Error AADSTS50126 / invalid_grant installing Azure AD Connect

I encountered this error when deploying new Azure AD Connect instances to enable high availability for a customer. In the configuration step of the installation I received the following errors.

AADSTS50126: Invalid username or password.

ErrorCode: invalid_grant
StatusCode: 400

Being aware of the so-so compatibility between Azure AD Connect and MFA / Conditional Access, I added an exception for my admin account and re-ran the setup. The error message remained.

Reviewing the Application event log I found no warnings or errors that made the issue any clearer. It wasn’t until I reviewed the Information-level events as well that I found this much clearer error message.

Authenticate-ADAL: Interaction Required [interaction_required] – AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘00000002-0000-0000-c000-000000000000’.
Trace ID: 788b41b2-ec8e-40ee-85a8-365db4366300

It turns out that MFA / Conditional Access was the issue all along. While my admin account didn’t require MFA, the newly created “On-Premises Directory Synchronization Service Account” did. That account was being prompted to complete the initial MFA enrollment when requesting a token for Azure AD Graph (application ID 00000002-0000-0000-c000-000000000000, the resource named in the log entry), and the setup wizard surfaced that only as the generic AADSTS50126 / invalid_grant.

After excluding the synchronization service account from the MFA / Conditional Access policy and retrying, the setup completed successfully. The account is a non-interactive service account and cannot complete MFA, so the exclusion is the expected fix; scope it to that account only and keep the rest of the policy intact.
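The triage described above, as an added PowerShell example that is not code from the original post: it pulls every AADSTS code out of the Application event log on the Azure AD Connect server, deliberately including Information-level events (where the AADSTS50079 reason was hiding), and then looks up the synchronization service account whose object ID goes into the Conditional Access exclusion. The event source is not filtered on, because the post does not name it; the script matches on message content instead. The Graph part assumes the Microsoft.Graph PowerShell module is installed and Connect-MgGraph has already been run with at least User.Read.All.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the Azure AD Connect server right after a failed wizard run.
#
# Assumptions (not stated in the post): the wizard writes its ADAL trace to the
# Application log and the message text carries the AADSTS code, so the script
# matches on message content rather than on a particular event source.

function Get-AadstsEvents {
    param(
        [datetime]$Since   = (Get-Date).AddHours(-2),
        [string]  $LogName = 'Application'
    )

    # Level 2 = Error, 3 = Warning, 4 = Information. No Level key is set on
    # purpose: filtering to errors and warnings is exactly what hid the cause.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AADSTS\d{5}' }

    # Meanings of the codes relevant to this scenario, per Microsoft's AADSTS error reference.
    $known = @{
        'AADSTS50126' = 'Invalid username or password (generic; look for a more specific code nearby)'
        'AADSTS50079' = 'User must enroll in MFA (Conditional Access or per-user MFA applies to this account)'
        'AADSTS50076' = 'User must complete MFA for this sign-in'
        'AADSTS53003' = 'Blocked by a Conditional Access policy'
    }

    foreach ($e in $events) {
        $code  = [regex]::Match($e.Message, 'AADSTS\d{5}').Value
        $trace = [regex]::Match($e.Message, 'Trace ID:\s*([0-9a-fA-F-]{36})').Groups[1].Value
        # The resource the token was requested for appears quoted in the message
        # (straight quotes in the raw log, curly ones after a web page mangles it).
        $res   = [regex]::Match($e.Message, "['‘]([0-9a-fA-F-]{36})['’]").Groups[1].Value

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Level    = $e.LevelDisplayName
            Source   = $e.ProviderName
            Code     = $code
            Meaning  = if ($known.ContainsKey($code)) { $known[$code] } else { 'not in local table; check the AADSTS error reference' }
            Resource = if ($res -eq '00000002-0000-0000-c000-000000000000') { "$res (Azure AD Graph)" } else { $res }
            TraceId  = $trace
        }
    }
}

# Which account is hitting the policy? The wizard creates a cloud-only account
# named "On-Premises Directory Synchronization Service Account"; its object ID
# (Id) is what you add to the Conditional Access policy's excluded users.
function Get-SyncServiceAccount {
    Get-MgUser -Filter "displayName eq 'On-Premises Directory Synchronization Service Account'" -All |
        Select-Object DisplayName, UserPrincipalName, Id
}

Get-AadstsEvents | Sort-Object Time | Format-Table -AutoSize
Get-SyncServiceAccount
```

A second Azure AD Connect server creates its own synchronization service account, so Get-SyncServiceAccount may return several; exclude only the one whose UserPrincipalName matches the server you are installing, and carry the TraceId from the matching event if you need to open a support case.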
