AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication
Error: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access
This can typically be caused by a conditional access policy in your customer tenant.
Cause: When a conditional access policy is blocking your partner tenant access.
How to Identify the Policy
- Login to the customer's Azure portal
- Open Microsoft Entra ID (Azure AD)
- Go to Users → Sign-in logs
- Select User sign-ins (non-interactive)
- Filter by application name "Sync 365 License"
- Click into the failed sign-in
- Click Conditional Access policy to see any applied.
- Look for one with a Blocked Result to find the one that is blocking it.
Resolution
Customer Tenants
Exclude service provider users from ALL conditional access policies
- Log into conditional access policies in the customer tenant
- For each policy add an exclusion to "Users and Groups"
- In the Users section, click Exclude → select "Service provider users"
- All: excludes all service providers with tenant relationships
- Select: allows you to specify specific tenant IDs — be sure to enter your tenant ID
If there are no identified policies, follow the below steps:
Re-consent the delegated admin account so a fresh token is issued:
- Login to Sync 365
- Go to Company → Delegated admin tab
- Take note of the currently active account (do not delete it)
- Click Add → Grant partner center consent
- Log in with the delegated admin account
- Ensure that you are prompted for MFA — this is required for Partner Center token refresh
Once consent completes, the error should clear automatically.
Related Articles
AADSTS50076 – MFA Required Due to Location or Policy Change
Error: AADSTS50076 – Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access This error is raised when Microsoft detects a change in MFA posture — such as an ...AADSTS700082 – Refresh Token Expired Due to Inactivity
Error: AADSTS700082 – The refresh token has expired due to inactivity This typically occurs when the customer tenant has an MFA setting that allows "remember MFA for X days", which breaks token refresh after extended inactivity. Cause: The “remember ...Master Index Page for Troubleshooting Microsoft 365 Errors
Troubleshooting Microsoft 365 Errors If you've received an error in Sync 365 related to authentication, consent, token refresh, or license sync, use the links below to find the exact resolution. Authentication& MFA Errors AADSTS50078 – MFA expired ...AADSTS50078 – MFA Expired Due to Admin Policy
Error: AADSTS50078 – Presented MFA has expired due to policies configured by your administrator This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional ...AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune
Error: AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune If you’ve ...