Outlook or Teams shows error AADSTS50076 with message "Due to a configuration change made by your administrator, you must use multi-factor authentication." An MFA policy (Security Defaults, per-user MFA, or Conditional Access) requires MFA, but the authentication flow does not support it or was not completed.
The Fix
For End Users:
1. Sign out of all Office apps
2. Open Outlook and sign in again
3. Complete the MFA challenge when prompted (Authenticator app, SMS, or phone call)
4. If using a browser, disable ad-blockers and allow pop-ups
If you have not set up MFA yet:
Go to: https://aka.ms/mfasetup
Register your authentication methods
For Admins - User Cannot Complete MFA:
Check whether the user has registered MFA methods:
Entra ID > Users > [User] > Authentication methods
If no methods are registered, send them the setup link or register a temporary phone number for them.
For Service Accounts/Automation:
Service accounts hitting AADSTS50076 need special handling. Options:
1. Exclude from MFA via Conditional Access:
Azure Portal > Microsoft Entra ID > Protection > Conditional Access
Modify the MFA policy > Users > Exclude > Add the service account
2. Use Service Principal with Certificate Auth:
Create an app registration with certificate credentials instead of a username and password. Service principals do not require interactive MFA.
3. Switch Authentication Flow:
If using the Resource Owner Password Credentials (ROPC) flow, switch to the authorization code flow, which supports interactive MFA.
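To find which accounts need the service-account handling above, this added example (not part of the original article) triages an exported sign-in log for error code 50076. It assumes records shaped like the Microsoft Graph signIn resource, including authenticationProtocol (a beta-endpoint field); triage_50076 and the sample data are constructed for illustration.

```python
import json
from collections import defaultdict

MFA_REQUIRED = 50076  # numeric part of AADSTS50076

# Constructed sample export. Field names are assumed to follow the Microsoft
# Graph signIn resource; accounts, apps and values are made up.
SAMPLE = json.loads("""[
 {"userPrincipalName": "svc-backup@contoso.example", "appDisplayName": "Backup Script",
  "authenticationProtocol": "ropc", "status": {"errorCode": 50076}},
 {"userPrincipalName": "svc-backup@contoso.example", "appDisplayName": "Backup Script",
  "authenticationProtocol": "ropc", "status": {"errorCode": 50076}},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Outlook",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 50076}},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Outlook",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Teams",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 50076}}
]""")

def triage_50076(signins):
    """Map each account that hit AADSTS50076 to the fix that applies to it."""
    stats = defaultdict(lambda: {"fail": 0, "ropc": 0, "ok": 0, "apps": set()})
    for rec in signins:
        s = stats[rec["userPrincipalName"].lower()]
        code = (rec.get("status") or {}).get("errorCode")
        if code == 0:
            s["ok"] += 1
        elif code == MFA_REQUIRED:
            s["fail"] += 1
            s["ropc"] += rec.get("authenticationProtocol") == "ropc"
            s["apps"].add(rec.get("appDisplayName") or "unknown")
    report = {}
    for upn, s in stats.items():
        if not s["fail"]:
            continue  # account never hit AADSTS50076
        if s["ropc"] == s["fail"]:
            fix = "automation"     # every failure used ROPC, which cannot answer MFA
        elif s["ok"]:
            fix = "none"           # account also has successful sign-ins
        else:
            fix = "check-methods"  # user may have no registered MFA method
        report[upn] = {"fix": fix, "failures": s["fail"], "apps": sorted(s["apps"])}
    return report

if __name__ == "__main__":
    for upn, row in sorted(triage_50076(SAMPLE).items()):
        print(f"{upn:30} {row['fix']:14} {row['failures']} {row['apps']}")
```

Accounts reported as "automation" are the candidates for options 1 to 3 above; "check-methods" accounts map to the admin steps for users who cannot complete MFA.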
If Using Legacy Per-User MFA:
Microsoft recommends Conditional Access over per-user MFA. To disable per-user MFA:
Azure Portal > Azure Active Directory > Users > Per-user MFA
Select user > Disable
If Using Security Defaults:
Security Defaults enforce MFA for all users. To disable them (only if you have proper Conditional Access policies in place):
Azure Active Directory > Properties > Manage Security Defaults > Set to "No"
Verify
The user can sign in after completing MFA. If MFA prompts appear at every sign-in (not remembered), check Conditional Access policy settings for "Remember MFA on trusted devices."