Team: Managed Identity Threat Detection and Response (ITDR)
Product: Huntress Managed Identity Threat Detection and Response (ITDR), Microsoft 365
Environment: Microsoft 365 (Entra admin center)
Summary: This article helps you troubleshoot common AADSTS errors that can occur when integrating Huntress Managed Identity Threat Detection and Response (ITDR) with Microsoft 365. Each error includes causes and step-by-step solutions.
Related Articles
In this Article
Overview
AADSTS errors are authentication and authorization errors returned by Microsoft Entra ID (formerly Azure Active Directory) when connecting Huntress Managed Identity Threat Detection and Response (ITDR) to Microsoft 365. This guide explains the most common errors, why they occur, and how to resolve them.
Common AADSTS Errors and Solutions
Below are the most frequently encountered AADSTS errors when setting up or maintaining your Huntress ITDR integration with Microsoft 365. For each error, review the cause and follow the recommended steps to resolve it.
AADSTS530004
Error: AcceptCompliantDevice setting isn't configured for this organization.
Why? Non-Windows devices, such as the Huntress Service Account, are blocked from completing multi-factor authentication (MFA).
Fix:
-
Add a Conditional Access Policy account exclusion for non-compliant, non-managed devices used by the Huntress Service Account.
Important: Ensure the Huntress Service Account is excluded from device compliance requirements in your Conditional Access Policy.
AADSTS50173
Error: FreshTokenNeeded - The provided grant has expired due to it being revoked, and a fresh auth token is needed.
Why? The authorizing user's password was reset, which invalidated the Huntress Microsoft 365 integration.
Fix:
- Delete the existing Huntress Microsoft 365 integration.
- Re-authorize the integration using a dedicated service account that does not require password rotation.
- If password rotation is required, reset the Huntress Microsoft 365 integration each time the password changes.
Important: Using a dedicated service account without password rotation requirements helps prevent this error.
AADSTS500212
Error: NotAllowedByOutboundPolicyTenant - The user's administrator has set an outbound access policy that doesn't allow access to the resource tenant.
Why? An outbound access policy is blocking access to the resource tenant.
Fix:
- Review and update your cross-tenant access settings in Microsoft Entra ID.
- Unblock access as described in the Microsoft documentation for cross-tenant access settings.
Caution: Changes to cross-tenant access policies can affect other integrations. Review your organization's security requirements before making changes.
AADSTS50079
Error: UserStrongAuthEnrollmentRequired - The user is required to use multi-factor authentication due to a configuration change.
Why? The Huntress Service Account is not enrolled in MFA.
Fix:
- Enroll the Huntress Service Account in multi-factor authentication.
Important: MFA enrollment may be required by your organization's Conditional Access policies.
AADSTS530032
Error: BlockedByConditionalAccessOnSecurityPolicy - The tenant admin has configured a security policy that blocks this request.
Why? Identity protection is blocking the dedicated Huntress Service Account.
Fix:
- Access the Risky User Report in Microsoft Entra ID.
- Dismiss the user risk for the Huntress Service Account.
- Wait several minutes for the change to propagate, then retry the integration.
Note: This error may take some time to clear after dismissing the user risk.
What if My Error Is Not Listed?
If you encounter an AADSTS error that is not listed in this article, open a Huntress Support ticket or send an email to support@huntress.com.