What causes AADSTS50072?

Conditional Access policy requires MFA but the user has never registered a second factor (Authenticator app, phone, FIDO2 key). Security Defaults are enabled on the Microsoft Entra ID (Azure AD) tenant, forcing MFA enrollment for all users. Combined Security Information Registration policy requires the user to register before first interactive sign-in. Service account or shared identity is hitting an interactive MFA prompt it cannot satisfy (non-interactive flow). User's previously registered MFA method was deleted or reset by an admin and re-registration hasn't happened

How do I fix AADSTS50072?

Have the user sign in interactively at https://aka.ms/mfasetup (or https://mysignins.microsoft.com/security-info) and register an MFA method — Authenticator app is recommended. In the Microsoft Entra admin center, check Protection > Conditional Access and Properties > Security Defaults to confirm which policy is forcing MFA on this user. If this is a service account or unattended Power BI / ADF / Fabric workload, switch to a service principal or managed identity instead of a user account — interactive MFA cannot be satisfied by automated flows. If MFA registration is blocked by network policy, ensure the user is on a trusted network or temporarily exclude them from the Conditional Access policy long enough to register. As a last resort, an admin can reset the user's authentication methods under Users > [user] > Authentication methods and ask the user to re-register

Low severityauthentication

Power BI Error:
AADSTS50072

What does this error mean?

User must complete multi-factor authentication (MFA) enrollment before they can sign in to the application.

Common causes

1Conditional Access policy requires MFA but the user has never registered a second factor (Authenticator app, phone, FIDO2 key)
2Security Defaults are enabled on the Microsoft Entra ID (Azure AD) tenant, forcing MFA enrollment for all users
3Combined Security Information Registration policy requires the user to register before first interactive sign-in
4Service account or shared identity is hitting an interactive MFA prompt it cannot satisfy (non-interactive flow)
5User's previously registered MFA method was deleted or reset by an admin and re-registration hasn't happened

How to fix it

1Have the user sign in interactively at https://aka.ms/mfasetup (or https://mysignins.microsoft.com/security-info) and register an MFA method — Authenticator app is recommended
2In the Microsoft Entra admin center, check Protection > Conditional Access and Properties > Security Defaults to confirm which policy is forcing MFA on this user
3If this is a service account or unattended Power BI / ADF / Fabric workload, switch to a service principal or managed identity instead of a user account — interactive MFA cannot be satisfied by automated flows
4If MFA registration is blocked by network policy, ensure the user is on a trusted network or temporarily exclude them from the Conditional Access policy long enough to register
5As a last resort, an admin can reset the user's authentication methods under Users > [user] > Authentication methods and ask the user to re-register

Frequently asked questions

What does AADSTS50072 mean?

UserStrongAuthEnrollmentReq

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes