1Password Chrome Azure SSO not working because of 2FA
We recently enabled Azure SSO for our users but now they are experiencing an issue when trying to login with their user and receive the following error:
"The identity provider response could not be verified. Contact your account administrator for assistance.
This action is not allowed.
ServerError: 403 (forbidden: invalid_grant: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'XXXXXXXXXXX'. Trace ID: XXXXXXX Correlation ID: XXXXXXXXX Timestamp: 2023-06-01 08:21:24Z )"
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Chrome
Comments
-
We are encountering this exact AADSTS50076 error as well when trying to onboard new staff to Azure SSO :(
We don't have anything in our Azure AD Conditional Access policies that would seem to include (or explicitly exclude…) our 1P app, and while our users are Azure/MS multi-factor-enabled/enforced they never get a prompt to their MS Authenticator app, nor do we see anything in their sign-in and audit logs that would post us in the right direction.
We'll keep digging but so may end up filing a 1P support ticket to see if they've encountered anything like this during beta, etc.…
1 -
Hi @MrCoBalt and @jwilliamstg,
Thank you for contacting 1Password Support, my name is Scott, and I'll gladly assist you today.
We have recently noticed an uptick of issues relating to error 403, which results in failed SSO login attempts due to various conditional access policies within Azure, the most common being MFA related. Due to this, we have worked with several clients who added an exception for the 1Password SSO application. It was enough to allow SSO to bypass the MFA requirement and other conditions.
I'm including a link from Microsoft on cloud application exclusion from MFA as an example, and hopefully, it helps resolve your issue: Create and exclude an application from MFA.
If you're unsure which policy is being enforced, the error message should display a
Correlation ID
, which could link to the policy that blocked the connection in Azure.We also recognize this is not the ideal solution, and we are working with Microsoft to find a better solution going forward.
If you're still experiencing a problem authenticating after adding the conditional access exception, we would happily work with you on resolving it. To better assist you, please email BusinessSupport@1Password.com with a link to this community thread and some extra details that can help us track down the source of your problem, such as:
- Which day and time you attempted your login and received the failure.
- Any screenshots that display the error.
- If using the 1Password 8 application, a copy of the application logs.
- The user's e-mail address experiencing the problem.
To prevent any information from accidentally being shared publicly, and keep each of your cases private and separate. I'll close out this community thread. Please email in to continue the conversation with us.
Thanks again, we apologize for the delay but look forward to helping you resolve everything as soon as possible.
Scott Swezey
Customer Support Specialist @ 1PasswordServer status | Support hub | Release notes | Passkeys
Get a free 1Password Families membership when you use 1Password Business.0