Misleading Error Message 53004


I wanted to document an issue I have spent a few months on (off and on) in hopes that the error messaging might be improved. The use case is that I can sign in to Teams; however, when I tried to switch orgs (guest access), I am seeing a "Your sign-in was blocked" error message on the screen with a body of "We've detected something unusual about this sign-in."... I received the same experience when using the web app or the Teams client, as well as both at work and at home. When I went into Azure, the failed authentication event said (example pasted at the bottom). The actual issue was that there was an old unaddressed risky sign-in event that was never dismissed after it was addressed in August. Of course there is a business process gap; however, if both the user-facing message and the Azure failed sign-in event had pointed me in the risky sign-in direction instead of an incomplete MFA registration, I would have spent considerably less time trying to resolve this issue. I understand if this post needs to be redirected to a different group, but I wanted to start by documenting it here to hopefully save someone else from burning their time and MS Premier (though I did not actually find the resolution as a result of that ticket) hours on this.


Date: 2/10/2020, 11:34:59 AM
Request ID: e7faa82a-32e7-4d1c-8498-320946ed7500
Correlation ID: d6581197-d1a2-470b-87d9-0c3283e1a1a2
Status: Failure
Sign-in error code: 53004
Failure reason: User needs to complete Multi-factor authentication registration process before accessing this content. User should register for multi-factor authentication.
User: REDACTED
Username: REDACTED
User ID: REDACTED
Alternate sign-in name:
Application: Microsoft Teams
Application ID: 1fec8e78-bce4-4aaf-ab1b-5451cc387264
Resource: Microsoft Teams Services
Resource ID: cc15fd57-2c6c-4117-a88c-83b1d56b4bbe
Client app:
Token issuer type: Azure AD
Token issuer name:
Latency: 391ms
User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)

@Busted1942 Looking at the correlation id, the guest user was marked as High Risk by his home tenant, and the solution is that the guest user's home tenant should de-flag that event.

That is what the fix was. What can I read/learn to be able to decode correlation IDs like a pro, as you seem to be able to? @Gousia_Begum

@Gousia_Begum 

hello,

Can you provide repro steps for how to do this?

@Tomaszfand @Gousia_Begum,

Trigger a risky user sign-in event to show up for a test user in Azure Portal > Azure Active Directory > Security > Risk Detections, and then try to change orgs with that user in MS Teams.

@Busted1942

Thanks.

I've got another kind of issue; maybe I can shortly describe it.

An external user (customer) cannot log in to our tenant (Teams/Azure DevOps) with his account.

When logging in he's asked to provide MFA and so on, but he CAN'T. It's not possible because he cannot log in to set up MFA, so we have a loop.

So I created another user in his tenant, logged into mine, and it works, so he's using this second account.

Maybe you can advise me what to do. Some users are asked to provide MFA, some not.

In the conditional access policy I have excluded external users.

[Screenshots attached: 2020-04-16 19_38_32-Window.png, 2020-04-16 20_20_25-Window.png]

Your sign-in was blocked
We've detected something unusual about this sign-in. For example, you might be signing in from a new location, device, or app. Before you can continue, we need to verify your identity. Please contact your administrator.
More details
Request Id: bb00bc72-dcc0-4e86-98df-6d1a74333600
Correlation Id: 0cb65c4e-ed1d-400a-b821-05c1f85d43a6
Timestamp: 2020-03-24T09:03:04.003Z
App name: Microsoft Teams Web Client
App ID: 5e3ce6c0-2b1f-4285-8d4b-75ee78787346
IP address: 77.20.253.212
Device identifier: Not available
Device platform: Windows 10
Device state: Unregistered
Advanced diagnostics: Enable
If you plan on requesting support for an issue, turn this option on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

@Tomaszf,

Did you check risky sign-ins for an event with his username? Resolving the risky user sign-in was the resolution in my case when there were no other clues on where to look. You can find that under Azure Portal > Azure Active Directory > Security > Risky users...

Yes, but there is no info.

@Tomaszf,

You are experiencing the same frustration I did and are being misled by the same error message, in my opinion. In my case, it was the account in my tenant trying to auth as a federated user into another tenant that triggered that error message, again, in my source tenant. When you checked for risky sign-ins, did you check in the user's source (federated or guest) tenant if they had a risky sign-in event, or were you checking in your tenant where you are trying to share the resources from?

If you don't see a risky sign-in event in either tenant, I am not sure what else might be going on, and my next step would be to open a support ticket. Again, were it me, I'd open it as an Azure auth incident and be prepared for the likelihood of being bounced around from support group to support group for a month or two as you stay on top of them, not allowing them to close the incident and escalating as needed. It took me months to resolve this for our tenant, but I eventually got to a person who knew enough to give me a few clues to resolve it for myself.
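Added example (my own, not code from anyone in this thread): the advice in the replies above boils down to correlating a 53004 failure in the resource tenant's sign-in log with risk detections for the same person in the guest's home tenant, because the "complete MFA registration" failure reason is the misleading part. The script below does that correlation over constructed sample records shaped like what Microsoft Graph returns from /auditLogs/signIns and /identityProtection/riskDetections. The tenant names (contoso, fabrikam), GUIDs, user names and timestamps are made up, and the guest-to-home UPN mapping assumes the standard B2B format `local_domain#EXT#@resourcetenant`.

```python
"""Added triage helper (not from the thread): for every Azure AD sign-in
failure with error code 53004, check whether the user's HOME tenant still
has an open Identity Protection risk detection, which the thread found to
be the real cause for cross-tenant guests. All records are constructed."""
from datetime import datetime

MFA_REGISTRATION_CODE = 53004          # the misleading error code from the thread
UNRESOLVED_STATES = {"atRisk", "confirmedCompromised"}   # Graph riskState values nobody has closed
FAILURE_REASON = ("User needs to complete Multi-factor authentication "
                  "registration process before accessing this content.")

# Constructed sign-in records from the RESOURCE tenant (fabrikam, hypothetical).
SIGN_INS = [
    {   # guest from contoso switching orgs into fabrikam in Teams
        "correlationId": "11111111-1111-1111-1111-111111111111",
        "createdDateTime": "2020-02-10T11:34:59Z",
        "userPrincipalName": "guest.user_contoso.com#EXT#@fabrikam.onmicrosoft.com",
        "appDisplayName": "Microsoft Teams",
        "status": {"errorCode": 53004, "failureReason": FAILURE_REASON},
    },
    {   # member who genuinely has not registered for MFA
        "correlationId": "22222222-2222-2222-2222-222222222222",
        "createdDateTime": "2020-02-10T12:00:00Z",
        "userPrincipalName": "alice@fabrikam.com",
        "appDisplayName": "Microsoft Teams",
        "status": {"errorCode": 53004, "failureReason": FAILURE_REASON},
    },
    {   # successful sign-in; the triage ignores it
        "correlationId": "33333333-3333-3333-3333-333333333333",
        "createdDateTime": "2020-02-10T12:05:00Z",
        "userPrincipalName": "bob@fabrikam.com",
        "appDisplayName": "Microsoft Teams",
        "status": {"errorCode": 0, "failureReason": "Other."},
    },
]

# Constructed risk detections exported from the guest's HOME tenant (contoso).
HOME_TENANT_RISK_DETECTIONS = [
    {"userPrincipalName": "guest.user@contoso.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "high", "riskState": "atRisk",          # never dismissed since August
     "detectedDateTime": "2019-08-12T07:15:00Z"},
    {"userPrincipalName": "guest.user@contoso.com", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "dismissed",     # already handled; must not count
     "detectedDateTime": "2019-05-01T10:00:00Z"},
]


def _parse_utc(ts: str) -> datetime:
    """Graph timestamps end in 'Z', which fromisoformat() only accepts from 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def home_identity(upn: str) -> str:
    """Map a B2B guest UPN (<local>_<domain>#EXT#@<resource tenant>) back to the
    home-tenant UPN; member UPNs are returned unchanged. Azure AD swaps the
    original '@' for '_', so the last '_' before #EXT# is the one to restore."""
    upn = upn.lower()
    if "#ext#" not in upn:
        return upn
    name, _, domain = upn.split("#ext#", 1)[0].rpartition("_")
    return f"{name}@{domain}"


def unresolved_detections(detections, home_upn: str):
    """Detections for this home identity that nobody has dismissed or remediated."""
    return [d for d in detections
            if d["userPrincipalName"].lower() == home_upn and d["riskState"] in UNRESOLVED_STATES]


def triage(sign_ins, home_detections):
    """For each 53004 failure, report whether an open home-tenant risk detection is
    the more likely cause than missing MFA registration, and how long it has been open."""
    findings = []
    for s in sign_ins:
        if s["status"]["errorCode"] != MFA_REGISTRATION_CODE:
            continue
        home = home_identity(s["userPrincipalName"])
        open_risk = unresolved_detections(home_detections, home)
        signed_in_at = _parse_utc(s["createdDateTime"])
        days_open = max(((signed_in_at - _parse_utc(d["detectedDateTime"])).days
                         for d in open_risk), default=0)
        findings.append({
            "correlationId": s["correlationId"],
            "homeUser": home,
            "isGuest": "#ext#" in s["userPrincipalName"].lower(),
            "unresolvedDetections": len(open_risk),
            "daysOpenAtSignIn": days_open,
            "likelyCause": ("unresolved risky user in home tenant; ask the home tenant to dismiss or remediate it"
                            if open_risk else
                            "MFA registration or another policy; check Conditional Access and registration state"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SIGN_INS, HOME_TENANT_RISK_DETECTIONS):
        print(f"{f['correlationId']} {f['homeUser']} guest={f['isGuest']} "
              f"open_risk={f['unresolvedDetections']} ({f['daysOpenAtSignIn']}d): {f['likelyCause']}")
```

With real data you would feed `triage` the resource tenant's sign-in export and a risk-detection export pulled from the home tenant by its own admins, since the resource tenant cannot see those detections itself; that split is exactly why the portal check in the wrong tenant comes back empty.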

@Tomaszf,

A thought occurred to me this week: could you have "Include Unknown Areas" checked in your named region? That could cause some traffic to fall into an unexpected conditional access policy.