AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication

Error: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access

This can typically be caused by a conditional access policy in your customer tenant.


Cause: A conditional access policy is blocking your partner tenant's access.

How to Identify the Policy

  • Log in to the customer's Azure portal
  • Open Microsoft Entra ID (Azure AD)
  • Go to Users → Sign-in logs
  • Select User sign-ins (non-interactive)
  • Filter by application name "Sync 365 License"
  • Click into the failed sign-in
  • Click Conditional Access policy to see which policies were applied.
  • Look for a policy with a Blocked Result; that is the one blocking the sign-in.
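
The same triage can be scripted over a JSON export of the sign-in logs. This is an added example, not part of the original article or the vendor's tooling; it assumes records shaped like the Microsoft Graph signIn resource, where a policy that stopped the sign-in is recorded with the result `failure`, and all sample records are constructed.

```python
import json
from collections import defaultdict

APP_NAME = "Sync 365 License"  # application name used in this article
ERROR_CODE = 50079             # AADSTS50079

def _rec(sid, app, code, policies):
    """Build one constructed record with the assumed signIn field names."""
    return {"id": sid, "appDisplayName": app, "status": {"errorCode": code},
            "appliedConditionalAccessPolicies": policies}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps([
    _rec("s1", APP_NAME, 50079, [
        {"displayName": "Require MFA for all users", "result": "failure"},
        {"displayName": "Block legacy auth", "result": "notApplied"},
        {"displayName": "Pilot: compliant device", "result": "reportOnlyFailure"}]),
    _rec("s2", APP_NAME, 0, [
        {"displayName": "Require MFA for all users", "result": "success"}]),
    _rec("s3", "Other App", 50079, [
        {"displayName": "Require MFA for admins", "result": "failure"}]),
    _rec("s4", APP_NAME, 50079, None),  # record with no policy details
    _rec("s5", APP_NAME, "50079", [     # error code exported as a string
        {"displayName": "Require MFA for all users", "result": "failure"}]),
])

def blocking_policies(export_json, app_name=APP_NAME, error_code=ERROR_CODE):
    """Map policy name -> sign-in ids where that policy failed the sign-in.

    Only sign-ins by app_name that ended in error_code are considered, and
    report-only or not-applied policies are ignored because they do not block.
    """
    hits = defaultdict(list)
    for rec in json.loads(export_json):
        if rec.get("appDisplayName") != app_name:
            continue
        if str((rec.get("status") or {}).get("errorCode")) != str(error_code):
            continue
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if (pol.get("result") or "").lower() == "failure":
                hits[pol.get("displayName") or pol.get("id")].append(rec.get("id"))
    return dict(hits)

if __name__ == "__main__":
    for policy, sign_ins in blocking_policies(SAMPLE_EXPORT).items():
        print(f"{policy}: blocked {len(sign_ins)} sign-in(s): {', '.join(sign_ins)}")
```

A policy that appears against many failed sign-in ids is the first candidate for the service provider exclusion.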

Resolution

Customer Tenants

Exclude service provider users from ALL conditional access policies

  • Log into conditional access policies in the customer tenant
  • For each policy add an exclusion to "Users and Groups"
  • In the Users section, click Exclude → select "Service provider users"
    • All: excludes all service providers with tenant relationships
    • Select: allows you to specify specific tenant IDs — be sure to enter your tenant ID

If there are no identified policies, follow the steps below:

Re-consent the delegated admin account so a fresh token is issued:

  1. Log in to Sync 365
  2. Go to Company → Delegated admin tab
  3. Take note of the currently active account (do not delete it)
  4. Click Add → Grant partner center consent
  5. Log in with the delegated admin account
  6. Ensure that you are prompted for MFA — this is required for Partner Center token refresh

Once consent completes, the error should clear automatically.