How to Fix Copilot AADSTS50158 External Security Challenge Error
🔍 WiseChecker

When you try to sign in to Copilot in Microsoft 365, you may see the error message AADSTS50158 External Security Challenge. This error means that Azure Active Directory could not complete an external authentication challenge that your tenant requires. This is not a Copilot bug. It is a conditional access policy or identity protection rule blocking the sign-in attempt. This article explains why the error occurs and provides the exact steps to resolve it.

Key Takeaways: Fixing the AADSTS50158 Error in Copilot

  • Azure AD > Conditional Access > Policies: Check which policy requires an external challenge like MFA or terms of use acceptance.
  • Azure AD > Identity Protection > MFA registration policy: Ensure the user is registered for Azure AD Multifactor Authentication before accessing Copilot.
  • Azure AD > User settings > Per-user MFA: If per-user MFA is enforced, disable it or switch to conditional access MFA for Copilot.

Why the AADSTS50158 Error Appears for Copilot

The AADSTS50158 error code means that Azure Active Directory received an external security challenge from a conditional access policy but could not complete it. This typically happens when a conditional access policy requires one of the following:

  • Multifactor authentication (MFA) that the user has not completed or is not registered for
  • Acceptance of terms of use that the user has not yet accepted
  • A device compliance check that the device did not pass
  • A risk-based policy that requires a password change or additional verification

Copilot in Microsoft 365 uses Azure AD for authentication. When a conditional access policy triggers an external challenge, Copilot cannot complete the sign-in flow and returns the AADSTS50158 error. The error is not specific to Copilot. It will appear for any application that triggers the same policy.

Common Scenarios That Trigger This Error

The most common scenario is a conditional access policy that requires MFA for all cloud apps but excludes only a few. If Copilot is not excluded, the policy applies. Another common scenario is a terms of use policy that requires the user to accept a document before accessing any Microsoft 365 service. If the user has not accepted the terms, the external challenge fails.

A third scenario involves Identity Protection policies that require MFA registration. If the user has never registered for Azure AD MFA, the policy blocks access to Copilot.

Steps to Resolve the AADSTS50158 Error for Copilot

Follow these steps in the order listed. Each step addresses a different root cause. Test Copilot after each step to see if the error is resolved.

Step 1: Identify the Conditional Access Policy Causing the Error

  1. Open the Azure AD sign-in logs
    Go to the Azure portal at portal.azure.com. Select Azure Active Directory. Under Monitoring, select Sign-in logs. Find the failed sign-in attempt for the user who received the AADSTS50158 error. Click the row to open the details.
  2. Review the conditional access tab
    In the sign-in details, select the Conditional Access tab. This tab lists all policies that were evaluated for this sign-in. Look for a policy with Status set to Not applied or Failure. The policy that failed is the one triggering the external challenge.
  3. Note the policy name and controls
    Write down the policy name and the Grant controls it uses. For example, the policy may require Multifactor authentication or Require terms of use. This tells you what challenge the user must complete.

Step 2: Complete the Required Challenge

  1. If the policy requires MFA
    Ask the user to register for Azure AD MFA if they have not done so. Go to Azure AD > Identity Protection > MFA registration policy. Ensure the policy is enabled and the user is included. The user can then register at aka.ms/mfasetup. After registration, sign out of all Microsoft 365 apps and sign back in. Copilot should work.
  2. If the policy requires terms of use
    Go to Azure AD > Security > Conditional Access > Policies. Select the policy that requires terms of use. Under Grant, note the terms of use name. Then go to Azure AD > Security > Terms of use. Find the terms document and click Accept. Ask the user to open the terms link and accept it. After acceptance, retry Copilot.
  3. If the policy requires device compliance
    Ensure the device is enrolled in Microsoft Intune or another MDM. Check the device compliance status in Intune. If the device is noncompliant, resolve the compliance issues. The user may need to update the device or install required apps.

Step 3: Exclude Copilot from the Problematic Policy

  1. Open the conditional access policy
    In Azure AD, go to Security > Conditional Access > Policies. Select the policy that caused the error.
  2. Edit the Cloud apps or actions assignment
    Under Assignments, select Cloud apps or actions. Change Include to All cloud apps. Under Exclude, select Microsoft Copilot Service. The exact app name is Microsoft Copilot Service. If you do not see it, click Select and search for Copilot.
  3. Save the policy
    Click Save. Wait 5 minutes for the change to propagate. Test Copilot again.

Step 4: Disable Per-User MFA if It Is Enforced

  1. Check per-user MFA status
    In Azure AD, go to Users. Select the user. Under Manage, select Per-user MFA. If the status is Enabled or Enforced, this is likely the cause. Conditional access policies cannot override per-user MFA for Copilot.
  2. Disable per-user MFA for the user
    Click the user row, then click Disable. Confirm the change. The user will now rely on conditional access policies for MFA instead.
  3. Test Copilot
    Sign out and sign back in to Microsoft 365. Open Copilot. The error should be gone.

If Copilot Still Shows the AADSTS50158 Error

Multiple Conditional Access Policies Conflict

If the sign-in logs show multiple policies with different grant controls, the user may need to satisfy all of them. For example, one policy requires MFA and another requires terms of use. The user must complete both challenges. Check the Conditional Access tab in the sign-in logs again. Look for policies with Status set to Success or Not applied. If any policy shows Failure, resolve that policy first.
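The triage described in Step 1 (find the failed sign-in, read the Conditional Access tab, note the policy and its grant controls) and in the section above (a user may be blocked by several policies at once) can be done in bulk over an exported sign-in log. The following Python script is an added example, not code from the original article or from Microsoft. It assumes the records are in the shape the Microsoft Graph signIn resource returns (fields `status.errorCode`, `userPrincipalName`, `appDisplayName` and `appliedConditionalAccessPolicies[]` with `displayName`, `enforcedGrantControls` and `result`); the three sample records, the policy names and the user names are constructed for the example, and the grant-control strings are matched by keyword because an export may spell them differently.

```python
"""Triage AADSTS50158 sign-in failures from an exported Azure AD sign-in log.

Added example (not from the original article). Record layout assumed from the
Microsoft Graph signIn resource; all sample data below is constructed.
"""
import json

# Constructed sample export: three sign-in records for Copilot. The third one
# succeeded and must be ignored by the triage.
SAMPLE_SIGNINS = json.loads("""
[
  {"id": "sample-1", "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Microsoft Copilot Service",
   "status": {"errorCode": 50158,
              "failureReason": "External security challenge was not satisfied."},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for all cloud apps",
      "enforcedGrantControls": ["Mfa"], "result": "failure"},
     {"displayName": "Block legacy auth",
      "enforcedGrantControls": [], "result": "notApplied"}]},
  {"id": "sample-2", "userPrincipalName": "bob@contoso.example",
   "appDisplayName": "Microsoft Copilot Service",
   "status": {"errorCode": 50158,
              "failureReason": "External security challenge was not satisfied."},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for all cloud apps",
      "enforcedGrantControls": ["Mfa"], "result": "failure"},
     {"displayName": "Accept acceptable-use terms",
      "enforcedGrantControls": ["Require terms of use"], "result": "failure"}]},
  {"id": "sample-3", "userPrincipalName": "carol@contoso.example",
   "appDisplayName": "Microsoft Copilot Service",
   "status": {"errorCode": 0, "failureReason": "Other."},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for all cloud apps",
      "enforcedGrantControls": ["Mfa"], "result": "success"}]}
]
""")

EXTERNAL_CHALLENGE_ERROR = 50158  # the AADSTS50158 error code

# Keyword -> remediation step from this article. Matching runs on a lowercased
# copy of each enforced grant control, because exports may carry a short name
# ("Mfa") or a descriptive one ("Require multifactor authentication").
CONTROL_REMEDIATION = [
    (("mfa", "multifactor"), "Step 2.1: register the user for Azure AD MFA"),
    (("terms",), "Step 2.2: have the user accept the terms of use"),
    (("compliant", "device"), "Step 2.3: fix device compliance in Intune"),
    (("password",), "Identity Protection: have the user change their password"),
]


def classify_control(control: str) -> str:
    """Return the remediation step for one enforced grant control string."""
    text = control.lower()
    for keywords, remedy in CONTROL_REMEDIATION:
        if any(k in text for k in keywords):
            return remedy
    return "Unrecognised control; inspect the policy's Grant settings"


def failed_policies(record: dict) -> list[dict]:
    """Policies whose result is 'failure' for one sign-in record."""
    return [p for p in record.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]


def triage(records: list[dict]) -> dict[str, list[dict]]:
    """Group AADSTS50158 failures by user and list every failing policy.

    A user blocked by several policies at once gets one entry per policy, so
    every challenge they still have to satisfy is visible in one place.
    """
    findings: dict[str, list[dict]] = {}
    for record in records:
        if record.get("status", {}).get("errorCode") != EXTERNAL_CHALLENGE_ERROR:
            continue
        user = record.get("userPrincipalName", "<unknown user>")
        for policy in failed_policies(record):
            controls = policy.get("enforcedGrantControls", [])
            findings.setdefault(user, []).append({
                "app": record.get("appDisplayName"),
                "policy": policy.get("displayName"),
                "controls": controls,
                "remediation": sorted({classify_control(c) for c in controls}),
            })
    return findings


if __name__ == "__main__":
    for user, items in triage(SAMPLE_SIGNINS).items():
        print(user)
        for item in items:
            print(f"  {item['policy']} -> {', '.join(item['controls']) or '(no controls)'}")
            for remedy in item["remediation"]:
                print(f"    {remedy}")
```

Run it against a real export by replacing `SAMPLE_SIGNINS` with `json.load(open("signins.json"))`; the output lists, per user, each policy that reported Failure and the step in this article that clears it, which is the same reading of the Conditional Access tab that Step 1 asks you to do by hand.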

Identity Protection Risk Policy Blocks Sign-In

If the user has a high sign-in risk, Identity Protection may require a password change or self-remediation. Go to Azure AD > Security > Identity Protection > Risky sign-ins. Find the user. If the risk level is High, click Confirm compromised and then Dismiss risk. Ask the user to change their password. After the password change, the risk resets and Copilot should work.

Browser or App Cache Causes Stale Tokens

If the policy was recently changed, the browser or the Microsoft 365 app may still hold an old token. Clear the browser cache and cookies. In Microsoft Edge, go to Settings > Privacy, search, and services > Clear browsing data. Select Cookies and other site data and Cached images and files. Click Clear now. For the Microsoft 365 desktop apps, sign out and restart the app.

Copilot AADSTS50158 Error vs Other Azure AD Sign-In Errors

Item            | AADSTS50158 External Security Challenge                                                          | AADSTS50076 MFA Challenge
----------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------
Error message   | External security challenge was not satisfied                                                    | Due to a configuration change, you must perform multifactor authentication
Root cause      | Conditional access policy requires an external challenge like terms of use or device compliance | Conditional access policy or per-user MFA requires MFA specifically
Typical fix     | Complete the terms of use, register device, or exclude Copilot from the policy                   | Register for Azure AD MFA or complete MFA prompt
User experience | Sign-in fails without a clear prompt to complete the challenge                                   | User sees an MFA prompt and can complete it

The AADSTS50158 error is harder to diagnose because the user does not see a challenge prompt. The error appears as a generic sign-in failure. The AADSTS50076 error is easier because the user gets an MFA prompt. For both errors, the sign-in logs in Azure AD are the primary tool for finding the exact policy.

You can now identify the conditional access policy or per-user MFA setting that causes the AADSTS50158 error in Copilot. Use the Azure AD sign-in logs to find the failing policy. Then complete the required challenge, exclude Copilot from the policy, or disable per-user MFA. For persistent issues, check Identity Protection risk policies and clear browser cache. To prevent this error for new users, set up a conditional access policy that includes Copilot in the Exclude list from the start.