IT Error Decoder
Entra ID

How to Fix AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication

Error message

AADSTS50079: Due to a configuration change made by your administrator … the user is required to use multi-factor authentication.

If you're seeing "AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication", you're not alone. Here's what it means, why it happens, and the steps to resolve it.

What this error means

Sign-in succeeded but Entra ID requires the user to register a strong-authentication method (MFA) before access is granted, and they haven't yet.

Why this happens

A Conditional Access policy or Security Defaults requires MFA, but the user hasn't completed proof-up. This is most common right after enabling MFA, onboarding a new user, or migrating a service account.

Step-by-step fix

  1. Have the user complete MFA registration at the Microsoft sign-in MFA setup URL.

    command
    https://aka.ms/mfasetup

  2. If the user can't reach the registration page (e.g. blocked by another CA policy), use a temporary access pass.

    command
    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId <upn>

  3. If this is a service principal / non-interactive identity, switch to a managed identity or app-only auth instead of a user account.

Affected products

Entra ID

Still broken? Try these

  • Confirm the user is in scope of the relevant CA policy and not excluded.
  • Check Sign-in logs in Entra → Monitoring → Sign-ins for the exact policy that triggered.
  • Verify the registration campaign hasn't been disabled in tenant authentication methods policy.

Related errors

Frequently asked questions

What does "AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication" mean?

Sign-in succeeded but Entra ID requires the user to register a strong-authentication method (MFA) before access is granted, and they haven't yet.

What causes "AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication"?

A Conditional Access policy or Security Defaults requires MFA, but the user hasn't completed proof-up. This is most common right after enabling MFA, onboarding a new user, or migrating a service account.

How do I fix "AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication"?

1. Have the user complete MFA registration at the Microsoft sign-in MFA setup URL. 2. If the user can't reach the registration page (e.g. blocked by another CA policy), use a temporary access pass. 3. If this is a service principal / non-interactive identity, switch to a managed identity or app-only auth instead of a user account. Always test changes in a non-production environment first.

Browse more errors in Entra ID: Fix Microsoft Entra ID (Azure AD) errors. AADSTS error codes, admin consent, app role assignment, Conditional Access, and user lookup problems. Or paste your own error into the error decoder tool to find a match. You can also go back to the homepage to browse common errors by topic.