Microsoft MFA & Conditional Access Errors
Applies to every Microsoft integration — Outlook, Excel, SharePoint, and OneDrive — because they all use delegated (per-user) OAuth2.
The error
A credential that used to work suddenly fails (in a node run, a Test Node result, or a credential test) with something like:
Token refresh failed: invalid_grant ... AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
00000003-0000-0000-c000-000000000000 is Microsoft Graph. Falcon Builder now surfaces this as: “Microsoft requires multi-factor authentication (MFA) for this account. Reconnect the credential and complete the MFA prompt during sign-in.”
What it means
This is not a Falcon Builder bug — it's Microsoft Entra (Azure AD) enforcing a Conditional Access policy that requires MFA. The key phrase is “due to a configuration change made by your administrator.” Your stored sign-in (refresh token) was issued before the MFA policy applied, so Microsoft now rejects it — and there is no way to silently refresh it, because MFA, by design, needs a human.
Common triggers:
- An admin turned on (or tightened) an MFA / Conditional Access policy after the credential was connected.
- A Conditional Access “sign-in frequency” window elapsed, forcing re-auth.
- The account's password changed, or the session was revoked.
How to fix it (per user)
- Go to Dashboard → Credentials and open the affected Microsoft credential.
- Click Connect (Connect Microsoft Excel / Outlook / SharePoint / OneDrive) to start sign-in again.
- Complete the MFA challenge when Microsoft prompts you (Authenticator approval, code, etc.). This is the important part — a fresh, MFA-satisfied sign-in issues a new token the policy accepts.
- If Microsoft signs you in automatically without prompting (single sign-on from a session that skipped MFA), reconnect in a private / incognito window, or sign out of Microsoft first, so you're forced to authenticate and complete MFA.
- Re-run your workflow / Test Node. It should now succeed.
Reconnecting from a credential's edit page updates that credential in place — it won't create a duplicate.
Notes for administrators
Delegated OAuth runs as a signed-in user, so it is always subject to that user's Conditional Access policies. For unattended automation:
- Sign-in frequency policies periodically invalidate refresh tokens, which forces users to reconnect on that cadence. For long-running unattended workflows, consider a dedicated automation account excluded from sign-in-frequency (while still meeting your security bar), or schedule periodic reconnects.
- Make sure the Falcon Builder app and the account are allowed by your Conditional Access policies (location, device compliance, etc.). A hard block shows up as AADSTS53003/AADSTS53000.
- For SharePoint and OneDrive, an alternative to delegated OAuth is the App-Only (client credentials) connection type, which authenticates as the application (no user, no MFA) and suits unattended service scenarios. Excel and Outlook are delegated-only today.
- Excluding the app from MFA entirely is possible but not recommended.
Related error codes
| Code | Meaning | Action |
|---|---|---|
| AADSTS50076 / AADSTS50079 | MFA required / not yet performed | Reconnect and complete MFA |
| interaction_required | Interactive sign-in needed | Reconnect |
| AADSTS53003 / AADSTS53000 | Blocked by Conditional Access | Admin must allow the app/account, then reconnect |
| invalid_grant / AADSTS70008 | Refresh token expired or revoked | Reconnect |
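As an added illustration (not Falcon Builder's own code), the following Python classifies a token-endpoint error body according to the table above, checking the AADSTS code before the generic OAuth2 `error` field so that an MFA failure wrapped in `invalid_grant` is not silently retried as an expired token. The `RefreshVerdict` type, the category names and the sample body are constructed for this example; the two transient OAuth2 codes it marks as retryable go beyond the table.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

AADSTS_RE = re.compile(r"AADSTS(\d{5})")  # code Entra embeds in error_description


@dataclass(frozen=True)
class RefreshVerdict:
    category: str        # machine-readable class of failure
    code: Optional[str]  # AADSTS code from the description, if any
    retryable: bool      # True only if a silent retry could possibly succeed
    action: str          # what to tell the user or admin


def classify_refresh_error(body: str) -> RefreshVerdict:
    """Classify a token-endpoint error body from a failed refresh attempt."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):  # non-JSON body (e.g. HTML) or bare scalar
        payload = {"error_description": body}
    error = str(payload.get("error", "unknown"))
    match = AADSTS_RE.search(str(payload.get("error_description") or ""))
    code = f"AADSTS{match.group(1)}" if match else None
    # Check the AADSTS code before the generic OAuth2 `error` field: an MFA failure
    # arrives as error=invalid_grant with AADSTS50076, not as an ordinary expiry.
    if code in ("AADSTS50076", "AADSTS50079"):
        return RefreshVerdict("mfa_required", code, False,
                              "Reconnect the credential and complete the MFA prompt.")
    if code in ("AADSTS53003", "AADSTS53000"):
        return RefreshVerdict("conditional_access_blocked", code, False,
                              "Admin must allow the app/account, then reconnect.")
    if error == "interaction_required":
        return RefreshVerdict("interaction_required", code, False, "Reconnect.")
    if error == "invalid_grant" or code == "AADSTS70008":
        return RefreshVerdict("token_expired_or_revoked", code, False, "Reconnect.")
    if error in ("temporarily_unavailable", "server_error"):  # standard OAuth2 transients
        return RefreshVerdict("transient", code, True, "Retry the refresh with backoff.")
    return RefreshVerdict("unknown", code, False, f"Unhandled error '{error}'; reconnect.")


# Constructed sample modelled on the AADSTS50076 message quoted on this page.
SAMPLE_MFA_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, "
    "or because you moved to a new location, you must use multi-factor authentication to access "
    "'00000003-0000-0000-c000-000000000000'.",
})
```

Anything that is not `transient` should surface to the user or admin rather than loop on the refresh endpoint, because no number of silent retries satisfies an MFA or Conditional Access requirement.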