Most Common Errors Encountered in MigrationWiz while using Modern Authentication for EWS in Exchange Online

The Microsoft Entra error codes listed below are not MigrationWiz-specific; they are returned by Exchange Online for the mailbox, archive mailbox, and public folder endpoints used in MigrationWiz. The same errors should also be visible in the Microsoft Entra sign-in logs for the tenant.

The errors listed here are some of the more common causes of authentication failures in MigrationWiz when it has been configured to use Modern Authentication with Exchange Web Services (EWS) in Exchange Online, as described under Enabling Modern Authentication for EWS between MigrationWiz and your Exchange Online Tenant in the following KB: Authentication Methods for Microsoft 365 (All Products) Migrations.

AADSTS50020

AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/(TenantID GUID)/' does not exist in tenant '(Tenant Name)' and cannot access the application in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Microsoft Entra user account.

  • This error indicates that the administrator account used for the endpoint in the project does not exist in the same tenant where the corresponding EWS Modern Authentication application is registered.
  • Confirm that the Client ID and Tenant ID are correctly entered in the support options for the source and destination tenants they are being used for. For example, make sure the Tenant ID for the source tenant is being used with the support option ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and the Tenant ID for the destination tenant is being used for the support option ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

AADSTS50034

AADSTS50034: The user account {EmailHidden} does not exist in the (TenantID GUID) directory. To sign into this application, the account must be added to the directory.

  • Confirm that the source and destination endpoints are being used for the correct tenant.
  • Ensure that the administrator username used exists in the intended tenant for the project.
  • Verify that the Client ID and Tenant ID are correctly entered in the support options for the source and destination tenants they are being used for. For example, make sure the Tenant ID for the source tenant is being used with the support option ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and the Tenant ID for the destination tenant is being used for the support option ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
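As an added example (not MigrationWiz code), a small Python checker for the two support options named above: it parses Key=Value lines, rejects values that are not well-formed GUIDs (the xxxxxxxx-xxxx-... placeholder included), and flags the export/import tenant IDs being entered backwards against the known source and destination tenant IDs, which is the usual cause of AADSTS50020 and AADSTS50034. The option names come from this article; the sample tenant IDs are constructed.

```python
import re

# Support-option keys named in this article. A tenant ID is a GUID; the article's
# xxxxxxxx-xxxx-... text is a placeholder, not a valid value, and is flagged here.
EXPORT_KEY = "ModernAuthTenantIdExport"
IMPORT_KEY = "ModernAuthTenantIdImport"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample tenant IDs and support-option text (not real tenants).
SOURCE_TENANT_ID = "11111111-1111-1111-1111-111111111111"
DESTINATION_TENANT_ID = "22222222-2222-2222-2222-222222222222"
GOOD_OPTIONS = f"{EXPORT_KEY}={SOURCE_TENANT_ID}\n{IMPORT_KEY}={DESTINATION_TENANT_ID}\n"
SWAPPED_OPTIONS = f"{EXPORT_KEY}={DESTINATION_TENANT_ID}\n{IMPORT_KEY}={SOURCE_TENANT_ID}\n"


def parse_support_options(text):
    """Parse Key=Value lines, one option per line, into a dict (unknown keys kept)."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            options[key.strip()] = value.strip()
    return options


def check_tenant_ids(options, source_tenant_id, destination_tenant_id):
    """Return a list of findings; an empty list means both tenant IDs line up."""
    findings = []
    expected = {EXPORT_KEY: source_tenant_id.lower(),
                IMPORT_KEY: destination_tenant_id.lower()}
    for key, want in expected.items():
        got = options.get(key)
        if got is None:
            findings.append(f"{key} is missing")
        elif not GUID_RE.match(got):
            findings.append(f"{key} is not a well-formed GUID: {got!r}")
        elif got.lower() != want:
            findings.append(f"{key} does not match the expected tenant ID")
    # The classic AADSTS50020/AADSTS50034 cause: the two values were entered backwards.
    exp = options.get(EXPORT_KEY, "").lower()
    imp = options.get(IMPORT_KEY, "").lower()
    if exp != imp and exp == destination_tenant_id.lower() and imp == source_tenant_id.lower():
        findings.append("source and destination tenant IDs appear to be swapped")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_OPTIONS), ("swapped", SWAPPED_OPTIONS)):
        result = check_tenant_ids(parse_support_options(text), SOURCE_TENANT_ID, DESTINATION_TENANT_ID)
        print(label, result or "OK")
```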

AADSTS50055

AADSTS50055: The password is expired.

  • The administrator account password used for the project endpoint is expired. Renew or create a new password.

AADSTS50076 or AADSTS50079

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access.

AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access.

  • This error indicates that the administrator account used for the endpoint in the project is being blocked by 2FA/MFA or a Conditional Access policy. Check that the account is excluded from 2FA/MFA and from any Conditional Access policies, and that the Azure Security Defaults are disabled.

AADSTS50105

AADSTS50105: Your administrator has configured the application (Application Name) ('ClientID GUID') to block users unless they are specifically granted ('assigned') access to the application. The signed-in user '{EmailHidden}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.

  • This error occurs if you have set Assignment required? to Yes and have not assigned the administrator account used for the endpoint in the project, or the security group that administrator account belongs to, as an allowed user or group for the application you have created in the tenant.

[Screenshot: Modern_Auth_App_Assignment_Error_1.png]

  • Enabling user assignment is not required for the application to work with MigrationWiz. Either set Assignment required? to No, or add the administrator account (or the security group it belongs to) to the list of assigned users and groups:

    • Set to No:
      [Screenshot: Modern_Auth_App_Assignment_Error_3.png]
    • Or add the administrator account/security group the administrator belongs to to the list of assigned users:
      [Screenshot: Modern_Auth_App_Assignment_Error_2.png]

AADSTS50126

AADSTS50126: Error validating credentials due to invalid username or password.

  • The endpoint in the project has an incorrect administrator account username or password. Re-enter the correct credentials for the source or destination endpoint to resolve the error.
  • This error can sometimes be paired with a federated service error of the following form: "Federated service at https://autologon.microsoftazuread-sso.com/domain/winauth/trust returned error: Authentication Failure". If this accompanies the above error, then in addition to confirming the username and password for the administrator account used for the endpoint, check that the administrator account is excluded from SSO in the tenant.

AADSTS50158

AADSTS50158: External security challenge not satisfied. The user will be redirected to another page or authentication provider to satisfy additional authentication challenges.

  • This error indicates that the administrator account used for the endpoint in the project is being blocked by 2FA/MFA or a Conditional Access policy. Check that the account is excluded from 2FA/MFA and from any Conditional Access policies, and that the Azure Security Defaults are disabled.

AADSTS53003

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

  • This error message appears when a conditional access policy blocks MigrationWiz from connecting to the tenant using the registered Modern Authentication application.

AADSTS65001

AADSTS65001: The user or administrator has not consented to use the application with ID (ClientID GUID) named (App Name). Send an interactive authorization request for this user and resource.

  • Check that the API permissions for EWS have been granted with the Grant admin consent button as shown in the below example:

[Screenshot: Step_11.png]

AADSTS7000222

AADSTS7000222: The provided client secret keys for app 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' are expired.

  • This error indicates that the stored migration admin user credentials or the Client/Tenant ID in the Project endpoint settings have changed or are incorrect.
  • Please edit the Project and try to save endpoint settings. If you cannot save due to validation failure, the Migration Admin user or the Azure tenant Modern Auth application Client/Tenant ID has to be re-checked.

AADSTS7000218

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'

  • Check that Allow public client flows has been set to Yes, as shown in step 2 in the example below.
    [Screenshot: Step_7.png]

AADSTS700016

AADSTS700016: Invalid Application Client ID at Source Settings.

This error indicates that the client ID is incorrect. This may happen when:

  • The application has not been installed by the tenant administrator, nor consented to by any user in the tenant.
  • You send your authentication request to the wrong tenant.

To solve this issue, check your client ID and verify that the application is properly installed and consented to by the tenant administrator or a user in the tenant.

AADSTS90002

AADSTS90002: Invalid Directory Tenant ID at Source Settings.

  • This error can occur when the tenant ID is incorrect or there are no active subscriptions for the tenant. Solve this issue by checking your tenant ID, connection to the cloud, and subscription administrator.