The AADSTS50076 error appears when you try to sign in to Copilot and your Microsoft 365 tenant requires multi-factor authentication (MFA) but the request lacks the proper claim. You see a message similar to “AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access”. This happens because an Azure AD Conditional Access policy enforces MFA for cloud apps, including Copilot, but the authentication token does not include the MFA claim. This article explains the root cause and provides step-by-step fixes to resolve the error.
Key Takeaways: Fixing AADSTS50076 for Copilot
- Azure AD admin center > Conditional Access > Policies: Check if a policy requires MFA for Copilot and verify the “Grant” block includes “Require multi-factor authentication”.
- Azure AD admin center > User settings > MFA service settings: Confirm per-user MFA is enabled for the affected account if Conditional Access is not used.
- Azure AD admin center > Enterprise applications > Copilot > Properties: Ensure the app is not assigned to a user group that triggers a conflicting Conditional Access policy.
Why the AADSTS50076 Error Occurs in Copilot
The error code AADSTS50076 is an Azure Active Directory token issuance failure. It occurs when the authentication request does not satisfy the MFA requirement set by a Conditional Access policy or a per-user MFA setting. Copilot, as a Microsoft 365 service, requires a valid token whose amr (authentication method reference) claim indicates that MFA was performed. If the token lacks that claim, Azure AD rejects the request and returns error 50076.
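To see what the amr claim looks like in practice, here is an added example (not code from the article or from Microsoft) that decodes the payload of a compact JWT and reports whether the claim records MFA. The tokens are constructed for illustration: the "aud" value and the signature segment are placeholders, and nothing here verifies a signature.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens: "constructed-resource" stands in for the real audience and
# "sig" stands in for the signature. They are never verified here.
HEADER = _b64url({"alg": "RS256", "typ": "JWT"})
TOKEN_WITH_MFA = ".".join([HEADER, _b64url({"aud": "constructed-resource", "amr": ["pwd", "mfa"]}), "sig"])
TOKEN_WITHOUT_MFA = ".".join([HEADER, _b64url({"aud": "constructed-resource", "amr": ["pwd"]}), "sig"])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Inspection only: the signature is not checked, so the result tells you what the
    token says, not whether the token is genuine. Validate it first if trust matters.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mfa_satisfied(token: str) -> bool:
    """True when the amr claim lists "mfa", i.e. the token records that MFA was performed."""
    amr = decode_claims(token).get("amr")
    if not isinstance(amr, list):  # claim absent or malformed: MFA is not proven
        return False
    return "mfa" in amr
```

A token that only carries "pwd" in amr is exactly the kind of token Azure AD rejects with 50076 when a policy requires MFA.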
There are three common triggers:
Conditional Access Policy Enforces MFA for All Cloud Apps
An administrator may have created a Conditional Access policy that requires MFA for all cloud applications including Copilot. If the policy is enabled and the user’s session does not have an MFA claim, the login fails.
Per-User MFA Is Enabled
The user account may have per-user MFA turned on in the Microsoft 365 admin center or Azure AD. This setting forces MFA at every sign-in, and if the authentication flow does not prompt for MFA, Azure AD returns error 50076.
Trusted Location or Device Compliance Conflict
A Conditional Access policy may include location or device compliance conditions. If the user is signing in from an untrusted IP or a non-compliant device, the policy requires MFA. The error appears when the token request does not meet those conditions.
Steps to Resolve the AADSTS50076 Error for Copilot
Follow these steps in order. Each step targets one possible cause. Test Copilot sign-in after each step.
- Clear browser cache and sign out of all sessions: Open your browser settings and clear cached data, including cookies and site data. Sign out of all Microsoft accounts. Restart the browser. This removes stale tokens that may be missing the MFA claim.
- Sign in to Copilot in a private or incognito window: Open a private browsing session. Navigate to copilot.microsoft.com. Sign in with your work or school account. If MFA is prompted, complete it. If the error does not appear, the issue was a cached token. Continue using the normal browser after clearing its cache again.
- Check Conditional Access policies in Azure AD: Go to the Azure AD admin center at entra.microsoft.com. Select Protection > Conditional Access > Policies. Look for any policy that applies to “All cloud apps” or specifically to “Microsoft Copilot” or “Microsoft 365”. Click the policy and review the Grant section. If it says “Require multi-factor authentication”, the policy is the cause. To test, set the policy to Report-only mode temporarily. If the error stops, you have identified the policy. Work with your admin to adjust the policy to exclude Copilot or to include a session control that allows MFA claim reuse.
- Verify per-user MFA status for the affected account: In the Azure AD admin center, go to Users > All users. Select the user experiencing the error. Click Authentication methods and check the MFA status. If it shows “Enabled” or “Enforced”, per-user MFA is active. To resolve, either complete MFA at sign-in or have an admin disable per-user MFA if Conditional Access policies already enforce MFA. Disable per-user MFA by going to Protection > Multi-factor authentication > Per-user MFA. Select the user and choose Disable.
- Check the Copilot enterprise application properties: In Azure AD, go to Enterprise applications. Search for “Copilot” or “Microsoft Copilot”. Open the application and select Properties. Ensure the “Assignment required?” setting is set to No if you want all users to access Copilot without explicit assignment. If it is set to Yes, make sure the user is assigned to the app. Go to Users and groups and confirm the user is listed. Reassign if needed.
- Review sign-in logs for detailed error information: In Azure AD, go to Monitoring > Sign-in logs. Filter by the affected user and look for failed sign-ins with error code 50076. Click the event and examine the Conditional Access tab. This shows which policy applied and which grant controls were missing. Use this information to adjust the policy or user settings.
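The sign-in log review in the last step can be scripted over an exported log. The following is an added example, not code from the article or from Microsoft: it reads constructed records whose field names follow the Microsoft Graph signIn resource (an assumption about the export format), keeps only the AADSTS50076 failures, and separates policies that actually blocked the request from report-only policies that merely would have, which is the distinction the Report-only test in step 3 relies on.

```python
import json

# Constructed sample records shaped like an Entra sign-in log export. Field names follow
# the Graph signIn resource (assumed); the user, app and policy names are made up.
SAMPLE_SIGNIN_LOG = json.dumps([
    {"id": "constructed-1", "userPrincipalName": "user@example.invalid",
     "appDisplayName": "Microsoft Copilot", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 50076, "failureReason": "Strong Authentication is required."},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all cloud apps", "enforcedGrantControls": ["Mfa"], "result": "failure"},
         {"displayName": "Block legacy auth", "enforcedGrantControls": ["Block"], "result": "notApplied"}]},
    {"id": "constructed-2", "userPrincipalName": "user@example.invalid",
     "appDisplayName": "Microsoft Copilot", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 50076, "failureReason": "Strong Authentication is required."},
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Pilot: require MFA", "enforcedGrantControls": ["Mfa"], "result": "reportOnlyFailure"}]},
    {"id": "constructed-3", "userPrincipalName": "user@example.invalid",
     "appDisplayName": "Microsoft Copilot", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0, "failureReason": "Other."}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all cloud apps", "enforcedGrantControls": ["Mfa"], "result": "success"}]},
])

MFA_CLAIM_ERROR = 50076


def triage_signins(log_json: str) -> list:
    """One finding per sign-in that failed with AADSTS50076.

    A policy with result "failure" blocked the request. "reportOnlyFailure" means the
    policy would have blocked it if enforced but did not, so a 50076 with no enforced
    failure is a hint to look at per-user MFA or a stale token rather than Conditional Access.
    """
    findings = []
    for rec in json.loads(log_json):
        if rec.get("status", {}).get("errorCode") != MFA_CLAIM_ERROR:
            continue
        policies = rec.get("appliedConditionalAccessPolicies", [])
        enforced = [(p["displayName"], p.get("enforcedGrantControls", []))
                    for p in policies if p.get("result") == "failure"]
        report_only = [p["displayName"] for p in policies if p.get("result") == "reportOnlyFailure"]
        findings.append({
            "id": rec.get("id"),
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "requirement": rec.get("authenticationRequirement"),
            "blocking_policies": enforced,
            "report_only_would_block": report_only,
            "likely_cause": "Conditional Access policy" if enforced else "per-user MFA or stale token",
        })
    return findings
```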
If Copilot Still Shows AADSTS50076 After the Main Fix
Copilot sign-in fails on mobile device but works on desktop
Mobile devices may use a different authentication broker or app. Ensure the Microsoft Authenticator app is installed and configured. In Conditional Access, check if the policy targets “All devices” or “Browser” only. If the policy excludes mobile device management, adjust the policy to include “Require approved client app” for mobile flows.
Copilot sign-in fails after a recent tenant migration
If your tenant recently moved from one Azure AD region to another, authentication endpoints may have changed. Clear all cached tokens and re-register the device in Azure AD: go to Settings > Accounts > Access work or school, then disconnect and reconnect the account.
Copilot sign-in fails for guest users
Guest users from another tenant may not have MFA registered in your tenant. In Azure AD, go to External Identities > Cross-tenant access settings. Ensure that MFA trust from the home tenant is enabled. Alternatively, require the guest to register MFA in your tenant by sending an MFA enrollment prompt.
Conditional Access Policy vs Per-User MFA for Copilot Access
| Item | Conditional Access Policy | Per-User MFA |
|---|---|---|
| Description | Central policy that enforces MFA based on conditions like location, device, or app | Individual user setting that forces MFA at every sign-in regardless of app or location |
| Configuration location | Azure AD > Protection > Conditional Access > Policies | Azure AD > Protection > Multi-factor authentication > Per-user MFA |
| Scope | Can target specific apps like Copilot or all cloud apps | Applies to all apps the user signs into |
| Token claim handling | Can include session control to reuse MFA claim for 1-7 days | No session control; MFA required at every authentication |
| Best practice | Use Conditional Access for granular control and token reuse | Use only when Conditional Access is not available; avoid in modern tenants |
The AADSTS50076 error in Copilot is almost always caused by an MFA requirement that the authentication token does not satisfy. By following the steps above, you can identify whether the issue is a Conditional Access policy, per-user MFA, or a token caching problem. After resolving the root cause, test Copilot sign-in again. For ongoing management, use Conditional Access policies with session controls to reduce MFA prompts while maintaining security.