AADSTS50158 - External Security Challenge Required
Azure AADSTS50158 is a federated security signal indicating that Microsoft Entra ID requires an additional authentication challenge from an external provider, such as Okta, Duo, Ping, or AD FS, before sign-in can complete.
Last reviewed: April 9, 2026 | Editorial standard: source-backed technical guidance
What Does External Security Challenge Required Mean?
AADSTS50158 is a delegated challenge requirement. In a federated setup, Entra ID relies on an external identity provider or MFA service to provide higher-assurance claims. If Entra receives a sign-in request but detects that the external security check has not been satisfied yet, often because the app tried to sign in silently, it returns AADSTS50158. It is essentially a step-up requirement that must be fulfilled by a non-Microsoft system before Entra can finish token issuance.
Common Causes
- Third-Party MFA Dependencies: The tenant uses an external provider like Duo or Okta for MFA, and the current session lacks a valid claim from that provider.
- Federated Authentication Step-Up: The user belongs to a federated domain and the target resource requires a claim that only the upstream identity provider can issue.
- Conditional Access With External Controls: A policy uses custom controls or external authentication methods that are not native to Entra ID.
- Silent Auth vs. External Logic: The app attempts prompt=none, but the external provider requires an interactive session to perform the security check.
- Broken Federation Trust: The trust relationship or the MFA claim mapping between Entra ID and the external IdP is misconfigured.
How to Fix External Security Challenge Required
1. Force Interactive Login: Switch the auth request to an interactive flow such as acquireTokenRedirect or loginPopup so the browser can reach the external provider.
2. Verify Federation Claims: Ensure the external IdP is correctly sending amr or equivalent MFA-satisfied claims back to Entra.
3. Check Upstream Logs: If Entra is healthy, the real failure is often visible only in the external provider logs.
4. Bypass For Workloads: If this affects a script or service, move it to a managed identity or service principal, because workload identities do not trigger human external challenges.
Step-by-Step Diagnosis for External Security Challenge Required
1. Identify the domain of the failing user and determine whether it is managed or federated.
2. Review Entra sign-in logs for the specific Correlation ID and inspect the authentication requirement details.
3. Examine the Conditional Access tab to see if an external strength or custom control was triggered.
4. Test the login in a standard browser window to see which third-party page appears during the step-up path.
AADSTS50158 vs AADSTS50076
- AADSTS50076: Microsoft Entra itself wants the user to complete MFA using Entra-native controls.
- AADSTS50158: Microsoft Entra is waiting for a third-party or federated system to complete the challenge and return proof.
The Silent Auth Conflict
- External identity providers usually require their own cookies or a fresh interaction. A silent MSAL request cannot reach through to an external provider to satisfy that challenge.
Implementation Examples
```javascript
import { InteractionRequiredAuthError } from "@azure/msal-browser";

// msalInstance and request are assumed to be set up elsewhere in the app.
try {
  const silentResult = await msalInstance.acquireTokenSilent(request);
  useToken(silentResult.accessToken);
} catch (error) {
  // MSAL surfaces the server code inside errorMessage ("AADSTS50158: ..."),
  // not in errorCode, so match on the message or on the error class.
  if (error instanceof InteractionRequiredAuthError ||
      String(error.errorMessage).includes("AADSTS50158")) {
    console.warn("External challenge required.");
    // Force a redirect so the browser can complete the external IdP interaction
    await msalInstance.acquireTokenRedirect(request);
  } else {
    throw error;
  }
}
```

```powershell
# Confirm whether the user's domain relies on an external identity provider.
# AuthenticationType is "Managed" or "Federated"; Federated means an upstream IdP issues the claims.
Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain -DomainId "yourcompany.com" | Select-Object Id, AuthenticationType
```

How to Verify the Fix
- Confirm the user can complete the third-party challenge and return to the application successfully.
- Verify the resulting token contains the necessary claims proving the external challenge was met.
- Check that subsequent silent refreshes work only if the external provider allows the session to persist strongly enough.
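The fix steps above (classify the error, then go interactive) and the verification step (inspect the token's amr claim) as one added example; this is not code from the original page or from MSAL. It assumes the MSAL error shape (errorCode plus errorMessage carrying the AADSTS code) and uses a constructed, unsigned sample token.

```javascript
// Added example: classify an MSAL error by its AADSTS code and inspect the
// returned ID token for MFA-satisfied claims. Node built-ins only; no network.

// Extract the AADSTS code. MSAL puts the server code in errorMessage
// (e.g. "AADSTS50158: ..."), not in errorCode.
function aadstsCode(error) {
  const text = error?.errorMessage ?? error?.message ?? "";
  const m = /AADSTS(\d+)/.exec(text);
  return m ? `AADSTS${m[1]}` : null;
}

// Decide how the client should react. Both step-up codes need an interactive
// round trip; 50158 is satisfied by the external IdP, 50076 by Entra itself.
function nextAction(error) {
  switch (aadstsCode(error)) {
    case "AADSTS50158": return "interactive-external-idp";
    case "AADSTS50076": return "interactive-entra-mfa";
    default: return "rethrow";
  }
}

// Decode a JWT payload without verifying it. Fine for reading claims from a
// token MSAL has already validated; never use this to make access decisions.
function decodeJwtPayload(token) {
  const payloadPart = token.split(".")[1];
  return JSON.parse(Buffer.from(payloadPart, "base64url").toString("utf8"));
}

// True when the amr claim shows a second factor was performed.
function mfaSatisfied(token) {
  const amr = decodeJwtPayload(token).amr ?? [];
  return amr.includes("mfa");
}

// Constructed sample data (hypothetical, not real tenant output).
const sampleError = {
  errorCode: "interaction_required",
  errorMessage: "AADSTS50158: External security challenge not satisfied.",
};
const sampleHeader = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
const samplePayload = Buffer.from(JSON.stringify({ aud: "api://example-app", amr: ["pwd", "mfa"] })).toString("base64url");
const sampleToken = `${sampleHeader}.${samplePayload}.signature-placeholder`;
```

Run the block with the sample data to see nextAction(sampleError) resolve to the external-IdP path and mfaSatisfied(sampleToken) report that the amr claim was present.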
How to Prevent Recurrence
- Standardize Identity Providers: Reduce external challenge complexity by moving toward native Entra MFA where possible.
- Keep Claim Mapping Consistent: Ensure all federated domains pass MFA or auth-strength claims correctly so Entra does not challenge users unnecessarily.
- Modernize Embedded Views: Mobile and desktop apps should use browsers or webviews that support multi-domain redirect flows cleanly.
- Pro tip: If AADSTS50158 appears only for one tenant or one domain, compare federation topology first. The root cause is often outside the app and outside Entra-native MFA.