
ERROR AADSTS

AADSTS50158

External security challenge not satisfied

in plain english

Entra handed the sign-in off to an external control (a federation IdP, a third-party MFA provider, or a Conditional Access Terms of Use page) and that control never reported the challenge as satisfied. The sign-in log entry shows as Interrupted with error code 50158 rather than as a denied sign-in: complete the external challenge and retry.

most likely causes

  • Conditional Access Terms of Use is required and the user hasn't accepted it yet
  • Tenant uses a third-party / federated MFA provider and the user didn't satisfy the prompt
  • Federation to an on-prem ADFS / external IdP failed mid-flow
  • User cancelled or timed out on the external provider's screen

fix path

  1. Have the user complete the external challenge (re-accept Terms of Use, complete the third-party MFA prompt) and retry
  2. Entra admin center → Identity → Monitoring & health → Sign-in logs (also linked from Protection → Conditional Access) → open the failed entry → 'Conditional Access' tab to see which policy and grant control interrupted the sign-in
  3. If federated: check the federation IdP's logs (ADFS event logs, Okta system log, Ping audit) for the matching failure
  4. For Terms of Use: Entra → Protection → Conditional Access → Terms of use → confirm assignment + the user hasn't been removed from the audience
  5. Note: device-compliance failures usually surface as AADSTS53000, not 50158
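The triage in steps 2 and 5, as an added example that is not part of this page or of any Microsoft tooling: it reads sign-in records in the Microsoft Graph v1.0 signIn shape (GET /auditLogs/signIns, or the JSON download from the sign-in logs blade), separates 50158 from the 53000 device-compliance case, and for each 50158 entry lists the policies that actually acted on the sign-in together with the fix-path step they point at. The records, policy names and grant-control labels are constructed samples, and the "terms of use" substring match is a heuristic assumed for illustration.

```python
"""Triage Entra ID sign-in log records for AADSTS50158.

Input: a list of signIn objects in the Microsoft Graph v1.0 shape. The records
below are constructed samples, not data from any real tenant; policy names and
grant-control strings are illustrative.
"""
import json

EXTERNAL_CHALLENGE_NOT_SATISFIED = 50158   # this page's error
DEVICE_NOT_COMPLIANT = 53000               # often confused with it (fix path step 5)

# appliedConditionalAccessPolicies[].result values meaning the policy actually
# acted on this sign-in (the rest are notApplied / notEnabled / unknown).
ACTED = {"success", "failure", "reportOnlyFailure", "reportOnlyInterrupted"}

# Constructed sample export: two 50158 interrupts, one 53000, one success.
SAMPLE_SIGNINS_JSON = r'''[
 {"createdDateTime": "2024-05-02T09:14:03Z", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Office 365 SharePoint Online",
  "status": {"errorCode": 50158, "failureReason": "External security challenge was not satisfied."},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require ToU for all users", "result": "failure",
    "enforcedGrantControls": ["Require terms of use"], "enforcedSessionControls": []},
   {"displayName": "Block legacy auth", "result": "notApplied",
    "enforcedGrantControls": [], "enforcedSessionControls": []}]},
 {"createdDateTime": "2024-05-02T09:20:41Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Azure Portal",
  "status": {"errorCode": 50158, "failureReason": "External security challenge was not satisfied."},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Admins: require MFA", "result": "failure",
    "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": []}]},
 {"createdDateTime": "2024-05-02T09:22:10Z", "userPrincipalName": "carol@contoso.example",
  "appDisplayName": "Microsoft Teams",
  "status": {"errorCode": 53000, "failureReason": "Device is not in required device state."},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device", "result": "failure",
    "enforcedGrantControls": ["RequireCompliantDevice"], "enforcedSessionControls": []}]},
 {"createdDateTime": "2024-05-02T09:25:55Z", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Office 365 SharePoint Online",
  "status": {"errorCode": 0, "failureReason": "Other."},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require ToU for all users", "result": "success",
    "enforcedGrantControls": ["Require terms of use"], "enforcedSessionControls": []}]}
]'''


def acting_policies(signin):
    """Policies that acted on this sign-in, with the grant controls they enforced."""
    return [
        {"policy": p.get("displayName"), "result": p.get("result"),
         "grantControls": list(p.get("enforcedGrantControls", []))}
        for p in signin.get("appliedConditionalAccessPolicies", [])
        if p.get("result") in ACTED
    ]


def classify(signin):
    """Bucket by status.errorCode; errorCode 0 is a successful sign-in."""
    code = signin.get("status", {}).get("errorCode")
    if code == EXTERNAL_CHALLENGE_NOT_SATISFIED:
        return "external-challenge"
    if code == DEVICE_NOT_COMPLIANT:
        return "device-compliance"
    return "success" if code == 0 else "other"


def next_step(bucket, policies):
    """Map the bucket plus enforced grant controls onto the fix path.
    The 'terms of use' substring test on the control label is a heuristic."""
    if bucket == "device-compliance":
        return "AADSTS53000, not 50158: check device compliance, not external controls"
    if bucket != "external-challenge":
        return None
    controls = " ".join(c for p in policies for c in p["grantControls"]).lower()
    if "terms of use" in controls:
        return "Re-accept Terms of Use; confirm the ToU assignment still covers the user"
    return "Complete the external/third-party MFA prompt; check the federation IdP logs"


def triage(signins):
    """One summary row per failed sign-in, grouped by bucket; successes are dropped."""
    report = {"external-challenge": [], "device-compliance": [], "other": []}
    for s in signins:
        bucket = classify(s)
        if bucket == "success":
            continue
        policies = acting_policies(s)
        report[bucket].append({
            "time": s.get("createdDateTime"), "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"), "errorCode": s["status"]["errorCode"],
            "policies": policies, "nextStep": next_step(bucket, policies),
        })
    return report


def triage_json(text):
    """Convenience wrapper: parse a sign-in export (JSON array) and triage it."""
    return triage(json.loads(text))


if __name__ == "__main__":
    for bucket, rows in triage_json(SAMPLE_SIGNINS_JSON).items():
        for r in rows:
            print(f"[{bucket}] {r['time']} {r['user']} -> {r['app']}: "
                  f"{[p['policy'] for p in r['policies']]} :: {r['nextStep']}")
```

Policies whose result is notApplied are dropped on purpose: a CA tab that lists five policies usually has only one that acted, and that is the one whose grant control names the external challenge. Against a real export, feed the array from Graph or the portal download into triage_json.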

seen in

Entra ID interactive sign-in · Federated tenant sign-in · Third-party MFA flows · Conditional Access Terms of Use
