Class MsalError
Error code returned as a property in MsalException
public static class MsalError
Inheritance
MsalError
Fields
AccessDenied
Access denied.
public const string AccessDenied = "access_denied"
Field Value
AccessTokenTypeMissing
What happens?
The response from the token endpoint does not contain the token_type parameter.
Mitigation
This happens if the identity provider (AAD, B2C, ADFS, etc.) did not include the access token type in the token response. Verify the configuration of the identity provider.
public const string AccessTokenTypeMissing = "token_type_missing"
Field Value
AccessingWsMetadataExchangeFailed
Accessing WS Metadata Exchange Failed.
What happens?
You tried to use AcquireTokenByUsernamePassword(IEnumerable<string>, string, string) and the account is a federated account.
Mitigation
None. The WS metadata was not found or does not correspond to what was expected.
public const string AccessingWsMetadataExchangeFailed = "accessing_ws_metadata_exchange_failed"
Field Value
ActivityRequired
On Android, you need to call AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object), passing the activity. See https://aka.ms/msal-interactive-android
public const string ActivityRequired = "activity_required"
Field Value
AdfsNotSupportedWithBroker
What happens?
The broker is configured with an ADFS authority, but the broker does not support ADFS environments.
Mitigation
Broker does not support ADFS environments.
public const string AdfsNotSupportedWithBroker = "adfs_not_supported_with_broker"
Field Value
AndroidBrokerOperationFailed
Failed To Complete Android Broker Operation
public const string AndroidBrokerOperationFailed = "android_broker_operation_failed"
Field Value
AndroidBrokerSignatureVerificationFailed
Failed to validate the Android broker signature.
public const string AndroidBrokerSignatureVerificationFailed = "broker_signature_verification_failed"
Field Value
AuthenticationCanceledError
Authentication canceled.
What happens?
The user canceled the authentication, for instance by closing the authentication dialog.
Mitigation
None, you cannot get a token to call the protected API. You might want to inform the user.
public const string AuthenticationCanceledError = "authentication_canceled"
Field Value
AuthenticationFailed
Authentication failed.
What happens?
The authentication failed. For instance, the user did not enter the right password.
Mitigation
Inform the user to retry.
public const string AuthenticationFailed = "authentication_failed"
Field Value
AuthenticationUiFailed
The request could not be performed because of an unknown failure in the UI flow.
Mitigation
Inform the user.
public const string AuthenticationUiFailed = "authentication_ui_failed"
Field Value
AuthenticationUiFailedError
The request could not be performed because of a failure in the UI flow.
What happens?
The library failed to invoke the Web View required to perform interactive authentication. The exception might include the reason.
Mitigation
If the exception includes the reason, you could inform the user. This might be, for instance, a browser implementing chrome tabs is missing on the Android phone (that's only an example: this exception can apply to other platforms as well).
public const string AuthenticationUiFailedError = "authentication_ui_failed"
Field Value
AuthorityHostMismatch
The cloud (authority URL host) defined at the application level cannot be different than the cloud at the request level.
What happens?
You did not define an authority at the application level, so it defaults to the public cloud (login.microsoft.com), but the authority at the request level is for a different cloud. Only the tenant can be changed at the request level.
Mitigation
Add .WithAuthority("https://login.windows-ppe.net/common") at the application level and specify the tenant at the request level: .WithAuthority("https://login.windows-ppe.net/1234-567-890-12345678").
public const string AuthorityHostMismatch = "authority_host_mismatch"
Field Value
AuthorityTenantSpecifiedTwice
What happens?
You specified a tenant twice: once in WithAuthority() and once using WithTenant().
Mitigation
Specify the tenant once.
public const string AuthorityTenantSpecifiedTwice = "authority_tenant_specified_twice"
Field Value
AuthorityTypeMismatch
What happens?
The authority configured at the application level is different than the authority configured at the request level.
Mitigation
Ensure the same authority type is used.
public const string AuthorityTypeMismatch = "authority_type_mismatch"
Field Value
AuthorityValidationFailed
Authority validation failed.
What happens?
The validation of the authority failed. This might be because the authority is not compliant with the OIDC standard, or there might be a security issue.
Mitigation
Use a different authority. If you are absolutely sure that you can trust the authority, you can use WithAuthority(AadAuthorityAudience, bool), passing the validateAuthority parameter as false (not recommended).
public const string AuthorityValidationFailed = "authority_validation_failed"
Field Value
B2CAuthorityHostMismatch
The B2C authority host is not the same as the one used when creating the client application.
public const string B2CAuthorityHostMismatch = "B2C_authority_host_mismatch"
Field Value
BrokerApplicationRequired
What happens?
A broker application is required, but one could not be found or communicated with.
Mitigation
Install a broker application, such as Authenticator, from the application store.
public const string BrokerApplicationRequired = "broker_application_required"
Field Value
BrokerDoesNotSupportPop
What happens?
The request has broker enabled and Proof-of-Possession configured, but the broker does not support Proof-of-Possession.
Mitigation
Only configure Proof-of-Possession for public clients on Windows.
public const string BrokerDoesNotSupportPop = "broker_does_not_support_pop"
Field Value
BrokerNonceMismatch
Broker response nonce does not match the request nonce sent by MSAL.NET for iOS broker >= v6.3.19
public const string BrokerNonceMismatch = "broker_nonce_mismatch"
Field Value
BrokerRequiredForPop
What happens?
The request has Proof-of-Possession configured but does not have broker enabled. Broker is required to use Proof-of-Possession on public clients.
Mitigation
Enable the broker when Proof-of-Possession is configured.
public const string BrokerRequiredForPop = "broker_required_for_pop"
Field Value
BrokerResponseHashMismatch
Broker response hash did not match
public const string BrokerResponseHashMismatch = "broker_response_hash_mismatch"
Field Value
BrokerResponseReturnedError
Broker response returned an error
public const string BrokerResponseReturnedError = "broker_response_returned_error"
Field Value
CannotAccessUserInformationOrUserNotDomainJoined
Cannot access user information, or the user is not a domain user.
What happens?
You tried to use AcquireTokenByIntegratedWindowsAuth(IEnumerable<string>) but the user is not a domain user (the machine is not domain or AAD joined).
public const string CannotAccessUserInformationOrUserNotDomainJoined = "user_information_access_failed"
Field Value
CannotInvokeBroker
MSAL is not able to invoke the broker. Possible reasons are the broker is not installed on the user's device, or there were issues with the UiParent or CallerViewController being null. See https://aka.ms/msal-brokers
public const string CannotInvokeBroker = "cannot_invoke_broker"
Field Value
CertWithoutPrivateKey
What happens?
The certificate provided does not have a private key.
Mitigation
Ensure the certificate has a private key.
public const string CertWithoutPrivateKey = "cert_without_private_key"
Field Value
CertificateNotRsa
What happens?
The certificate provided is not of type RSA.
Mitigation
Please use an RSA certificate.
public const string CertificateNotRsa = "certificate_not_rsa"
Field Value
ClientCredentialAuthenticationTypeMustBeDefined
What happens?
You configured MSAL confidential client authentication without an authentication type (Certificate, Secret, Client Assertion).
Mitigation
Call one of ConfidentialClientApplicationBuilder.WithClientSecret, ConfidentialClientApplicationBuilder.WithCertificate, or ConfidentialClientApplicationBuilder.WithClientAssertion.
public const string ClientCredentialAuthenticationTypeMustBeDefined = "Client_Credentials_Required_In_Confidential_Client_Application"
Field Value
ClientCredentialAuthenticationTypesAreMutuallyExclusive
What happens?
You configured MSAL confidential client authentication with more than one authentication type (Certificate, Secret, Client Assertion).
public const string ClientCredentialAuthenticationTypesAreMutuallyExclusive = "Client_Credential_Authentication_Types_Are_Mutually_Exclusive"
Field Value
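The certificate and client-credential entries above (CertWithoutPrivateKey, CertificateNotRsa, ClientCredentialAuthenticationTypeMustBeDefined, ClientCredentialAuthenticationTypesAreMutuallyExclusive) all come down to how the confidential client is built. As an added example, not code from the MSAL.NET documentation or library, the following checks a certificate before handing it to ConfidentialClientApplicationBuilder and maps the resulting MSAL error codes to actionable failures. The client ID and authority are placeholders; the catch clauses assume these codes surface as MsalClientException (client-side) and MsalServiceException (service-side), which is how MsalError is documented above.

```csharp
// Added example (not from the MSAL.NET docs or library): validate a client
// certificate up front so that the CertWithoutPrivateKey / CertificateNotRsa
// failure modes are caught with a clear message, then use exactly one
// credential type on the builder.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ClientCredentialExample
{
    // Placeholder values; replace with your own app registration.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string Authority = "https://login.microsoftonline.com/{tenant-id-placeholder}";

    // Throws a descriptive exception if the certificate cannot sign a client
    // assertion: MSAL needs an RSA key whose private part is available.
    public static X509Certificate2 RequireUsableCertificate(X509Certificate2 cert)
    {
        if (cert == null) throw new ArgumentNullException(nameof(cert));
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key (MSAL would fail with MsalError.CertWithoutPrivateKey).");
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException(
                    "Certificate key is not RSA (MSAL would fail with MsalError.CertificateNotRsa).");
        }
        return cert;
    }

    public static async Task<AuthenticationResult> AcquireAppTokenAsync(X509Certificate2 cert, string[] scopes)
    {
        try
        {
            // Exactly one credential type. Adding WithClientSecret as well triggers
            // ClientCredentialAuthenticationTypesAreMutuallyExclusive; omitting every
            // credential triggers ClientCredentialAuthenticationTypeMustBeDefined.
            IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                .Create(ClientId)
                .WithAuthority(Authority)
                .WithCertificate(RequireUsableCertificate(cert))
                .Build();

            return await app.AcquireTokenForClient(scopes).ExecuteAsync();
        }
        catch (MsalException ex) when (ex.ErrorCode == MsalError.CertWithoutPrivateKey
                                     || ex.ErrorCode == MsalError.CertificateNotRsa
                                     || ex.ErrorCode == MsalError.CryptographicError)
        {
            // Client-side certificate problem: fix the certificate, do not retry.
            throw new InvalidOperationException($"Client certificate unusable: {ex.ErrorCode}", ex);
        }
        catch (MsalServiceException ex) when (ex.ErrorCode == MsalError.InvalidClient)
        {
            // Service-side configuration problem: the app registration does not
            // trust this certificate. Upload the public part in the portal.
            throw new InvalidOperationException(
                "App registration rejected the credential; check the uploaded certificate.", ex);
        }
    }
}
```

The pre-check is redundant with what MSAL does internally, but it runs before any network call and produces a message that names the actual defect, which is what an operator wants when a service principal's certificate has just been rotated.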
CodeExpired
What happens?
In the context of Device Code flow (see https://aka.ms/msal-net-device-code-flow), this error happens when the device code expired before the user signed in on another device (this is usually after 15 minutes).
Mitigation
None. Inform the user that they took too long to sign in at the provided URL and enter the provided code.
public const string CodeExpired = "code_expired"
Field Value
CombinedUserAppCacheNotSupported
Using combined flat storage, like a file, to store both app and user tokens is not supported. Use a partitioned token cache (for ex. distributed cache like Redis) or separate files for app and user token caches. See https://aka.ms/msal-net-token-cache-serialization .
public const string CombinedUserAppCacheNotSupported = "combined_user_app_cache_not_supported"
Field Value
CryptographicError
A cryptographic exception occurred when trying to use the provided certificate
public const string CryptographicError = "cryptographic_error"
Field Value
CurrentBrokerAccount
This error code comes back from AcquireTokenSilent(IEnumerable<string>, IAccount) calls when the OperatingSystemAccount user is passed as the account parameter. Only some brokers (WAM) can login the current user.
Mitigation
On Windows, use the broker via .WithBroker(true), use a different account, or otherwise call AcquireTokenInteractive(IEnumerable<string>).
public const string CurrentBrokerAccount = "current_broker_account"
Field Value
CustomMetadataInstanceOrUri
What happens?
You have configured your own instance metadata using both a Uri and a string. Only one is supported.
Mitigation
Call WithInstanceDiscoveryMetadata only once. See https://aka.ms/msal-net-custom-instance-metadata for more details.
public const string CustomMetadataInstanceOrUri = "custom_metadata_instance_or_uri"
Field Value
CustomWebUiRedirectUriMismatch
Error code used when the CustomWebUI has returned a URI, but it does not match the Authority and AbsolutePath of the configured redirect URI.
public const string CustomWebUiRedirectUriMismatch = "custom_webui_invalid_mismatch"
Field Value
CustomWebUiReturnedInvalidUri
Error code used when the ICustomWebUi has returned a URI, but it is invalid - it is either null or has no code. Consider throwing an exception if you are unable to intercept the URI containing the code.
public const string CustomWebUiReturnedInvalidUri = "custom_webui_returned_invalid_uri"
Field Value
DefaultRedirectUriIsInvalid
RedirectUri validation failed.
public const string DefaultRedirectUriIsInvalid = "redirect_uri_validation_failed"
Field Value
DeviceCertificateNotFound
Device certificate not found.
public const string DeviceCertificateNotFound = "device_certificate_not_found"
Field Value
DuplicateQueryParameterError
Duplicate query parameter was found in extraQueryParameters.
What happens?
You have used the extraQueryParameter overrides of token acquisition operations in a public client or confidential client application, and are passing a parameter which is already present in the URL (either because you had it in another way, or the library added it).
Mitigation [App Development]
Remove the duplicate parameter from the token acquisition override.
public const string DuplicateQueryParameterError = "duplicate_query_parameter"
Field Value
EncodedTokenTooLong
Encoded token too long.
What happens?
In a confidential client application call, the client assertion built by MSAL is longer than the max possible length for a JWT token.
public const string EncodedTokenTooLong = "encoded_token_too_long"
Field Value
ExactlyOneScopeExpected
Exactly one scope is expected.
public const string ExactlyOneScopeExpected = "exactly_one_scope_expected"
Field Value
ExperimentalFeature
What happens?
You are trying to use a feature which was marked as experimental.
Mitigation
When creating the PublicClientApplication or ConfidentialClientApplication, use the .WithExperimentalFeatures() option. See https://aka.ms/msal-net-experimental-features for details.
public const string ExperimentalFeature = "experimental_feature"
Field Value
FailedToAcquireTokenSilentlyFromBroker
Failed to acquire token silently. Used in broker scenarios.
What happens?
You called AcquireTokenSilent(IEnumerable<string>, IAccount) or AcquireTokenSilent(IEnumerable<string>, string) and your mobile (Xamarin) application leverages the broker (Microsoft Authenticator or Microsoft Company Portal), but the broker was not able to acquire the token silently.
Mitigation
Call AcquireTokenInteractive(IEnumerable<string>).
public const string FailedToAcquireTokenSilentlyFromBroker = "failed_to_acquire_token_silently_from_broker"
Field Value
FailedToGetBrokerResponse
What happens?
You are trying to authenticate with the broker but MSAL is unable to read the response from the broker.
Mitigation
The currently installed broker may not support MSAL.Xamarin. You need to ensure that you have installed either Intune Company Portal (5.0.4689.0 or greater) or Microsoft Authenticator (6.2001.0140 or greater). See https://aka.ms/Brokered-Authentication-for-Android
public const string FailedToGetBrokerResponse = "failed_to_get_broker_response"
Field Value
FailedToRefreshToken
Failed to refresh token.
What happens?
The token could not be refreshed. This can be because the user has not used the application for a long time, and therefore the refresh token maintained in the token cache has expired.
Mitigation
If you are in a public client application that supports interactivity, send an interactive request AcquireTokenInteractive(IEnumerable<string>). Otherwise, use a different method to acquire tokens.
public const string FailedToRefreshToken = "failed_to_refresh_token"
Field Value
FederatedServiceReturnedError
Federated service returned error.
Mitigation
None. The federated service returned an error. You can try to look at the Body of the exception for a better understanding of the error and choose the mitigation.
public const string FederatedServiceReturnedError = "federated_service_returned_error"
Field Value
GetUserNameFailed
Failed to get user name.
public const string GetUserNameFailed = "get_user_name_failed"
Field Value
HttpListenerError
An HttpListenerException occurred while listening for the system browser to complete the login.
public const string HttpListenerError = "http_listener_error"
Field Value
HttpStatusCodeNotOk
ErrorCode used when the HTTP response returns something different from 200 (OK)
public const string HttpStatusCodeNotOk = "http_status_not_200"
Field Value
Remarks
HttpStatusCode.NotFound has a specific error code: HttpStatusNotFound.
HttpStatusNotFound
Error code used when the HTTP response returns HttpStatusCode.NotFound
public const string HttpStatusNotFound = "not_found"
Field Value
InitializeProcessSecurityError
What happens?
Failure setting process security to enable the WAM Account Picker in an elevated process.
Mitigation
For troubleshooting details, see https://aka.ms/msal-net-wam
public const string InitializeProcessSecurityError = "initialize_process_security_error"
Field Value
IntegratedWindowsAuthNotSupportedForManagedUser
Integrated Windows Auth is only supported for "federated" users
public const string IntegratedWindowsAuthNotSupportedForManagedUser = "integrated_windows_auth_not_supported_managed_user"
Field Value
IntegratedWindowsAuthenticationFailed
This can occur if there is a configuration issue in the ADFS environment where this is authenticating. See https://aka.ms/msal-net-iwa-troubleshooting for more details.
public const string IntegratedWindowsAuthenticationFailed = "integrated_windows_authentication_failed"
Field Value
InteractionRequired
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so the user can do an interactive log-in to get a token with updated claims.
Mitigation:
If your application is an IPublicClientApplication, call AcquireTokenInteractive to perform an interactive authentication. If your application is a ConfidentialClientApplication, chances are that the Claims member of the exception is not empty. See Claims for the right mitigation.
public const string InteractionRequired = "interaction_required"
Field Value
InternalError
Internal error
public const string InternalError = "internal_error"
Field Value
InvalidAdalCacheMultipleRTs
What happens?
The ADAL cache is invalid as it contains multiple refresh token entries for one user.
Mitigation
Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.
public const string InvalidAdalCacheMultipleRTs = "invalid_adal_cache"
Field Value
InvalidAuthority
Invalid authority
What happens?
When the library attempted to discover the authority and get the endpoints it needs to acquire a token, it got an unauthorized HTTP code or an unexpected response.
Remediation
Check that the authority configured for the application, or passed on some overrides of token acquisition methods supporting authority override, is correct.
public const string InvalidAuthority = "invalid_authority"
Field Value
InvalidAuthorityType
Invalid authority type. MSAL.NET does not know how to interact with the authority specified when the application was built.
Mitigation
Use a different authority.
public const string InvalidAuthorityType = "invalid_authority_type"
Field Value
InvalidAuthorizationUri
An authorization Uri has been intercepted, but it cannot be parsed. See the log for more details.
public const string InvalidAuthorizationUri = "invalid_authorization_uri"
Field Value
InvalidClient
Azure AD service error indicating a configuration issue.
Mitigation
See the error message for details, then take corrective action in the app registration portal. See https://aka.ms/msal-net-invalid-client for details.
public const string InvalidClient = "invalid_client"
Field Value
InvalidGrantError
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user so that the user does an interactive action in order to get a new token.
Mitigation:
If your application is an IPublicClientApplication, call AcquireTokenInteractive to perform an interactive authentication. If your application is a ConfidentialClientApplication, chances are that the Claims member of the exception is not empty. See MsalServiceException.Claims for the right mitigation.
public const string InvalidGrantError = "invalid_grant"
Field Value
InvalidInstance
AAD service error indicating that the configured authority does not exist
public const string InvalidInstance = "invalid_instance"
Field Value
InvalidJsonClaimsFormat
What happens?
You have configured a claims request, but the claims string is not in JSON format.
Mitigation
Ensure that the claims parameter is valid JSON. Inspect the inner exception for details about JSON parsing.
public const string InvalidJsonClaimsFormat = "invalid_json_claims_format"
Field Value
InvalidJwtError
JWT was invalid.
What happens?
The library expected a JWT (for instance a token from the cache, or received from the STS), but the format is invalid.
Mitigation
Make sure that the token cache was not tampered with.
public const string InvalidJwtError = "invalid_jwt"
Field Value
InvalidManagedIdentityEndpoint
Invalid managed identity endpoint.
public const string InvalidManagedIdentityEndpoint = "invalid_managed_identity_endpoint"
Field Value
InvalidManagedIdentityResponse
A required value is missing from the managed identity response.
public const string InvalidManagedIdentityResponse = "invalid_managed_identity_response"
Field Value
InvalidOwnerWindowType
Invalid owner window type.
What happens?
You used AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) but the parameter you passed is invalid.
Remediation
On .NET Standard, the expected object is an Activity on Android, a UIViewController on iOS, an NSWindow on Mac, and an IWin32Window or IntPtr on Windows. If you are in a WPF application, you can use WindowInteropHelper(wpfControl).Handle to get the window handle associated with a WPF control.
public const string InvalidOwnerWindowType = "invalid_owner_window_type"
Field Value
InvalidRequest
Request is invalid.
What happens?
This can happen because you are using a token acquisition method which is not compatible with the authority. For instance: you called AcquireTokenByUsernamePassword(IEnumerable<string>, string, string) but you used an authority ending with '/common' or '/consumers', as this requires a tenanted authority or '/organizations'.
Mitigation
Adjust the authority to the AcquireTokenXX method you use (don't use 'common' or 'consumers' with AcquireTokenByUsernamePassword(IEnumerable<string>, string, string) or AcquireTokenByIntegratedWindowsAuth(IEnumerable<string>)).
public const string InvalidRequest = "invalid_request"
Field Value
InvalidTokenProviderResponseValue
A required value is missing from the token provider response
public const string InvalidTokenProviderResponseValue = "invalid_token_provider_response_value"
Field Value
InvalidUserInstanceMetadata
What happens?
You have configured your own instance metadata, but the JSON provided seems to be invalid.
Mitigation
See https://aka.ms/msal-net-custom-instance-metadata for an example of valid JSON that can be used.
public const string InvalidUserInstanceMetadata = "invalid-custom-instance-metadata"
Field Value
JsonParseError
JSON parsing failed.
What happens?
A JSON blob read from the token cache or received from the STS was not parseable. This can happen when reading the token cache, or receiving an IDToken from the STS.
Mitigation
Make sure that the token cache was not tampered with.
public const string JsonParseError = "json_parse_failed"
Field Value
LinuxXdgOpen
What happens?
MSAL tried to open the browser on Linux using the xdg-open, gnome-open, or kfmclient tools, but failed.
Mitigation
Make sure you can open a page using the xdg-open tool. See https://aka.ms/msal-net-os-browser for details.
public const string LinuxXdgOpen = "linux_xdg_open_failed"
Field Value
LoopbackRedirectUri
What happens?
The current redirect URL is not a loopback URL.
Mitigation
To use the OS browser, a loopback URL, with or without a port, must be configured both during app registration and when initializing the IPublicClientApplication object. See https://aka.ms/msal-net-os-browser for details.
public const string LoopbackRedirectUri = "loopback_redirect_uri"
Field Value
LoopbackResponseUriMismatch
What happens?
MSAL has intercepted a Uri possibly containing an authorization code, but it does not match the configured redirect URL.
Mitigation
If you are using an ICustomWebUi implementation, make sure the redirect URL matches the URL containing the auth code. If you are not using an ICustomWebUi, this could be a man-in-the-middle attack.
public const string LoopbackResponseUriMismatch = "loopback_response_uri_mismatch"
Field Value
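The CustomWebUiRedirectUriMismatch, CustomWebUiReturnedInvalidUri and LoopbackResponseUriMismatch entries all describe the same check: the URI that comes back from the browser must land on the registered redirect URI and carry an authorization code (or an error) before it is trusted. MSAL performs that check itself; the following is an added example, not code from the MSAL.NET documentation or library, of doing the same validation inside an ICustomWebUi wrapper so that a mismatch can be logged (without the query string) before MSAL rejects it. The inner ICustomWebUi is a hypothetical browser host you supply; HttpUtility comes from System.Web (available as System.Web.HttpUtility on .NET Core), and the strict authority comparison assumes a fixed-port redirect URI.

```csharp
// Added example (not from the MSAL.NET docs or library): an ICustomWebUi
// decorator that refuses any captured URI which does not match the registered
// redirect URI exactly (scheme, host, port, path) or carries neither a code
// nor an error. This is the condition the page describes as a possible
// man-in-the-middle when it happens with the built-in loopback listener.
using System;
using System.Threading;
using System.Threading.Tasks;
using System.Web; // HttpUtility.ParseQueryString
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility;

public sealed class ValidatingWebUi : ICustomWebUi
{
    private readonly ICustomWebUi _inner;   // hypothetical: your real browser host
    private readonly Action<string> _log;

    public ValidatingWebUi(ICustomWebUi inner, Action<string> log)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _log = log ?? (_ => { });
    }

    // True only if the captured URI is on the registered redirect URI and
    // carries either an authorization code or an OAuth error parameter.
    public static bool IsExpectedRedirect(Uri captured, Uri expected)
    {
        if (captured == null || expected == null) return false;
        if (!string.Equals(captured.Scheme, expected.Scheme, StringComparison.OrdinalIgnoreCase)) return false;
        // Authority is host:port, so a different port (or host) is rejected.
        if (!string.Equals(captured.Authority, expected.Authority, StringComparison.OrdinalIgnoreCase)) return false;
        if (!string.Equals(captured.AbsolutePath.TrimEnd('/'), expected.AbsolutePath.TrimEnd('/'),
                           StringComparison.Ordinal)) return false;

        var query = HttpUtility.ParseQueryString(captured.Query);
        return !string.IsNullOrEmpty(query["code"]) || !string.IsNullOrEmpty(query["error"]);
    }

    public async Task<Uri> AcquireAuthorizationCodeAsync(Uri authorizationUri, Uri redirectUri,
                                                         CancellationToken cancellationToken)
    {
        Uri captured = await _inner.AcquireAuthorizationCodeAsync(authorizationUri, redirectUri, cancellationToken);

        if (!IsExpectedRedirect(captured, redirectUri))
        {
            // Log scheme/host/path only; the query string may hold the authorization code.
            string got = captured == null ? "<null>" : captured.GetLeftPart(UriPartial.Path);
            _log($"Rejected authorization redirect: got {got}, expected {redirectUri.GetLeftPart(UriPartial.Path)}");
            throw new InvalidOperationException("Authorization redirect did not match the registered redirect URI.");
        }
        return captured;
    }
}
```

Wire it in with .WithCustomWebUi(new ValidatingWebUi(yourBrowserHost, Console.WriteLine)) on the AcquireTokenInteractive builder. Throwing from the ICustomWebUi, rather than returning null or a partial URI, is also what the CustomWebUiReturnedInvalidUri entry recommends when the code cannot be intercepted.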
ManagedIdentityRequestFailed
Managed Identity error response was received.
public const string ManagedIdentityRequestFailed = "managed_identity_request_failed"
Field Value
ManagedIdentityUnreachableNetwork
Managed Identity endpoint is not reachable.
public const string ManagedIdentityUnreachableNetwork = "managed_identity_unreachable_network"
Field Value
MissingFederationMetadataUrl
Federation Metadata URL is missing for federated user.
public const string MissingFederationMetadataUrl = "missing_federation_metadata_url"
Field Value
MissingPassiveAuthEndpoint
No passive auth endpoint was found in the OIDC configuration of the authority
What happens?
When the library goes to the authority and gets its OpenID Connect configuration, it expects to find a Passive Auth Endpoint entry, and could not find it.
Remediation
Check that the authority configured for the application, or passed on some overrides of token acquisition methods supporting authority override, is correct.
public const string MissingPassiveAuthEndpoint = "missing_passive_auth_endpoint"
Field Value
MultipleAccountsForLoginHint
This error code denotes that multiple accounts were found having the same login hint and MSAL cannot choose one. Please use WithAccount(IAccount) to specify the account
public const string MultipleAccountsForLoginHint = "multiple_accounts_for_login_hint"
Field Value
MultipleTokensMatchedError
Multiple Tokens were matched.
What happens?
This exception happens in the case of applications managing several identities, when calling AcquireTokenSilent(IEnumerable<string>, IAccount) or one of its overrides and the user token cache contains multiple tokens for this client application and the specified Account, but from different authorities.
Mitigation [App Development]
Specify the authority to use in the acquire token operation.
public const string MultipleTokensMatchedError = "multiple_matching_tokens_detected"
Field Value
NoAccountForLoginHint
This error code denotes that no account was found having the given login hint.
What happens?
AcquireTokenSilent(IEnumerable<string>, string) or WithLoginHint(string) was called with a loginHint parameter which does not match any account in GetAccountsAsync().
Mitigation
If you are certain about the loginHint, call AcquireTokenInteractive(IEnumerable<string>).
public const string NoAccountForLoginHint = "no_account_for_login_hint"
Field Value
NoAndroidBrokerAccountFound
MSAL is not able to find a suitable account to use with broker
public const string NoAndroidBrokerAccountFound = "no_broker_account_found"
Field Value
NoAndroidBrokerInstalledOnDevice
MSAL cannot find the broker application to authenticate accounts.
public const string NoAndroidBrokerInstalledOnDevice = "No_Broker_Installed_On_Device"
Field Value
NoClientId
What happens?
You haven't set a client ID.
Mitigation
Use the application ID (a GUID) from the application portal as the client ID in this SDK.
public const string NoClientId = "no_client_id"
Field Value
NoPromptFailedError
One of two conditions was encountered:
- Prompt.NoPrompt was passed in an interactive token call, but the constraint could not be honored because user interaction is required, for instance because the user needs to re-sign-in, give consent for more scopes, or perform multiple factor authentication.
- An error occurred during a silent web authentication that prevented the authentication flow from completing in a short enough time frame.
Remediation:
Call AcquireTokenInteractive so that the user of your application signs in and accepts consent.
public const string NoPromptFailedError = "no_prompt_failed"
Field Value
NoRedirectUri
No Redirect URI.
What happens?
You need to provide a Reply URI / Redirect URI, but have not called WithRedirectUri(string).
public const string NoRedirectUri = "no_redirect_uri"
Field Value
NoTokensFoundError
No token was found in the token cache.
Mitigation:
- If your application is an IPublicClientApplication, call AcquireTokenInteractive so that the user of your application signs in and accepts consent.
- If it's a web app, you should have previously called IConfidentialClientApplication.AcquireTokenByAuthorizationCode as described in https://aka.ms/msal-net-authorization-code. You need to make sure that you have requested the right scopes. For details see https://github.com/Azure-Samples/ms-identity-aspnetcore-webapp-tutorial
- This error should not happen in web APIs.
public const string NoTokensFoundError = "no_tokens_found"
Field Value
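The InteractionRequired, InvalidGrantError and NoTokensFoundError entries (and FailedToRefreshToken) share one mitigation for public clients: try the cache silently, and when MSAL raises MsalUiRequiredException, go interactive, forwarding the Claims value when the STS supplied one. The following is an added example, not code from the MSAL.NET documentation or library, of that pattern for a desktop app; it also resolves the login hint against GetAccountsAsync() first so that the NoAccountForLoginHint and MultipleAccountsForLoginHint cases are handled explicitly. The client ID is a placeholder, and the multi-tenant authority and loopback redirect are assumptions about the app registration.

```csharp
// Added example (not from the MSAL.NET docs or library): silent-first token
// acquisition for a public client, with interactive fallback on
// MsalUiRequiredException, which is how MSAL surfaces no_tokens_found,
// interaction_required, invalid_grant and failed_to_refresh_token.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenFlow
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder

    public static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMultipleOrgs)
            .WithRedirectUri("http://localhost") // loopback redirect for the system browser
            .Build();

    public static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication app, IEnumerable<string> scopes, string loginHint = null)
    {
        // Resolve the account ourselves so that the two login-hint failure modes
        // (NoAccountForLoginHint, MultipleAccountsForLoginHint) are handled up front.
        var accounts = (await app.GetAccountsAsync()).ToList();
        var matches = loginHint == null
            ? accounts
            : accounts.Where(a => string.Equals(a.Username, loginHint, StringComparison.OrdinalIgnoreCase)).ToList();
        if (matches.Count > 1)
            throw new InvalidOperationException(
                "Several cached accounts match the login hint; choose one explicitly with WithAccount(IAccount).");
        IAccount account = matches.FirstOrDefault();

        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException ex)
            {
                // The STS wants the user back (expired refresh token, consent, MFA, ...).
                // ex.Claims carries the claims challenge when the STS issued one; forward it.
                return await InteractiveAsync(app, scopes, account, loginHint, ex.Claims);
            }
        }

        // Nothing cached for this user: go interactive straight away.
        return await InteractiveAsync(app, scopes, null, loginHint, null);
    }

    private static async Task<AuthenticationResult> InteractiveAsync(
        IPublicClientApplication app, IEnumerable<string> scopes,
        IAccount account, string loginHint, string claims)
    {
        var request = app.AcquireTokenInteractive(scopes);
        if (account != null) request = request.WithAccount(account);
        else if (!string.IsNullOrEmpty(loginHint)) request = request.WithLoginHint(loginHint);
        if (!string.IsNullOrEmpty(claims)) request = request.WithClaims(claims);

        try
        {
            return await request.ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == MsalError.AuthenticationCanceledError)
        {
            // The user closed the sign-in window; there is no token to return.
            throw new OperationCanceledException("Sign-in was canceled by the user.", ex);
        }
    }
}
```

Catching MsalUiRequiredException rather than testing individual error codes is deliberate: it is the base type MSAL uses for every condition whose only fix is user interaction, so new codes in that family are handled without code changes. A MsalServiceException with RequestThrottled (HTTP 429) is intentionally not caught here; that one needs a delayed retry, not a prompt.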
NoUsernameOrAccountIDProvidedForSilentAndroidBrokerAuthentication
Unable to query the Android account manager because no username or home account ID is provided in the silent authentication request.
public const string NoUsernameOrAccountIDProvidedForSilentAndroidBrokerAuthentication = "no_username_or_accountid_provided_for_silent_android_broker_authentication"
Field Value
NonHttpsRedirectNotSupported
Non HTTPS redirects are not supported
What happens?
This error happens when the authorization flow, which collects user credentials, gets redirected to a page that is not supported, for example if the redirect occurs over http. This error does not trigger for the final redirect, which can be http://localhost, but for intermediary redirects.
Mitigation
This usually happens when using a federated directory which is not set up correctly.
public const string NonHttpsRedirectNotSupported = "non_https_redirect_failed"
Field Value
NonParsableOAuthError
An error response was returned by the OAuth2 server and it could not be parsed
public const string NonParsableOAuthError = "non_parsable_oauth_error"
Field Value
NonceRequiredForPopOnPCA
What happens?
The request has Proof-of-Possession configured but does not have a nonce configured. A nonce is required for Proof-of-Possession on public clients.
Mitigation
Provide a nonce when Proof-of-Possession is configured for public clients.
public const string NonceRequiredForPopOnPCA = "nonce_required_for_pop_on_pca"
Field Value
NullIntentReturnedFromAndroidBroker
Null intent was returned so broker activity cannot be launched
public const string NullIntentReturnedFromAndroidBroker = "null_intent_returned_from_broker"
Field Value
OboCacheKeyNotInCacheError
What happens?
The token cache does not contain a token with an OBO cache key that matches the longRunningProcessSessionKey passed into AcquireTokenInLongRunningProcess(IEnumerable<string>, string).
Mitigation
Call InitiateLongRunningProcessInWebApi(IEnumerable<string>, string, ref string) with this longRunningProcessSessionKey first, or call AcquireTokenInLongRunningProcess(IEnumerable<string>, string) with an already used longRunningProcessSessionKey.
public const string OboCacheKeyNotInCacheError = "obo_cache_key_not_in_cache_error"
Field Value
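The OboCacheKeyNotInCacheError mitigation describes a two-phase flow: the web API initiates the long-running on-behalf-of session while it still holds the user's incoming token, and a later process resumes it with only the session key. The following is an added example, not code from the MSAL.NET documentation or library, of both phases, with the error handled where it actually occurs. The client ID, secret and authority are placeholders; the cast to ILongRunningWebApi and the assumption that a shared, persisted token cache (see https://aka.ms/msal-net-token-cache-serialization) sits behind both processes are the example's own.

```csharp
// Added example (not from the MSAL.NET docs or library): long-running OBO.
// Phase 1 runs in the web API request that carries the user's token; phase 2
// runs later (a queue worker, a timer) with only the persisted session key.
// If the two phases do not share a persisted token cache, phase 2 always
// fails with OboCacheKeyNotInCacheError.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class LongRunningObo
{
    // Placeholders; replace with your registration. Never hard-code a real secret.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string ClientSecret = "<client-secret-placeholder>";
    private const string Authority = "https://login.microsoftonline.com/{tenant-id-placeholder}";

    public static IConfidentialClientApplication BuildApp() =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(Authority)
            .Build();

    // Phase 1: called while the user's incoming token is available.
    // Returns the session key the worker must persist; treat it as a secret,
    // since whoever holds it can mint tokens on the user's behalf.
    public static async Task<string> StartSessionAsync(
        IConfidentialClientApplication app, IEnumerable<string> scopes, string incomingUserToken)
    {
        var api = (ILongRunningWebApi)app;
        string sessionKey = null; // null: MSAL derives a key from the token and returns it here
        await api.InitiateLongRunningProcessInWebApi(scopes, incomingUserToken, ref sessionKey).ExecuteAsync();
        return sessionKey;
    }

    // Phase 2: called later with only the persisted session key.
    public static async Task<AuthenticationResult> ResumeSessionAsync(
        IConfidentialClientApplication app, IEnumerable<string> scopes, string sessionKey)
    {
        var api = (ILongRunningWebApi)app;
        try
        {
            return await api.AcquireTokenInLongRunningProcess(scopes, sessionKey).ExecuteAsync();
        }
        catch (MsalException ex) when (ex.ErrorCode == MsalError.OboCacheKeyNotInCacheError)
        {
            // Nothing cached under this key: either StartSessionAsync never ran for it,
            // or the cache was not shared/persisted between the API and the worker.
            throw new InvalidOperationException(
                "OBO session not found; re-initiate it from the web API while a user token is available.", ex);
        }
        catch (MsalUiRequiredException ex)
        {
            // The cached refresh token expired or a claims challenge was issued. Only the
            // front end can re-prompt the user, so the worker must surface this upstream.
            throw new InvalidOperationException(
                "User interaction required; the session must be re-established by the web API.", ex);
        }
    }
}
```

Because the session key is the only thing linking the worker to the user's cached refresh token, store it with the same care as the cache itself, and scope the worker's cache access to the keys it owns.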
ParsingWsMetadataExchangeFailed
Parsing WS Metadata Exchange Failed.
public const string ParsingWsMetadataExchangeFailed = "parsing_ws_metadata_exchange_failed"
Field Value
ParsingWsTrustResponseFailed
You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<string>, string, string) in the case of a federated user (that is, a user owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant): ID3242: The security token could not be authenticated or authorized. The user does not exist or has entered the wrong password.
public const string ParsingWsTrustResponseFailed = "parsing_wstrust_response_failed"
Field Value
PasswordRequiredForManagedUserError
Password is required for managed user.
What happens?
You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<string>, string, string) and you (or the user) did not provide a password.
public const string PasswordRequiredForManagedUserError = "password_required_for_managed_user"
Field Value
PlatformNotSupported
The library is loaded on a platform which is not supported.
public const string PlatformNotSupported = "platform_not_supported"
Field Value
RedirectUriValidationFailed
RedirectUri validation failed.
What happens?
The redirect URI / reply URI is invalid.
How to fix
Pass a valid redirect URI.
public const string RedirectUriValidationFailed = "redirect_uri_validation_failed"
Field Value
RegionDiscoveryFailed
Region discovery failed.
public const string RegionDiscoveryFailed = "region_discovery_failed"
Field Value
RegionDiscoveryNotEnabled
What happens?
WithAzureRegion is set to true.
Mitigation
Region discovery cannot be performed for an ADFS authority.
public const string RegionDiscoveryNotEnabled = "region_discovery_unavailable"
Field Value
RegionDiscoveryWithCustomInstanceMetadata
What happens?
You have configured both Region Discovery and Custom Instance Metadata. Custom metadata supersedes region discovery.
Mitigation
Configure either Region Discovery or Custom Instance Discovery Metadata.
public const string RegionDiscoveryWithCustomInstanceMetadata = "region_discovery_with_custom_instance_metadata"
Field Value
RegionalAndAuthorityOverride
What happens?
You configured WithAuthority at the request level, and also WithAzureRegion. This is not supported when the environment changes from application to request.
Mitigation
Use WithTenantId at the request level instead.
public const string RegionalAndAuthorityOverride = "authority_override_regional"
Field Value
RegionalAuthorityValidation
What happens?
You configured both Regional Authority and Authority Validation. Authority validation is not currently supported for regional authorities.
Mitigation
Set the validateAuthority flag to false to use an Azure Regional authority. Do not disable authority validation if you read the authority from an untrusted source, for example from the WWW-Authenticate header of an HTTP request that resulted in a 401 response.
public const string RegionalAuthorityValidation = "regional_authority_validation"
Field Value
RequestThrottled
Service returned HTTP error code 429 which indicates the request has been throttled. For more details see https://aka.ms/msal-net-throttling
public const string RequestThrottled = "request_throttled"
Field Value
RequestTimeout
The HTTP Request to the STS timed out.
Mitigation
You can retry after a delay.
public const string RequestTimeout = "request_timeout"
Field Value
RopcDoesNotSupportMsaAccounts
Resource Owner Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account. ROPC does not support MSA accounts. See https://aka.ms/msal-net-ropc for details.
public const string RopcDoesNotSupportMsaAccounts = "ropc_not_supported_for_msa"
Field Value
SSHCertUsedAsHttpHeader
What happens?
You have configured MSAL to request SSH certificates from AAD, and you are trying to format an HTTP authentication header.
Mitigation
SSH certificates should not be used as Bearer tokens. Developers are responsible for sending the certificates to the target machines.
public const string SSHCertUsedAsHttpHeader = "ssh_cert_used_as_http_header"
Field Value
ScopesRequired
What happens?
No scopes have been requested.
Mitigation
At least one scope must be specified for this authentication flow.
public const string ScopesRequired = "scopes_required_client_credentials"
Field Value
ServiceNotAvailable
Service is unavailable and returned HTTP error code within the range of 500-599
Mitigation
You can retry after a delay.
public const string ServiceNotAvailable = "service_not_available"
Field Value
SetCiamAuthorityAtRequestLevelNotSupported
Setting the CIAM authority (ex. "{tenantName}.ciamlogin.com") at the request level is not supported. The CIAM authority must be set during application creation.
public const string SetCiamAuthorityAtRequestLevelNotSupported = "set_ciam_authority_at_request_level_not_supported"
Field Value
StateMismatchError
State returned from the STS was different from the one sent by the library
What happens?
The library sends to the STS a state associated with a request, and expects the reply to be consistent. This error indicates that the reply is not associated with the request. This could indicate an attempt to replay a response.
Mitigation
None.
public const string StateMismatchError = "state_mismatch"
Field Value
StaticCacheWithExternalSerialization
What happens?
You configured MSAL cache serialization at the same time as a static internal cache via WithCacheOptions(CacheOptions). These are mutually exclusive.
Mitigation
Use only one option. Web site and web API scenarios should rely on external cache serialization, as internal cache serialization cannot scale. See https://aka.ms/msal-net-cca-token-cache-serialization
public const string StaticCacheWithExternalSerialization = "static_cache_with_external_serialization"
Field Value
SystemWebviewOptionsNotApplicable
What happens?
You configured MSAL interactive authentication to use an embedded WebView and you also configured SystemWebViewOptions. These are mutually exclusive.
Mitigation
Either set WithUseEmbeddedWebView(bool) to true or do not use WithSystemWebViewOptions(SystemWebViewOptions).
public const string SystemWebviewOptionsNotApplicable = "embedded_webview_not_compatible_default_browser"
Field Value
TelemetryConfigOrTelemetryCallback
What happens?
You have configured both a telemetry callback and a telemetry config.
Mitigation
Only one telemetry mechanism can be configured.
public const string TelemetryConfigOrTelemetryCallback = "telemetry_config_or_telemetry_callback"
Field Value
TenantDiscoveryFailedError
Tenant discovery failed.
What happens?
While reading the OpenID configuration associated with the authority, the Authorize endpoint, the Token endpoint, or the Issuer was not found.
Mitigation
This indicates an authority which is not OpenID Connect compliant. Specify a different authority in the constructor of the application, or in the token acquisition override.
public const string TenantDiscoveryFailedError = "tenant_discovery_failed"
Field Value
TenantOverrideNonAad
What happens?
You configured WithTenantId at the request level, but the application is using a non-AAD authority. These are mutually exclusive.
Mitigation
WithTenantId can only be used in conjunction with AAD authorities.
public const string TenantOverrideNonAad = "tenant_override_non_aad"
Field Value
TokenTypeMismatch
What happens?
You asked for one type of token, but did not receive it.
Mitigation
This happens if the Identity Provider (AAD, B2C, ADFS etc.) does not support / implement the requested token type. In the case of ADFS, consider upgrading to the latest version.
public const string TokenTypeMismatch = "token_type_mismatch"
Field Value
UapCannotFindDomainUser
Cannot access the user from the OS (UWP)
What happens?
You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<string>), but the domain user name could not be found.
Mitigation
This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp
public const string UapCannotFindDomainUser = "user_information_access_failed"
Field Value
UapCannotFindUpn
Cannot get the user from the OS (UWP)
What happens?
You called AcquireTokenByIntegratedWindowsAuth(IEnumerable<string>), but the domain user name could not be found.
Mitigation
This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest. See https://aka.ms/msal-net-uwp
public const string UapCannotFindUpn = "uap_cannot_find_upn"
Field Value
UnableToParseAuthenticationHeader
MSAL is unable to parse the authentication header returned from the endpoint. This can be a result of a malformed header returned in either the WWW-Authenticate or the Authentication-Info collections.
public const string UnableToParseAuthenticationHeader = "unable_to_parse_authentication_header"
Field Value
UnauthorizedClient
The client is unauthorized to access resource.
This commonly happens when Mobile App Management (MAM) policies are enabled. MSAL will throw an exception in that case with the protection_policy_required sub-error.
Mitigation
Catch the IntuneAppProtectionPolicyRequiredException and use the properties in it to obtain the right parameters from the Intune SDK.
public const string UnauthorizedClient = "unauthorized_client"
Field Value
UnknownBrokerError
Unknown broker error occurred.
Mitigation
None. You might want to inform the end user.
public const string UnknownBrokerError = "unknown_broker_error"
Field Value
UnknownError
Unknown Error occurred.
Mitigation
None. You might want to inform the end user.
public const string UnknownError = "unknown_error"
Field Value
UnknownManagedIdentityError
Unknown error response received.
public const string UnknownManagedIdentityError = "unknown_managed_identity_error"
Field Value
UnknownUser
What happens?
You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<string>, string, string). The user is not known by the IdP.
Mitigation
Inform the user. The login that the user provided might be incorrect (for instance, empty).
public const string UnknownUser = "unknown_user"
Field Value
UnknownUserType
What happens?
You can get this error when using AcquireTokenByUsernamePassword(IEnumerable<string>, string, string). The user is not recognized as a managed user or a federated user: Azure AD was not able to identify the IdP that needs to process the user.
Mitigation
Inform the user. The login that the user provided might be incorrect.
public const string UnknownUserType = "unknown_user_type"
Field Value
UpnRequired
loginHint should be a UPN
What happens?
An override of a token acquisition operation was called in IPublicClientApplication which takes a loginHint as a parameter, but this login hint was not using the UserPrincipalName (UPN) format (e.g. john.doe@contoso.com) expected by the service.
Remediation
Make sure in your code that you enforce loginHint to be a UPN.
public const string UpnRequired = "upn_required"
Field Value
UserAssertionNullError
This error code comes back from AcquireTokenOnBehalfOf(IEnumerable<string>, UserAssertion) calls when a null user assertion is passed as the UserAssertion parameter.
Mitigation
Pass a valid value for the user assertion.
public const string UserAssertionNullError = "user_assertion_null"
Field Value
UserAssignedManagedIdentityNotConfigurableAtRuntime
User assigned managed identity is not configurable at runtime for service fabric.
public const string UserAssignedManagedIdentityNotConfigurableAtRuntime = "user_assigned_managed_identity_not_configurable_at_runtime"
Field Value
UserAssignedManagedIdentityNotSupported
User assigned managed identity is not supported for this source.
public const string UserAssignedManagedIdentityNotSupported = "user_assigned_managed_identity_not_supported"
Field Value
UserMismatch
User Mismatch.
public const string UserMismatch = "user_mismatch"
Field Value
UserNullError
This error code comes back from AcquireTokenSilent(IEnumerable<string>, IAccount) calls when a null user is passed as the account parameter. This can be because you have called AcquireTokenSilent with an account parameter set to accounts.FirstOrDefault() but accounts is empty.
Mitigation
Pass a different account, or otherwise call AcquireTokenInteractive(IEnumerable<string>).
public const string UserNullError = "user_null"
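The following is an added example, not code from the MSAL.NET reference, showing how an app dispatches on MsalException.ErrorCode using the constants above: the silent-then-interactive fallback for UserNullError, a delayed retry for RequestTimeout and ServiceNotAvailable, and a hard stop (no automatic retry) on StateMismatchError, which the entry above flags as a possible response replay. It assumes an existing IPublicClientApplication and a scopes array; the retry count and delays are arbitrary choices for illustration.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the MSAL.NET docs). Assumes the caller already built
// an IPublicClientApplication and knows the scopes it needs.
public static class TokenAcquisition
{
    public static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication app, string[] scopes)
    {
        var accounts = await app.GetAccountsAsync();
        // accounts.FirstOrDefault() is null when the cache is empty, which is
        // exactly the situation that produces MsalError.UserNullError.
        var account = accounts.FirstOrDefault();

        for (int attempt = 0; attempt < 3; attempt++)
        {
            try
            {
                return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalException ex) when (ex.ErrorCode == MsalError.UserNullError
                                           || ex is MsalUiRequiredException)
            {
                // No usable cached account or interaction needed: follow the
                // documented mitigation and go interactive instead of looping.
                return await app.AcquireTokenInteractive(scopes).ExecuteAsync();
            }
            catch (MsalException ex) when (ex.ErrorCode == MsalError.StateMismatchError)
            {
                // The STS reply is not bound to the request we sent. The docs say
                // there is no mitigation; never retry silently, surface it for review.
                throw new InvalidOperationException(
                    "Authorization response state mismatch; possible replay.", ex);
            }
            catch (MsalException ex) when (ex.ErrorCode == MsalError.RequestTimeout
                                           || ex.ErrorCode == MsalError.ServiceNotAvailable)
            {
                // Transient STS failure (timeout or HTTP 5xx): retry after a delay,
                // as the RequestTimeout and ServiceNotAvailable entries recommend.
                await Task.Delay(TimeSpan.FromSeconds(2 * (attempt + 1)));
            }
        }
        throw new TimeoutException("STS did not respond after repeated retries.");
    }
}
```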
Field Value
UserRealmDiscoveryFailed
User Realm Discovery Failed.
public const string UserRealmDiscoveryFailed = "user_realm_discovery_failed"
Field Value
ValidateAuthorityOrCustomMetadata
What happens?
You have configured your own instance metadata, and have also set validate authority to true. These are mutually exclusive.
Mitigation
Set the validate authority flag to false. See https://aka.ms/msal-net-custom-instance-metadata for more details.
public const string ValidateAuthorityOrCustomMetadata = "validate_authority_or_custom_instance_metadata"
Field Value
WABError
What happens?
Windows Authentication Broker, which handles the interaction between the user and AAD, has failed.
Mitigation
See the error message for more details.
public const string WABError = "wab_error"
Field Value
WamFailedToSignout
WAM Signout failed.
public const string WamFailedToSignout = "wam_failed_to_signout"
Field Value
WamInteractiveError
WAM service exception that can occur when calling AcquireTokenInteractive
public const string WamInteractiveError = "wam_interactive_error"
Field Value
WamNoB2C
The Windows broker (WAM) is only supported in conjunction with "work and school" accounts and with Microsoft accounts.
public const string WamNoB2C = "wam_no_b2c"
Field Value
WamPickerError
WAM service exception that can occur when calling AcquireTokenInteractive and the account picker pops up
public const string WamPickerError = "wam_interactive_picker_error"
Field Value
WamScopesRequired
What happens?
No scopes have been requested.
Mitigation
At least one scope must be specified for MSAL Runtime WAM.
public const string WamScopesRequired = "scopes_required_wam"
Field Value
WamUiThread
When calling AcquireTokenInteractive with the WAM broker, the call must be made from the UI thread.
public const string WamUiThread = "wam_ui_thread_only"
Field Value
WebView2LoaderNotFound
What happens?
The embedded WebView2 browser cannot be started because a runtime component cannot be loaded.
Mitigation
For troubleshooting details, see https://aka.ms/msal-net-webview2
public const string WebView2LoaderNotFound = "webview2loader_not_found"
Field Value
WebView2NotInstalled
What happens?
The embedded browser cannot be started because a runtime component is missing.
Mitigation
The embedded browser needs the WebView2 runtime to be installed. An end user of the app can download and install the WebView2 runtime from https://go.microsoft.com/fwlink/p/?LinkId=2124703 and restart the app. The app developer can get the distributable version of the WebView2 runtime.
public const string WebView2NotInstalled = "webview2_runtime_not_installed"
Field Value
WebviewUnavailable
The selected WebView is not available on this platform. You can switch to a different WebView using WithUseEmbeddedWebView(bool). See https://aka.ms/msal-net-os-browser for details
public const string WebviewUnavailable = "no_system_webview"
Field Value
WsTrustEndpointNotFoundInMetadataDocument
WS-Trust Endpoint Not Found in Metadata Document.
public const string WsTrustEndpointNotFoundInMetadataDocument = "wstrust_endpoint_not_found"