The Azure Active Directory error codes listed below are not custom and are returned by Exchange Online for mailbox, archive mailbox, and public folder endpoints in MigrationWiz. These errors should also be present via the sign-in logs for Azure Active Directory in the tenant.
These errors list some of the more common reasons for authentication failures that occur in MigrationWiz when it has been configured to use Modern Authentication with Exchange Web Services (EWS) in Exchange Online as outlined under Enabling Modern Authentication for EWS between MigrationWiz and your Exchange Online Tenant in the following KB: Authentication Methods for Microsoft 365 (All Products) Migrations
AADSTS50020
AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/(TenantID GUID)/' does not exist in tenant '(Tenant Name)' and cannot access the application in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
- This error indicates that the administrator account used for the endpoint in the project does not exist in the same tenant where the corresponding EWS Modern Authentication application is registered
- Confirm that the Client Id and Tenant Id are correctly entered in the support options for the source and destination tenants they are being used for. For example, make sure the Tenant Id for the source tenant is being used with the support option ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and the Tenant Id for the destination tenant is being used for the support option ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AADSTS50034
AADSTS50034: The user account {EmailHidden} does not exist in the (TenantID GUID) directory. To sign into this application, the account must be added to the directory.
- Confirm the source and destination endpoints are being used for the correct tenant and that the administrator username used for the endpoint exists in the tenant it is intended for in the project
- Confirm that the Client Id and Tenant Id are correctly entered in the support options for the source and destination tenants they are being used for. For example, make sure the Tenant Id for the source tenant is being used with the support option ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and the Tenant Id for the destination tenant is being used for the support option ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AADSTS50055
AADSTS50055: The password is expired
- The administrator account password used for the project endpoint is expired. Renew or create a new password.
AADSTS50076 or AADSTS50079
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access
- This error indicates that the administrator account used for the endpoint in the project is being blocked by 2FA/MFA or Conditional Access Policy. Check to ensure the account is excluded from 2FA/MFA and any Conditional Access policies and the Azure Security Defaults are disabled.
AADSTS50105
AADSTS50105: Your administrator has configured the application (Application Name) ('ClientID GUID') to block users unless they are specifically granted ('assigned') access to the application. The signed-in user '{EmailHidden}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application
- This error occurs if you have set Assignment required? to Yes and have not assigned the administrator account used for the endpoint in the project or the security group the administrator account belongs as an allowed user or group for the application you have created in the tenant.
- Enabling user assignment is not required for the application to work with MigrationWiz. Either set Assignment required? to No or add the administrator account/security group the administrator belongs to for the allowed list of the user assignment:
- Set to No:
- Or add the administrator account/security group the administrator belongs to for the allowed list of the user assignment:
- Set to No:
AADSTS50126
AADSTS50126: Error validating credentials due to invalid username or password.
- The administrator account username and/or password used for the endpoint in the project is incorrect. Reenter both username and password for the source or destination endpoint that corresponds with the error
- This error can sometimes be paired with a Federated service error like the following format. If this is included with the above error, in addition to confirming the username and password for the administrator account used for the endpoint, check to ensure the administrator account is excluded from SSO in the tenant. Federated service at https://autologon.microsoftazuread-sso.com/domain/winauth/trust returned error: Authentication Failure
AADSTS50158
AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges
- This error indicates that the administrator account used for the endpoint in the project is being blocked by 2FA/MFA or Conditional Access Policy. Check to ensure the account is excluded from 2FA/MFA and any Conditional Access policies and the Azure Security Defaults are disabled.
AADSTS53003
AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance
- There is a conditional access policy blocking MigrationWiz from connecting to the tenant using the registered Modern Authentication app.
AADSTS65001
AADSTS65001: The user or administrator has not consented to use the application with ID (ClientID GUID) named (App Name). Send an interactive authorization request for this user and resource.
- Check that the API permissions for EWS have been granted with the Grant admin consent button as shown in the below example:
AADSTS7000218
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
- Check that Allow public client flows has been set to Yes as shown in example (2.) below