093
## More information
8194

8295
- [Create desktop flow connections](/power-automate/desktop-flows/desktop-flow-connections)
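Review bot: The fallback paragraph at added line 87 is one run-on sentence that says "Alternatively ... the alternative is" and buries the prerequisite. Split it into three statements: the prerequisite (the on-premises IdP administrators have configured Password Hash Sync and the hashes are synchronized to the cloud), the result (federated users can validate their password directly against Microsoft Entra ID), and the requirement (a Home Realm Discovery policy must explicitly allow it). The last added line gives `"AllowCloudPasswordValidation" : true` without saying where it is set; state that it belongs in the HRD policy described in the linked article. The heading "Specifically for AADSTS50126 case" would read better as "AADSTS50126 error", and since it follows numbered step 5 it should be clear that it is a separate case, not a continuation of the steps.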

support/power-platform/power-automate/desktop-flows/ui-flows-run-failed-with-aadlogonfailure-error.md

Lines changed: 0 additions & 12 deletions
@@ -22,18 +22,6 @@ Your unattended desktop flows run failed with the error code **MSEntraLogonFailu
2222

2323
Desktop flows failed to validate your Microsoft Entra credentials on the machine.
2424

25-
## Mitigation for errors similar to AADSTS50126: Error validating credentials due to invalid username or password
26-
27-
There are cases where specific tenant & user configurations might result to this error. Some examples are Microsoft Entra ID (Cloud) tenants with Federated users (ADFS). With this configuration, the validation of the credentials is happening on the user's on-premises Identity Provider.
28-
29-
The preferred and most secure method is to configure [Certificate-Based Authentication](/power-automate/desktop-flows/configure-certificate-based-auth).
30-
31-
Alternatively, in cases where CBA cannot be configured, the alternative is for configurations where administrators of the on-premises IdP have configured Password Hash Sync (PHS) and password hashes are synchronized to the Cloud, federated users can use their password directly against Microsoft Entra ID (ESTS). In order to do that, a Home Realm Discovery (HRD) policy should be configured to explicitly allow this.
32-
33-
For more information on this case, please follow this article: [Enable direct ROPC authentication of federated users for legacy applications](/entra/identity/enterprise-apps/home-realm-discovery-policy#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications)
34-
35-
The setting that needs to be used is `"AllowCloudPasswordValidation" : true`
36-
3725
## Resolution for Power Automate for desktop version 2.49 or later
3826

3927
You need to [configure Microsoft Entra authentication for Remote Desktop](/power-automate/desktop-flows/run-unattended-desktop-flows#admin-consent-for-unattended-runs-using-cba-or-sign-in-credentials-with-nla-preview).
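Review bot: Removing the whole mitigation section at old lines 25 to 36 leaves this article with no mention of AADSTS50126, so a reader who arrives here with that message in an MSEntraLogonFailure run no longer finds the certificate-based authentication recommendation or the `AllowCloudPasswordValidation` fallback. Keep a one-line pointer after the "Desktop flows failed to validate your Microsoft Entra credentials on the machine." paragraph that links to the AADSTS50126 section of troubleshoot-ui-flow-invalid-credentials-error-using-aad-account.md.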
