Sign-Ins: Authentication Method Mismatch

Finding authentication method mismatch errors.

This occurs when the authentication method by which the user actually authenticated with the service (for example a certificate plus MFA) doesn’t match the authentication method the service provider requested in its sign-in request.

Example: AADSTS75011: Authentication method ‘X509, MultiFactor’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the application owner.

Solution: RequestedAuthnContext is an optional element of the SAML AuthnRequest and can be removed from the service provider's configuration. Alternatively, configure the SAML SP to request the class urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.

PowerShell

# Sign in with the delegated scopes needed to read the sign-in logs
Connect-MgGraph -Scopes @('AuditLog.Read.All', 'Directory.Read.All')

# Filter server-side on the Entra ID error code for the authentication method mismatch
$params = @{
    'All'      = $true
    'PageSize' = 999
    'Filter'   = "status/errorCode eq 75011"
}
$results = Get-MgAuditLogSignIn @params

# Count failures per application, most affected application first
$results | Group-Object AppId | Sort-Object -Descending Count | Select-Object Count,
@{
    Name       = 'AffectedApp'
    Expression = { $_.Group.AppDisplayName[0] }
}
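
As an added example, not part of the original page: a PowerShell check of the service-provider side of the solution above. It parses a SAML AuthnRequest, reports the RequestedAuthnContext it carries, and rewrites that element to the unspecified class (or removes it entirely). The SAML 2.0 namespaces and class URIs are the standard ones; the sample AuthnRequest, its issuer URL and the function names are constructed assumptions.

```powershell
# Added example (not from the original page). Inspect and relax the
# RequestedAuthnContext of a SAML AuthnRequest so the SP no longer demands
# a method class the user's actual sign-in (e.g. X509 + MultiFactor) cannot satisfy.

$samlp       = 'urn:oasis:names:tc:SAML:2.0:protocol'
$saml        = 'urn:oasis:names:tc:SAML:2.0:assertion'
$unspecified = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'

# Constructed sample: an SP asking for exactly PasswordProtectedTransport.
$sampleRequest = @"
<samlp:AuthnRequest xmlns:samlp="$samlp" xmlns:saml="$saml"
    ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"@

function New-SamlNamespaceManager {
    # Hypothetical helper: namespace manager for XPath over the samlp/saml prefixes
    param([xml]$Document)
    $ns = New-Object System.Xml.XmlNamespaceManager($Document.NameTable)
    $ns.AddNamespace('samlp', $samlp)
    $ns.AddNamespace('saml', $saml)
    $ns
}

function Get-RequestedAuthnContext {
    # Returns $null when the request carries no RequestedAuthnContext at all
    param([Parameter(Mandatory)][string]$AuthnRequestXml)
    $doc = [xml]$AuthnRequestXml
    $ns  = New-SamlNamespaceManager $doc
    $rac = $doc.SelectSingleNode('/samlp:AuthnRequest/samlp:RequestedAuthnContext', $ns)
    if ($null -eq $rac) { return $null }
    [pscustomobject]@{
        Comparison = $rac.GetAttribute('Comparison')
        ClassRefs  = @($rac.SelectNodes('saml:AuthnContextClassRef', $ns) | ForEach-Object { $_.InnerText })
    }
}

function Set-AuthnContextUnspecified {
    # Rewrites the request: either drop RequestedAuthnContext (-Remove) or
    # replace every AuthnContextClassRef with the single 'unspecified' class
    param(
        [Parameter(Mandatory)][string]$AuthnRequestXml,
        [switch]$Remove
    )
    $doc = [xml]$AuthnRequestXml
    $ns  = New-SamlNamespaceManager $doc
    $rac = $doc.SelectSingleNode('/samlp:AuthnRequest/samlp:RequestedAuthnContext', $ns)
    if ($null -ne $rac) {
        if ($Remove) {
            [void]$rac.ParentNode.RemoveChild($rac)
        } else {
            foreach ($ref in @($rac.SelectNodes('saml:AuthnContextClassRef', $ns))) {
                [void]$rac.RemoveChild($ref)
            }
            $new = $doc.CreateElement('saml', 'AuthnContextClassRef', $saml)
            $new.InnerText = $unspecified
            [void]$rac.AppendChild($new)
        }
    }
    $doc.OuterXml
}

$before = Get-RequestedAuthnContext $sampleRequest
"Before: Comparison=$($before.Comparison) Classes=$($before.ClassRefs -join ', ')"

$fixed = Set-AuthnContextUnspecified $sampleRequest
$after = Get-RequestedAuthnContext $fixed
"After:  Comparison=$($after.Comparison) Classes=$($after.ClassRefs -join ', ')"

$removed = Set-AuthnContextUnspecified $sampleRequest -Remove
"Removed: RequestedAuthnContext present = $($null -ne (Get-RequestedAuthnContext $removed))"
```

Once the SP stops requesting a specific class, the authentication strength is no longer negotiated through the SAML request; it is whatever the identity provider's own policy (in Entra ID, Conditional Access) enforces for that application. Check that policy before relaxing the request, so the change removes the mismatch without silently lowering the required strength.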

Dependencies

Microsoft Graph SDK for PowerShell

Install-Module Microsoft.Graph -AllowClobber -Force

Connect-MgGraph

Using the Microsoft Graph Command Line Tools Enterprise Application:

Connect-MgGraph -Scopes @('')

Using an existing Access Token:

Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)

Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):

Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'

Using a ClientId and Secret (Password):

$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params