<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta EAM Authentication Fails With Azure Error AADSTS50012620

Okta Identity Engine
API Access Management

Overview

When attempting to authenticate using External Authentication Methods (EAM) configured across both Microsoft Azure and Okta, users may encounter an HTTP 403 error or fail to log in entirely.

 

This issue typically occurs because the web browser mishandles the Multi-Factor Authentication (MFA) setup routine, preventing Okta from successfully fulfilling the access policy requirements. To resolve this problem, the user's profile must be cleared and recreated in Okta, followed by a clean MFA enrollment using Okta Verify on the latest version of Google Chrome. Using Okta Verify ensures that the access policy requirements are consistently satisfied.

 

During this failure, the following error message is displayed by Azure Active Directory (AAD):

 

AADSTS50012620: Cannot complete external authentication: provider returned 'access_denied' error.

 

Applies To

  • Okta Identity Engine (OIE)
  • External Authentication Methods (EAM)
  • Microsoft Azure Active Directory (AAD) / Entra ID
  • Multi-Factor Authentication (MFA)
  • Okta Verify

Cause

The root cause is a browser-level mishandling of the MFA setup interaction during the external authentication flow, which yields a 403 error. Because the authentication transaction fails to satisfy the designated access policy, Azure rejects the token request and throws the access_denied error code. Enrolling and authenticating via Okta Verify bypasses this browser limitation and successfully satisfies the access policy.

Solution

How is the Azure EAM authentication error resolved?

Resolve this issue and establish a working EAM pattern for the user by deleting and recreating the user profile in Okta, then enrolling MFA using Okta Verify.

  1. Log in to the Okta Admin Console.
  2. Go to Directory > People.
  3. Search for the affected user and select their profile.
  4. Delete the user profile from Okta.
  5. Wait 5 minutes to ensure backend syncs and deletions are fully processed.
  6. Recreate the user profile in Okta, ensuring it matches the corresponding Azure configuration.
  7. Instruct the user to log in and enroll their MFA using Okta Verify while using the latest version of the Google Chrome browser.
Loading
Okta Support - Okta EAM Authentication Fails With Azure Error AADSTS50012620