May 15 2024 06:17 AM
Hey,
we have implemented MFA for external Guest Users in Entra ID. It is working fine for every external user so far. However, there are two users from the same external company who cannot get into our environment since the implementation. Both of them receive the following error when trying to login:
AADSTS500082: SAML assertion is not present in the token.
When I check their Sign-In Logs, I see this "error":
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
They also told me that they are not prompted for MFA. Their company does not have MFA configured. However, they are using MFA with other external environments just fine.
I tried revoking their MFA settings and their sessions. We also tried different browsers, private browser sessions and deleting cookies. Nothing has worked so far.
Does anyone have any idea what could cause these issues?
May 15 2024 11:53 AM
Hello @Random_User9801,
Thank you for creating this post about the AADSTS500082 error you encounter. I am a contributor with knowledge of Entra ID.
The sign-in process with SAML looks something like this:
An employee logs in using a URL leading to Microsoft Sign-in.
The UPN and credentials are provided, so the identity provider verifies the employee's identity using authentication details (e.g., username, password, PIN, device, or biometric data).
Now comes MFA; in this case it is stopping the authentication flow, so the error is observed.
Usually, if SAML is mentioned, Single Sign-On (SSO) is also in the mix. I suggest checking the application that uses the SSO settings. What you can do is test the application from Enterprise applications > Find the app > Manage (left panel) > Test this application.
Should this work, the application's SSO is working, so check the MFA settings, especially Security Defaults, per-user MFA, and the applied Conditional Access policies which affect the sign-in.
If the issue persists and is causing impact on production, you are always able to open a service request using https://support.microsoft.com/en-us/contactus/
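The three checks named in the reply above (Security Defaults, Conditional Access policies that require MFA for guests, and the policy results recorded against the guest's failed sign-ins) can be pulled from Microsoft Graph in one pass. The script below is an added example and is not part of this thread or of any Microsoft documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin is granted the AuditLog.Read.All, Policy.Read.All and User.Read.All scopes, and that $guestUpn is replaced with the guest's UPN as it appears in the resource tenant (the `#EXT#` form is a placeholder). The guest-scope check looks at both ways a policy can target external users, the older `GuestsOrExternalUsers` literal in IncludeUsers and the newer IncludeGuestsOrExternalUsers object.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph SDK and the
# scopes below; $guestUpn is a placeholder and must be replaced.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Policy.Read.All','User.Read.All' -NoWelcome

$guestUpn = 'jane.doe_partner.example#EXT#@contoso.onmicrosoft.com'   # placeholder guest UPN

# Resolve the guest object first so the sign-in query filters on the immutable object id
# instead of a UPN whose rendering differs between the home tenant and the resource tenant.
$guest = Get-MgUser -UserId $guestUpn -Property Id,UserPrincipalName,UserType
"Guest: $($guest.UserPrincipalName) ($($guest.UserType)) id=$($guest.Id)"

# 1. Security Defaults: when enabled it requires MFA for every user in the tenant and
#    cannot be combined with Conditional Access, so rule it out first.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access policies that target guests/external users and grant on MFA.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $users = $_.Conditions.Users
    $targetsGuests = ($users.IncludeUsers -contains 'GuestsOrExternalUsers') -or
                     ($null -ne $users.IncludeGuestsOrExternalUsers)
    if ($targetsGuests -and ($_.GrantControls.BuiltInControls -contains 'mfa')) {
        "CA policy '$($_.DisplayName)' state=$($_.State) requires MFA for guests"
    }
}

# 3. The guest's recent failed sign-ins, with the result of every CA policy that was
#    evaluated on each attempt and the MFA method/detail the service recorded.
Get-MgAuditLogSignIn -Filter "userId eq '$($guest.Id)'" -Top 25 |
  Where-Object { $_.Status.ErrorCode -ne 0 } |
  ForEach-Object {
    "`n$($_.CreatedDateTime)  app=$($_.AppDisplayName)  error=$($_.Status.ErrorCode)"
    "  reason: $($_.Status.FailureReason)"
    "  MFA detail: $($_.MfaDetail.AuthMethod) / $($_.MfaDetail.AuthDetail)"
    foreach ($p in $_.AppliedConditionalAccessPolicies) {
        "  CA '$($p.DisplayName)' result=$($p.Result) controls=$($p.EnforcedGrantControls -join ',')"
    }
  }
```

Compare the output for one of the two affected guests with that of a guest from a different company who signs in successfully: a policy whose Result is `failure` with `mfa` in its enforced controls, together with an empty MfaDetail, points at the MFA challenge never being satisfied for that user rather than at the SAML application itself. Per-user MFA state is not covered here; it is still checked from the per-user MFA page in the portal.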