support/power-platform/power-automate/desktop-flows/troubleshoot-ui-flow-invalid-credentials-error-using-aad-account.md
26 additions & 22 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Desktop flow invalid credentials error when using a Microsoft Entra account
3
3
description: Resolves the InvalidConnectionCredentials or WindowsIdentityIncorrect error that occurs when you run a desktop flow using a Microsoft Entra account.
@@ -34,18 +34,20 @@ When you run a desktop flow using a Microsoft Entra account, it fails with the `
34
34
}
35
35
```
36
36
37
-
In these error codes, you might also experience an error message containing the phrase `AADSTS50126: Error validating credentials due to invalid username or password`.
37
+
You might also receive the following error message:
38
+
39
+
> AADSTS50126: Error validating credentials due to invalid username or password
38
40
39
41
## Cause
40
42
41
43
You might encounter the error when using a Microsoft Entra account for several reasons:
42
44
43
-
-The account credentials entered into the connection might not match those on the machine.
44
-
- The device might not be[Microsoft Entra joined](/entra/identity/devices/concept-directory-join) or [Microsoft Entra hybrid joined](/entra/identity/devices/concept-hybrid-join) to support [Microsoft Entra authentication](/entra/identity/authentication/overview-authentication).
45
-
- The Microsoft Entra account might not be synchronized to the machine.
46
-
- The user account being attempted to connect is a federated user (ADFS) while the tenant is configured to run on Microsoft Entra ID.
45
+
-You enter account credentials into the connection that don't match the credentials on the machine.
46
+
- The device isn't[Microsoft Entra joined](/entra/identity/devices/concept-directory-join) or [Microsoft Entra hybrid joined](/entra/identity/devices/concept-hybrid-join) to support [Microsoft Entra authentication](/entra/identity/authentication/overview-authentication).
47
+
- The Microsoft Entra account isn't synchronized to the machine.
48
+
- The user account attempting to connect is a [federated user (ADFS)](/windows-server/identity/ad-fs/ad-fs-overview) while the tenant is configured to run on Microsoft Entra ID.
47
49
48
-
## Resolution
50
+
## Solution
49
51
50
52
1. Ensure that the device is Microsoft Entra joined or domain-joined:
51
53
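Review bot: The first rewritten cause bullet ("You enter account credentials into the connection that don't match the credentials on the machine.") switches to second person while the other three bullets describe a state of the device or account, so the list is no longer parallel; something like "The account credentials entered into the connection don't match those on the machine." keeps the new definite tone and the old structure. Also, renaming the heading from "## Resolution" to "## Solution" changes the heading's anchor, so any links that target the old heading should be checked and updated in the same change.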
@@ -57,38 +59,40 @@ You might encounter the error when using a Microsoft Entra account for several r
57
59
58
60
Make sure that one of the `DomainJoined` or `AzureAdJoined` values is `YES`.
59
61
60
-
If this isn't the case, a Microsoft Entra account can't be used unless the device is joined. For more information, see [How to join a device](/azure/active-directory/user-help/user-help-join-device-on-network#to-join-an-already-configured-windows-10-device).
62
+
If this condition isn't true, you can't use a Microsoft Entra account unless the device is joined. For more information, see [How to join a device](/azure/active-directory/user-help/user-help-join-device-on-network#to-join-an-already-configured-windows-10-device).
61
63
62
-
2. Identify the Microsoft Entra account to use in the machine configuration:
64
+
1. Identify the Microsoft Entra account to use in the machine configuration:
63
65
64
66
1. Open **Settings** and select **Accounts**.
65
67
66
-
2. Select **Access work or school**.
68
+
1. Select **Access work or school**.
67
69
68
-
3. Make sure you see text like "Connected to <your_organization> Microsoft Entra ID." The account it's connected to can be used in the connection.
70
+
1. Make sure you see text like "Connected to <your_organization> Microsoft Entra ID." The account it's connected to can be used in the connection.
69
71
70
-
3. Synchronize the Microsoft Entra account on the device:
72
+
1. Synchronize the Microsoft Entra account on the device:
71
73
72
74
1. Select the **Info** button when selecting your Microsoft Entra connection on the **Access work or school** page.
73
75
74
-
2. This will open a page that describes your connection information and device synchronization status. Select the **Sync** button at the end of the page, and wait for this process to complete.
76
+
1. This action opens a page that describes your connection information and device synchronization status. Select the **Sync** button at the end of the page, and wait for this process to complete.
77
+
78
+
1. Verify that the configured Microsoft Entra account can sign in to the device:
75
79
76
-
4. Verify that the configured Microsoft Entra account can sign in to the device:
80
+
1. Try to sign in to the machine by using the Microsoft Entra account you identified in step 2.
81
+
1. The device authentication must be successful to use the account in a connection.
77
82
78
-
1. Try to sign in to the machine using the Microsoft Entra account identified in step 2.
79
-
2. The device login must be successful in order to be used in a connection.
83
+
1. Make sure the flow is configured properly with the right username and password. This information must match the account on your computer.
80
84
81
-
5. Make sure the flow is configured properly with the right username and password. This must match the account on your computer.
85
+
### AADSTS50126 error
82
86
83
-
### Specifically for AADSTS50126 case
87
+
The preferred and most secure method to resolve this error is to configure [Certificate-Based Authentication (CBA)](/power-automate/desktop-flows/configure-certificate-based-auth).
84
88
85
-
The preferred and most secure method is to configure [Certificate-Based Authentication](/power-automate/desktop-flows/configure-certificate-based-auth).
89
+
If you can't configure CBA, federated users can use an alternative approach when administrators of the on-premises Identity Provider (IdP) configure Password Hash Sync (PHS) to synchronize password hashes to the cloud. In this scenario, federated users can authenticate directly against Microsoft Entra ID (ESTS) by configuring a Home Realm Discovery (HRD) policy that explicitly allows cloud password validation.
86
90
87
-
Alternatively, in cases where CBA cannot be configured, the alternative is for configurations where administrators of the on-premises IdP have configured Password Hash Sync (PHS) and password hashes are synchronized to the Cloud, federated users can use their password directly against Microsoft Entra ID (ESTS). In order to do that, a Home Realm Discovery (HRD) policy should be configured to explicitly allow this.
91
+
To enable this configuration, set the following HRD policy value:
88
92
89
-
For more information on this case, please follow this article: [Enable direct ROPC authentication of federated users for legacy applications](/entra/identity/enterprise-apps/home-realm-discovery-policy#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications)
93
+
`"AllowCloudPasswordValidation": true`
90
94
91
-
The setting that needs to be used is `"AllowCloudPasswordValidation" : true`
95
+
For detailed instructions, see [Enable direct ROPC authentication of federated users for legacy applications](/entra/identity/enterprise-apps/home-realm-discovery-policy#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications).
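Review bot: In the added AADSTS50126 paragraph, "federated users can authenticate directly against Microsoft Entra ID (ESTS) by configuring a Home Realm Discovery (HRD) policy" reads as if the federated users set the policy themselves; name who configures it (an administrator), as the sentence before it does for Password Hash Sync. The setting now stands on a line of its own as `"AllowCloudPasswordValidation": true` with no indication of where in the HRD policy it belongs or which applications the policy should cover; because it lets a federated user's password be validated in the cloud rather than at the on-premises IdP, a sentence on scope before the link would help readers who stop at this page. Separately, the sub-step "The device authentication must be successful to use the account in a connection." is a condition rather than an action and would read better as a continuation of the sign-in step than as its own numbered item.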