ERROR AADSTS
AADSTS50158
External security challenge not satisfied
in plain english
Entra redirected the user to an external security provider (a federation IdP, a third-party MFA service, or a Conditional Access Terms of Use page) and the challenge wasn't completed. Sign-in is interrupted, not denied — complete the external challenge and retry.
most likely causes
- Conditional Access Terms of Use is required and the user hasn't accepted it yet
- Tenant uses a third-party / federated MFA provider and the user didn't satisfy the prompt
- Federation to an on-prem ADFS / external IdP failed mid-flow
- User cancelled or timed out on the external provider's screen
fix path
- Have the user complete the external challenge (re-accept Terms of Use, complete the third-party MFA prompt) and retry
- Entra portal → Protection → Conditional Access → Sign-in logs → find the failure → expand 'Conditional Access' to see the policy that interrupted
- If federated: check the federation IdP's logs (ADFS event logs, Okta system log, Ping audit) for the matching failure
- For Terms of Use: Entra → Protection → Conditional Access → Terms of use → confirm the assignment and that the user hasn't been removed from the audience
- Note: device-compliance failures usually surface as AADSTS53000, not 50158
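
The sign-in log steps in the fix path, applied to an exported log, as an added example that is not part of the original page. It assumes a JSON export in the Microsoft Graph signIn shape; the sample records, policy names, the `NO_POLICY` label and the function name `triage_50158` are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records in the Microsoft Graph signIn shape; all values are made up.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-01T09:12:03Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 50158, "failureReason": "External security challenge not satisfied."},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require ToU - all users", "result": "failure",
          "enforcedGrantControls": ["TermsOfUse"]},
         {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": []}]},
    {"createdDateTime": "2024-05-01T09:14:40Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 50158, "failureReason": "External security challenge not satisfied."},
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2024-05-01T09:20:11Z", "userPrincipalName": "carol@contoso.example",
     "status": {"errorCode": 53000, "failureReason": "Device is not compliant."},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]}]},
    {"createdDateTime": "2024-05-01T09:21:00Z", "userPrincipalName": "dave@contoso.example",
     "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []},
])

NO_POLICY = "(no failing CA policy recorded)"  # hypothetical bucket label

def triage_50158(export_json, code=50158):
    """Group sign-ins that ended in `code` by the Conditional Access policy that failed."""
    by_policy = defaultdict(list)
    for rec in json.loads(export_json):
        if (rec.get("status") or {}).get("errorCode") != code:
            continue  # 53000 (device compliance) and successes are out of scope
        hit = {"user": rec.get("userPrincipalName"), "time": rec.get("createdDateTime")}
        failed = [p for p in rec.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        if not failed:
            # Nothing in the CA detail: keep user and time to match against the IdP's logs
            by_policy[NO_POLICY].append(hit)
        for p in failed:
            by_policy[p["displayName"]].append(
                {**hit, "controls": p.get("enforcedGrantControls") or []})
    return dict(by_policy)

if __name__ == "__main__":
    for policy, hits in triage_50158(SAMPLE_EXPORT).items():
        print(policy, "->", [(h["user"], h["time"]) for h in hits])
```

Entries that land in the no-policy bucket are the ones to follow up in the federation IdP's or third-party MFA provider's own logs, matching on user and timestamp.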
seen in
Entra ID interactive sign-in · Federated tenant sign-in · Third-party MFA flows · Conditional Access Terms of Use