AADSTS Error Codes and References

I was working on an issue today which seemed to be a conditional access policy issue in Azure AD. Whilst the sign-in logs pointed towards a conditional access policy, it actually turned out to be a user who was required to verify their SSPR security information. During research, I found that new Azure AD tenants created from August 15th 2020 start utilising the combined registration experience for both MFA and SSPR. This is documented here.

Here’s a view of what was occurring, which may help someone else in the future.

Problem/Scenario

A cloud application was excluded from MFA, and the user also had a password policy applied to their Azure AD account that did not require password resets (something which was required for the scenario). When the user signed in to the cloud application, they received a prompt for more security information, and from the sign-in logs this appeared to point to a conditional access policy blocking the request.

Actual Issue

The actual issue was that the user needed to review their verification methods for SSPR to keep the account secure. This is controlled through the password reset options. Upon review of the sign-in logs, an AADSTS50125 error was present, confirming the issue.

AADSTS Error Code Reference

The actual AAD Security Token Service error messages are well documented on this Microsoft docs page. You can also submit a code to the web page below:

https://login.microsoftonline.com/error

Light Bulb Moment

Since the above form accepts an error code through its form action, as per the HTML markup:

I decided to create my own Blazor application to submit AADSTS error codes for troubleshooting. I used the HtmlAgilityPack to extract the relevant parts of the response in the Blazor component and display the details of the error code. This makes it easier to parse the response HTML and embed it into a Razor page with a reference to ((MarkupString)[HTMLValue]).
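The following is an added example of the lookup-and-parse step described above; it is not the author's AADErrorChecker code. It assumes the HtmlAgilityPack NuGet package and .NET 6 or later, and it assumes (based on the form described in the post) that https://login.microsoftonline.com/error accepts the numeric part of the code as a `code` parameter. The element ids `errorCode` and `errorDescription` and the sample HTML are constructed for the example, so the selectors would need adapting to the real page's markup. Two points a practitioner would want are shown: the user-supplied code is validated before it is placed in a URL, and only the `InnerText` of the selected nodes is kept, so nothing fetched from the remote page is rendered as raw markup (rendering a fetched response through `MarkupString` bypasses Blazor's HTML encoding, which is worth avoiding for anything you did not author).

```csharp
// Added example, not the author's AADErrorChecker code.
// Assumes: HtmlAgilityPack NuGet package, .NET 6+, and that the error page accepts
// the numeric code as a "code" parameter (assumption based on the form in the post).
using System;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using HtmlAgilityPack;

public static class AadstsLookup
{
    // Constructed sample of an error page. The real page's markup is not reproduced
    // here; the element ids are assumptions used only to demonstrate the parsing step.
    public const string SampleHtml = @"<html><body>
      <div id='errorCode'>AADSTS50125</div>
      <div id='errorDescription'>Example description &amp; text (constructed sample, not Microsoft's wording).</div>
      <script>alert('this would execute if the page were rendered via MarkupString')</script>
    </body></html>";

    // Accept "50125" or "AADSTS50125" and return only the digits; anything else is rejected
    // so that untrusted input never reaches the query string unchecked.
    public static bool TryNormalizeCode(string input, out string numeric)
    {
        var m = Regex.Match((input ?? "").Trim(), @"^(?:AADSTS)?(\d{4,7})$", RegexOptions.IgnoreCase);
        numeric = m.Success ? m.Groups[1].Value : "";
        return m.Success;
    }

    // Pull the code and description out of the page as plain text. InnerText strips tags and
    // decodes entities, so script or markup in the response is never carried into the UI.
    public static (string Code, string Description) Parse(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html);
        string TextOf(string id) => doc.GetElementbyId(id)?.InnerText.Trim() ?? "(not found)";
        return (TextOf("errorCode"), TextOf("errorDescription"));
    }

    // Build the lookup URL from a validated numeric code and fetch the page.
    public static async Task<string> FetchAsync(HttpClient client, string numericCode)
    {
        if (!TryNormalizeCode(numericCode, out var digits))
            throw new ArgumentException("Expected a numeric AADSTS code", nameof(numericCode));
        var url = $"https://login.microsoftonline.com/error?code={Uri.EscapeDataString(digits)}";
        return await client.GetStringAsync(url);
    }

    // Usage: `dotnet run -- 50125` performs a live lookup; with no argument the constructed
    // sample is parsed offline.
    public static async Task Main(string[] args)
    {
        string html;
        if (args.Length > 0)
        {
            if (!TryNormalizeCode(args[0], out var digits))
            {
                Console.Error.WriteLine($"Rejected input: {args[0]}");
                return;
            }
            using var client = new HttpClient();
            html = await FetchAsync(client, digits);
        }
        else
        {
            html = SampleHtml;
        }

        var (code, description) = Parse(html);
        // Plain strings bound in a Razor page are HTML-encoded by Blazor automatically;
        // no MarkupString cast is needed for these values.
        Console.WriteLine($"Code:        {code}");
        Console.WriteLine($"Description: {description}");
    }
}
```

In the Blazor component, binding `code` and `description` as ordinary strings (`@code`, `@description`) keeps Blazor's default encoding in place; the `(MarkupString)` cast is only necessary when you deliberately want fetched HTML rendered as markup, and then only for content you trust.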

I have deployed the Blazor AADErrorChecker SPA here, using Azure App service.