AADSTS50126 - Invalid Username or Password
Azure AADSTS50126 indicates a primary authentication failure where Microsoft Entra ID cannot validate the provided username and password combination. This occurs before MFA challenges or account-state checks.
Last reviewed: April 6, 2026
What Does Invalid Username or Password Mean?
AADSTS50126 is a primary credential mismatch. It is the first barrier in the Entra ID authentication flow. If this fails, the system does not continue to MFA, Conditional Access, or disabled-account evaluation. While it often means a user typed a password incorrectly, in production environments it is also a common signature of a stale client such as a device or background process replaying an old password after a recent rotation.
Common Causes
- Incorrect Credentials: A real typo in the password or use of an old password immediately after a reset.
- UPN vs Alias Mismatch: Attempting to log in with an email alias when the directory expects the primary User Principal Name.
- Ghost Client: An old phone, Outlook profile, printer service, or background app is still using a cached password and repeatedly triggering AADSTS50126.
- ROPC Flow Mismatch: A script using the Resource Owner Password Credentials flow is blocked because the tenant now requires Modern Auth or MFA-capable patterns.
- Keyboard Layout Issues: Special characters in the password are being entered differently because of a changed keyboard layout or locale.
How to Fix Invalid Username or Password
1. Verify The UPN: Confirm the user is entering the full primary User Principal Name, not a secondary email address.
2. Clear Cached Credentials: On Windows, clear old Generic Credentials in Credential Manager or update any stored secrets on the affected client.
3. Audit Background Devices: Use Entra sign-in logs to identify the user agent or IP that is replaying bad credentials.
4. Switch To Managed Identity: If this comes from an Azure-hosted script or automation, stop using passwords and move to Managed Identity or another workload identity.
Step-by-Step Diagnosis for Invalid Username or Password
1. Filter Microsoft Entra sign-in logs by the user’s UPN and look for a pattern of AADSTS50126 failures.
2. Inspect the Client App, User Agent, and Device Info fields in the logs to pinpoint which app or device is sending bad credentials.
3. Verify whether the password was recently changed. If so, the issue is often a stale cache on a secondary device.
4. Check whether the failure is happening through legacy protocols such as IMAP, SMTP, or POP3, which frequently handle password changes poorly.
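The diagnosis steps above, applied to exported sign-in records, as an added example that is not part of the original page: it groups AADSTS50126 failures for one UPN by client app, IP, and OS, then flags legacy protocols, retry cadence, and Smart Lockout. The records are constructed, `rec` and `find_stale_clients` are hypothetical names, and the field names assume the Microsoft Graph signIn record shape.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# clientAppUsed values assumed for the legacy protocols the page names (IMAP, SMTP, POP3)
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP"}

def rec(ts, code, app, ip, os_name, upn="user@example.com"):  # hypothetical helper
    return {"createdDateTime": ts, "userPrincipalName": upn, "status": {"errorCode": code},
            "clientAppUsed": app, "ipAddress": ip, "deviceDetail": {"operatingSystem": os_name}}

# Constructed records: password changed on a PC, a tablet keeps replaying the old one
SAMPLE_SIGNINS = [
    rec("2026-04-01T08:00:00Z", 0, "Browser", "198.51.100.10", "Windows"),
    rec("2026-04-01T08:05:00Z", 50126, "IMAP4", "203.0.113.7", "iOS"),
    rec("2026-04-01T08:10:00Z", 50126, "Browser", "198.51.100.10", "Windows"),
    rec("2026-04-01T08:11:00Z", 0, "Browser", "198.51.100.10", "Windows"),
    rec("2026-04-01T08:20:00Z", 50126, "IMAP4", "203.0.113.7", "iOS"),
    rec("2026-04-01T08:35:00Z", 50126, "IMAP4", "203.0.113.7", "iOS"),
    rec("2026-04-01T08:50:00Z", 50126, "IMAP4", "203.0.113.7", "iOS"),
    rec("2026-04-01T08:51:00Z", 50053, "IMAP4", "203.0.113.7", "iOS"),
    rec("2026-04-01T08:30:00Z", 50126, "Browser", "192.0.2.44", "MacOs", upn="other@example.com"),
]

def find_stale_clients(signins, upn, min_failures=3):
    """Rank sources of repeated AADSTS50126 failures for one UPN; also report Smart Lockout."""
    mine = [s for s in signins if s["userPrincipalName"].lower() == upn.lower()]
    failures, successes = defaultdict(list), []
    for s in mine:
        when = datetime.strptime(s["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = (s["clientAppUsed"], s["ipAddress"], s["deviceDetail"].get("operatingSystem"))
        if s["status"]["errorCode"] == 50126:
            failures[key].append(when)
        elif s["status"]["errorCode"] == 0:
            successes.append((when, key))
    # Isolated typos are not a replaying client: keep only sources at or above the threshold
    repeated = {k: sorted(t) for k, t in failures.items() if len(t) >= min_failures}
    findings = []
    for key, times in repeated.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "client_app": key[0], "ip": key[1], "os": key[2], "failures": len(times),
            "legacy_protocol": key[0] in LEGACY_CLIENTS,
            "median_gap_s": statistics.median(gaps) if gaps else None,  # steady gaps: automated retries
            # A success from another client inside the failure window: the password itself is fine
            "password_valid_elsewhere": any(
                times[0] <= t <= times[-1] and k != key for t, k in successes),
        })
    locked_out = any(s["status"]["errorCode"] == 50053 for s in mine)
    return sorted(findings, key=lambda f: f["failures"], reverse=True), locked_out
```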
Credential Error Comparison
- AADSTS50126: Wrong username or password at primary authentication.
- AADSTS50055: Password is correct, but it is expired.
- AADSTS50053: Too many AADSTS50126 attempts have triggered Smart Lockout.
The ROPC Trap
- If you are using grant_type=password in a script and seeing AADSTS50126 despite a seemingly correct password, the tenant may have Security Defaults or modern authentication requirements that make the flow inappropriate.
Implementation Examples
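```javascript
try {
  const result = await msalInstance.loginPopup(loginRequest);
} catch (error) {
  // MSAL puts the OAuth error (e.g. "invalid_grant") in errorCode; the AADSTS
  // code arrives in the error description, so check both fields.
  const details = `${error.errorCode || ""} ${error.errorMessage || ""}`;
  if (details.includes("AADSTS50126")) {
    // Standard invalid-credential handling
    alert("Please check your username and password and try again.");
  }
}
```

```bash
# Verify the UPN before attempting another login
az ad user show --id user@example.com --query "userPrincipalName"
```

Seen in Production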
Forgotten iPad causes repeated credential failures
Frequency: high
Example: A user changes their password on a PC, but an iPad at home keeps trying to sync mail with the old password. The user then starts seeing repeated auth issues and risks account lockout.
Fix: Use sign-in logs to identify the stale device, then update or remove the old password on that client.
Debugging Tools
- Entra ID Sign-in Logs: Primary tool for tracing the source of bad credentials and repeated failures.
- Microsoft Graph Explorer: Useful for checking adjacent account state and identity details during troubleshooting.
- Azure AD Connect Health: Helpful when password hash sync or hybrid identity behavior is part of the investigation.
How to Verify the Fix
- Confirm a successful login from a private or incognito browser session to ensure the directory accepts the credentials.
- Monitor sign-in logs and ensure AADSTS50126 failures stop for the specific user agent or client involved.
- Verify the user can access integrated apps such as Teams or Outlook without repeated password prompts.
How to Prevent Recurrence
- Go Passwordless Where Possible: Use Windows Hello for Business or FIDO2 keys to reduce raw password dependency.
- Modernize Automation: Move CI/CD pipelines and background tasks to workload identity federation, managed identities, or service principals.
- User Education: Encourage users to update saved passwords on mobile devices and secondary clients immediately after a reset.
- Pro tip: If AADSTS50126 appears in a loop, stop guessing. Repeated failures quickly lead to AADSTS50053, where even the correct password may stop working temporarily.
Provider Context
This guidance is specific to Azure services. Always validate implementation details against official provider documentation before deploying to production.