In some situations, as described in Additional Endpoints Required for AAD Authentication and CRL Checks for Azure SQL DB - Microsoft Com..., we faced connectivity problems reaching the different AAD endpoints or opening outbound port 443.
I would like to share my lessons learned, based on the error codes and messages, about this issue:
Also, in some cases, we could
- If the domain of the user (for example, firstname.lastname@example.org) is not found or is invalid:
  - Error code 0xCAA90018; state 10 - Could not discover a user realm.
- If the domain doesn't exist:
  - Error code 0xCAA9003B; state 10 - ADAL received an empty response from the server during a WIA flow and could not continue.
- If the user doesn't exist in the domain specified:
  - Error code 0xCAA20003; state 10 - ID3242: The security token could not be authenticated or authorized.
- If your Azure Active Directory administrator only allows MFA connections:
  - Error code 0xCAA2000C; state 10 - AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '022907d3-0f1b-48f7-badc-1ba6abab6d66'.
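To make the list above usable for triage, here is an added example (not code from the post) that scans client-side failure messages, extracts the `Error code 0x...; state NN` fragment and buckets each line by the cause listed above, flagging codes the list does not cover. The log lines are constructed for the example.

```python
import re
from typing import Optional

# Causes for each ADAL/AAD error code, as listed in the post above.
KNOWN_CAUSES = {
    "0xCAA90018": "user realm not discovered: domain of the login is not found or invalid",
    "0xCAA9003B": "empty response during WIA flow: the domain does not exist",
    "0xCAA20003": "ID3242 token not authenticated: user does not exist in that domain",
    "0xCAA2000C": "AADSTS50076: the tenant only allows MFA connections",
}

# The fragment the SQL client surfaces, e.g. 'Error code 0xCAA90018; state 10'.
_CODE_RE = re.compile(r"Error code (0x[0-9A-Fa-f]{8}); state (\d+)")

# Constructed sample log lines (hostnames and user are placeholders).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z app1 login failed for user@contoso.example: Error code 0xCAA90018; state 10 - Could not discover a user realm.
2024-01-01T10:00:05Z app1 login failed: Error code 0xCAA2000C; state 10 - AADSTS50076: you must use multi-factor authentication
2024-01-01T10:00:09Z app1 connection timeout to login endpoint (no error code)
2024-01-01T10:00:12Z app1 login failed: Error code 0xCAA9003B; state 10 - ADAL received an empty response from the server during a WIA flow
2024-01-01T10:00:15Z app1 login failed: Error code 0xCAAFFFFF; state 10 - placeholder code not in the list
"""


def triage(message: str) -> Optional[dict]:
    """Return code, state, cause and whether the code is known; None if no code is present."""
    m = _CODE_RE.search(message)
    if not m:
        return None
    code = "0x" + m.group(1)[2:].upper()  # normalise hex digits, keep the '0x' prefix
    cause = KNOWN_CAUSES.get(code)
    return {
        "code": code,
        "state": int(m.group(2)),
        "known": cause is not None,
        "cause": cause or "unknown AAD error code: not covered by the list above",
    }


def triage_log(lines) -> list:
    """Triage every line that carries an error code; lines without one are skipped."""
    return [r for r in (triage(line) for line in lines) if r is not None]


def summarize(lines) -> dict:
    """Count failures per known code, with unrecognised codes grouped under 'unknown'."""
    counts: dict = {}
    for r in triage_log(lines):
        key = r["code"] if r["known"] else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts
```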