This guide applies to Mac computers
Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)
About this article
Use this article when Passport sign-in fails with Microsoft Entra ID (formerly Azure AD). It covers login checks, diagnostics, network requirements, and common Entra ID error codes. For setup, use Configure Passport with Microsoft Entra ID - Mac Login or Configure Passport with Microsoft Entra ID - Web Login, then Configure the Passport Library Item.
Login, diagnostics, and network
Sign in with the full email address
At the Passport login window, always enter the user’s full email address in the username field so the session uses your IdP instead of local authentication. For how the login window and visibility settings interact with Passport, see Passport Compatibility.
Use Passport Diagnostics
If a user cannot sign in, open Iru Endpoint Passport Diagnostics with Command-Shift-K-L on the Mac. The panel shows useful detail, including error messages returned from your IdP.
Confirm network connectivity
Passport must reach Microsoft Entra ID to validate credentials. When you customize the Passport login window, enable the network manager so users can join Wi-Fi if needed. The control respects AirPort security settings in macOS.
Wi-Fi limits and isolation testing
Passport shows a Wi-Fi icon at the upper-right of the login window; users can click it to join a password-protected network. Passport does not support captive portals, click-through acceptance pages, or enterprise 802.1X networks that require a separate username and password in that flow. To isolate network issues, try a mobile hotspot or wired Ethernet while testing at the Passport login window.
Common Microsoft Entra ID errors
To look up Microsoft Entra ID sign-in error codes (often prefixed with AADSTS), use login.microsoftonline.com/error.
AADSTS50076: MFA required
What you see: Microsoft Entra ID message: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource named in the error.
What to do:
- The user needs to complete multi-factor authentication. Multiple policies or settings can require MFA (for example Conditional Access, per-user enforcement, or client-requested MFA).
AADSTS50020: User cannot access the application
What you see: Microsoft Entra ID message: User account <user principal name> from identity provider <your Microsoft Entra ID Active Directory Tenant ID> does not exist in tenant <your tenant name> and cannot access the application <your Passport Application (client) ID> in that tenant. The account needs to be added as an external user in the tenant first.
What to do:
- In the Microsoft Entra admin center, open Users > All users and confirm that the user exists.
AADSTS50034: User not in directory
What you see: Microsoft Entra ID message: The user account <user principal name without the @ symbol and domain> does not exist in <your tenant name> directory.
What to do:
- For Passport with MFA, each user in Microsoft Entra ID needs an Email value. Without it, the user may complete MFA in the web view but fail at the Enter your Microsoft Entra ID password verification step. In the Microsoft Entra admin center, open Users > All users, select the user, click Edit properties, enter an address in Email, and click Save. The value does not need to be a working mailbox; often it matches User principal name.
AADSTS50126: Invalid username or password
What you see: Microsoft Entra ID message: InvalidUserNameOrPassword: error validating credentials due to invalid username or password. The user did not enter the right credentials. Some of these errors in logs are expected when users mistype credentials.
What to do:
- Confirm the username and password with your IdP.
- Microsoft Entra ID may be federated with AD FS or another identity provider, which can surface this error to Passport. See Authentication Flow in a Federated Environment in Using Passport in a federated Microsoft Entra ID environment.
AADSTS700025: Public client must not send client secret
What you see: Microsoft Entra ID message: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented.
What to do:
- In the Entra admin center, open Applications > App registrations > All applications > [your Passport app] > Authentication > Platform configurations, and align the platform and redirect URI with your Passport Authentication mode and with Configure Passport with Microsoft Entra ID - Mac Login or Configure Passport with Microsoft Entra ID - Web Login:
  - Mac Login: Use the Web platform and redirect URI https://localhost.redirect.
  - Web Login: Use Public client/native (mobile & desktop) and redirect URI https://localhost.
- Open Certificates & secrets and remove any Client secret on the app if it should be public-client only.
- In Iru Endpoint, confirm the Passport Library Item Client secret (optional) field is empty.
AADSTS7000215: Invalid client secret
What you see: Microsoft Entra ID message: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value.
What to do:
- In the Entra admin center, open Applications > App registrations > All applications > [your Passport app] > Authentication > Platform configurations, and align the platform and redirect URI with your Passport Authentication mode and with Configure Passport with Microsoft Entra ID - Mac Login or Configure Passport with Microsoft Entra ID - Web Login:
  - Mac Login: Use the Web platform and redirect URI https://localhost.redirect.
  - Web Login: Use Public client/native (mobile & desktop) and redirect URI https://localhost.
- Open Certificates & secrets and remove the Client secret if the app is configured as a public client for Passport.
- In Iru Endpoint, confirm the Passport Library Item Client secret (optional) field is empty.
AADSTS50079: Enroll in MFA
What you see: Microsoft Entra ID message: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the identifier shown in the error.
What to do:
- If you use Mac Login, the user may have legacy per-user MFA enabled. A managed user may need to register security info, or a federated user may need the MFA claim from the federated IdP.
- Conditional Access, per-user enforcement, and other policies can also require MFA enrollment.
Ticket decode failed
What you see:
- Ticket decode failed
- Failed to login with possible error: Unknown
What to do:
- Remove the optional client secret from the Passport Library Item, let the device check in, sign out of the local user, and sign in again with Passport.
- If it persists, rule out network issues (for example try a mobile hotspot).
No key was found matching "givenName"
What you see: An error occurred fetching user info: No key was found matching “givenName”.
What to do:
- In the Microsoft Entra admin center, open Identity > Users > All users, open the user who is signing in, and confirm that First name is populated.
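As an added example (not Iru's code or part of this article), the following Python triage helper scans text copied from the Passport Diagnostics panel for the error codes and messages documented above, maps each to the remedy this article gives, and applies the client-secret cross-check from the AADSTS700025 and AADSTS7000215 sections. The log lines, the REMEDIES table and the library_item_secret_set flag are constructed for illustration; the category names are assumptions.

```python
import re

# (category, next action) condensed from this page's error sections; anything
# else is sent to the Microsoft error lookup. Hypothetical helper, not Iru code.
REMEDIES = {
    "AADSTS50076": ("mfa", "User must complete MFA (Conditional Access, per-user or client-requested)."),
    "AADSTS50079": ("mfa", "User must enroll in MFA; check legacy per-user MFA and Conditional Access."),
    "AADSTS50020": ("directory", "Confirm the user exists under Users > All users; add as external user if needed."),
    "AADSTS50034": ("directory", "Populate the Email property on the user (often equal to the UPN)."),
    "AADSTS50126": ("credentials", "Verify the password with the IdP; check federation (for example AD FS)."),
    "AADSTS700025": ("app_registration", "Public client sent a secret: align platform/redirect URI, remove the secret."),
    "AADSTS7000215": ("app_registration", "Invalid client secret: align platform/redirect URI, remove the secret."),
    "TICKET_DECODE": ("app_registration", "Clear the optional client secret, let the device check in, sign in again."),
    "GIVEN_NAME_MISSING": ("directory", "Populate First name on the user in the Entra admin center."),
}
CODE_RE = re.compile(r"\b(AADSTS\d+)\b")
# Non-AADSTS messages the page documents, keyed to their REMEDIES entry.
MESSAGE_PATTERNS = {
    "TICKET_DECODE": re.compile(r"Ticket decode failed|Failed to login with possible error: Unknown"),
    "GIVEN_NAME_MISSING": re.compile(r"No key was found matching .givenName."),  # any quote style
}

def triage(lines, library_item_secret_set=False):
    """Return one finding per distinct error, in order of first appearance.
    library_item_secret_set: True if the Library Item 'Client secret (optional)' field is filled."""
    findings, seen = [], set()
    for line in lines:
        keys = CODE_RE.findall(line) + [k for k, pat in MESSAGE_PATTERNS.items() if pat.search(line)]
        for key in keys:
            if key in seen:
                continue
            seen.add(key)
            category, action = REMEDIES.get(key, ("unknown", f"Look up {key} at login.microsoftonline.com/error."))
            if category == "app_registration" and library_item_secret_set:
                action += " The Library Item client secret field is set; clear it first."
            findings.append({"code": key, "category": category, "action": action})
    return findings

# Constructed sample of what the Diagnostics panel might show; not real Passport output.
SAMPLE_LOG = [
    "09:12:03 IdP error AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.",
    "09:12:03 Failed to login with possible error: Unknown",
    "09:14:40 IdP error AADSTS50076: Due to a configuration change made by your administrator, you must use multi-factor authentication",
    "09:15:02 An error occurred fetching user info: No key was found matching \u201cgivenName\u201d.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, library_item_secret_set=True):
        print(f"{f['code']:<20} {f['category']:<16} {f['action']}")
```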