AADSTS50126 - Invalid Username or Password

What Does Invalid Username or Password Mean?

AADSTS50126 is a primary credential mismatch. It is the first barrier in the Entra ID authentication flow. If this fails, the system does not continue to MFA, Conditional Access, or disabled-account evaluation. While it often means a user typed a password incorrectly, in production environments it is also a common signature of a stale client such as a device or background process replaying an old password after a recent rotation.

Common Causes

• -Incorrect Credentials: A real typo in the password or use of an old password immediately after a reset.
• -UPN vs Alias Mismatch: Attempting to log in with an email alias when the directory expects the primary User Principal Name.
• -Ghost Client: An old phone, Outlook profile, printer service, or background app is still using a cached password and repeatedly triggering AADSTS50126.
• -ROPC Flow Mismatch: A script using the Resource Owner Password Credentials flow is blocked because the tenant now requires Modern Auth or MFA-capable patterns.
• -Keyboard Layout Issues: Special characters in the password are being entered differently because of a changed keyboard layout or locale.

How to Fix Invalid Username or Password

1. 1Verify The UPN: Confirm the user is entering the full primary User Principal Name, not a secondary email address.
2. 2Clear Cached Credentials: On Windows, clear old Generic Credentials in Credential Manager or update any stored secrets on the affected client.
3. 3Audit Background Devices: Use Entra sign-in logs to identify the user agent or IP that is replaying bad credentials.
4. 4Switch To Managed Identity: If this comes from an Azure-hosted script or automation, stop using passwords and move to Managed Identity or another workload identity.

Step-by-Step Diagnosis for Invalid Username or Password

1. 1Filter Microsoft Entra sign-in logs by the user’s UPN and look for a pattern of AADSTS50126 failures.
2. 2Inspect the Client App, User Agent, and Device Info fields in the logs to pinpoint which app or device is sending bad credentials.
3. 3Verify whether the password was recently changed. If so, the issue is often a stale cache on a secondary device.
4. 4Check whether the failure is happening through legacy protocols such as IMAP, SMTP, or POP3, which frequently handle password changes poorly.

try {
  const result = await msalInstance.loginPopup(loginRequest);
} catch (error) {
  if (error.errorCode === "AADSTS50126") {
    // Standard invalid-credential handling
    alert("Please check your username and password and try again.");
  }
}

# Verify the UPN before attempting another login
az ad user show --id user@example.com --query "userPrincipalName"

How to Verify the Fix

• -Confirm a successful login from a private or incognito browser session to ensure the directory accepts the credentials.
• -Monitor sign-in logs and ensure AADSTS50126 failures stop for the specific user agent or client involved.
• -Verify the user can access integrated apps such as Teams or Outlook without repeated password prompts.

How to Prevent Recurrence

• -Go Passwordless Where Possible: Use Windows Hello for Business or FIDO2 keys to reduce raw password dependency.
• -Modernize Automation: Move CI/CD pipelines and background tasks to workload identity federation, managed identities, or service principals.
• -User Education: Encourage users to update saved passwords on mobile devices and secondary clients immediately after a reset.
• -Pro tip: If AADSTS50126 appears in a loop, stop guessing. Repeated failures quickly lead to AADSTS50053, where even the correct password may stop working temporarily.

Related Errors

Decision Support

Official References

• -Troubleshoot Entra ID Sign-in Issues
• -Resource Owner Password Credentials (ROPC)
• -Microsoft Identity Platform Error Codes - AADSTS50126
• -Azure Official Documentation