azure_codes.json

[
    {
        "ErrorCode": "0",
        "Message": "No specific error message for this error code"
    },
    {
        "ErrorCode": "16000",
        "Message": "Either multiple user identities are available for the current request or selected account is not supported for the scenario.",
        "Remediation": "This is not an error scenario, but is handled like one by Azure AD to handle certain authentication flows.  This is not an indication that anything went wrong."
    },
    {
        "ErrorCode": "16001",
        "Message": "Active accounts must be logged out first."
    },
    {
        "ErrorCode": "16002",
        "Message": "Application requested to sign out of a user session which does not exist."
    },
    {
        "ErrorCode": "16003",
        "Message": "The user account does not exist in the directory or the user hasn't been explicitly added to the tenant. To sign into this application, the account must be added to the directory.",
        "Remediation": "Invite the user to the tenant, or ignore this error if the user isn't supposed to be a member of the tenant. This can be the case when someone is sent to a login URL for your tenant without being a member, or picks the wrong user account."
    },
    {
        "ErrorCode": "17001",
        "Message": "Protected credential key can not be decoded."
    },
    {
        "ErrorCode": "17002",
        "Message": "Credential key can not be protected."
    },
    {
        "ErrorCode": "17003",
        "Message": "User key ({keyType}) could not be provisioned."
    },
    {
        "ErrorCode": "17004",
        "Message": "Protected credential key can not be decoded."
    },
    {
        "ErrorCode": "18000",
        "Message": "Cannot decrypt auth ticket with key version '{version}'."
    },
    {
        "ErrorCode": "18001",
        "Message": "Cannot decrypt buffer because of a HMAC mismatch."
    },
    {
        "ErrorCode": "20001",
        "Message": "The sign-in response message does not contain an issued token.",
        "Remediation": "There's an issue with your federated identity provider. The WS-Federation response acquired from a federated identity provider has been successfully parsed, but it did not contain SAML 1.1 assertion issued for the user. Please contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "20002",
        "Message": "An error occurred while attempting to export Federation Metadata."
    },
    {
        "ErrorCode": "20012",
        "Message": "An error occurred when we tried to process a WS-Federation message. The message was invalid.",
        "Remediation": "There is an issue with your federated identity provider. Contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "20024",
        "Message": "Federation metadata retrieval failed after multiple retries."
    },
    {
        "ErrorCode": "20033",
        "Message": "The actual message content is runtime specific. Please see returned exception message for details.",
        "Remediation": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "20034",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "25008",
        "Message": "Unable to parse assertion."
    },
    {
        "ErrorCode": "26000",
        "Message": "The provided access grant requires interaction."
    },
    {
        "ErrorCode": "27000",
        "Message": "Error when processing DeviceAuthRedirect request."
    },
    {
        "ErrorCode": "28000",
        "Message": "Provided value for the input parameter scope is not valid because it contains more than one resource. Scope {scope} is not valid."
    },
    {
        "ErrorCode": "28001",
        "Message": "Provided request must include a 'scope' input parameter."
    },
    {
        "ErrorCode": "28002",
        "Message": "Provided value for the input parameter scope '{scope}' is not valid when requesting an access token. Please specify a valid scope."
    },
    {
        "ErrorCode": "28003",
        "Message": "Provided value for the input parameter scope cannot be empty when requesting an access token using the provided authorization code. Please specify a valid scope."
    },
    {
        "ErrorCode": "28004",
        "Message": "The provided value for the input parameter 'scope' exceeded the number of scopes allowed. The scope {scope} is not valid."
    },
    {
        "ErrorCode": "28005",
        "Message": "The provided value for the input parameter 'actionid' was invalid."
    },
    {
        "ErrorCode": "28006",
        "Message": "The provided value for the input parameter 'pageid' was invalid."
    },
    {
        "ErrorCode": "28007",
        "Message": "The parameters provided in the request are incorrect or missing."
    },
    {
        "ErrorCode": "29000",
        "Message": "Invalid signing key for SSH certificate"
    },
    {
        "ErrorCode": "29001",
        "Message": "User is missing UPN or email"
    },
    {
        "ErrorCode": "29002",
        "Message": "Missing Proof of Possession key"
    },
    {
        "ErrorCode": "29003",
        "Message": "Proof of Possession key is invalid"
    },
    {
        "ErrorCode": "29004",
        "Message": "Proof of Possession key type is not supported"
    },
    {
        "ErrorCode": "29005",
        "Message": "The token scenario {tokenScenario} is invalid."
    },
    {
        "ErrorCode": "29006",
        "Message": "Client is missing application principal ID (Client ID) in tenant {tenantId}"
    },
    {
        "ErrorCode": "29007",
        "Message": "The permission (scope) list {scopeListString} is missing user_impersonation"
    },
    {
        "ErrorCode": "29008",
        "Message": "The resource 'Microsoft Azure Linux Virtual Machine Sign-In' ({resourceUrl}) is required for SSH certificate token request"
    },
    {
        "ErrorCode": "29100",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "29200",
        "Message": "QR Code requested. Generate QR code and display on UX page for interactive sign-ins."
    },
    {
        "ErrorCode": "29201",
        "Message": "Invalid QR Code request. Client Id ({clientId}) or target client Id ({targetClientId}) is invalid."
    },
    {
        "ErrorCode": "29202",
        "Message": "Invalid scope and response_type request parameters. scope=qrcode can only be used with response_type=none."
    },
    {
        "ErrorCode": "29203",
        "Message": "Invalid target_client_id '{targetClientId}' argument value."
    },
    {
        "ErrorCode": "29204",
        "Message": "Failed to write QR Code token to Store."
    },
    {
        "ErrorCode": "29205",
        "Message": "Generated QR Code string has exceeded maximum supported length."
    },
    {
        "ErrorCode": "29206",
        "Message": "Invalid QR Code redemption request. Client Id ({clientId}) is invalid."
    },
    {
        "ErrorCode": "29207",
        "Message": "Error processing session data. QR Code is either invalid or expired."
    },
    {
        "ErrorCode": "29208",
        "Message": "Error processing session data. QR Code was already redeemed."
    },
    {
        "ErrorCode": "29210",
        "Message": "QR Code sign-in is disabled via user credential policy."
    },
    {
        "ErrorCode": "29211",
        "Message": "QR Code sign-in is not supported for passthrough users."
    },
    {
        "ErrorCode": "29212",
        "Message": "QR Code sign-in is not supported for consumer user scenarios."
    },
    {
        "ErrorCode": "40002",
        "Message": "The identity provider returned an error. The status returned was '{status}' and the message was '{message}'."
    },
    {
        "ErrorCode": "40003",
        "Message": "A required token was not emitted by an external Identity Provider."
    },
    {
        "ErrorCode": "40004",
        "Message": "A required token was not emitted by an external Identity Provider."
    },
    {
        "ErrorCode": "40005",
        "Message": "Invalid token received from external Identity Provider. Current time: {curTime}, expiry time of assertion {expTime}."
    },
    {
        "ErrorCode": "40008",
        "Message": "There was an unexpected error from the external identity provider.",
        "Remediation": "There is an issue with your federated identity provider. Contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "40009",
        "Message": "The identity provider returned an error.",
        "Remediation": "There is an issue with your federated identity provider. Contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "40010",
        "Message": "The identity provider has failed with a transient error.",
        "Remediation": "The application should retry the request. If there is still an issue, contact your identity provider."
    },
    {
        "ErrorCode": "40013",
        "Message": "Social IDP MicroService Federation disabled."
    },
    {
        "ErrorCode": "40014",
        "Message": "Federated Identity Provider is unavailable.",
        "Remediation": "There is an issue with your federated identity provider. Contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "40015",
        "Message": "The identity provider returned an error.",
        "Remediation": "There is an issue with your federated identity provider. Contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "40016",
        "Message": "The Identity Provider returned an error.",
        "Remediation": "There is an issue with your federated identity provider. Contact your identity provider to resolve this issue."
    },
    {
        "ErrorCode": "50000",
        "Message": "There was an error issuing a token or an issue with our sign-in service.",
        "Remediation": "If this persists, open a support ticket to resolve this issue: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto"
    },
    {
        "ErrorCode": "50001",
        "Message": "The resource is disabled or the resource named could not be found. This can happen if the application has not been installed by the administrator of the tenant, or if the resource principal was not found in the directory or is invalid due to a typo.",
        "Remediation": "Check your app's code to ensure that you have specified the exact and correct resource URL for the resource you are trying to access. Please see the returned exception message for details."
    },
    {
        "ErrorCode": "50002",
        "Message": "This tenant isn't supported for this authentication method yet."
    },
    {
        "ErrorCode": "50003",
        "Message": "Certificate roll is in progress. Please retry the operation later.",
        "Remediation": "Check the resolutions outlined at https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery#certificate-or-key-not-configured. If you still see issues, contact the app owner or an app admin."
    },
    {
        "ErrorCode": "50004",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "50005",
        "Message": "User tried to log in to a device from a platform ({platform}) that's currently not supported through Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors."
    },
    {
        "ErrorCode": "50006",
        "Message": "Signature verification failed because of an invalid signature.",
        "Remediation": "Check out the resolution outlined at https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery. If the issue persists, contact the application owner or application administrator."
    },
    {
        "ErrorCode": "50007",
        "Message": "Encryption certificate was not found in the directory."
    },
    {
        "ErrorCode": "50008",
        "Message": "The SAML token is invalid.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "50010",
        "Message": "Audience URI validation failed since no token audiences were configured.",
        "Remediation": "Contact the application owner for resolution."
    },
    {
        "ErrorCode": "50011",
        "Message": "The reply URL specified in the request does not match the reply URLs configured for the application: '{identifier}'. {detail}",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "50012",
        "Message": "Authentication failed.",
        "Remediation": "Ensure that the request is sent with the correct credentials and claims."
    },
    {
        "ErrorCode": "50013",
        "Message": "Assertion failed signature validation. Possibly because the token issuer doesn't match the API version within its valid time range, it's expired or malformed, or the refresh token in the assertion is not a primary refresh token.",
        "Remediation": "Application error. Contact the app developer and ask them to debug this issue."
    },
    {
        "ErrorCode": "50014",
        "Message": "The user's redemption is in a pending state. The guest user account is not fully created yet."
    },
    {
        "ErrorCode": "50015",
        "Message": "The user requires legal age group consent.",
        "Remediation": "This user was asked to provide their age due to legal requirements."
    },
    {
        "ErrorCode": "50016",
        "Message": "Invalid Argument Redirect ErrorCode value."
    },
    {
        "ErrorCode": "50017",
        "Message": "Validation of given certificate for certificate based authentication failed.",
        "Remediation": "Contact the tenant admin. Possible reasons for this error include: cannot find issuing certificate in trusted certificates list, unable to find expected CrlSegment, cannot find issuing certificate in trusted certificates list, delta CRL distribution point is configured without a corresponding CRL distribution point, unable to retrieve valid CRL segments because of a timeout issue, or unable to download CRL."
    },
    {
        "ErrorCode": "50020",
        "Message": "User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.",
        "Remediation": "A user was sent to a tenanted endpoint, and signed into an AAD account that doesn't exist in your tenant. If this user should be a member of the tenant, they should be invited via the B2B system. See here for details: https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator"
    },
    {
        "ErrorCode": "50023",
        "Message": "ClaimType '{claimType}' is reserved for system use."
    },
    {
        "ErrorCode": "50024",
        "Message": "Unable to decrypt client state."
    },
    {
        "ErrorCode": "50025",
        "Message": "The issuer name must be specified."
    },
    {
        "ErrorCode": "50027",
        "Message": "JWT token is invalid or malformed.",
        "Remediation": "Contact the application owner to fix the JWT their app is creating for authentication. This can occur for a variety of reasons: doesn't contain nonce claim or sub claim, subject identifier mismatch, duplicate claim in idToken claims, unexpected issuer, unexpected audience, not within its valid time range, or a token format issue."
    },
    {
        "ErrorCode": "50029",
        "Message": "The reply URI specified in the request contains invalid characters. Domain names of this form are not supported.",
        "Remediation": "Contact the developer to update their app and app registration to use a different URI."
    },
    {
        "ErrorCode": "50030",
        "Message": "One of forwardableOnBehalfOfOriginsAcceptedAudiencesList or ForwardableOnBehalfOfOriginsAcceptedPrecedingAppsList is not set. Both fields need to be filled for PFT OBO to be successful. These must be filled for multi-hop PFT OBO to be succesful.",
        "Remediation": "The application owner must update the app registration and provide both the app that sent the PFT and the original resource."
    },
    {
        "ErrorCode": "50032",
        "Message": "RSA key size {actualSize} is less than the minimum required {minSize} bits."
    },
    {
        "ErrorCode": "50033",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "50034",
        "Message": "The user account {identifier} does not exist in the {tenant} directory. To sign into this application, the account must be added to the directory.",
        "Remediation": "The user that attempted to sign in doesn't exist in this tenant. This can occur because the user mis-typed their username, or isn't in the tenant. An application may have chosen the wrong tenant to sign into, and the currently logged in user was prevented from doing so since they did not exist in your tenant. If this user should be able to log in, add them as a guest. See docs here: https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator"
    },
    {
        "ErrorCode": "50038",
        "Message": "The API version isn't supported."
    },
    {
        "ErrorCode": "50042",
        "Message": "The salt required to generate a pairwise identifier is missing in the principal.",
        "Remediation": "If this application has been recently registered, please wait for some time for the configuration to take effect, and then try again."
    },
    {
        "ErrorCode": "50043",
        "Message": "Unable to generate a pairwise identifier with more than one salt in principal."
    },
    {
        "ErrorCode": "50045",
        "Message": "The salt required to generate a pairwise identifier is malformed in principal."
    },
    {
        "ErrorCode": "50048",
        "Message": "Subject must match the issuer claim in the client assertion.",
        "Remediation": "Contact the developer to ensure that the JWT they generated for authentication has correct sub and iss claims. https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials"
    },
    {
        "ErrorCode": "50049",
        "Message": "Unknown or invalid instance.",
        "Remediation": "Application error - the login request was malformed and could not be matched with an existing authentication endpoint or instance."
    },
    {
        "ErrorCode": "50050",
        "Message": "The request is malformed: invalid format for '{name}' value.",
        "Remediation": "Contact the application owner."
    },
    {
        "ErrorCode": "50052",
        "Message": "The password entered exceeds the maximum length. Please reach out to your admin to reset the password.",
        "Remediation": "The user is unable to login because their password exceeds the permitted maximum length. They should contact their admin to reset the password. If SSPR is enabled for their tenant, they can reset their password by following the Forgot your password link."
    },
    {
        "ErrorCode": "50053",
        "Message": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.",
        "Remediation": "This error can be returned for two reasons - the sign in could have come from a malicious IP address, or the account was locked due to repeated sign-in attempts. Only one error code is used to prevent an attacker from distinguishing between the states. In your Azure AD tenant, you can distinguish between these states by looking at the specific sign-in log entry for this request. For accounts locked for too many attempts, see https://docs.microsoft.com/azure/active-directory/identity-protection/howto-unblock-user"
    },
    {
        "ErrorCode": "50054",
        "Message": "Looks like you entered your old password. Try again with your new one.",
        "Remediation": "The user needs to enter a new password, not one they previously used."
    },
    {
        "ErrorCode": "50055",
        "Message": "The password is expired.",
        "Remediation": "The user's password is expired, and therefore their login or session was ended. They will be offered the opportunity to reset it, or may ask an admin to reset it via https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal"
    },
    {
        "ErrorCode": "50056",
        "Message": "Invalid or missing password: password does not exist in the directory for this user.",
        "Remediation": "The user should be asked to enter their password again."
    },
    {
        "ErrorCode": "50057",
        "Message": "The user account is disabled.",
        "Remediation": "The user object in Active Directory backing this account has been disabled. An admin can re-enable this account through Powershell: https://docs.microsoft.com/powershell/module/addsadministration/enable-adaccount?view=win10-ps"
    },
    {
        "ErrorCode": "50058",
        "Message": "Session information is not sufficient for single-sign-on.",
        "Remediation": "This means that a user is not signed in. This is a common error that's expected when a user is unauthenticated and has not yet signed in. If this error is encountered in an SSO context where the user has previously signed in, this means that the SSO session was either not found or invalid. This error may be returned to the application if prompt=none is specified."
    },
    {
        "ErrorCode": "50059",
        "Message": "No tenant-identifying information found in either the request or implied by any provided credentials."
    },
    {
        "ErrorCode": "50060",
        "Message": "Unable to sign out."
    },
    {
        "ErrorCode": "50061",
        "Message": "Unable to complete signout. The request was invalid."
    },
    {
        "ErrorCode": "50062",
        "Message": "Signout request is unauthorized."
    },
    {
        "ErrorCode": "50068",
        "Message": "Signout failed. The initiating application is not a participant in the current session."
    },
    {
        "ErrorCode": "50069",
        "Message": "Signout failed. The request specified a name identifier of '{identifier}' which did not match the existing session(s)."
    },
    {
        "ErrorCode": "50070",
        "Message": "Signout failed. The request specified session indexes '{identifier}' which did not match the existing session(s)."
    },
    {
        "ErrorCode": "50071",
        "Message": "Signout request has expired."
    },
    {
        "ErrorCode": "50072",
        "Message": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '{identifier}'.",
        "Remediation": "The user was presented options to provide contact options so that they can do MFA."
    },
    {
        "ErrorCode": "50074",
        "Message": "Strong Authentication is required.",
        "Remediation": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."
    },
    {
        "ErrorCode": "50076",
        "Message": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '{resource}'.",
        "Remediation": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."
    },
    {
        "ErrorCode": "50077",
        "Message": "The administrator created a conditional access policy that requires the authenticator to be used to provide GPS location."
    },
    {
        "ErrorCode": "50078",
        "Message": "Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '{resource}'."
    },
    {
        "ErrorCode": "50079",
        "Message": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '{identifier}'.",
        "Remediation": "Either a managed user needs to register security info to complete multi-factor authentication, or a federated user needs to get the multi-factor claim from the federated identity provider. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."
    },
    {
        "ErrorCode": "50080",
        "Message": "Bad request received."
    },
    {
        "ErrorCode": "50081",
        "Message": "The administrator created a conditional access policy that requires GPS location."
    },
    {
        "ErrorCode": "50085",
        "Message": "Refresh token needs a social identity provider login.",
        "Remediation": "The user is being redirected to another IDP for reauthentication."
    },
    {
        "ErrorCode": "50087",
        "Message": "A transient error has occurred during strong authentication. Please try again."
    },
    {
        "ErrorCode": "50088",
        "Message": "Limit on telecom MFA calls reached. Please try again in a few minutes."
    },
    {
        "ErrorCode": "50089",
        "Message": "Authentication failed due to flow token expired.",
        "Remediation": "Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user."
    },
    {
        "ErrorCode": "50091",
        "Message": "Passed query string length exceeds supported limit."
    },
    {
        "ErrorCode": "50093",
        "Message": "Missing value for the SAML NameID."
    },
    {
        "ErrorCode": "50094",
        "Message": "Unknown source configured on the audience for the SAML NameID."
    },
    {
        "ErrorCode": "50095",
        "Message": "Unknown source configured on the audience for the SAML email claim."
    },
    {
        "ErrorCode": "50096",
        "Message": "Source configured on the audience for the SAML NameID is not compatible with the requested format."
    },
    {
        "ErrorCode": "50097",
        "Message": "Device authentication is required.",
        "Remediation": "This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed."
    },
    {
        "ErrorCode": "50098",
        "Message": "JWT body must contain '{field}'."
    },
    {
        "ErrorCode": "50099",
        "Message": "Invalid nonce."
    },
    {
        "ErrorCode": "50100",
        "Message": "There was an error transforming the claims for the token."
    },
    {
        "ErrorCode": "50101",
        "Message": "Unknown claims transformer '{name}' was specified for principal '{principalId}'."
    },
    {
        "ErrorCode": "50102",
        "Message": "Unable to load CustomClaimsTransformer '{type}' was specified for principal '{principalId}'."
    },
    {
        "ErrorCode": "50103",
        "Message": "There was an error transforming the claims for the token: {errorMessage}"
    },
    {
        "ErrorCode": "50105",
        "Message": "Your administrator has configured the application {appName} ('{appId}') to block users unless they are specifically granted ('assigned') access to the application.  The signed in user '{user}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.",
        "Remediation": "Assign the user to the app. See https://docs.microsoft.com/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups and https://docs.microsoft.com/azure/active-directory/manage-apps/application-sign-in-problem-federated-sso-gallery#user-not-assigned-a-role"
    },
    {
        "ErrorCode": "50107",
        "Message": "The requested federation realm object '{name}' does not exist.",
        "Remediation": "Application error - the login request was malformed and could not be matched with an existing authentication endpoint or instance."
    },
    {
        "ErrorCode": "50108",
        "Message": "Claims transformation configuration could not be retrieved."
    },
    {
        "ErrorCode": "50109",
        "Message": "Claim transformation is unknown from configuration."
    },
    {
        "ErrorCode": "50111",
        "Message": "Unknown claim transformation was asked to be applied."
    },
    {
        "ErrorCode": "50117",
        "Message": "Failed to deserialize policy specified in the request's claim parameter."
    },
    {
        "ErrorCode": "50120",
        "Message": "Unknown credential type, issue with the JWT header."
    },
    {
        "ErrorCode": "50123",
        "Message": "Unknown claims transformation method '{method}' was specified for principal '{principalId}'."
    },
    {
        "ErrorCode": "50124",
        "Message": "Invalid regular expression configured for claims transformation for this application.",
        "Remediation": "Contact your tenant admin to fix the claims mapping configuration. See https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization"
    },
    {
        "ErrorCode": "50125",
        "Message": "Sign-in was interrupted due to a password reset or password registration entry.",
        "Remediation": "User authentication was blocked because they need to provide password reset information. Their next interactive sign in will ask them for this, which the app should trigger next."
    },
    {
        "ErrorCode": "50126",
        "Message": "Error validating credentials due to invalid username or password.",
        "Remediation": "The user didn't enter the right credentials.  It's expected to see some number of these errors in your logs due to users making mistakes."
    },
    {
        "ErrorCode": "50127",
        "Message": "Client app is a MAM app and device is not registered.",
        "Remediation": "The user needs to install the broker app and work place join using the broker app in order to register the device."
    },
    {
        "ErrorCode": "50128",
        "Message": "No tenant-identifying information found in either the request or implied by any provided credentials."
    },
    {
        "ErrorCode": "50129",
        "Message": "The device is not workplace joined. Workplace join is required to register the device."
    },
    {
        "ErrorCode": "50130",
        "Message": "The claim value(s) '{value}' cannot be interpreted as known auth method(s)."
    },
    {
        "ErrorCode": "50131",
        "Message": "Device is not in required device state: {state}. Or, the request was blocked due to suspicious activity, access policy, or security policy decisions."
    },
    {
        "ErrorCode": "50132",
        "Message": "The session is not valid due the following reasons: password expiration or recent password change, SSO Artifact is invalid or expired, session is not fresh enough for application, or a silent sign-in request was sent but the user's session with Azure AD is invalid or has expired.",
        "Remediation": "Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user."
    },
    {
        "ErrorCode": "50133",
        "Message": "The session is not valid due to password expiration or recent password change.",
        "Remediation": "Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user."
    },
    {
        "ErrorCode": "50134",
        "Message": "Wrong data center. To authorize a request that was initiated by an app in the OAuth 2.0 device flow, the authorizing party must be in the same data center where the original request resides."
    },
    {
        "ErrorCode": "50135",
        "Message": "Password change is required due to account risk."
    },
    {
        "ErrorCode": "50136",
        "Message": "Single MSA session detected when requesting an MSA ticket."
    },
    {
        "ErrorCode": "50137",
        "Message": "Password needs to be changed due to security policy rule."
    },
    {
        "ErrorCode": "50138",
        "Message": "Invalid encryption key environment."
    },
    {
        "ErrorCode": "50139",
        "Message": "Session is invalid due to missing an external refresh token."
    },
    {
        "ErrorCode": "50140",
        "Message": "This occurred due to 'Keep me signed in' interrupt when the user was signing in.",
        "Remediation": "This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make further logins easier. For more details, see https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/128267"
    },
    {
        "ErrorCode": "50141",
        "Message": "Protected key is not intended for the authenticated user."
    },
    {
        "ErrorCode": "50142",
        "Message": "Password change is required due to a conditional access policy."
    },
    {
        "ErrorCode": "50143",
        "Message": "Session mismatch. The session is invalid because user tenant does not match the domain hint.",
        "Remediation": "The app attempted to sign in a user to the wrong tenant. They need to correctly track the tenant that they have signed the user into."
    },
    {
        "ErrorCode": "50144",
        "Message": "The user's Active Directory password has expired.",
        "Remediation": "Generate a new password for the user or have the user use the self-service reset tool to reset their password."
    },
    {
        "ErrorCode": "50146",
        "Message": "This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.",
        "Remediation": "Please contact the owner of the application."
    },
    {
        "ErrorCode": "50147",
        "Message": "Invalid size of the code challenge parameter.",
        "Remediation": "Contact the application owner to correct their use of the PKCE parameters."
    },
    {
        "ErrorCode": "50148",
        "Message": "The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.",
        "Remediation": "Contact the application owner to correct their use of the PKCE parameters."
    },
    {
        "ErrorCode": "50149",
        "Message": "Invalid Code_Challenge_method parameter."
    },
    {
        "ErrorCode": "50150",
        "Message": "The provided credentials does not have a valid user consent approval information."
    },
    {
        "ErrorCode": "50155",
        "Message": "Device authentication failed."
    },
    {
        "ErrorCode": "50156",
        "Message": "Device tokens are not supported for V2 resource."
    },
    {
        "ErrorCode": "50157",
        "Message": "User redirection required for routing."
    },
    {
        "ErrorCode": "50158",
        "Message": "External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.",
        "Remediation": "The user is required to satisfy additional requirements before finishing authentication, and was redirected to another page (such as terms of use or a third party MFA provider). This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that this challenge was succesfully passed or failed."
    },
    {
        "ErrorCode": "50159",
        "Message": "Claims sent by external provider are not enough."
    },
    {
        "ErrorCode": "50161",
        "Message": "Failed to validate authorization url of external claims provider."
    },
    {
        "ErrorCode": "50162",
        "Message": "Claims transformation has timed out. This indicates too many or too complex transformations may have been configured for this application. A retry of the request may succeed. Otherwise, please contact your admin to fix the configuration."
    },
    {
        "ErrorCode": "50163",
        "Message": "Regular expression replacement for claims transformation has resulted in a claim which exceeds the size limit. Please contact your admin to fix the configuration."
    },
    {
        "ErrorCode": "50164",
        "Message": "The supplied access token was not issued for the purpose for which it is being used. Expected a token with purpose '{name}'."
    },
    {
        "ErrorCode": "50165",
        "Message": "The token encrypting algorithm '{algorithm}' requested by the application is not supported for this type of token. This indicates the application is misconfigured."
    },
    {
        "ErrorCode": "50166",
        "Message": "Request to External OIDC endpoint failed."
    },
    {
        "ErrorCode": "50167",
        "Message": "Invalid pop_jwk key."
    },
    {
        "ErrorCode": "50168",
        "Message": "The client is capable of utilizing the Windows 10 Accounts extension to perform SSO but no SSO token was found in the request or the token was expired. Request has been interrupted to attempt to pull an SSO token."
    },
    {
        "ErrorCode": "50169",
        "Message": "The realm '{realm}' is not a configured realm of the current service namespace."
    },
    {
        "ErrorCode": "50170",
        "Message": "The external controls mapping is missing."
    },
    {
        "ErrorCode": "50172",
        "Message": "External claims provider {provider} is not approved."
    },
    {
        "ErrorCode": "50173",
        "Message": "The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'.",
        "Remediation": "Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again."
    },
    {
        "ErrorCode": "50176",
        "Message": "Missing definition of external control: {controlId}."
    },
    {
        "ErrorCode": "50177",
        "Message": "User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.",
        "Remediation": "The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
    },
    {
        "ErrorCode": "50178",
        "Message": "User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.",
        "Remediation": "The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
    },
    {
        "ErrorCode": "50179",
        "Message": "Client_info is not supported for this user."
    },
    {
        "ErrorCode": "50180",
        "Message": "Integrated Windows Authentication is needed. Enable the tenant '{name}' for Seamless SSO."
    },
    {
        "ErrorCode": "50181",
        "Message": "Unable to validate the otp."
    },
    {
        "ErrorCode": "50182",
        "Message": "OTP is already expired."
    },
    {
        "ErrorCode": "50183",
        "Message": "Cannot lookup otp due to cache error."
    },
    {
        "ErrorCode": "50184",
        "Message": "No cache entry exist for the tenant/user."
    },
    {
        "ErrorCode": "50185",
        "Message": "Email OTP notification delivery failed."
    },
    {
        "ErrorCode": "50186",
        "Message": "Unpermitted realm."
    },
    {
        "ErrorCode": "50187",
        "Message": "Failed to perform device authentication."
    },
    {
        "ErrorCode": "50189",
        "Message": "The device code is not correctly formatted."
    },
    {
        "ErrorCode": "50190",
        "Message": "Region prefix to connection string mapping returned from settings is null."
    },
    {
        "ErrorCode": "50192",
        "Message": "Invalid request."
    },
    {
        "ErrorCode": "50193",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "50194",
        "Message": "Application '{appId}'({appName}) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '{time}'. Use a tenant-specific endpoint or configure the application to be multi-tenant."
    },
    {
        "ErrorCode": "50196",
        "Message": "The server terminated an operation because it encountered a client request loop. Please contact your app vendor.",
        "Remediation": "Application error - the app is requesting too many tokens, indicating that it is not correctly coded. Ensure that the app is correctly caching refresh and access tokens to preserve bandwidth and reduce latency."
    },
    {
        "ErrorCode": "50197",
        "Message": "Sorry, we could not find the user, please sign-in again."
    },
    {
        "ErrorCode": "50199",
        "Message": "For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction."
    },
    {
        "ErrorCode": "50200",
        "Message": "Unpermitted external trusted realm."
    },
    {
        "ErrorCode": "50201",
        "Message": "This message prompt interrupt will be shown to the user during login when additional information should be provided to user."
    },
    {
        "ErrorCode": "50202",
        "Message": "User is not registered in the organization and must explicitly consent to the sign-in."
    },
    {
        "ErrorCode": "50203",
        "Message": "User has not registered the authenticator app and must register or snooze this notification."
    },
    {
        "ErrorCode": "50204",
        "Message": "External user has not consented to the privacy statement."
    },
    {
        "ErrorCode": "50205",
        "Message": "External user has consented to the privacy statement."
    },
    {
        "ErrorCode": "50206",
        "Message": "The user or administrator has not consented connecting to the target-device: '{identifier}'. Send an interactive authorization request for this user and target-machine."
    },
    {
        "ErrorCode": "51000",
        "Message": "{feature} is/are disabled."
    },
    {
        "ErrorCode": "51001",
        "Message": "Domain Hint must be present with On-Premises Security Identifier/ On-Premises UPN."
    },
    {
        "ErrorCode": "51002",
        "Message": "Access denied due to it's in deny user access block list."
    },
    {
        "ErrorCode": "51004",
        "Message": "The user account {identifier} does not exist in the {tenant} directory. To sign into this application, the account must be added to the directory.",
        "Remediation": "An application likely chose the wrong tenant to sign into, and the currently logged in user was prevented from doing so since they did not exist in your tenant. If this user should be able to log in, add them as a guest. See docs here: https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator"
    },
    {
        "ErrorCode": "51005",
        "Message": "Initiate gateway redirect.",
        "Remediation": "This is not an error scenario, but is handled like one by Azure AD to handle certain authentication flows.  This is not an indication that anything went wrong."
    },
    {
        "ErrorCode": "51006",
        "Message": "Integrated Windows Authentication is needed. The user signed in using session token that is missing wia claim. Prompt the user to sign in again."
    },
    {
        "ErrorCode": "51007",
        "Message": "The user account {identifier} does not exist in the {tenant} directory. The user will be added to the directory to sign into this application."
    },
    {
        "ErrorCode": "51008",
        "Message": "JIT user creation of {userType} is disabled."
    },
    {
        "ErrorCode": "52001",
        "Message": "LinkedIn AppFamily Service Principal is disabled."
    },
    {
        "ErrorCode": "52002",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "52003",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "52004",
        "Message": "The user or administrator has not consented to use the application with ID '{identifier}'{namePhrase}. Send an interactive authorization request for this user and resource."
    },
    {
        "ErrorCode": "52050",
        "Message": "Multiple users with same email have been found."
    },
    {
        "ErrorCode": "52051",
        "Message": "Timed-out while parsing extension property name."
    },
    {
        "ErrorCode": "53000",
        "Message": "Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.",
        "Remediation": "Your administrator might have configured a conditional access policy that allows access to your organization's resources only from compliant devices. To be compliant, your device must be either joined to your on-premises Active Directory or joined to your Azure Active Directory.            More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation"
    },
    {
        "ErrorCode": "53001",
        "Message": "Device is not in required device state: {state}. Conditional Access policy requires a domain joined device, and the device is not domain joined.",
        "Remediation": "Have the user use a domain joined device."
    },
    {
        "ErrorCode": "53002",
        "Message": "Device is not in required device state: {state}. The app used is not an approved app for Conditional Access.",
        "Remediation": "User needs to use one of the apps from the list of approved apps to use in order to get access."
    },
    {
        "ErrorCode": "53003",
        "Message": "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.",
        "Remediation": "If this is unexpected, see the conditional access policy that applied to this request in the Azure Portal."
    },
    {
        "ErrorCode": "53004",
        "Message": "Cannot configure multi-factor authentication methods due to suspicious activity."
    },
    {
        "ErrorCode": "53005",
        "Message": "Application needs to enforce Intune protection policies."
    },
    {
        "ErrorCode": "53006",
        "Message": "Authentication required from federated idP."
    },
    {
        "ErrorCode": "53007",
        "Message": "Authentication required from federated IDP.",
        "Remediation": "User was blocked from authentication because they need to be sent to the federated identity provider (ADFS, for example) to perform multi-factor authentication. On interactive sign-in requests, they will be sent to the federation provider to perform MFA."
    },
    {
        "ErrorCode": "53008",
        "Message": "Browser not supported."
    },
    {
        "ErrorCode": "53009",
        "Message": "Application needs to enforce Intune protection policies."
    },
    {
        "ErrorCode": "53010",
        "Message": "Cannot configure multi-factor authentication methods because the organization requires this information to be set from specific locations or devices."
    },
    {
        "ErrorCode": "53011",
        "Message": "User blocked due to risk on home tenant."
    },
    {
        "ErrorCode": "54000",
        "Message": "User is not allowed to access application {appName} due to Legal Age Group Requirement of application {audience}."
    },
    {
        "ErrorCode": "54005",
        "Message": "OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token."
    },
    {
        "ErrorCode": "54006",
        "Message": "Unencrypted v2 access tokens are not supported for first party applications that support consumer accounts. The resource must add a certificate to the onboarding portal to encrypt tokens."
    },
    {
        "ErrorCode": "54007",
        "Message": "Method not supported for IDP OAuth2 Federation."
    },
    {
        "ErrorCode": "54008",
        "Message": "Multi-Factor authentication is required and the credential used ({credentialName}) is not supported as a First Factor. Contact your administrator for more information."
    },
    {
        "ErrorCode": "60007",
        "Message": "X509Certificate does not expose a private key or isn't an RSA private key."
    },
    {
        "ErrorCode": "65001",
        "Message": "The user or administrator has not consented to use the application with ID '{identifier}'{namePhrase}. Send an interactive authorization request for this user and resource."
    },
    {
        "ErrorCode": "65002",
        "Message": "Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.",
        "Remediation": "A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in portal.azure.com."
    },
    {
        "ErrorCode": "65003",
        "Message": "Consent for first party token-to-self must be configured via preauthorization. If preauthorization has already been configured, update the request to use a URI identifier for the resource instead of '{resourceId}' to work around this error.",
        "Remediation": "The application developer needs to modify how the resource is specified in the authentication request to work around an implementation limitation."
    },
    {
        "ErrorCode": "65004",
        "Message": "User declined to consent to access the app.",
        "Remediation": "Have the user retry the sign-in and consent to the app."
    },
    {
        "ErrorCode": "65005",
        "Message": "The application '{name}' asked for scope '{scope}' that doesn't exist."
    },
    {
        "ErrorCode": "65006",
        "Message": "Resource '{resourceId}' had no entitlements matching required permissions configured on the required resource access for client '{clientId}'. Requested permission IDs: '{permissionId}'. This is a problem with one or more invalid permission ids on the client RRA configuration or the resource entitlement configuration."
    },
    {
        "ErrorCode": "65007",
        "Message": "Client '{clientId}' required resource access configuration has changed and therefore the request could not be completed. Please try again."
    },
    {
        "ErrorCode": "67001",
        "Message": "The resource '{resourceId}' is not a valid protected resource."
    },
    {
        "ErrorCode": "67002",
        "Message": "User consent is required to create a new delegation or extend an expired delegation. NameId: {claimId} IdentityProvider: {idp} Actor: {resourceId} RequestorPrincipal: {appId}({appName})."
    },
    {
        "ErrorCode": "67003",
        "Message": "The client '{appId}'({appName}) is not a valid service identity."
    },
    {
        "ErrorCode": "67006",
        "Message": "The service identity '{appId}'({appName}) is not trusted for delegation."
    },
    {
        "ErrorCode": "67007",
        "Message": "Unknown consent value '{value}'. Valid values are 'AdministratorConsentProvided', 'UseExistingUserConsent', and 'UserConsentProvided'."
    },
    {
        "ErrorCode": "69998",
        "Message": "OfficeS2S delegation redemption scenarios are not supported for resource '{resourceId}'."
    },
    {
        "ErrorCode": "70000",
        "Message": "Provided grant is invalid or malformed.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "70001",
        "Message": "Application identifier is not provided."
    },
    {
        "ErrorCode": "70002",
        "Message": "Client application name '{appName}' is not valid or the credentials used to authenticate the client could not be understood by the server.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "70003",
        "Message": "The app requested an unsupported grant type '{type}'."
    },
    {
        "ErrorCode": "70004",
        "Message": "The app requested an invalid redirect URI '{uri}'. The redirect address specified by the client does not match any configured addresses."
    },
    {
        "ErrorCode": "70005",
        "Message": "'The application requested an unsupported response type '{type}' when requesting a token.",
        "Remediation": "Contact the application owner."
    },
    {
        "ErrorCode": "70006",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "70007",
        "Message": "The application requested an unsupported mode '{mode}' when requesting a token.",
        "Remediation": "Contact the application owner."
    },
    {
        "ErrorCode": "70008",
        "Message": "The provided authorization code or refresh token has expired due to inactivity. Send a new interactive authorization request for this user and resource.",
        "Remediation": "Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user."
    },
    {
        "ErrorCode": "70009",
        "Message": "Unable to complete OAuth2 IdP's sign in. The 'state' parameter could not be validated."
    },
    {
        "ErrorCode": "70010",
        "Message": "Unable to complete OAuth2 IdP's sign in. The 'state' parameter does not match the expected value."
    },
    {
        "ErrorCode": "70011",
        "Message": "The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope {scope} is not valid.{detailsPhrase}"
    },
    {
        "ErrorCode": "70012",
        "Message": "A server error occurred while authenticating an MSA (consumer) user.",
        "Remediation": "Try again. If it continues to fail, open a support ticket: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto"
    },
    {
        "ErrorCode": "70013",
        "Message": "The '{paramName}' request parameter is not supported."
    },
    {
        "ErrorCode": "70014",
        "Message": "The '{paramName}' request parameter is not supported."
    },
    {
        "ErrorCode": "70015",
        "Message": "The '{paramName}' request parameter is not supported."
    },
    {
        "ErrorCode": "70016",
        "Message": "OAuth 2.0 device flow error. Authorization is pending. Continue polling.",
        "Remediation": "This is not an error scenario, but is handled like one by Azure AD to handle certain authentication flows.  This is not an indication that anything went wrong."
    },
    {
        "ErrorCode": "70017",
        "Message": "Authorization declined."
    },
    {
        "ErrorCode": "70018",
        "Message": "Invalid verification code."
    },
    {
        "ErrorCode": "70019",
        "Message": "Verification code expired.",
        "Remediation": "Verification code expired. Have the user retry the sign-in"
    },
    {
        "ErrorCode": "70020",
        "Message": "The provided value for the input parameter 'device_code' is not valid. This device code has expired.",
        "Remediation": "Please make a new Device Authorization Request."
    },
    {
        "ErrorCode": "70021",
        "Message": "No matching federated identity record found for presented assertion. Assertion Issuer: '{issuer}'. Assertion Subject: '{subject}'. Assertion Audience: '{audience}'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation",
        "Remediation": "Application configuration issue. Ensure that the federated credential policy on the application registration is correct, and ensure that the developer is correctly submitting a token that complies with the policy requirements. See documentation at https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation."
    },
    {
        "ErrorCode": "70022",
        "Message": "Federated Identity Credential issuer must use HTTPS scheme, must not be loopback address, and may not include a query-string or fragment. Token issuer: {issuer}.",
        "Remediation": "Ensure that the OpenID Connect metadata for this federated credential is hosted on an HTTPS endpoint, does not point to loopback (127.0.0.1, localhost, etc.), and does not include a query-string or fragment."
    },
    {
        "ErrorCode": "70023",
        "Message": "External OIDC Provider token must have a lifetime of less than or equal to {maxTime}. Token issued at {issuedAt}. Token expires on {expires}.",
        "Remediation": "Supply tokens that have lifetime of less than or equal to the maximum allowed time."
    },
    {
        "ErrorCode": "70024",
        "Message": "OIDC Provider Metadata missing required field '{fieldName}'.",
        "Remediation": "Ensure that the OpenID Connect metadata sets all required fields."
    },
    {
        "ErrorCode": "70030",
        "Message": "Remote authentication failed to read session from storage."
    },
    {
        "ErrorCode": "70031",
        "Message": "Remote authentication session is in a bad state."
    },
    {
        "ErrorCode": "70033",
        "Message": "The remote auth session with this device code has already been approved."
    },
    {
        "ErrorCode": "70034",
        "Message": "The remote auth session with this device code has already been denied."
    },
    {
        "ErrorCode": "70035",
        "Message": "Remote auth session with this device code doesn't exist."
    },
    {
        "ErrorCode": "70036",
        "Message": "Unsupported remote auth session state."
    },
    {
        "ErrorCode": "70037",
        "Message": "Incorrect challenge response provided. Remote auth session denied.",
        "Remediation": "Incorrect challenge response provided. Remote auth session denied"
    },
    {
        "ErrorCode": "70039",
        "Message": "The remote auth session with this device code has expired."
    },
    {
        "ErrorCode": "70041",
        "Message": "Unable to complete OAuth2 IdP's sign in. The 'nonce' claim does not match the expected value."
    },
    {
        "ErrorCode": "70043",
        "Message": "The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
    },
    {
        "ErrorCode": "70044",
        "Message": "The session has expired or is invalid due to sign-in frequency checks by conditional access."
    },
    {
        "ErrorCode": "70045",
        "Message": "The refresh token is invalid due to sign-in frequency checks by conditional access. Additionally, since the sign-in frequency policy applies to all applications, the token will never be usable, and should be deleted. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
    },
    {
        "ErrorCode": "70046",
        "Message": "The session has expired or is invalid due to re-authentication checks by conditional access."
    },
    {
        "ErrorCode": "70071",
        "Message": "Invalid requested token type: {type}."
    },
    {
        "ErrorCode": "70101",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "75001",
        "Message": "An exception occurred while parsing a SAML binding message."
    },
    {
        "ErrorCode": "75005",
        "Message": "The request is not a valid SAML 2.0 protocol message."
    },
    {
        "ErrorCode": "75008",
        "Message": "Received SAML request with an unexpected destination '{actualDest}'. Expected one of '{validDests}'.",
        "Remediation": "The request from the application was denied since the SAML request had an unexpected destination. Contact the application owner"
    },
    {
        "ErrorCode": "75011",
        "Message": "Authentication method '{usedMethod}' by which the user authenticated with the service doesn't match requested authentication method '{requestedMethod}'. Contact the {appName} application owner.",
        "Remediation": "Authentication method by which the user authenticated with the service doesn't match requested authentication method. Contact the application owner"
    },
    {
        "ErrorCode": "75016",
        "Message": "The SP name qualifier '{name}' is not valid."
    },
    {
        "ErrorCode": "75019",
        "Message": "A domain hint can be specified either in the AuthnRequest or as a query string parameter, but not both.",
        "Remediation": "Contact the application owner."
    },
    {
        "ErrorCode": "75020",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "76020",
        "Message": "Application configured to use only protocols with signed requests"
    },
    {
        "ErrorCode": "76021",
        "Message": "The request sent by client is not signed while the application requires signed requests"
    },
    {
        "ErrorCode": "76022",
        "Message": "Cannot verify the signature of received authentication request since there is no certificate for verification configured in the application."
    },
    {
        "ErrorCode": "76023",
        "Message": "The signature of the received authentication request is invalid, please contact the administrator to resolve the issue."
    },
    {
        "ErrorCode": "76024",
        "Message": "The request has no information about the public certificate for signature validation, while the {certsLimit} most recent certificates did not verify the signature."
    },
    {
        "ErrorCode": "76025",
        "Message": "The request has no information about the signature algorithm used for signing."
    },
    {
        "ErrorCode": "76026",
        "Message": "The request has expired. Try to submit new request."
    },
    {
        "ErrorCode": "76027",
        "Message": "No certificate matching provided KeyInfo. Check that app is configured correctly."
    },
    {
        "ErrorCode": "76028",
        "Message": "Signature algorithm used to sign data is not supported."
    },
    {
        "ErrorCode": "76029",
        "Message": "The request signature could not be validated while it's required by application settings"
    },
    {
        "ErrorCode": "76030",
        "Message": "The request signature has incorrect format"
    },
    {
        "ErrorCode": "76031",
        "Message": "This endpoint does not support SAML request signing."
    },
    {
        "ErrorCode": "76032",
        "Message": "This service principal ID is not a GUID."
    },
    {
        "ErrorCode": "80001",
        "Message": "No Microsoft Azure AD Connect Authentication Agent was found. Make sure that your environment is configured correctly. If your directory is set for pass-through authentication, make sure that your Microsoft Azure AD Connect Authentication Agent is online.",
        "Remediation": "Authentication Agent unable to connect to Active Directory. Make sure the authentication agent is installed on a domain-joined machine that has line of sight to a data center that can serve the user's login request"
    },
    {
        "ErrorCode": "80002",
        "Message": "Internal error. Password validation request timed out. We were unable to either send the authentication request to the internal Hybrid Identity Service.",
        "Remediation": "Make sure that your on-premises Active Directory instance is available and responding to requests from the agents."
    },
    {
        "ErrorCode": "80003",
        "Message": "Unknown status returned from on-prem password validator.",
        "Remediation": "Invalid response received by Authentication Agent. An unknown error occurred while attempting to authentication against Active Directory on-premises."
    },
    {
        "ErrorCode": "80005",
        "Message": "An unknown error occurred while processing the response from the Authentication Agent.",
        "Remediation": "Retry the request and ensure that your on-premises AD instance is operating correctly. If it continues to fail, open a support ticket to get more details on the error: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto"
    },
    {
        "ErrorCode": "80006",
        "Message": "Invalid on-prem password validation configuration: request URL must be secure over https."
    },
    {
        "ErrorCode": "80007",
        "Message": "The Authentication Agent is unable to validate user's password. Check the agent logs for more info and verify that Active Directory is operating as expected.",
        "Remediation": "Contact your administrator for more information."
    },
    {
        "ErrorCode": "80010",
        "Message": "Cannot encrypt with key identifier '{key}'. The Authentication Agent is unable to decrypt password."
    },
    {
        "ErrorCode": "80011",
        "Message": "Unexpected error retrieving password encryption keys."
    },
    {
        "ErrorCode": "80012",
        "Message": "Your account has time restrictions that keep you from signing in right now.",
        "Remediation": "The users attempted to log on outside of the allowed hours (this is specified in AD)"
    },
    {
        "ErrorCode": "80013",
        "Message": "The authentication attempt could not be completed due to time skew (time/date difference) between the machine running the authentication agent and AD.",
        "Remediation": "Fix time sync issues"
    },
    {
        "ErrorCode": "80014",
        "Message": "Validation request responded after maximum elapsed time exceeded.",
        "Remediation": "Authentication agent timed out. Open a support ticket with the error code, correlation ID, and timestamp to get more details on this error"
    },
    {
        "ErrorCode": "80015",
        "Message": "Validation request budget exceeded."
    },
    {
        "ErrorCode": "80016",
        "Message": "Validation request failed - unable to signal Authentication Agent."
    },
    {
        "ErrorCode": "80017",
        "Message": "An error occurred while decrypting user credentials. Check your Microsoft Azure AD Connect Authentication Agent logs for more information."
    },
    {
        "ErrorCode": "80018",
        "Message": "Unauthorized or forbidden access of encryption keys."
    },
    {
        "ErrorCode": "81001",
        "Message": "Service ticket size exceeded the maximum allowed.",
        "Remediation": "User's Kerberos ticket is too large. This can happen if the user is in too many groups and thus the Kerberos ticket contains too many group memberships. Reduce the user's group memberships and try again"
    },
    {
        "ErrorCode": "81004",
        "Message": "Kerberos authentication failed."
    },
    {
        "ErrorCode": "81005",
        "Message": "Authentication package is not supported."
    },
    {
        "ErrorCode": "81006",
        "Message": "No authorization header was found, returning 401 WWW-Authenticate."
    },
    {
        "ErrorCode": "81007",
        "Message": "Tenant is not enabled for DesktopSSO."
    },
    {
        "ErrorCode": "81008",
        "Message": "Failed to validate Kerberos ticket."
    },
    {
        "ErrorCode": "81009",
        "Message": "Unable to validate the user's Kerberos ticket, the authorization header value is not formatted correctly."
    },
    {
        "ErrorCode": "81010",
        "Message": "Seamless SSO failed because the user's Kerberos ticket has expired or is invalid."
    },
    {
        "ErrorCode": "81011",
        "Message": "Failed to find user by on-premise SID in the user's Kerberos ticket."
    },
    {
        "ErrorCode": "81012",
        "Message": "The user trying to sign in to Azure AD is different from the user signed into the device.",
        "Remediation": "This is not an error condition. It indicates that user trying to sign in to AzureAD is different from the user signed into the device. You can safely ignore this code in the logs"
    },
    {
        "ErrorCode": "81013",
        "Message": "Failed to lookup the user whose kerberos ticket was used to login."
    },
    {
        "ErrorCode": "81014",
        "Message": "The DesktopSSO auth token has expired."
    },
    {
        "ErrorCode": "81015",
        "Message": "Rejecting DesktopSSO Kerberos ticket as it was obtained through delegation. Delegated Kerberos ticket does not originate from user directly. Please contact your tenant administrator to disable delegation on the AZUREADSSOACC account."
    },
    {
        "ErrorCode": "81016",
        "Message": "Invalid STS request."
    },
    {
        "ErrorCode": "90000",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "90002",
        "Message": "Tenant '{tenant_name}' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.",
        "Remediation": "The application developer will recieve this error if their app attempts to sign into a tenant that we cannot find. Often, this is because a cross-cloud app was used against the wrong cloud, or the developer attempted to sign in to a tenant derived from an email address, byut the domain isn't registered."
    },
    {
        "ErrorCode": "90004",
        "Message": "The request is not properly formatted."
    },
    {
        "ErrorCode": "90005",
        "Message": "Unable to complete request. The request was invalid since SID and login_hint cannot be used together."
    },
    {
        "ErrorCode": "90006",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90007",
        "Message": "Bad Request. The passed session ID cannot be parsed."
    },
    {
        "ErrorCode": "90008",
        "Message": "The user or administrator has not consented to use the application with ID '{appId}'({appName}). This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least 'Sign in and read user profile' permission.",
        "Remediation": "This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least 'Sign in and read user profile' permission."
    },
    {
        "ErrorCode": "90009",
        "Message": "Application '{appId}'({appName}) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier."
    },
    {
        "ErrorCode": "90010",
        "Message": "Unable to create {algoName} algorithm.",
        "Remediation": "Contact the application developer. The request is not supported for various reasons. For example, the request is made using an unsupported request method (only POST method is supported) or the token signing algorithm that was requested is not supported."
    },
    {
        "ErrorCode": "90012",
        "Message": "This request has timed out."
    },
    {
        "ErrorCode": "90013",
        "Message": "Invalid input received from the user."
    },
    {
        "ErrorCode": "90014",
        "Message": "The required field '{name}' is missing from the credential. Ensure that you have all the necessary parameters for the login request.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "90015",
        "Message": "Requested query string is too long."
    },
    {
        "ErrorCode": "90016",
        "Message": "Invalid access token. Required claim is missing."
    },
    {
        "ErrorCode": "90017",
        "Message": "Unexpected field '{fieldName}'."
    },
    {
        "ErrorCode": "90019",
        "Message": "No tenant-identifying information found in either the request or implied by any provided credentials.",
        "Remediation": "Application error - the request can't be routed to a tenant, but needs to be."
    },
    {
        "ErrorCode": "90020",
        "Message": "The SAML 1.1 Assertion is missing ImmutableID of the user.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "90022",
        "Message": "Principal name format is invalid for '{name}'. Expected format: name[/instance][@realm]. The principal name is required, host and realm are optional and may be set to null."
    },
    {
        "ErrorCode": "90023",
        "Message": "Invalid STS request."
    },
    {
        "ErrorCode": "90024",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90025",
        "Message": "Request processing has exceeded gateway allowance."
    },
    {
        "ErrorCode": "90026",
        "Message": "Hostname contains an invalid wildcard '*' character."
    },
    {
        "ErrorCode": "90027",
        "Message": "We are unable to issue tokens from this API version on the MSA tenant. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."
    },
    {
        "ErrorCode": "90028",
        "Message": "Principal name format is invalid for name '{name}'. Primary component of the name is required."
    },
    {
        "ErrorCode": "90029",
        "Message": "The realm '{name}' is a Unicode domain name. Domain names of this form are not supported."
    },
    {
        "ErrorCode": "90030",
        "Message": "A transient error has occurred. Try again after some time."
    },
    {
        "ErrorCode": "90031",
        "Message": "A transient error has occurred. Try again after some time."
    },
    {
        "ErrorCode": "90032",
        "Message": "A transient error has occurred. Try again after some time."
    },
    {
        "ErrorCode": "90033",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90035",
        "Message": "Service is temporarily unavailable. Please retry later."
    },
    {
        "ErrorCode": "90036",
        "Message": "An unexpected, non-retryable error stemming from the directory service has occurred.",
        "Remediation": "If you see this consistently, open a support ticket to get more details on the error: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto"
    },
    {
        "ErrorCode": "90037",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "90038",
        "Message": "Tenant '{tenant_name}' request is being redirected to the National Cloud '{cloud}'."
    },
    {
        "ErrorCode": "90039",
        "Message": "Service is temporarily unavailable. Please retry later."
    },
    {
        "ErrorCode": "90040",
        "Message": "A non-retryable error has occurred."
    },
    {
        "ErrorCode": "90041",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90042",
        "Message": "National Cloud Name is missing in the postback request."
    },
    {
        "ErrorCode": "90043",
        "Message": "OAuth2 grant was issued by National Cloud STS.",
        "Remediation": "This is not an error scenario, but is handled like one by Azure AD to handle certain authentication flows.  This is not an indication that anything went wrong."
    },
    {
        "ErrorCode": "90044",
        "Message": "National Cloud Request Process Switched off."
    },
    {
        "ErrorCode": "90045",
        "Message": "Service is too busy. Please try again later."
    },
    {
        "ErrorCode": "90046",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "90047",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "90049",
        "Message": "Application could not be found."
    },
    {
        "ErrorCode": "90050",
        "Message": "Response content length from external IdP exceeds supported limit."
    },
    {
        "ErrorCode": "90051",
        "Message": "Invalid Delegation Token. Invalid national Cloud ID ({cloudId}) is specified."
    },
    {
        "ErrorCode": "90052",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "90053",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "90055",
        "Message": "The server has terminated the request due to excessive request rate. Please wait a few seconds and try again.",
        "Remediation": "Your tenant has sent too many requests to AAD, triggering anti-abuse throttling measures. Please check to see if there are any misbehaving applications that are sending too many requests to AAD."
    },
    {
        "ErrorCode": "90056",
        "Message": "Requested resource cannot be found."
    },
    {
        "ErrorCode": "90057",
        "Message": "Server encountered an internal problem."
    },
    {
        "ErrorCode": "90058",
        "Message": "Service is temporarily unavailable. Please retry later."
    },
    {
        "ErrorCode": "90059",
        "Message": "HealthInfoController Failed with the following Exception: {ex}"
    },
    {
        "ErrorCode": "90061",
        "Message": "Request to External OIDC endpoint failed."
    },
    {
        "ErrorCode": "90071",
        "Message": "An admin from {tenant} must update their access settings to accept inbound multifactor authentication."
    },
    {
        "ErrorCode": "90072",
        "Message": "User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{application}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account",
        "Remediation": "The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account"
    },
    {
        "ErrorCode": "90073",
        "Message": "Invalid Fairfax Gateway Redirect."
    },
    {
        "ErrorCode": "90081",
        "Message": "An error occurred when the service tried to process a WS-Federation message. The message was invalid."
    },
    {
        "ErrorCode": "90082",
        "Message": "Authentication policy '{name}' selected for the request is not currently supported."
    },
    {
        "ErrorCode": "90083",
        "Message": "Request is unsupported."
    },
    {
        "ErrorCode": "90084",
        "Message": "Guest accounts are not allowed for this site."
    },
    {
        "ErrorCode": "90085",
        "Message": "The service is unable to issue a token because the company object hasn't been provisioned yet."
    },
    {
        "ErrorCode": "90086",
        "Message": "The user DA token is expired."
    },
    {
        "ErrorCode": "90087",
        "Message": "An error occurred while creating the WS-Federation message from the URI."
    },
    {
        "ErrorCode": "90088",
        "Message": "Authentication failed due to email address domain is not in allowed domains list for identity provider.",
        "Remediation": "The email address domain is not in the application's whitelisted domains."
    },
    {
        "ErrorCode": "90089",
        "Message": "User token should not be used in App on behalf of flow."
    },
    {
        "ErrorCode": "90090",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90091",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90092",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "90093",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "90094",
        "Message": "Admin consent is required for the permissions requested by this application.",
        "Remediation": "Ask your tenant administrator to provide consent for this application."
    },
    {
        "ErrorCode": "90095",
        "Message": "Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin."
    },
    {
        "ErrorCode": "90096",
        "Message": "Admin consent is required for the permissions requested by this application. Admin consent request sent for processing."
    },
    {
        "ErrorCode": "90097",
        "Message": "An error has occured during admin consent processing."
    },
    {
        "ErrorCode": "90098",
        "Message": "An unexpected approval request ID was provided."
    },
    {
        "ErrorCode": "90099",
        "Message": "The application '{appId}' ({appName}) has not been authorized in the tenant '{tenant}'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.",
        "Remediation": "Provide pre-consent or execute the appropriate Partner Center API to authorize the application."
    },
    {
        "ErrorCode": "90100",
        "Message": "{name} parameter is empty or not valid."
    },
    {
        "ErrorCode": "90101",
        "Message": "The supplied data isn't a valid email address. Please provide it in the format someone@example.com",
        "Remediation": "Application or user error - if this persists, reach out to the impacted user or developer for more details."
    },
    {
        "ErrorCode": "90102",
        "Message": "'{name}' value must be a valid absolute URI."
    },
    {
        "ErrorCode": "90107",
        "Message": "The request is not valid. Make sure your data doesn't have invalid characters."
    },
    {
        "ErrorCode": "90112",
        "Message": "Application identifier is expected to be a GUID."
    },
    {
        "ErrorCode": "90114",
        "Message": "The specified bulk AADJ token expiration timestamp will cause an expired token to be issued."
    },
    {
        "ErrorCode": "90115",
        "Message": "Code/npotc parameter is not allowed together with password."
    },
    {
        "ErrorCode": "90116",
        "Message": "{method} request is made, while POST is the only supported verb."
    },
    {
        "ErrorCode": "90117",
        "Message": "Invalid request."
    },
    {
        "ErrorCode": "90119",
        "Message": "The user code is null or missing."
    },
    {
        "ErrorCode": "90120",
        "Message": "This request was already authorized or declined."
    },
    {
        "ErrorCode": "90121",
        "Message": "Invalid empty request."
    },
    {
        "ErrorCode": "90122",
        "Message": "User identifier is not present."
    },
    {
        "ErrorCode": "90123",
        "Message": "The token can't be issued because the identity or claim issuance provider denied the request. Response code: {errorCode}."
    },
    {
        "ErrorCode": "90124",
        "Message": "{resConstant} '{resourceId}' {resourceName} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.",
        "Remediation": "Use the /organizations or tenant-specific endpoint."
    },
    {
        "ErrorCode": "90125",
        "Message": "{userName} isn't in our system. Make sure you entered the user name correctly."
    },
    {
        "ErrorCode": "90126",
        "Message": "User Type is not supported on this endpoint. The system can't infer the user's tenant from the user name: {userName}"
    },
    {
        "ErrorCode": "90128",
        "Message": "Unable to load OptIn store for user."
    },
    {
        "ErrorCode": "90129",
        "Message": "{resConstant} '{resourceId}' {resourceName} has a configured token version of '1' and is not supported over the /common or /consumers endpoints."
    },
    {
        "ErrorCode": "90130",
        "Message": "{appConstant} '{appId}' {appName} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint."
    },
    {
        "ErrorCode": "90131",
        "Message": "Invalid ambiguous request. sid cannot be used with prompt {prompt}."
    },
    {
        "ErrorCode": "90132",
        "Message": "The provided value for the input parameter 'device_code' is not valid. Device codes supporting the personal Microsoft Account sign-in audience can only be used for v2 common or consumers tenants."
    },
    {
        "ErrorCode": "90133",
        "Message": "Device Code flow is not supported under /common or /consumers endpoint."
    },
    {
        "ErrorCode": "90134",
        "Message": "Retrieving claims from identity provider '{idp}' failed."
    },
    {
        "ErrorCode": "90135",
        "Message": "The user decided not to continue the authentication. No remediation is required."
    },
    {
        "ErrorCode": "90136",
        "Message": "Device Code flow is not supported for Confidential Clients."
    },
    {
        "ErrorCode": "90137",
        "Message": "Token issuance cannot proceed because user declined consent approval to release their profile information."
    },
    {
        "ErrorCode": "90138",
        "Message": "Invalid ambiguous request. sid cannot be used with login_hint."
    },
    {
        "ErrorCode": "90150",
        "Message": "Failed to read request."
    },
    {
        "ErrorCode": "90160",
        "Message": "An internal error occurred while attempting to remediate the user."
    },
    {
        "ErrorCode": "90170",
        "Message": "An internal error occured while attempting to proxy binding redirect request"
    },
    {
        "ErrorCode": "90171",
        "Message": "An internal error occured for cell based fallback"
    },
    {
        "ErrorCode": "90201",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "90202",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "90401",
        "Message": "Access denied."
    },
    {
        "ErrorCode": "90500",
        "Message": "Tenant belongs to fault domain {domain}.",
        "Remediation": "This is not an error scenario, but is handled like one by Azure AD to handle certain authentication flows.  This is not an indication that anything went wrong."
    },
    {
        "ErrorCode": "90501",
        "Message": "Tenant ({name} ({identifier})) request is being redirected to USGov."
    },
    {
        "ErrorCode": "100000",
        "Message": "The Regional Cache Auth Service does not have the encrypted global signing key."
    },
    {
        "ErrorCode": "100001",
        "Message": "The Regional Cache Auth Service fails to retrieve the global signing key."
    },
    {
        "ErrorCode": "100002",
        "Message": "Non-retryable error has occurred in regional cache."
    },
    {
        "ErrorCode": "100003",
        "Message": "Timeout occurred in request to global sts."
    },
    {
        "ErrorCode": "100004",
        "Message": "Empty or Error response from Global Sts when called in by Regional Cache Auth instance."
    },
    {
        "ErrorCode": "100005",
        "Message": "Regional Cache Auth instance is not allowed to issue a token for this environment."
    },
    {
        "ErrorCode": "100006",
        "Message": "Regional Cache Auth Service token requests for audience App that requires custom signing keys or that has claims mapping policy are forbidden."
    },
    {
        "ErrorCode": "100007",
        "Message": "AAD Regional ONLY supports auth either for MSIs OR for requests from MSAL using SN+I for 1P apps or 3P apps in Microsoft infrastructure tenants."
    },
    {
        "ErrorCode": "100008",
        "Message": "Regional Cache Auth Service token requests for audience App that has opted in for a PFT token is forbidden."
    },
    {
        "ErrorCode": "100009",
        "Message": "Regional Cache Auth Service token requests for flows that require encrypted tokens are forbidden."
    },
    {
        "ErrorCode": "100010",
        "Message": "App specific discovery requests for Regional Cache Auth Service are forbidden."
    },
    {
        "ErrorCode": "100011",
        "Message": "Tenant Domain Name specific discovery requests for Regional Cache Auth Service are forbidden."
    },
    {
        "ErrorCode": "100012",
        "Message": "MSAonly tenant specific discovery requests for MSA tenant for Regional Cache Auth Service are forbidden."
    },
    {
        "ErrorCode": "100013",
        "Message": "The current discovery keys requests scenarios for Regional Cache Auth Service are forbidden."
    },
    {
        "ErrorCode": "100014",
        "Message": "Force cache flow parameter was specified as true but no cached response was found"
    },
    {
        "ErrorCode": "100015",
        "Message": "Regional Cache Auth Pipeline miss StsTenant"
    },
    {
        "ErrorCode": "100016",
        "Message": "Regional Cache Auth Pipeline missing Signing credentials"
    },
    {
        "ErrorCode": "100017",
        "Message": "There was an error issuing a token or an issue with our sign-in service.",
        "Remediation": "If this persists, open a support ticket to resolve this issue: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto"
    },
    {
        "ErrorCode": "100018",
        "Message": "The regional cache auth requests that expects confirmation (cnf) claim in the token response are forbidden."
    },
    {
        "ErrorCode": "100019",
        "Message": "The regional cache auth requests from tenants with token lifetime policy defined are forbidden."
    },
    {
        "ErrorCode": "100020",
        "Message": "Regional key discovery endpoint is forbidden."
    },
    {
        "ErrorCode": "100021",
        "Message": "The regional cache auth requests that reach max hop count are dropped."
    },
    {
        "ErrorCode": "100022",
        "Message": "The request was failed due to AAD outage simulation for a participating tenant."
    },
    {
        "ErrorCode": "100023",
        "Message": "Regional endpoints are not yet supported in sovereign clouds."
    },
    {
        "ErrorCode": "100024",
        "Message": "AAD Regional ONLY supports auth either for MSIs OR for requests from supported MSAL using SN+I for 1P apps or 3P apps in Microsoft infrastructure tenants. This request is forbidden because it comes from neither 1P app nor 3P apps in Microsoft infrastructure tenants."
    },
    {
        "ErrorCode": "100026",
        "Message": "AAD Regional ONLY supports auth either for MSIs OR for requests from supported MSAL using SN+I for 1P apps or 3P apps in Microsoft infrastructure tenants. This request is forbidden because it does not use SN+I."
    },
    {
        "ErrorCode": "100027",
        "Message": "AAD Regional does not support traffic from client application {clientId} at this time."
    },
    {
        "ErrorCode": "120000",
        "Message": "Incorrect password."
    },
    {
        "ErrorCode": "120001",
        "Message": "New password doesn't meet complexity requirements. Passwords can't contain user ID, and need to be 8-16 characters long, with at least 3 of the following: uppercase letters, lowercase letters, numbers, and symbols."
    },
    {
        "ErrorCode": "120002",
        "Message": "New password doesn't meet complexity requirements. Passwords can't contain user ID, and need to be 8-16 characters long, with at least 3 of the following: uppercase letters, lowercase letters, numbers, and symbols."
    },
    {
        "ErrorCode": "120003",
        "Message": "New password doesn't meet complexity requirements. Passwords can't contain user ID, and need to be 8-16 characters long, with at least 3 of the following: uppercase letters, lowercase letters, numbers, and symbols."
    },
    {
        "ErrorCode": "120004",
        "Message": "New password doesn't match the password complexity requirements of the user's company's OnPrem Active Directory."
    },
    {
        "ErrorCode": "120005",
        "Message": "Password was successfully updated, but servers take time to catch up. Please try signing in again in a few minutes."
    },
    {
        "ErrorCode": "120006",
        "Message": "Password change request got interrupted. Check if the password got updated, else try again."
    },
    {
        "ErrorCode": "120012",
        "Message": "User's organization does not allow them to change their password themselves through AAD."
    },
    {
        "ErrorCode": "120013",
        "Message": "Password change failed due to connectivity issues trying to write to user's onprem AD. Try again in a few minutes."
    },
    {
        "ErrorCode": "120014",
        "Message": "User account is either disabled or temporarily locked by user's organization."
    },
    {
        "ErrorCode": "120015",
        "Message": "Password change failed due to user account misconfiguration."
    },
    {
        "ErrorCode": "120016",
        "Message": "User not found."
    },
    {
        "ErrorCode": "120017",
        "Message": "Operation not supported."
    },
    {
        "ErrorCode": "120018",
        "Message": "New password does not comply with the policy. The password is too common."
    },
    {
        "ErrorCode": "120019",
        "Message": "New password contains a word, phrase, or pattern that is banned by a policy in user's organization."
    },
    {
        "ErrorCode": "120020",
        "Message": "Change user password operation failed."
    },
    {
        "ErrorCode": "121000",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "121003",
        "Message": "User's organization does not allow them to change their password themselves through AAD."
    },
    {
        "ErrorCode": "130001",
        "Message": "Signature key ID is not provided."
    },
    {
        "ErrorCode": "130004",
        "Message": "UserPrincipal doesn't have the NGC key configured."
    },
    {
        "ErrorCode": "130005",
        "Message": "NGC key signature verification failed."
    },
    {
        "ErrorCode": "130006",
        "Message": "The NGC transport key isn't configured on the device."
    },
    {
        "ErrorCode": "130007",
        "Message": "The device is disabled."
    },
    {
        "ErrorCode": "130008",
        "Message": "Device referenced by the NGC key is not found."
    },
    {
        "ErrorCode": "130009",
        "Message": "Device key was found weak."
    },
    {
        "ErrorCode": "130500",
        "Message": "Phone sign in was blocked due to User Credential Policy."
    },
    {
        "ErrorCode": "130501",
        "Message": "Sign in was blocked due to User Credential Policy."
    },
    {
        "ErrorCode": "130502",
        "Message": "Temporary Access Pass sign in was blocked due to User Credential Policy."
    },
    {
        "ErrorCode": "130503",
        "Message": "Your Temporary Access Pass is incorrect. If you don't know your pass, contact your administrator."
    },
    {
        "ErrorCode": "130504",
        "Message": "Your Temporary Access Pass has expired. Contact your administrator to obtain a new pass."
    },
    {
        "ErrorCode": "130505",
        "Message": "Your one-time Temporary Access Pass has been redeemed. Contact your admin to get a new pass."
    },
    {
        "ErrorCode": "130506",
        "Message": "Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass."
    },
    {
        "ErrorCode": "130507",
        "Message": "An access pass could not be found or verified for the user."
    },
    {
        "ErrorCode": "131000",
        "Message": "PublicIdentifier has an invalid GUID."
    },
    {
        "ErrorCode": "131001",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "131002",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "131003",
        "Message": "A transient error has occurred. Please try again."
    },
    {
        "ErrorCode": "131005",
        "Message": "Phone Entry not found during GetOneTimeCode request."
    },
    {
        "ErrorCode": "131006",
        "Message": "Public Identifier SAS Authentication has encountered a problem."
    },
    {
        "ErrorCode": "131008",
        "Message": "Trying to create credential from unvalidated PIA data."
    },
    {
        "ErrorCode": "131009",
        "Message": "Phone Number signin is not enabled for this tenant."
    },
    {
        "ErrorCode": "131010",
        "Message": "User not allowed by policy conditions."
    },
    {
        "ErrorCode": "131011",
        "Message": "A invalid input was entered."
    },
    {
        "ErrorCode": "131012",
        "Message": "This attempt to sign in has been throttled."
    },
    {
        "ErrorCode": "131100",
        "Message": "User account has to be a resource account to request a 'resource_account' grant type."
    },
    {
        "ErrorCode": "131101",
        "Message": "Resource Account key is malformed."
    },
    {
        "ErrorCode": "131102",
        "Message": "Resource Account key signature verification failed."
    },
    {
        "ErrorCode": "135000",
        "Message": "Fido signature verification failed."
    },
    {
        "ErrorCode": "135001",
        "Message": "UserPrincipal doesn't have the key ID configured."
    },
    {
        "ErrorCode": "135002",
        "Message": "Fido key does not have authenticator data."
    },
    {
        "ErrorCode": "135003",
        "Message": "Fido assertion verification failed. Invalid gesture provided."
    },
    {
        "ErrorCode": "135004",
        "Message": "Invalid postBackUrl parameter."
    },
    {
        "ErrorCode": "135005",
        "Message": "Invalid cancelUrl parameter."
    },
    {
        "ErrorCode": "135006",
        "Message": "Invalid resumeUrl parameter."
    },
    {
        "ErrorCode": "135007",
        "Message": "Client data type is not valid."
    },
    {
        "ErrorCode": "135008",
        "Message": "Relying Party Origin is not valid."
    },
    {
        "ErrorCode": "135009",
        "Message": "Flow Token Scenario must be login scenario."
    },
    {
        "ErrorCode": "135010",
        "Message": "UserPrincipal doesn't have the key ID configured."
    },
    {
        "ErrorCode": "135011",
        "Message": "Device used during the authentication is disabled."
    },
    {
        "ErrorCode": "135012",
        "Message": "UserObjectId from the UserHandle does not match with UserPrincipal UserObjectId."
    },
    {
        "ErrorCode": "135013",
        "Message": "Invalid UserHandle prefix."
    },
    {
        "ErrorCode": "135014",
        "Message": "Invalid UserHandle length."
    },
    {
        "ErrorCode": "135015",
        "Message": "The FIDO exclude list was not a valid JSON blob."
    },
    {
        "ErrorCode": "135016",
        "Message": "FIDO sign-in is disabled via policy."
    },
    {
        "ErrorCode": "135017",
        "Message": "Unexpected Signature Counter received from authenticator."
    },
    {
        "ErrorCode": "135018",
        "Message": "Invalid challenge received from fido assertion."
    },
    {
        "ErrorCode": "135019",
        "Message": "Expired Challenge received from Fido assertion."
    },
    {
        "ErrorCode": "135020",
        "Message": "Invalid Fido assertion."
    },
    {
        "ErrorCode": "135021",
        "Message": "Invalid UserHandle prefix."
    },
    {
        "ErrorCode": "135022",
        "Message": "Redirect uri provided by MSA is not valid."
    },
    {
        "ErrorCode": "140000",
        "Message": "Request nonce is expired. Current time: {curTime}, expiry time of assertion {expTime}."
    },
    {
        "ErrorCode": "140001",
        "Message": "The session key is not valid."
    },
    {
        "ErrorCode": "140002",
        "Message": "Key not found"
    },
    {
        "ErrorCode": "140003",
        "Message": "Nonce purpose not supported"
    },
    {
        "ErrorCode": "140004",
        "Message": "Invalid Ticket Granting Ticket request."
    },
    {
        "ErrorCode": "140005",
        "Message": "Invalid Ticket Granting Ticket request."
    },
    {
        "ErrorCode": "140006",
        "Message": "Invalid Ticket Granting Ticket request."
    },
    {
        "ErrorCode": "140007",
        "Message": "Invalid Ticket Granting Service request."
    },
    {
        "ErrorCode": "140008",
        "Message": "Invalid ApReq assertion provided."
    },
    {
        "ErrorCode": "160011",
        "Message": "Selected user account was invalid."
    },
    {
        "ErrorCode": "160021",
        "Message": "Application requested a user session which does not exist."
    },
    {
        "ErrorCode": "165000",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details.",
        "Remediation": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "165001",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "165002",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "165003",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "165004",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "165900",
        "Message": "Invalid request."
    },
    {
        "ErrorCode": "180001",
        "Message": "Cannot encrypt auth ticket with key version '{version}'."
    },
    {
        "ErrorCode": "180002",
        "Message": "Cannot decrypt buffer with key version '{version}'."
    },
    {
        "ErrorCode": "200000",
        "Message": "User object type ('{type}') not expected."
    },
    {
        "ErrorCode": "200001",
        "Message": "Authorization code redemption cannot be forked."
    },
    {
        "ErrorCode": "200121",
        "Message": "Unsupported WS-Federation message of type '{messageType}'."
    },
    {
        "ErrorCode": "200122",
        "Message": "Invalid WS-Federation message. {paramName} parameter is required."
    },
    {
        "ErrorCode": "219000",
        "Message": "Cannot open pfx. Pfx bytes or password is wrong."
    },
    {
        "ErrorCode": "220000",
        "Message": "Authenc: cache value is expired. Date: {expectedTime}, Now: {currentTime}."
    },
    {
        "ErrorCode": "220025",
        "Message": "Encryption key {version} not found."
    },
    {
        "ErrorCode": "220050",
        "Message": "The specified encryption key version override {num} was not found in the list of keys."
    },
    {
        "ErrorCode": "220100",
        "Message": "Authenc decryption failed."
    },
    {
        "ErrorCode": "220200",
        "Message": "Authenc incorrect version."
    },
    {
        "ErrorCode": "220450",
        "Message": "The Chrome WebView version is not supported.",
        "Remediation": "Developer issue - they should ensure that their app is using appropriate and supported webviews when signing in the user."
    },
    {
        "ErrorCode": "220501",
        "Message": "Unable to download CRL. Invalid or no response from CRL source {source}."
    },
    {
        "ErrorCode": "221000",
        "Message": "The resource is not configured to accept device-only tokens."
    },
    {
        "ErrorCode": "230000",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230002",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230003",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230004",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230005",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230006",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230007",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230008",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230009",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230010",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230011",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230012",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230013",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230014",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230015",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230016",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230017",
        "Message": "CCS couldn't find valid user data. Data could be missing, expired or invalid."
    },
    {
        "ErrorCode": "230018",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230019",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230020",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230021",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230022",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230023",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230024",
        "Message": "Empty cached credential cert list or failed to find valid cached credential cert."
    },
    {
        "ErrorCode": "230025",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230026",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230027",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230028",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230029",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230030",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230031",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230032",
        "Message": "User's mailbox has exceeded maximum mailbox size."
    },
    {
        "ErrorCode": "230033",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230034",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230035",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230036",
        "Message": "Internal use"
    },
    {
        "ErrorCode": "230037",
        "Message": "Required auth methods from cached token are not satisfied."
    },
    {
        "ErrorCode": "230038",
        "Message": "Retrieved token with unsupported auth methods (amr)."
    },
    {
        "ErrorCode": "230039",
        "Message": "Exchange Api Error."
    },
    {
        "ErrorCode": "230040",
        "Message": "Failed to load key from Torus."
    },
    {
        "ErrorCode": "230041",
        "Message": "Failed to load cert from machine."
    },
    {
        "ErrorCode": "230042",
        "Message": "Cannot find Service Key in cache."
    },
    {
        "ErrorCode": "230043",
        "Message": "Cannot find public cert shared by partners in cache."
    },
    {
        "ErrorCode": "230044",
        "Message": "Cannot find private cert owned by CCS in cache."
    },
    {
        "ErrorCode": "230045",
        "Message": "Password Cred not retrieved."
    },
    {
        "ErrorCode": "230046",
        "Message": "SDS BEToBEMisroute error"
    },
    {
        "ErrorCode": "230047",
        "Message": "SDS ErrorInternalServerError error"
    },
    {
        "ErrorCode": "230048",
        "Message": "SDS ApplicationThrottled error"
    },
    {
        "ErrorCode": "230049",
        "Message": "SDS ErrorADUnavailable error"
    },
    {
        "ErrorCode": "230050",
        "Message": "SDS ResourceUnhealthy error"
    },
    {
        "ErrorCode": "230051",
        "Message": "SDS ErrorItemNotFound error"
    },
    {
        "ErrorCode": "230052",
        "Message": "SDS ErrorTooManyObjectsOpened error"
    },
    {
        "ErrorCode": "230053",
        "Message": "SDS ErrorMailboxQuotaExceeded error"
    },
    {
        "ErrorCode": "230054",
        "Message": "SDS MailboxNotEnabledForRESTAPI error"
    },
    {
        "ErrorCode": "230055",
        "Message": "SDS ErrorConnectionFailed error"
    },
    {
        "ErrorCode": "230056",
        "Message": "SDS RequestBroker--ParseUri error"
    },
    {
        "ErrorCode": "230057",
        "Message": "SDS ErrorADOperation error"
    },
    {
        "ErrorCode": "230058",
        "Message": "SDS ErrorDataSourceOperation error"
    },
    {
        "ErrorCode": "230059",
        "Message": "SDS ErrorInternalServerTransientError error"
    },
    {
        "ErrorCode": "230060",
        "Message": "SDS ErrorInvalidProperty error"
    },
    {
        "ErrorCode": "230061",
        "Message": "Could not get enforcement event successfully"
    },
    {
        "ErrorCode": "230062",
        "Message": "Presented or requested primary refresh token could not be supported."
    },
    {
        "ErrorCode": "230063",
        "Message": "Remote forest discovery is not supported on restricted forests."
    },
    {
        "ErrorCode": "230064",
        "Message": "Exchange Api Error returned by SDS when tenant guid not found while storing tokens."
    },
    {
        "ErrorCode": "230065",
        "Message": "Exchange Api request timed out."
    },
    {
        "ErrorCode": "230066",
        "Message": "Exchange SDS requests timed out."
    },
    {
        "ErrorCode": "230067",
        "Message": "Exchange Auth Api requests timed out."
    },
    {
        "ErrorCode": "230068",
        "Message": "Exchange DsApi request timed out."
    },
    {
        "ErrorCode": "230069",
        "Message": "The Exchange Service returned a 503 Service Unavailable."
    },
    {
        "ErrorCode": "230070",
        "Message": "The Exchange SDS returned a 503 Service Unavailable."
    },
    {
        "ErrorCode": "230071",
        "Message": "The Exchange Auth Api returned a 503 Service Unavailable."
    },
    {
        "ErrorCode": "230072",
        "Message": "The Exchange DsApi returned a 503 Service Unavailable."
    },
    {
        "ErrorCode": "230073",
        "Message": "An Exchange Api error not defined in CCS"
    },
    {
        "ErrorCode": "230074",
        "Message": "An Exchange SDS Api error indicating invalid serialized access token"
    },
    {
        "ErrorCode": "230075",
        "Message": "An Exchange SDS Api error indicating mailbox or account cannot be accessed"
    },
    {
        "ErrorCode": "230076",
        "Message": "An Exchange SDS Api error indicating mailbox cannot be opened."
    },
    {
        "ErrorCode": "230077",
        "Message": "Error due to AD Topology Endpoint not found in CCS."
    },
    {
        "ErrorCode": "230078",
        "Message": "Error due to Collection not found in CCS."
    },
    {
        "ErrorCode": "230079",
        "Message": "Error due to not enough memory in CCS."
    },
    {
        "ErrorCode": "230080",
        "Message": "Skip cached credential storage."
    },
    {
        "ErrorCode": "230081",
        "Message": "CCS StoreProxy Returned Internal Server Error"
    },
    {
        "ErrorCode": "230082",
        "Message": "CCS StoreProxy Timed out"
    },
    {
        "ErrorCode": "230083",
        "Message": "There is insufficient Cafe Routing Info to forward call"
    },
    {
        "ErrorCode": "230084",
        "Message": "KVCache call failed with RPC error"
    },
    {
        "ErrorCode": "230085",
        "Message": "KVCacheClient failed to process request"
    },
    {
        "ErrorCode": "230086",
        "Message": "Call to KVCache timed out"
    },
    {
        "ErrorCode": "230087",
        "Message": "Call to KVCache timed out"
    },
    {
        "ErrorCode": "230088",
        "Message": "Key not found in KVCache"
    },
    {
        "ErrorCode": "230089",
        "Message": "Request is blocked by custom policy evaluation."
    },
    {
        "ErrorCode": "230090",
        "Message": "Request is blocked by resiliency defaults disablement."
    },
    {
        "ErrorCode": "230091",
        "Message": "Token posted from ESTS can not be validated by CCS"
    },
    {
        "ErrorCode": "230092",
        "Message": "SDS Error due to corrupt data."
    },
    {
        "ErrorCode": "230093",
        "Message": "SDS Error due to invalid decryption key."
    },
    {
        "ErrorCode": "230094",
        "Message": "SDS Error due to relocation of tenant to different forest than expected."
    },
    {
        "ErrorCode": "230095",
        "Message": "SDS Error due to collection creation progress."
    },
    {
        "ErrorCode": "230096",
        "Message": "SDS Error indicating that mailbox was quarantined and unable to be accessed."
    },
    {
        "ErrorCode": "230097",
        "Message": "SDS Error due to duplicate secondary key."
    },
    {
        "ErrorCode": "230098",
        "Message": "SDS Error indicating that CollectionId could not be found."
    },
    {
        "ErrorCode": "230099",
        "Message": "Lookup User Mailbox Id from DsApi failed with Not Found."
    },
    {
        "ErrorCode": "230100",
        "Message": "Lookup User Mailbox Id from DsApi timed out."
    },
    {
        "ErrorCode": "230101",
        "Message": "Attempt to access data at KVCache failed indicating issue with service."
    },
    {
        "ErrorCode": "230102",
        "Message": "Attempt to access data at KVCache failed due to invalid Key or Value data format."
    },
    {
        "ErrorCode": "240000",
        "Message": "Limit for BulkAADJ tokens is reached for the tenant."
    },
    {
        "ErrorCode": "240001",
        "Message": "User is not authorized to register devices in Azure AD."
    },
    {
        "ErrorCode": "240002",
        "Message": "Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant."
    },
    {
        "ErrorCode": "240003",
        "Message": "Unexpected result from authorize endpoint call."
    },
    {
        "ErrorCode": "240004",
        "Message": "Authorization code not received from authorize endpoint call. Error: {errorInfo}"
    },
    {
        "ErrorCode": "250001",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "250002",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "250003",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "250004",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "250005",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "250006",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "293001",
        "Message": "Invalid target-machine. RDP connection was initiated to a different target-machine."
    },
    {
        "ErrorCode": "293002",
        "Message": "Proof-of-possesion validation failed."
    },
    {
        "ErrorCode": "293003",
        "Message": "RDP protocol is not supported for the requested client or resource application."
    },
    {
        "ErrorCode": "293004",
        "Message": "The target-device identifier in the request {targetDeviceId} was not found in the tenant {tenantId}."
    },
    {
        "ErrorCode": "392100",
        "Message": "Unable to locate a user using the provided user information."
    },
    {
        "ErrorCode": "392101",
        "Message": "User has not set up remote sign-in with the Authenticator app."
    },
    {
        "ErrorCode": "392102",
        "Message": "The session tracking token has expired."
    },
    {
        "ErrorCode": "392103",
        "Message": "The user has not yet addressed the request in the Authenticator app. Continue polling."
    },
    {
        "ErrorCode": "392104",
        "Message": "The authorization state is in an unexpected state."
    },
    {
        "ErrorCode": "392105",
        "Message": "The 'auth_req_id' provided is invalid."
    },
    {
        "ErrorCode": "392106",
        "Message": "The 'client_id' provided does not match the client ID provided to the /bc-authorize endpoint."
    },
    {
        "ErrorCode": "400051",
        "Message": "Malformed token received from external Identity Provider."
    },
    {
        "ErrorCode": "400131",
        "Message": "Claims Provider Federation disabled."
    },
    {
        "ErrorCode": "500011",
        "Message": "The resource principal named {name} was not found in the tenant named {tenant}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.",
        "Remediation": "Developer error - the app requested access to a resource (application) that isn't installed in your tenant. If you expect the app to be installed, you may need to provide administrator permissions to add it. Check with the developers of the resource and application to understand what the right setup for your tenant is."
    },
    {
        "ErrorCode": "500012",
        "Message": "Resource application name '{name}' is not valid."
    },
    {
        "ErrorCode": "500013",
        "Message": "Resource identifier is not provided."
    },
    {
        "ErrorCode": "500014",
        "Message": "The service principal for resource '{identifier}' is disabled. This indicate that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it."
    },
    {
        "ErrorCode": "500015",
        "Message": "MSA provisioned resources are not supported in the tenant named {tenant}."
    },
    {
        "ErrorCode": "500021",
        "Message": "Access to '{tenant}' tenant is denied.",
        "Remediation": "Please contact your IT department."
    },
    {
        "ErrorCode": "500022",
        "Message": "Access to '{tenant}' tenant is denied.",
        "Remediation": "Please contact your IT department."
    },
    {
        "ErrorCode": "500023",
        "Message": "'{headerFromCredential}' is not the same as '{headerFromRequest}'.",
        "Remediation": "A refresh token was received that was controlled under a different tenant restrictions policy than what was received on the request header. To prevent data leakage and bypass of security controls, the request was blocked. Users will need to sign out and sign back in to reset the tenant restrictions policy in their refresh token. This may not be possible if their device enforces one restriction, but the network they're on enforces another."
    },
    {
        "ErrorCode": "500024",
        "Message": "Conflicting tenant restrictions signals received by the server on the login request. The header indicated '{headerFromRequest}' while the application added a claims request for '{headerFromClaims}'. This can indicate conflicting network and device policies, which Azure AD does not support."
    },
    {
        "ErrorCode": "500025",
        "Message": "Conflicting tenant restrictions signals received by the server from a claims request. The header from the Id Token '{headerFromIdToken}' is different than the header from the access token '{headerFromAccessToken}'."
    },
    {
        "ErrorCode": "500031",
        "Message": "Cannot find signing certificate configured."
    },
    {
        "ErrorCode": "500032",
        "Message": "Cannot find signing certificate/private key to issue a certificate."
    },
    {
        "ErrorCode": "500061",
        "Message": "Assertion failed signature validation.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "500062",
        "Message": "Enveloped Signature Transform cannot be the last transform in the chain. The last transform must compute the digest which Enveloped Signature transform is not capable of."
    },
    {
        "ErrorCode": "500063",
        "Message": "The '{type}' input type is not supported for the transform."
    },
    {
        "ErrorCode": "500064",
        "Message": "The required attribute Algorithm in the element '{name}' is missing."
    },
    {
        "ErrorCode": "500065",
        "Message": "Enveloped Signature Transform does not support the algorithm '{algo}'."
    },
    {
        "ErrorCode": "500066",
        "Message": "Cannot resolve the '{uri}' URI in the signature to compute the digest."
    },
    {
        "ErrorCode": "500067",
        "Message": "Invalid signature. Cannot create a hash or a keyed hash algorithm using the '{method}' signature method."
    },
    {
        "ErrorCode": "500068",
        "Message": "Invalid signature. Cannot create a signature deformatter for the '{method}' signature method."
    },
    {
        "ErrorCode": "500069",
        "Message": "The element with ID '{id}' was either unsigned or the signature was invalid."
    },
    {
        "ErrorCode": "500081",
        "Message": "SAML assertion validation failed: no supported token signature is provided."
    },
    {
        "ErrorCode": "500082",
        "Message": "SAML assertion is not present in the token."
    },
    {
        "ErrorCode": "500083",
        "Message": "Unable to verify token signature. No trusted realm was found with identifier '{issuer}'."
    },
    {
        "ErrorCode": "500084",
        "Message": "Cannot read SecurityToken. Expected element is ({expectedName}, {expectedNamespace}) the actual element is ({localName}, {actualNamespace})."
    },
    {
        "ErrorCode": "500085",
        "Message": "SAML Assertion with MajorVersion '{actualMajor}' and MinorVersion '{actualMinor}' is not supported. The supported version is MajorVersion '{major}' and MinorVersion '{minor}'."
    },
    {
        "ErrorCode": "500086",
        "Message": "SAML Assertion AssertionId '{id}' is not a valid xsd:ID value."
    },
    {
        "ErrorCode": "500087",
        "Message": "SAML Assertion does not have any SAML Statement elements. SAML Assertion must have at least one SAML Statement element."
    },
    {
        "ErrorCode": "500088",
        "Message": "SAML Assertion is missing the required '{name}' Attribute."
    },
    {
        "ErrorCode": "500089",
        "Message": "SAML 2.0 assertion validation failed: {details}"
    },
    {
        "ErrorCode": "500101",
        "Message": "Audience URI validation failed. No token audiences were found."
    },
    {
        "ErrorCode": "500102",
        "Message": "Audience URI validation failed. No allowed audiences are configured."
    },
    {
        "ErrorCode": "500103",
        "Message": "Validation of Audience URI(s) {uri} failed. No match was found with allowed audience(s) {audience}."
    },
    {
        "ErrorCode": "500111",
        "Message": "The reply uri specified in the request has an invalid scheme."
    },
    {
        "ErrorCode": "500112",
        "Message": "The reply address '{actual}' does not match the reply address '{provided}' provided when requesting Authorization code."
    },
    {
        "ErrorCode": "500113",
        "Message": "No reply address is registered for the application{idPhrase}."
    },
    {
        "ErrorCode": "500114",
        "Message": "Protocol not specified for reply address validation."
    },
    {
        "ErrorCode": "500115",
        "Message": "The reply uri specified in the request is missing or not a valid URL."
    },
    {
        "ErrorCode": "500116",
        "Message": "The reply uri specified in the request is not a valid URL. Allowed schemes: '{schemes}'."
    },
    {
        "ErrorCode": "500117",
        "Message": "The reply uri specified in the request isn't using a secure scheme."
    },
    {
        "ErrorCode": "500118",
        "Message": "The reply uri specified in the request failed validation. The reply uri host must match one of the registered DNS host names '{host}' for site with ID '{id}'."
    },
    {
        "ErrorCode": "500119",
        "Message": "Redirect URIs with urn: schemes are prohibited. Use a different scheme, or https://login.microsoftonline.com/common/oauth2/nativeclient"
    },
    {
        "ErrorCode": "500121",
        "Message": "Authentication failed during strong authentication request.",
        "Remediation": "The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or has an issue with their authentication setup."
    },
    {
        "ErrorCode": "500122",
        "Message": "SWT assertion failed signature validation. Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "500123",
        "Message": "SWT assertion failed signature validation. Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "500124",
        "Message": "No device secret is provisioned in the store."
    },
    {
        "ErrorCode": "500125",
        "Message": "Invalid device secret is provided."
    },
    {
        "ErrorCode": "500126",
        "Message": "External ID token from issuer '{issuer}' failed signature verification. KeyID of token is '{identifier}'."
    },
    {
        "ErrorCode": "500127",
        "Message": "No authenticated credentials found in request."
    },
    {
        "ErrorCode": "500128",
        "Message": "No session key found."
    },
    {
        "ErrorCode": "500129",
        "Message": "No NGC transport key found."
    },
    {
        "ErrorCode": "500131",
        "Message": "Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was '{tokenAudience}' and the expected audience is '{expectedAudience}' or one of the Application Uris of this application with App ID '{appId}'({appName}). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.",
        "Remediation": "Assertion is invalid because of various reasons:      - The token issuer doesn't match the api version within its valid time range      - Expired      - Malformed      - Refresh token in the assertion is not a primary refresh token"
    },
    {
        "ErrorCode": "500132",
        "Message": "Assertion is malformed and cannot be read.",
        "Remediation": "Assertion is invalid because of various reasons:      - The token issuer doesn't match the api version within its valid time range      - Expired      - Malformed      - Refresh token in the assertion is not a primary refresh token"
    },
    {
        "ErrorCode": "500133",
        "Message": "Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: {curTime}, expiry time of assertion {expTime}.",
        "Remediation": "Assertion is invalid because of various reasons:      - The token issuer doesn't match the api version within its valid time range      - Expired      - Malformed      - Refresh token in the assertion is not a primary refresh token"
    },
    {
        "ErrorCode": "500135",
        "Message": "Authentication code is missing in the assertion."
    },
    {
        "ErrorCode": "500136",
        "Message": "The token issuer doesn't match the api version: A version 2 token can only be used with the v2 endpoint."
    },
    {
        "ErrorCode": "500137",
        "Message": "The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint."
    },
    {
        "ErrorCode": "500138",
        "Message": "No Refresh Token claim provided in the assertion."
    },
    {
        "ErrorCode": "500139",
        "Message": "Refresh token in the assertion is not a primary refresh token."
    },
    {
        "ErrorCode": "500171",
        "Message": "Certificate has been revoked."
    },
    {
        "ErrorCode": "500172",
        "Message": "Certificate '{name}' issued by '{issuer}' is not valid. Current time: '{curTime}'. Certificate NotBefore: '{startTime}'. Certificate NotAfter: '{endTime}'."
    },
    {
        "ErrorCode": "500173",
        "Message": "Unable to download CRL. Invalid status code {code} from CRL distribution point."
    },
    {
        "ErrorCode": "500174",
        "Message": "Unable to construct valid CRL from response."
    },
    {
        "ErrorCode": "500175",
        "Message": "Unable to find expected CrlSegment."
    },
    {
        "ErrorCode": "500176",
        "Message": "Cannot find issuing certificate in trusted certificates list."
    },
    {
        "ErrorCode": "500177",
        "Message": "Delta CRL distribution point is configured without a corresponding CRL distribution point."
    },
    {
        "ErrorCode": "500178",
        "Message": "Unable to retrieve valid CRL segments for {type}. Please try again later."
    },
    {
        "ErrorCode": "500179",
        "Message": "CRL validation timed out. Please try again later."
    },
    {
        "ErrorCode": "500180",
        "Message": "No TLS certificate was provided."
    },
    {
        "ErrorCode": "500181",
        "Message": "The TLS certificate provided does not match the certificate in the assertion."
    },
    {
        "ErrorCode": "500182",
        "Message": "The issuing certificate authority failed to validate because it is missing the required subject key identifier extension."
    },
    {
        "ErrorCode": "500183",
        "Message": "Certificate has been revoked."
    },
    {
        "ErrorCode": "500200",
        "Message": "User account '{email}' is a consumer account. Consumer guest accounts cannot sign in using the /common authority of the v1 endpoint - the app must specify which tenant authority to sign the user into."
    },
    {
        "ErrorCode": "500201",
        "Message": "We are unable to issue tokens from this API version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."
    },
    {
        "ErrorCode": "500202",
        "Message": "User account '{email}' from external identity provider '{idp}' is not supported for API version '{version}'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint."
    },
    {
        "ErrorCode": "500204",
        "Message": "Microsoft account '{email}' can’t be used to log in to application {appName}. Please get this user invited to {tenant} directory or sign out and sign in again with a Work or School account."
    },
    {
        "ErrorCode": "500205",
        "Message": "A consumer (B2C) account can't be used to log into non consumer applications."
    },
    {
        "ErrorCode": "500212",
        "Message": "The user's administrator has set an outbound access policy that does not allow access to the resource tenant.",
        "Remediation": "The user's administrator must update their cross-tenant access policy to allow access to the resource tenant."
    },
    {
        "ErrorCode": "500213",
        "Message": "The resource tenant's cross-tenant access policy does not allow this user to access this tenant.",
        "Remediation": "This block occurred due to the resource tenant's cross-tenant access policy. Contact that tenant's administrator to ensure that these users are allowed access."
    },
    {
        "ErrorCode": "500241",
        "Message": "The reader is not positioned on an EncryptedKey element that can be read."
    },
    {
        "ErrorCode": "500242",
        "Message": "A ReferenceList must contain at least one reference, none were found."
    },
    {
        "ErrorCode": "500243",
        "Message": "The reader is not positioned on a KeyReference. XmlEnc specifies that once a KeyReference is found only a KeyReference must exist."
    },
    {
        "ErrorCode": "500244",
        "Message": "The reader is not positioned on a DataReference. XmlEnc specifies that once a DataReference is found only a DataReference must exist."
    },
    {
        "ErrorCode": "500245",
        "Message": "The key identifier must be set before writing the encrypted data element."
    },
    {
        "ErrorCode": "500246",
        "Message": "The reader is not positioned on an EncryptedData element that can be read."
    },
    {
        "ErrorCode": "500247",
        "Message": "No CipherData present in EncryptedData element."
    },
    {
        "ErrorCode": "500248",
        "Message": "The reader is not positioned on a CipherData element that can be read."
    },
    {
        "ErrorCode": "500251",
        "Message": "The issuer name cannot be {name}."
    },
    {
        "ErrorCode": "500252",
        "Message": "The issuer name is too long, maximum length is {length}."
    },
    {
        "ErrorCode": "500271",
        "Message": "ID Token doesn't contain nonce claim."
    },
    {
        "ErrorCode": "500272",
        "Message": "ID Token doesn't contain sub claim."
    },
    {
        "ErrorCode": "500273",
        "Message": "Invalid JWT token. Subject identifier mismatch."
    },
    {
        "ErrorCode": "500274",
        "Message": "ID Token doesn't contain expected claim: {claim}."
    },
    {
        "ErrorCode": "500275",
        "Message": "Duplicated claim found in ID Token claims."
    },
    {
        "ErrorCode": "500276",
        "Message": "Token presented by external Identity Provider has failed signature validation."
    },
    {
        "ErrorCode": "500277",
        "Message": "External ID Token has unexpected issuer: {issuer}."
    },
    {
        "ErrorCode": "500278",
        "Message": "External ID Token issued to unexpected audience: {audience}."
    },
    {
        "ErrorCode": "500279",
        "Message": "External ID Token is not within its valid time range. Current time: {curTime}, expiry time of assertion {expTime}."
    },
    {
        "ErrorCode": "500301",
        "Message": "The audience {audience} in assertion is not included in forwardableOnBehalfOfOriginsAcceptedAudiencesList for PFT OBO flow.",
        "Remediation": "The application owner must update their app registration to indicate that this is an expected audience."
    },
    {
        "ErrorCode": "500302",
        "Message": "The client id {appId} in subassertion (actor token) is not included in forwardableOnBehalfOfOriginsAcceptedPrecedingAppsList for PFT OBO flow.",
        "Remediation": "The app owner must update the app registration to include the appid as an expected sender of PFTs."
    },
    {
        "ErrorCode": "500303",
        "Message": "The Audience {audience} in Jwt Subassertion does not match the client."
    },
    {
        "ErrorCode": "500331",
        "Message": "An error occurred while attempting to create a certificate from bytes."
    },
    {
        "ErrorCode": "500341",
        "Message": "The user account {identifier} has been deleted from the {tenant} directory. To sign into this application, the account must be added to the directory.",
        "Remediation": "To sign into this application, the account must be added to the directory. If the user account is deleted from the tenant, see these docs to restore the user: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-restore"
    },
    {
        "ErrorCode": "500342",
        "Message": "User account is not configured for remote NGC."
    },
    {
        "ErrorCode": "500343",
        "Message": "Could not create remote sign-in session."
    },
    {
        "ErrorCode": "500344",
        "Message": "User Account is not found for Fido Sign in flow."
    },
    {
        "ErrorCode": "500346",
        "Message": "E-Mail OTP user cannot sign in with local password."
    },
    {
        "ErrorCode": "500501",
        "Message": "Invalid value for '{apiVersion}'."
    },
    {
        "ErrorCode": "500502",
        "Message": "Expected exactly one of '{issuer}' and '{authEndpoint}'."
    },
    {
        "ErrorCode": "500531",
        "Message": "The sign-in was blocked because it came from an IP blocked for legal reasons.",
        "Remediation": "The sign-in was blocked because it came from an IP blocked for legal reasons."
    },
    {
        "ErrorCode": "500571",
        "Message": "The guest user account is disabled.",
        "Remediation": "The guest user object in Active Directory backing this account has been disabled. An admin can re-enable this account through Powershell: https://docs.microsoft.com/powershell/module/addsadministration/enable-adaccount?view=win10-ps"
    },
    {
        "ErrorCode": "500581",
        "Message": "Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires javascript to verify if any MSA accounts are signed in.",
        "Remediation": "Intermediate step during SSO, and does not represent an error"
    },
    {
        "ErrorCode": "500582",
        "Message": "Microsoft Account session_id with prompt=none not supported on AAD tenant."
    },
    {
        "ErrorCode": "500583",
        "Message": "Storage Access required."
    },
    {
        "ErrorCode": "500761",
        "Message": "Due to a configuration change made by your administrator, or because you moved to a new location, the service principal '{servicePrincipal}' must use a certificate for authentication to access '{resource}'.",
        "Remediation": "Service principal needs to perform multi-factor authentication by using certificate."
    },
    {
        "ErrorCode": "500881",
        "Message": "Limit on telecom MFA calls reached. Please retry with PhoneAppNotification or try again in a few minutes."
    },
    {
        "ErrorCode": "500882",
        "Message": "Limit on telecom MFA calls reached. Please retry with PhoneAppCode or try again in a few minutes."
    },
    {
        "ErrorCode": "500981",
        "Message": "Malformed JWT token."
    },
    {
        "ErrorCode": "500982",
        "Message": "Unexpected field '{field}' in JWT header."
    },
    {
        "ErrorCode": "500983",
        "Message": "JWT header must contain '{field}'."
    },
    {
        "ErrorCode": "500984",
        "Message": "Unsupported signing algorithm."
    },
    {
        "ErrorCode": "500985",
        "Message": "Unexpected JWT token header type."
    },
    {
        "ErrorCode": "500986",
        "Message": "Unexpected field '{field}' in JWT body."
    },
    {
        "ErrorCode": "500991",
        "Message": "Unexpected AuthToken audience. Expected token audience: '{expected}', Actual token audience: '{actual}'."
    },
    {
        "ErrorCode": "500992",
        "Message": "Public Key Authentication assertion signature is invalid."
    },
    {
        "ErrorCode": "501051",
        "Message": "Application '{appId}'({appName}) is not assigned to a role for the application '{resourceId}'({resourceName})."
    },
    {
        "ErrorCode": "501111",
        "Message": "JWT tokens are not supported by FederatedAppsClaimsTransformer."
    },
    {
        "ErrorCode": "501201",
        "Message": "Unexpected claim(s) in JWT: {claims}."
    },
    {
        "ErrorCode": "501202",
        "Message": "Unexpected grant type in JWT."
    },
    {
        "ErrorCode": "501203",
        "Message": "Nonce is required in JWT."
    },
    {
        "ErrorCode": "501204",
        "Message": "Malformed JWT."
    },
    {
        "ErrorCode": "501205",
        "Message": "Unexpected field '{name}' in JWT header."
    },
    {
        "ErrorCode": "501206",
        "Message": "JWT header must contain '{name}'."
    },
    {
        "ErrorCode": "501207",
        "Message": "Unsupported algorithm."
    },
    {
        "ErrorCode": "501208",
        "Message": "Unexpected JWT token type."
    },
    {
        "ErrorCode": "501209",
        "Message": "JWT signature is invalid."
    },
    {
        "ErrorCode": "501210",
        "Message": "Assertion is null or empty."
    },
    {
        "ErrorCode": "501241",
        "Message": "Mandatory Input '{paramName}' missing from transformation id '{transformId}'."
    },
    {
        "ErrorCode": "501242",
        "Message": "ClaimsTransformations with ID '{identifier}' contains an unsupported InputClaim.Source '{source}'."
    },
    {
        "ErrorCode": "501271",
        "Message": "Broker app needs to be installed for device authentication to succeed."
    },
    {
        "ErrorCode": "501291",
        "Message": "Client app is a Mam app, device is not registered and request is sent using a broker. Work place join needs to be done to register the device before the app can be accessed."
    },
    {
        "ErrorCode": "501292",
        "Message": "Client application cannot satisfy app protection requirement. If it's a first party app, then it's not whitelisted to be used with app protection policies, otherwise, the app has not advertised as app-compliant capable, or the authentication library used does not support app protection policies."
    },
    {
        "ErrorCode": "501311",
        "Message": "Browser not supported."
    },
    {
        "ErrorCode": "501312",
        "Message": "Device used during the authentication is not registered for the account."
    },
    {
        "ErrorCode": "501313",
        "Message": "Your device is required to be managed to access this resource."
    },
    {
        "ErrorCode": "501314",
        "Message": "Silent interrupt required to recognize browser capabilities. Used to differentiate between Safari running in iPadOS or Mac.",
        "Remediation": "No action required, this is expected as part of determining device identities due to application or conditional access requirements."
    },
    {
        "ErrorCode": "501431",
        "Message": "Session is invalid due to different resource."
    },
    {
        "ErrorCode": "501461",
        "Message": "AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key."
    },
    {
        "ErrorCode": "501471",
        "Message": "Missing code_challenge parameter."
    },
    {
        "ErrorCode": "501481",
        "Message": "The Code_Verifier does not match the code_challenge supplied in the authorization request."
    },
    {
        "ErrorCode": "501482",
        "Message": "The Code_Verifier length is less than invalid."
    },
    {
        "ErrorCode": "501491",
        "Message": "Invalid size of Code_Challenge parameter."
    },
    {
        "ErrorCode": "501571",
        "Message": "User routing cookie missing."
    },
    {
        "ErrorCode": "501591",
        "Message": "Missing claim requested to external provider."
    },
    {
        "ErrorCode": "501592",
        "Message": "idToken doesn't contain expected claim: '{claim}'."
    },
    {
        "ErrorCode": "501593",
        "Message": "Value of {type} claim in idToken: {value} doesn't match expected values: {expected}"
    },
    {
        "ErrorCode": "501621",
        "Message": "Regular expression replacement for claims transformation has timed out. This indicates a too complex regular expression may have been configured for this application. A retry of the request may succeed. Otherwise, please contact your admin to fix the configuration."
    },
    {
        "ErrorCode": "501631",
        "Message": "Regular expression replacement for claims transformation results in too many replacements in the input sourceClaim. Please contact your admin to fix the configuration."
    },
    {
        "ErrorCode": "501632",
        "Message": "Regular expression replacement for claims transformation has too many substitution parameters in the replacement input parameter. Please contact your admin to fix the configuration."
    },
    {
        "ErrorCode": "501661",
        "Message": "Request to External OIDC endpoint failed."
    },
    {
        "ErrorCode": "501791",
        "Message": "Client_info is only supported for MSAL/ADAL, please ensure that MSAL/ADAL custom headers are being sent."
    },
    {
        "ErrorCode": "501811",
        "Message": "No otp for the given tenant/user."
    },
    {
        "ErrorCode": "501831",
        "Message": "Cannot generate more one time passcode due to cache exception."
    },
    {
        "ErrorCode": "501941",
        "Message": "Resource '{resourceId}'({resourceName}) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '{time}'. Use a tenant-specific endpoint or configure the application to be multi-tenant."
    },
    {
        "ErrorCode": "510001",
        "Message": "Cannot meet the requirements stated in the request."
    },
    {
        "ErrorCode": "530001",
        "Message": "Browser not supported.",
        "Remediation": "The user is using a browser that does not support device identification so the device state is unknown. Access to the resource requires a compliant device. To see a list of browsers that support device identification, see https://docs.microsoft.com/azure/active-directory/conditional-access/technical-reference#supported-browsers"
    },
    {
        "ErrorCode": "530002",
        "Message": "Your device is required to be compliant to access this resource.",
        "Remediation": "The requested resource can only be accessed using a compliant device. The user is using a device already managed by a Mobile-Device-Management (MDM) agent like Intune, but it's not being reported as compliant yet. The user could check with your MDM provider on how to become compliant. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation"
    },
    {
        "ErrorCode": "530003",
        "Message": "Your device is required to be managed to access this resource.",
        "Remediation": "The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation"
    },
    {
        "ErrorCode": "530004",
        "Message": "AcceptCompliantDevice setting isn't configured for this organization. The admin needs to configure this setting to allow external users access to protected resources.",
        "Remediation": "AcceptCompliantDevice setting isn't configured for this organization. The admin needs to configure this setting to allow external users access to protected resources."
    },
    {
        "ErrorCode": "530011",
        "Message": "Browser not supported.",
        "Remediation": "The user is using a browser that does not support device identification so the device state is unknown. Access to the resource requires a Hybrid Azure AD joined device. To see a list of browsers that support device identification, see https://docs.microsoft.com/azure/active-directory/conditional-access/technical-reference#supported-browsers"
    },
    {
        "ErrorCode": "530021",
        "Message": "Application does not meet the conditional access approved app requirements.",
        "Remediation": "Application used is not an approved application for conditional access. User needs to use one of the apps from the list of approved applications to use in order to get access. To see a list of approved apps, see https://docs.microsoft.com/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement"
    },
    {
        "ErrorCode": "530022",
        "Message": "Browser not supported.",
        "Remediation": "Application used is not an approved application for conditional access. User needs to use one of the apps from the list of approved applications to use in order to get access. To see a list of approved apps, see https://docs.microsoft.com/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement"
    },
    {
        "ErrorCode": "530031",
        "Message": "Access policy does not allow token issuance.",
        "Remediation": "A classic conditional access policy, or a policy from Azure AD Identity Protection, prevented this resource from being accessed. View the Conditional Access information for this request in the sign-in logs for more details about the policy applied here."
    },
    {
        "ErrorCode": "530032",
        "Message": "User blocked due to risk on home tenant.",
        "Remediation": "If this user is risky in your tenant, learn more here: aka.ms/unblockrisk. If this is a guest user, learn more here: aka.ms/riskyguestuser."
    },
    {
        "ErrorCode": "530033",
        "Message": "Remote device flow blocked due to device based conditional access.",
        "Remediation": "This request is authorizing a remote device, and there is a conditional access policy that requires device authentication. The request is blocked because we cannot assert the properties of the remote device. View the Conditional Access information for this request in the sign-in logs for more details about the policy applied here."
    },
    {
        "ErrorCode": "530034",
        "Message": "A delegated administrator was blocked from accessing the tenant due to account risk.",
        "Remediation": "Azure AD blocked delegated administrator access due to account risk in their home tenant."
    },
    {
        "ErrorCode": "530081",
        "Message": "Managed browser or Microsoft Edge is required for device registration to succeed."
    },
    {
        "ErrorCode": "530082",
        "Message": "Workplace join is required to register the device.",
        "Remediation": "User is required to add their work account to the device. To learn more, see https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation"
    },
    {
        "ErrorCode": "600071",
        "Message": "An error occurred while attempting to create a certificate from bytes."
    },
    {
        "ErrorCode": "650011",
        "Message": "The user or administrator has not consented to use the application with ID '{identifier}'{namePhrase}. Send an interactive authorization request for this user and resource. Alternatively, the Application URI {uri} for the App:'{appId}'{name} in the tenant '{tenant}' might be in conflict with the Application URI for the multitenant app '{conflict}'. Update the registered Application URI to something else to avoid the conflict."
    },
    {
        "ErrorCode": "650041",
        "Message": "User terminated the request."
    },
    {
        "ErrorCode": "650051",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "650052",
        "Message": "The app needs access to a service ('{name}') that your organization '{organization}' has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.",
        "Remediation": "Contact your IT Admin to review the configuration of your service subscriptions."
    },
    {
        "ErrorCode": "650053",
        "Message": "The application '{name}' asked for scope '{scope}' that doesn't exist on the resource '{resource}'. Contact the app vendor."
    },
    {
        "ErrorCode": "650054",
        "Message": "The application '{name}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."
    },
    {
        "ErrorCode": "650055",
        "Message": "The application '{name}' required resource access list does not contain applications discoverable by '{resource}'."
    },
    {
        "ErrorCode": "650056",
        "Message": "Misconfigured application. This could be due to one of the following: the client has not listed any permissions for '{name}' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: {id}.",
        "Remediation": "Please contact your admin to fix the configuration or consent on behalf of the tenant."
    },
    {
        "ErrorCode": "650057",
        "Message": "Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: {appId}({appName}). Resource value from request: {resource}. Resource app ID: {resourceAppId}. List of valid resources from app registration: {regList}."
    },
    {
        "ErrorCode": "650058",
        "Message": "The app needs access to a service that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions."
    },
    {
        "ErrorCode": "650061",
        "Message": "Requested permission ID: '{permissionId}' in the resource access for client '{clientId}' has an invalid type. Please followup with the owner of Resource '{resourceId}' to fix the resource entitlement configuration."
    },
    {
        "ErrorCode": "699981",
        "Message": "OfficeS2S delegation service endpoints are not supported for calling application '{appId}'({appName})."
    },
    {
        "ErrorCode": "700001",
        "Message": "Application: {samlAudience} needs to opt-in for 'aio' optional claim for On Behalf Of flow to work with SAML tokens issued to this application",
        "Remediation": "Invalid grant due to the following reasons:      - Requested SAML 2.0 assertion has invalid Subject Confirmation Method      - Application On-Behalf-Of flow is not supported on V2      - Primary refresh token is not signed with session key      - Invalid external refresh token      - The access grant was obtained for a different tenant"
    },
    {
        "ErrorCode": "700002",
        "Message": "SAML 1.1 Bearer assertion must be a valid Base64 encoded value."
    },
    {
        "ErrorCode": "700003",
        "Message": "Device object was not found in the tenant '{tenantName}' directory.",
        "Remediation": "Invalid grant due to the following reasons:      - Requested SAML 2.0 assertion has invalid Subject Confirmation Method      - Application On-Behalf-Of flow is not supported on V2      - Primary refresh token is not signed with session key      - Invalid external refresh token      - The access grant was obtained for a different tenant"
    },
    {
        "ErrorCode": "700004",
        "Message": "onpremobjectguid '{objGuid}' attribute in the presented grant is malformed.",
        "Remediation": "Invalid grant due to the following reasons:      - Requested SAML 2.0 assertion has invalid Subject Confirmation Method      - Application On-Behalf-Of flow is not supported on V2      - Primary refresh token is not signed with session key      - Invalid external refresh token      - The access grant was obtained for a different tenant"
    },
    {
        "ErrorCode": "700005",
        "Message": "Provided Authorization Code is intended to use against other tenant, thus rejected.",
        "Remediation": "OAuth2 Authorization Code must be redeemed against same tenant it was acquired for."
    },
    {
        "ErrorCode": "700006",
        "Message": "The Audience: {audience} of the token is NOT an absolute Uri"
    },
    {
        "ErrorCode": "700007",
        "Message": "The grant was issued for a different client id."
    },
    {
        "ErrorCode": "700008",
        "Message": "Social IDP users are not expected to have home tenant."
    },
    {
        "ErrorCode": "700009",
        "Message": "Reply address must be provided when presenting an authorization code requested with an explicit reply address."
    },
    {
        "ErrorCode": "700011",
        "Message": "Application with identifier {appIdentifier} was not found in the directory.",
        "Remediation": "A client application requested a token from your tenant, but the client app doesn't exist in your tenant, so the call failed."
    },
    {
        "ErrorCode": "700012",
        "Message": "Missing Authorization header with bearer token. Client was not authenticated."
    },
    {
        "ErrorCode": "700013",
        "Message": "Client is not authorized to request managed browser purpose token."
    },
    {
        "ErrorCode": "700014",
        "Message": "Mobile Edge app needs to provide an enrollment id in order to acquire a purpose token that can satisfy the compliant app requirement."
    },
    {
        "ErrorCode": "700016",
        "Message": "Application with identifier '{appIdentifier}' was not found in the directory '{tenantName}'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.",
        "Remediation": "The application named X was not found in the tenant named Y. This can happen if the application with identifier X has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have misconfigured the Identifier value for the application or sent your authentication request to the wrong tenant"
    },
    {
        "ErrorCode": "700017",
        "Message": "{resourceConstant} '{resourceIdentifier}' is not supported as resource."
    },
    {
        "ErrorCode": "700018",
        "Message": "{resourceConstant} '{resourceIdentifier}' is not supported as resource."
    },
    {
        "ErrorCode": "700019",
        "Message": "Application ID {identifier} cannot be used or is not authorized."
    },
    {
        "ErrorCode": "700020",
        "Message": "Application ID {identifier} is a reserverd identifier and should be removed on the application: {applicationId}."
    },
    {
        "ErrorCode": "700021",
        "Message": "Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "700022",
        "Message": "No Subject claim provided in the assertion. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials ."
    },
    {
        "ErrorCode": "700023",
        "Message": "Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials ."
    },
    {
        "ErrorCode": "700024",
        "Message": "Client assertion is not within its valid time range. Current time: {curTime}, expiry time of assertion {expTime}. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .",
        "Remediation": "The app used an expired client assertion. It needs to be updated in the Azure Portal to generate a new client secret or certificate."
    },
    {
        "ErrorCode": "700025",
        "Message": "Client is public so neither 'client_assertion' nor 'client_secret' should be presented."
    },
    {
        "ErrorCode": "700026",
        "Message": "Client application has no configured keys."
    },
    {
        "ErrorCode": "700027",
        "Message": "Client assertion failed signature validation.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "700028",
        "Message": "Certificate with thumbprint {thumbprint} is not authorized.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "700029",
        "Message": "Invalid signing certificate."
    },
    {
        "ErrorCode": "700030",
        "Message": "Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: {certificateSubjects}."
    },
    {
        "ErrorCode": "700031",
        "Message": "Invalid certificate - SubjectName or SubjectAlternativeName is missing"
    },
    {
        "ErrorCode": "700032",
        "Message": "Invalid certificate - Trusted Certificate Subjects for application are missing"
    },
    {
        "ErrorCode": "700033",
        "Message": "Client assertion should declare both custom_claims and xms_actor_token claims when overriding managed resource ID."
    },
    {
        "ErrorCode": "700034",
        "Message": "Client assertion contains an invalid xms_actor_token claim."
    },
    {
        "ErrorCode": "700035",
        "Message": "Client assertion contains custom_claims in the incorrect format."
    },
    {
        "ErrorCode": "700036",
        "Message": "Client is not authorized to override managed identity claim in the token."
    },
    {
        "ErrorCode": "700037",
        "Message": "Client assertion must declare x5c header when overriding managed resource ID."
    },
    {
        "ErrorCode": "700038",
        "Message": "00000000-0000-0000-0000-000000000000 is not a valid application identifier."
    },
    {
        "ErrorCode": "700039",
        "Message": "00000000-0000-0000-0000-000000000000 is not a valid resource identifier"
    },
    {
        "ErrorCode": "700040",
        "Message": "Managed Resource ID '{inputManagedResourceId}' is not a valid resource identifier."
    },
    {
        "ErrorCode": "700041",
        "Message": "Post-logout redirect uri is not in approved list. Requested post-logout url: {url}."
    },
    {
        "ErrorCode": "700042",
        "Message": "The reply address does not match the reply addresses configured for the application."
    },
    {
        "ErrorCode": "700043",
        "Message": "The redirect address '{address}' does not match the redirect addresses configured for service identity '{serviceId}'."
    },
    {
        "ErrorCode": "700044",
        "Message": "The redirect address '{address}' corresponding to this authorization code does not match the redirect address '{requestAddress}' specified in the request."
    },
    {
        "ErrorCode": "700045",
        "Message": "Redirect address '{address}' specified by the client does not match any configured addresses '{configuredAddress}' or any addresses on the OIDC approve list."
    },
    {
        "ErrorCode": "700046",
        "Message": "Invalid Reply Address. Reply Address must have scheme brk-{brkApplicationId}:// and be of Single Page Application type."
    },
    {
        "ErrorCode": "700047",
        "Message": "Invalid Reply Address. Broker must use Single-Page Application Reply Address."
    },
    {
        "ErrorCode": "700048",
        "Message": "Client assertion contains an invalid xms_actor_token claim. The audience of the claim is not correctly set."
    },
    {
        "ErrorCode": "700049",
        "Message": "Claim override is only allowed for User Assigned Managed Service Identities. Make sure the caller app is a Managed Identity, and the override is being done for a User Assigned identity."
    },
    {
        "ErrorCode": "700050",
        "Message": "Actor token is not within its valid time range. Current time: {curTime}, expiry time of actor token {expTime}."
    },
    {
        "ErrorCode": "700051",
        "Message": "response_type 'token' is not enabled for the application.",
        "Remediation": "The application requested an unsupported response type due to the following reasons: response_type 'token' is not enabled for the application. Application owner should go to the Azure portal or call MS Graph to enable the implicit access token grant."
    },
    {
        "ErrorCode": "700052",
        "Message": "The token request contains one or more unsupported response token type(s): '{ResType}'."
    },
    {
        "ErrorCode": "700053",
        "Message": "response_type 'id_token' requires the 'openid' scope."
    },
    {
        "ErrorCode": "700054",
        "Message": "response_type 'id_token' is not enabled for the application.",
        "Remediation": "The application requested an unsupported response type due to the following reasons: response_type 'id_token' is not enabled for the application. Application owner should go to the Azure portal or call MS Graph to enable the implicit id token grant."
    },
    {
        "ErrorCode": "700055",
        "Message": "Redirection to B2C first party app is permitted only to the /authresp endpoint."
    },
    {
        "ErrorCode": "700081",
        "Message": "The refresh token has expired due to maximum lifetime. The token was issued on {issueDate} and the maximum allowed lifetime for this application is {time}.",
        "Remediation": "Expected part of the token lifecycle - the user went an extended period of time without using the application, so the token was expired when the app attempted to refresh it."
    },
    {
        "ErrorCode": "700082",
        "Message": "The refresh token has expired due to inactivity. The token was issued on {issueDate} and was inactive for {time}.",
        "Remediation": "Expected part of the token lifecycle - the user went an extended period of time without using the application, so the token was expired when the app attempted to refresh it."
    },
    {
        "ErrorCode": "700083",
        "Message": "The primary refresh token has expired due to maximum lifetime. The token was issued on {issueDate} and the maximum allowed lifetime for this application is {time}."
    },
    {
        "ErrorCode": "700084",
        "Message": "The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on {issueDate}.",
        "Remediation": "Single page apps receive fixed, shorter-lived refresh tokens, and are expected to encounter this error on a regular basis. Apps must handle this error by redirecting the user to the sign in page for a refreshed sign in session."
    },
    {
        "ErrorCode": "700171",
        "Message": "End-user declined to authorize the request."
    },
    {
        "ErrorCode": "700172",
        "Message": "Authentication loop detected: please check application's configuration."
    },
    {
        "ErrorCode": "700221",
        "Message": "Issuer from the provided JWT '{jwtIssuer}' does not match the issuer published in the OIDC discovery metadata ('{metadataIssuer}') registered for this federated credential.",
        "Remediation": "Ensure that the OpenID Connect metadata issuer matches issuer presented in the JWT."
    },
    {
        "ErrorCode": "700222",
        "Message": "AAD-issued tokens may not be used for federated identity flows.",
        "Remediation": "The federated identity credentials flow does not support tokens issued by Azure AD at this time."
    },
    {
        "ErrorCode": "700311",
        "Message": "Remote auth session in cache is invalid."
    },
    {
        "ErrorCode": "701011",
        "Message": "Unable to save code into cache."
    },
    {
        "ErrorCode": "701012",
        "Message": "Unable to create remote auth session in device flow cache."
    },
    {
        "ErrorCode": "701013",
        "Message": "Unable to create remote auth session for user in activity store."
    },
    {
        "ErrorCode": "701014",
        "Message": "Cannot generate more one time passcodes."
    },
    {
        "ErrorCode": "750011",
        "Message": "Cannot validate RelayState. Check that RequestDataStorage is properly configured."
    },
    {
        "ErrorCode": "750012",
        "Message": "RelayState of response does not match with RelayState from request. Expected '{expected}' actual '{actual}'."
    },
    {
        "ErrorCode": "750013",
        "Message": "Cannot serialize SAML message container with no endpoint specified."
    },
    {
        "ErrorCode": "750014",
        "Message": "Could not find a SAMLRequest or SAMLResponse in the message. Check if the request contains a valid Uri or Form Post that contains protocol parameters for SAML HTTP bindings."
    },
    {
        "ErrorCode": "750015",
        "Message": "Wrong SAML message type '{wrongType}', expected '{expectedType}'."
    },
    {
        "ErrorCode": "750016",
        "Message": "Parameter '{name}' must be unique in HTTP SAML message."
    },
    {
        "ErrorCode": "750017",
        "Message": "The specified encoding method '{actual}' is not supported. Use '{expected}' encoding instead."
    },
    {
        "ErrorCode": "750018",
        "Message": "The signature algorithm '{algo}' is not valid."
    },
    {
        "ErrorCode": "750019",
        "Message": "The query string hash could not be computed for signature generation/validation. Neither SAMLRequest nor SAMLResponse was present in the message."
    },
    {
        "ErrorCode": "750031",
        "Message": "The requested protocol binding '{reqBinding}' is not supported. The supported bindings are GET (HTTP Redirect) and POST.",
        "Remediation": "Use either HTTP Redirect binding or HTTP Post binding to send the SAML AuthnRequest or LogoutRequest."
    },
    {
        "ErrorCode": "750032",
        "Message": "SAML protocol response cannot be sent via bindings other than HTTP POST. Requested binding: {reqBinding}",
        "Remediation": "In the SAML AuthnRequest, specify POST as the ProtocolBinding."
    },
    {
        "ErrorCode": "750051",
        "Message": "Must specify HTTP POST operation for SAML POST binding."
    },
    {
        "ErrorCode": "750052",
        "Message": "SAMLRequest or SAMLResponse must be present in body of HTTP request for SAML POST binding.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "750053",
        "Message": "Must specify HTTP GET operation for SAML HTTP Redirect binding."
    },
    {
        "ErrorCode": "750054",
        "Message": "SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.",
        "Remediation": "Azure AD wasn't able to identify the SAML request within the URL parameters in the HTTP request. This can happen if the application is not using HTTP Redirect Binding for sending the SAML request to Azure AD.    The application needs to send the SAML request encoded into the location header using HTTP Redirect Binding. For more information about how to implement it, read the section HTTP Redirect Binding in the SAML protocol specification document.[https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf]"
    },
    {
        "ErrorCode": "750055",
        "Message": "SAML message was not properly DEFLATE-encoded."
    },
    {
        "ErrorCode": "750056",
        "Message": "SAML message was not properly base64-encoded."
    },
    {
        "ErrorCode": "750057",
        "Message": "SAML message was not properly UTF8-encoded."
    },
    {
        "ErrorCode": "750058",
        "Message": "XML attribute '{attributeName}' in the SAML message must be a boolean."
    },
    {
        "ErrorCode": "750059",
        "Message": "XML attribute '{attributeName}' in the SAML message must be an integer."
    },
    {
        "ErrorCode": "750161",
        "Message": "Allowed SAML authentication request's NameIDPolicy formats are: {format}."
    },
    {
        "ErrorCode": "800111",
        "Message": "Encryption keys retrieved is null or empty."
    },
    {
        "ErrorCode": "800181",
        "Message": "Invalid configuration detected causing multiple redirects."
    },
    {
        "ErrorCode": "800182",
        "Message": "Failed to determine on-premises password validation endpoints for request."
    },
    {
        "ErrorCode": "800183",
        "Message": "The on-premises region configuration is invalid for the tenant."
    },
    {
        "ErrorCode": "800184",
        "Message": "The on-premises password validation request was throttled."
    },
    {
        "ErrorCode": "900000",
        "Message": "Environment error."
    },
    {
        "ErrorCode": "900001",
        "Message": "The browser is having problems downloading resources from the CDN (Content Delivery Network). Please check with your organization's system administrators to ensure that they have not blocked the resource url endpoint and that the files exists and are accessible."
    },
    {
        "ErrorCode": "900021",
        "Message": "Requested tenant identifier '{tenant_id}' is not valid. Tenant identifiers may not be an empty GUID."
    },
    {
        "ErrorCode": "900022",
        "Message": "Provided tenant identifier is empty."
    },
    {
        "ErrorCode": "900023",
        "Message": "Specified tenant identifier '{tenant_id}' is neither a valid DNS name, nor a valid external domain.",
        "Remediation": "Application error - the login request was malformed and could not be matched with an existing authentication endpoint or instance."
    },
    {
        "ErrorCode": "900041",
        "Message": "The request contains {num} tokens separated by '{splitter}' instead of a single key value pair."
    },
    {
        "ErrorCode": "900042",
        "Message": "Authorization header is missing or malformed."
    },
    {
        "ErrorCode": "900043",
        "Message": "Bad request. Passed context cannot be parsed."
    },
    {
        "ErrorCode": "900044",
        "Message": "Only version {num} of PKeyAuth is supported."
    },
    {
        "ErrorCode": "900045",
        "Message": "Missing PKeyAuth Authorization header."
    },
    {
        "ErrorCode": "900046",
        "Message": "Unprotected credential key parsing failed: invalid JWE format."
    },
    {
        "ErrorCode": "900047",
        "Message": "Malformed PKeyAuth header."
    },
    {
        "ErrorCode": "900048",
        "Message": "Request too large."
    },
    {
        "ErrorCode": "900049",
        "Message": "Malformed request."
    },
    {
        "ErrorCode": "900051",
        "Message": "Unable to complete request. The request was invalid since sid and domain_hint cannot be used together."
    },
    {
        "ErrorCode": "900052",
        "Message": "Request body may not be encoded in UTF-16."
    },
    {
        "ErrorCode": "900053",
        "Message": "Request body must not begin with UTF-8 BOM."
    },
    {
        "ErrorCode": "900054",
        "Message": "Specified Broker Client ID does not match ID in provided grant."
    },
    {
        "ErrorCode": "900055",
        "Message": "Broker Client ID expected in GUID format."
    },
    {
        "ErrorCode": "900056",
        "Message": "redirect_uri is a required parameter for brokered authentication."
    },
    {
        "ErrorCode": "900057",
        "Message": "Unexpected 'brk_client_id' or 'brk_redirect_uri' parameters when obtaining or redeeming grants for broker application."
    },
    {
        "ErrorCode": "900058",
        "Message": "Server cannot satisfy the request. MSIs do not support user-based flows, only the client credentials flow. Use a multi-tenant application and secret or certificate in order to sign in users at this time.",
        "Remediation": "This is a platform error - a certificate was used by an Azure component in a way that Azure AD does not support."
    },
    {
        "ErrorCode": "900059",
        "Message": "You must request the hybrid SPA auth code on your confidential client back-end, while redeeming the original auth code requested for a web type redirect URI. Auth codes obtained for the Pairwise broker flow cannot be redeemed for a hybrid SPA authorization code."
    },
    {
        "ErrorCode": "900101",
        "Message": "Unable to create default encryption algorithm: {algoName}."
    },
    {
        "ErrorCode": "900102",
        "Message": "'{algoName}' algorithm not supported."
    },
    {
        "ErrorCode": "900103",
        "Message": "The digest algorithm '{algoName}' is not supported."
    },
    {
        "ErrorCode": "900104",
        "Message": "Lifetime must be greater than or equal to TimeSpan.Zero."
    },
    {
        "ErrorCode": "900105",
        "Message": "The token signing digest algorithm '{algoName}' requested by the application is not supported for this type of token. This indicates the application is misconfigured."
    },
    {
        "ErrorCode": "900106",
        "Message": "The '{name}' input type is not supported for the transform."
    },
    {
        "ErrorCode": "900107",
        "Message": "The exclusive canonicalization transform does not support the '{algoName}' algorithm."
    },
    {
        "ErrorCode": "900108",
        "Message": "{name} implementation not supported."
    },
    {
        "ErrorCode": "900109",
        "Message": "Cannot create a signature deformatter for the requested algorithm."
    },
    {
        "ErrorCode": "900143",
        "Message": "'{name}' is required for the '{type}' grant type."
    },
    {
        "ErrorCode": "900144",
        "Message": "The request body must contain the following parameter: '{name}'.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "900161",
        "Message": "Invalid access token. Required tenant ID claim is missing."
    },
    {
        "ErrorCode": "900191",
        "Message": "The 'client_credentials' grant type requires a tenant to be specified."
    },
    {
        "ErrorCode": "900192",
        "Message": "Unable to determine the tenant identifier from the request. Client ID '{id}' does not specify a tenant realm."
    },
    {
        "ErrorCode": "900193",
        "Message": "The 'urn:microsoft.com:grant-type:device:credentials' grant type requires a tenant to be specified."
    },
    {
        "ErrorCode": "900194",
        "Message": "Unable to determine the tenant identifier from the request. Token audience '{audienceSpn}' does not specify a tenant realm."
    },
    {
        "ErrorCode": "900195",
        "Message": "Unable to determine the tenant identifier from the request. Token audience '{audienceSpn}' is not valid."
    },
    {
        "ErrorCode": "900231",
        "Message": "Unable to authenticate the user."
    },
    {
        "ErrorCode": "900232",
        "Message": "Request specified an authentication method '{authRequirementInRequest}' that is not in the allowed list of authentication methods supported by application '{appName}'."
    },
    {
        "ErrorCode": "900233",
        "Message": "The SAML AuthnRequest or LogoutRequest must specify an Issuer."
    },
    {
        "ErrorCode": "900234",
        "Message": "The SAML AuthnRequest or LogoutRequest must specify the default Issuer Format '{expectedIssuerFormat}'. Received Issuer Format: '{receivedIssuerFormat}'."
    },
    {
        "ErrorCode": "900235",
        "Message": "SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: '{samlComparison}'."
    },
    {
        "ErrorCode": "900236",
        "Message": "The SAML authentication request property '{propertyName}' is not supported and must not be set."
    },
    {
        "ErrorCode": "900237",
        "Message": "AssertionConsumerServiceIndex cannot be set when ProtocolBinding or AssertionConsumerServiceUrl are set."
    },
    {
        "ErrorCode": "900238",
        "Message": "AssertionConsumerServiceUrl cannot be set when AssertionConsumerServiceIndex is set."
    },
    {
        "ErrorCode": "900239",
        "Message": "ProtocolBinding cannot be set when AssertionConsumerServiceIndex is set."
    },
    {
        "ErrorCode": "900281",
        "Message": "Principal name format is invalid. Realm component of the name cannot be empty."
    },
    {
        "ErrorCode": "900282",
        "Message": "Principal name format is invalid for name '{name}'. Expected primary[@realm]."
    },
    {
        "ErrorCode": "900381",
        "Message": "Request redirection failed. Tenant '{tenant_name}' specified belongs to the National Cloud '{tenant_cloud}', but Current Cloud Instance '{current_cloud}' does not federate with '{tenant_cloud}'."
    },
    {
        "ErrorCode": "900382",
        "Message": "Confidential Client is not supported in Cross Cloud request."
    },
    {
        "ErrorCode": "900383",
        "Message": "Internal error has occurred during a redirect. Please login directly to your National Cloud dedicated portal."
    },
    {
        "ErrorCode": "900384",
        "Message": "JWT token failed signature validation. Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "900385",
        "Message": "JWT token must be signed."
    },
    {
        "ErrorCode": "900386",
        "Message": "WsFederation metadata request for Tenant '{tenantName}' must be made on Cloud '{cloud}'."
    },
    {
        "ErrorCode": "900387",
        "Message": "Unsupported version '{apiVersion}' specified in discovery request"
    },
    {
        "ErrorCode": "900388",
        "Message": "Http request to national cloud failed with time out error"
    },
    {
        "ErrorCode": "900410",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "900421",
        "Message": "Actual message content is runtime specific. Please see returned exception message for details."
    },
    {
        "ErrorCode": "900431",
        "Message": "National Cloud Federation or Proxy Request feature is disabled."
    },
    {
        "ErrorCode": "900432",
        "Message": "Confidential Client is not supported in Cross Cloud request."
    },
    {
        "ErrorCode": "900433",
        "Message": "Invalid National Cloud Token."
    },
    {
        "ErrorCode": "900434",
        "Message": "National Cloud request processing failed: {details}"
    },
    {
        "ErrorCode": "900435",
        "Message": "Received Empty OAuth response from National Cloud: {name}."
    },
    {
        "ErrorCode": "900436",
        "Message": "Invalid request method {name} received."
    },
    {
        "ErrorCode": "900437",
        "Message": "Auth Code value is missing."
    },
    {
        "ErrorCode": "900438",
        "Message": "Refresh token value is missing."
    },
    {
        "ErrorCode": "900439",
        "Message": "Confidential Client requests are not supported on the public endpoint (login.microsoftonline.com) for tenants in the Azure Government cloud. Send your login requests to https://login.microsoftonline.us instead. Please see https://devblogs.microsoft.com/azuregov/azure-government-aad-authority-endpoint-update/ for more details",
        "Remediation": "Starting May 5th 2020, Azure AD began enforcing the change in login endpoints for Azure Government that was announced April 3rd, 2018. The app must be updated to sign in users to the US Government cloud instead of the public cloud."
    },
    {
        "ErrorCode": "900440",
        "Message": "Requests to tenants hosted in the public cloud are not supported on USGov endpoints. This user must sign into https://login.microsoftonline.com instead of https://login.microsoftonline.us. The application must send the user to the right login endpoint, usually by hosting two versions of the site (e.g. portal.azure.us and portal.azure.com)",
        "Remediation": "Starting May 5th 2020, Azure AD began enforcing the change in login endpoints for Azure Government that was announced April 3rd, 2018. Users from the public cloud cannot be signed into the US Government cloud. This is by design - those users must sign into the public cloud instead."
    },
    {
        "ErrorCode": "900441",
        "Message": "Requests to applications hosted in the public cloud are not supported for USGov tenants."
    },
    {
        "ErrorCode": "900442",
        "Message": "Requests from the public cloud user for USGov resource, and requests from USGov user for public cloud resource are not supported."
    },
    {
        "ErrorCode": "900443",
        "Message": "The requested endpoint {endpoint} is not supported on air-gapped cloud using public hostname. Please use hostname {hostname} instead."
    },
    {
        "ErrorCode": "900491",
        "Message": "Service principal '{identifier}' not found."
    },
    {
        "ErrorCode": "900501",
        "Message": "Json format queue length exceeds the threshold."
    },
    {
        "ErrorCode": "900521",
        "Message": "Static Content Manager: Has not been initialized."
    },
    {
        "ErrorCode": "900522",
        "Message": "You can't have an alias map to another alias."
    },
    {
        "ErrorCode": "900523",
        "Message": "Passed in value is not an enum - {type}."
    },
    {
        "ErrorCode": "900524",
        "Message": "No CDN roots configured."
    },
    {
        "ErrorCode": "900525",
        "Message": "Service configuration error has occurred: unable to obtain SAS certificate."
    },
    {
        "ErrorCode": "900561",
        "Message": "The endpoint only accepts {valid_verbs} requests. Received a {invalid_verb} request.",
        "Remediation": "This can be due to developer error, or due to users pressing the back button in their browser, triggering a bad request. It can be ignored."
    },
    {
        "ErrorCode": "900562",
        "Message": "Unsupported GUID resource format specified, only supported GUID formats types are '00000000000000000000000000000000' and '00000000-0000-0000-0000-000000000000'."
    },
    {
        "ErrorCode": "900610",
        "Message": "Non-retryable error has occurred during request to external OIDC endpoint."
    },
    {
        "ErrorCode": "900611",
        "Message": "Failed to parse provider metadata."
    },
    {
        "ErrorCode": "900612",
        "Message": "Failed to parse provider signing keys."
    },
    {
        "ErrorCode": "900620",
        "Message": "Token Remint endpoint generic error."
    },
    {
        "ErrorCode": "900621",
        "Message": "Token Remint endpoint missing signing credentials to sign tokens."
    },
    {
        "ErrorCode": "900622",
        "Message": "Token Remint endpoint cannot use the asserting token because of allow remint claim is not preset."
    },
    {
        "ErrorCode": "900623",
        "Message": "Token Remint endpoint cannot use the token because its issued at value is not valid."
    },
    {
        "ErrorCode": "900624",
        "Message": "Token Remint endpoint cannot use the token because asserting token signature is invalid."
    },
    {
        "ErrorCode": "900625",
        "Message": "Token Remint endpoint cannot use the token because asserting token type is not eligible for remint."
    },
    {
        "ErrorCode": "900626",
        "Message": "Token Remint endpoint cannot use the token because asserting token type has expired."
    },
    {
        "ErrorCode": "900627",
        "Message": "Token Remint endpoint cannot parse the request."
    },
    {
        "ErrorCode": "900700",
        "Message": "Security Event Token signing endpoint generic error."
    },
    {
        "ErrorCode": "900701",
        "Message": "Security Event Token signing endpoint received invalid request."
    },
    {
        "ErrorCode": "900702",
        "Message": "Security Event Token signing endpoint received SET which could not be parsed to a JWT"
    },
    {
        "ErrorCode": "900703",
        "Message": "Security Event Token signing endpoint received SET with null claims."
    },
    {
        "ErrorCode": "900704",
        "Message": "Security Event Token signing endpoint received SET with invalid issuer. Issuer: {invalidIssuer}"
    },
    {
        "ErrorCode": "900705",
        "Message": "Security Event Token signing endpoint received SET with invalid IssuedAt value. IssuedAt: {invalidIssuedAt}"
    },
    {
        "ErrorCode": "900706",
        "Message": "Security Event Token signing endpoint received SET with unexpected claims. Unexpected claims: {unexpectedClaims}"
    },
    {
        "ErrorCode": "900811",
        "Message": "Unsupported web method is used."
    },
    {
        "ErrorCode": "900812",
        "Message": "Unsupported WS-Federation message of type '{name}'."
    },
    {
        "ErrorCode": "900821",
        "Message": "Unsupported WS-Federation message of type '{type}'."
    },
    {
        "ErrorCode": "900822",
        "Message": "Requested '{type}' value is unsupported."
    },
    {
        "ErrorCode": "900851",
        "Message": "Unable to issue a token since user account is not provisioned yet."
    },
    {
        "ErrorCode": "900941",
        "Message": "Administrator consent is required. App is considered risky."
    },
    {
        "ErrorCode": "900942",
        "Message": "Admin consent is required in order to allow token to be issued for clients to access resource."
    },
    {
        "ErrorCode": "900971",
        "Message": "No reply address provided."
    },
    {
        "ErrorCode": "900981",
        "Message": "An admin consent request was received for a risky app."
    },
    {
        "ErrorCode": "901001",
        "Message": "Invalid request. The {name} request parameter value '{value}' is invalid."
    },
    {
        "ErrorCode": "901002",
        "Message": "The '{name}' request parameter is not supported."
    },
    {
        "ErrorCode": "901003",
        "Message": "Invalid request. The request contains too many encoded parameters."
    },
    {
        "ErrorCode": "901004",
        "Message": "Expected parameter {name} not found."
    },
    {
        "ErrorCode": "901005",
        "Message": "'{value}' is not a supported value for {name} parameter. Expected values are '{expectedVal}'."
    },
    {
        "ErrorCode": "901006",
        "Message": "The following extra parameters were found in the request and should be removed from subsequent requests: [{names}]"
    },
    {
        "ErrorCode": "901121",
        "Message": "No certificates found for {application}."
    },
    {
        "ErrorCode": "901122",
        "Message": "Application '{application}' has no encryption certificate configured."
    },
    {
        "ErrorCode": "901123",
        "Message": "Misconfigured application '{application}'."
    },
    {
        "ErrorCode": "901124",
        "Message": "Application '{application}' does not exist.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "901125",
        "Message": "Application does not exist."
    },
    {
        "ErrorCode": "901141",
        "Message": "Bad request - expiration time is in the past."
    },
    {
        "ErrorCode": "901142",
        "Message": "Bad request - requested token lifetime exceeds allowed limit."
    },
    {
        "ErrorCode": "901151",
        "Message": "Fallback_domain parameter is not allowed together with domain_hint."
    },
    {
        "ErrorCode": "901171",
        "Message": "Unable to sign in. Please sign out and sign in again with your identity provider."
    },
    {
        "ErrorCode": "901181",
        "Message": "Mapped Microsoft Graph permissions are not supported for application permissions."
    },
    {
        "ErrorCode": "901182",
        "Message": "Application '{applicationId}' must be preauthorized by Microsoft Graph for scopes '{scope}'."
    },
    {
        "ErrorCode": "901183",
        "Message": "The service principal with an identifier of {spIdentifier} does not exist in the directory."
    },
    {
        "ErrorCode": "901201",
        "Message": "This request is invalid, cannot be processed."
    },
    {
        "ErrorCode": "901202",
        "Message": "Device identifier in the device signature is different from the device assigned to the resource account."
    },
    {
        "ErrorCode": "1000000",
        "Message": "The Bind API requires the Azure AD user to also authenticate with an external IDP, which hasn't happened yet. Redirecting to external IDP.",
        "Remediation": "Expected error when the user attempts to connect a LinkedIn account to their AAD account."
    },
    {
        "ErrorCode": "1000001",
        "Message": "The specified bind provider '{provider}' is not supported."
    },
    {
        "ErrorCode": "1000002",
        "Message": "The bind completed successfully, but the user must be informed.",
        "Remediation": "This is not an error scenario, but is handled like one by Azure AD to handle certain authentication flows.  This is not an indication that anything went wrong."
    },
    {
        "ErrorCode": "1000003",
        "Message": "MSA redirected to ESTS for an AAD user to login."
    },
    {
        "ErrorCode": "1000004",
        "Message": "Values '{notAllowedValues}' are not valid for claim request '{requestedClaim}'."
    },
    {
        "ErrorCode": "1000005",
        "Message": "Invalid definition for external identity provider, domain is missing"
    },
    {
        "ErrorCode": "1000006",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: Following properties are mandatory: domain, issuer URI, passive authentication URL."
    },
    {
        "ErrorCode": "1000007",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: The value '{url}' in the property '{urlType}' must be an absolute URL."
    },
    {
        "ErrorCode": "1000008",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: The value '{url}' in the property '{urlType}' must be https."
    },
    {
        "ErrorCode": "1000009",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: Only WsFederation/SamlP protocols are allowed."
    },
    {
        "ErrorCode": "1000010",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: Domain '{value}' is not in expected format."
    },
    {
        "ErrorCode": "1000011",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: Issuer '{value}' is not in expected format."
    },
    {
        "ErrorCode": "1000012",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: Domain '{value}' is a reserved value."
    },
    {
        "ErrorCode": "1000013",
        "Message": "Invalid definition for external identity provider with domain '{domain}'. Reason: Issuer '{value}' is a reserved value."
    },
    {
        "ErrorCode": "1000014",
        "Message": "Cannot issue On-Behalf-Of token for tenant '{tenant1}' as JWT bearer token was issued for '{tenant2}'."
    },
    {
        "ErrorCode": "1000015",
        "Message": "Direct federation users are not expected to have home tenant."
    },
    {
        "ErrorCode": "1000018",
        "Message": "Realm with domain '{domain}' is not an external realm."
    },
    {
        "ErrorCode": "1000019",
        "Message": "The provided certificate authority type '{certificateAuthorityType}' is not valid."
    },
    {
        "ErrorCode": "1000020",
        "Message": "The provided application '{applicationId}' may not be used on this endpoint."
    },
    {
        "ErrorCode": "1000021",
        "Message": "External Claims Provider unavailable: general exception."
    },
    {
        "ErrorCode": "1000022",
        "Message": "External Claims Provider unavailable: WebException status code '{status}'."
    },
    {
        "ErrorCode": "1000023",
        "Message": "The GitHub access token forwarded exceeds the configured length of '{sizeLimit}'."
    },
    {
        "ErrorCode": "1000024",
        "Message": "Requested claim 'ClientIpReportedByRP' should have a single and valid ip address."
    },
    {
        "ErrorCode": "1000025",
        "Message": "Received invalid stk_jwk."
    },
    {
        "ErrorCode": "1000026",
        "Message": "Received invalid Primary Refresh Token."
    },
    {
        "ErrorCode": "1000027",
        "Message": "Session Transport Key is not present."
    },
    {
        "ErrorCode": "1000028",
        "Message": "Received invalid Windows SSO Credential."
    },
    {
        "ErrorCode": "1000029",
        "Message": "The provided confirmation request (req_cnf or pop_jwk) is not properly formatted."
    },
    {
        "ErrorCode": "1000030",
        "Message": "Microsoft Account granted Refresh Token Credential is not supported on AAD tenant."
    },
    {
        "ErrorCode": "1000031",
        "Message": "Application {appDisplayName} cannot be accessed at this time. Contact your administrator.",
        "Remediation": "Contact your administrator for more information."
    },
    {
        "ErrorCode": "1000032",
        "Message": "Received invalid stk_jwk key thumbprint."
    },
    {
        "ErrorCode": "1000033",
        "Message": "Stk_jwk key doesn't match session transport key thumbprint specified at the beginning of the session."
    },
    {
        "ErrorCode": "1000034",
        "Message": "Stk_jwk key must not be submitted via x5c."
    },
    {
        "ErrorCode": "1000035",
        "Message": "There was an error issuing Bound RT token."
    },
    {
        "ErrorCode": "1000036",
        "Message": "BoundRT use as a bearer refresh token is unsupported."
    },
    {
        "ErrorCode": "1000037",
        "Message": "Stk_jwk thumbprint is not provided for SSO Bound RT redemption."
    },
    {
        "ErrorCode": "1000038",
        "Message": "Received invalid req_cnf key thumbprint."
    },
    {
        "ErrorCode": "1000039",
        "Message": "Req_cnf key '{kid}' doesn't match proof of possession key thumbprint specified at the beginning of the session."
    },
    {
        "ErrorCode": "1000101",
        "Message": "Access denied."
    },
    {
        "ErrorCode": "1000102",
        "Message": "Invalid request."
    },
    {
        "ErrorCode": "1000103",
        "Message": "Invalid request."
    },
    {
        "ErrorCode": "1000104",
        "Message": "Resource cloud {resourceCloud} is not allowed on identity tenant {identityTenant}."
    },
    {
        "ErrorCode": "1000106",
        "Message": "The provided sec-Restrict-Tenant-Access-Policy header ({headerValue}) is invalid. Please double check the format of the header and try again."
    },
    {
        "ErrorCode": "1000107",
        "Message": "The tenant ID {tenantId} provided in the sec-Restrict-Tenant-Access-Policy header was not found in Azure Active Directory. Please contact your administrator for assistance."
    },
    {
        "ErrorCode": "1000108",
        "Message": "The policy ID {policyId} provided in the sec-Restrict-Tenant-Access-Policy header did not match a policy ID in tenant {tenantName}. Please contact your administrator for assistance."
    },
    {
        "ErrorCode": "1000110",
        "Message": "Invalid request, identity tenant '{identityTenant}' is not allowed on resource tenant '{resourceTenant}' for cross cloud B2B call."
    },
    {
        "ErrorCode": "1000112",
        "Message": "Cannot issue On-Behalf-Of token for tenant '{tenant1}' as JWT bearer token was issued for '{tenant2}'."
    },
    {
        "ErrorCode": "1000113",
        "Message": "Non Retryable Error Occured."
    },
    {
        "ErrorCode": "1000114",
        "Message": "Invalid request. Endpoint does not accept requests with multiple DataCriteria items of type {dataCriteriaType}."
    },
    {
        "ErrorCode": "1000115",
        "Message": "Invalid request. TenantId in the URL and DataCriteria has to match."
    },
    {
        "ErrorCode": "1000116",
        "Message": "Invalid request. One of the ids in the PolicyObjectIds is not a valid Guid."
    },
    {
        "ErrorCode": "1000117",
        "Message": "Invalid request. Max policyIds count of {policyObjectIdsMaxCount} exceeded."
    },
    {
        "ErrorCode": "1000118",
        "Message": "Invalid request. UserId cannot be an empty Guid."
    },
    {
        "ErrorCode": "1000119",
        "Message": "Invalid global bloomfilter name: {name}."
    },
    {
        "ErrorCode": "1000202",
        "Message": "Migration to public cloud is complete for this tenant. Please use login.microsoftonline.com endpoint for this tenant."
    },
    {
        "ErrorCode": "1000203",
        "Message": "There’s been a change to your organization. You’ll need to sign out and sign back in to continue using this app. To learn more, refer https://go.microsoft.com/fwlink/?linkid=2150446."
    },
    {
        "ErrorCode": "1000401",
        "Message": "The requested tenant has been migrated to {targetCloud}."
    },
    {
        "ErrorCode": "1000450",
        "Message": "There is only MSA user active session and need to redirect to Msa."
    },
    {
        "ErrorCode": "1000460",
        "Message": "The provided x-ms-plid header value '{headerValue}' is not a properly formatted private link identifier."
    },
    {
        "ErrorCode": "1000461",
        "Message": "Private link data couldn't be read. Please try again."
    },
    {
        "ErrorCode": "1000462",
        "Message": "The specified private link was not found. If you just provisioned this private link, please wait a few minutes and try again."
    },
    {
        "ErrorCode": "1000463",
        "Message": "The tenant you're trying to access, '{tenantName}', is not authorized to use this private link."
    },
    {
        "ErrorCode": "1000464",
        "Message": "Private link data couldn't be upserted/read. Please try again."
    },
    {
        "ErrorCode": "1000465",
        "Message": "The required private link state could not be found."
    },
    {
        "ErrorCode": "1000466",
        "Message": "The provided AppID ACR value is not supported."
    },
    {
        "ErrorCode": "1000470",
        "Message": "The protocol {protocolId} is blocked for tenant {tenantId}. Please contact your administrator for assistance."
    },
    {
        "ErrorCode": "1000471",
        "Message": "The document with private link id {plid} already present associated with private link resource id {plrid}"
    },
    {
        "ErrorCode": "1000472",
        "Message": "Unable to parse the session store last written time {lastWrittenTime}."
    },
    {
        "ErrorCode": "1000473",
        "Message": "Unable to create session pointer for {sessionType} due to {reason}."
    },
    {
        "ErrorCode": "1000474",
        "Message": "User is creating too many freshly logged-in sessions or new refresh tokens in a short period of time. Please try again later."
    },
    {
        "ErrorCode": "1000501",
        "Message": "Unable to read session document from Session Store."
    },
    {
        "ErrorCode": "1000502",
        "Message": "The provided certificate is not within its specified validity window."
    },
    {
        "ErrorCode": "1000503",
        "Message": "Request contains mismatched device ids."
    },
    {
        "ErrorCode": "1000601",
        "Message": "This API is not currently supported."
    },
    {
        "ErrorCode": "1000602",
        "Message": "Action not permitted. Only managed identity service could call this API."
    },
    {
        "ErrorCode": "1000603",
        "Message": "Unsupported tenant provided. The tenant must be a guid."
    },
    {
        "ErrorCode": "1000604",
        "Message": "Invalid request parameters."
    },
    {
        "ErrorCode": "1000605",
        "Message": "An error occurred during certificate creation."
    },
    {
        "ErrorCode": "1000606",
        "Message": "A requested pass through claim is not permitted for this client."
    },
    {
        "ErrorCode": "1000607",
        "Message": "This API is not currently supported."
    },
    {
        "ErrorCode": "1000608",
        "Message": "Invalid request parameters."
    },
    {
        "ErrorCode": "1000701",
        "Message": "Multiple devices with the same device-name found in tenant {tenant}. Please reach out to your tenant-admin to ensure uniqueness of device display-name."
    },
    {
        "ErrorCode": "1000800",
        "Message": "Unsupported compound-resource format."
    },
    {
        "ErrorCode": "1000901",
        "Message": "The provided certificate cannot be used for requesting tokens. The value of token_not_after extension on the certificate should be greater than the current time."
    },
    {
        "ErrorCode": "1000902",
        "Message": "The certificate provided for authentication should contain the Authority Key Identifier (AKI) extension."
    },
    {
        "ErrorCode": "1000903",
        "Message": "The Authority Key Identifier extension in the provided certificate doesn't match with the Key Identifier of any available Keys used for signing the certificates."
    },
    {
        "ErrorCode": "1000904",
        "Message": "The Format of token_not_after extension is invalid."
    },
    {
        "ErrorCode": "1001000",
        "Message": "Unable to acquire certificate policy from tenant"
    },
    {
        "ErrorCode": "1001001",
        "Message": "Certificate policy acquired from tenant is invalid and contains no user bindings"
    },
    {
        "ErrorCode": "1001002",
        "Message": "Certificate policy does not contain any valid user bindings"
    },
    {
        "ErrorCode": "1001003",
        "Message": "Unable to acquire value specified in binding from certificate"
    },
    {
        "ErrorCode": "1001004",
        "Message": "Unable to create rsa key with the provided exponent and modulus"
    },
    {
        "ErrorCode": "1001005",
        "Message": "Invalid Request. A certificate should be provided with a non empty value."
    },
    {
        "ErrorCode": "1001006",
        "Message": "A transient issue occured, please try again"
    },
    {
        "ErrorCode": "1001007",
        "Message": "Failed to write revocation events into the storage"
    },
    {
        "ErrorCode": "1001008",
        "Message": "Failed to read revocation events from the storage"
    },
    {
        "ErrorCode": "1001010",
        "Message": "The client or resource application: {applicationId} is missing service principal in the tenant: {tenant}. See instructions here: https://go.microsoft.com/fwlink/?linkid=2167121."
    },
    {
        "ErrorCode": "1001011",
        "Message": "The request to proxy a call to MSA via this AAD instance is not currently supported."
    },
    {
        "ErrorCode": "1001012",
        "Message": "The user principal name entered does not match the user specific information from the certificate."
    },
    {
        "ErrorCode": "1100000",
        "Message": "Non-retryable error has occurred."
    },
    {
        "ErrorCode": "1300011",
        "Message": "NGC key is malformed."
    },
    {
        "ErrorCode": "1300012",
        "Message": "Signature key type is not provided."
    },
    {
        "ErrorCode": "1300041",
        "Message": "NGC key cannot be decoded."
    },
    {
        "ErrorCode": "1300042",
        "Message": "NGC key is not associated with a device."
    },
    {
        "ErrorCode": "1350001",
        "Message": "Fido assertion verification failed. Result: '{result}'"
    },
    {
        "ErrorCode": "1350011",
        "Message": "Key ID cannot be decoded."
    },
    {
        "ErrorCode": "1350101",
        "Message": "Key ID cannot be decoded."
    },
    {
        "ErrorCode": "1400001",
        "Message": "Request nonce is not provided."
    },
    {
        "ErrorCode": "1400002",
        "Message": "Request nonce is malformed."
    },
    {
        "ErrorCode": "1400011",
        "Message": "Session key is not provided."
    },
    {
        "ErrorCode": "1400012",
        "Message": "Session key type {type} is not supported."
    },
    {
        "ErrorCode": "1659001",
        "Message": "Unexpected error decoding the required request."
    },
    {
        "ErrorCode": "2190001",
        "Message": "Cannot find a certificate in the pfx."
    },
    {
        "ErrorCode": "2190002",
        "Message": "Cannot use the pfx."
    },
    {
        "ErrorCode": "2200501",
        "Message": "No cache encryption keys are available for encryption."
    },
    {
        "ErrorCode": "2200502",
        "Message": "No cache encryption keys are available for encryption - no key was more than 48 hours old."
    },
    {
        "ErrorCode": "2201001",
        "Message": "Authenc: VerifySignatureAndDecrypt failed. {ex}"
    },
    {
        "ErrorCode": "2300241",
        "Message": "Failed to find cached credential cert with thumbprint: {thumbPrint}."
    },
    {
        "ErrorCode": "5000211",
        "Message": "A tenant restrictions policy added to this request by a device or network administrator does not allow access to the resource tenant.",
        "Remediation": "The administrator of the tenant that owns this tenant restrictions policy does not allow this access. If this is not expected, that administrator should allow access by editing their cross tenant access policy."
    },
    {
        "ErrorCode": "5000221",
        "Message": "Access to '{tenant}' tenant is denied.",
        "Remediation": "Please contact your IT department."
    },
    {
        "ErrorCode": "5000222",
        "Message": "Access to '{tenant}' tenant is denied. It looks like you are trying to access a resource in Microsoft Cloud Deutschland. This organization is in the process of being decommissioned and needs to be re-created in a German datacenter region. Please see aka.ms/office365germancymove for more information, or contact deblockres@microsoft.com for assistance.",
        "Remediation": "Please contact your IT department."
    },
    {
        "ErrorCode": "5000610",
        "Message": "Symmetric Key Derivation Function version '{version}' is invalid."
    },
    {
        "ErrorCode": "5000611",
        "Message": "Symmetric Key Derivation Function version '{version}' is invalid."
    },
    {
        "ErrorCode": "5000810",
        "Message": "Unable to verify token signature. Signing key identifier is missing."
    },
    {
        "ErrorCode": "5000811",
        "Message": "Unable to verify token signature. The signing key identifier does not match any valid registered keys."
    },
    {
        "ErrorCode": "5000812",
        "Message": "The SAML 1.1 credential must contain exactly one or zero claims of type '{type}'."
    },
    {
        "ErrorCode": "5000813",
        "Message": "The SAML 1.1 credential must provide non empty value for claim of type '{type}'."
    },
    {
        "ErrorCode": "5000815",
        "Message": "The SAML 1.1 credential contains invalid Device ID claim."
    },
    {
        "ErrorCode": "5000816",
        "Message": "The SAML 1.1 credential must contain exactly one Audience in AudienceRestriction."
    },
    {
        "ErrorCode": "5000817",
        "Message": "The SAML 1.1 credential must contain SamlAudienceRestrictionCondition."
    },
    {
        "ErrorCode": "5000818",
        "Message": "SAML Assertion is invalid. NameId is not present in the token."
    },
    {
        "ErrorCode": "5000819",
        "Message": "SAML Assertion is invalid. Email address claim is missing or does not match domain from an external realm."
    },
    {
        "ErrorCode": "7000011",
        "Message": "Requested SAML 2.0 assertion has invalid SubjectConfirmation Method: {method}."
    },
    {
        "ErrorCode": "7000012",
        "Message": "The grant was obtained for a different tenant."
    },
    {
        "ErrorCode": "7000013",
        "Message": "The grant is not supported by API version {apiVersion}."
    },
    {
        "ErrorCode": "7000014",
        "Message": "The provided value for the input parameter 'device_code' is not valid."
    },
    {
        "ErrorCode": "7000015",
        "Message": "The grant was obtained for a different tenant."
    },
    {
        "ErrorCode": "7000016",
        "Message": "Primary refresh token is not signed with session key."
    },
    {
        "ErrorCode": "7000017",
        "Message": "Broker restricted refresh token can't be used as credential."
    },
    {
        "ErrorCode": "7000018",
        "Message": "Token binding header is empty."
    },
    {
        "ErrorCode": "7000019",
        "Message": "Token binding hash does not match."
    },
    {
        "ErrorCode": "7000020",
        "Message": "SAML 2.0 Bearer assertion must be a valid Base64Url encoded value."
    },
    {
        "ErrorCode": "7000021",
        "Message": "Unrecognized grant type {type}."
    },
    {
        "ErrorCode": "7000022",
        "Message": "VSM Binding Key missing from Ticket Granting Ticket request."
    },
    {
        "ErrorCode": "7000023",
        "Message": "VSM Binding key mismatch."
    },
    {
        "ErrorCode": "7000024",
        "Message": "Inconsistent broker application IDs asserted by incoming credentials."
    },
    {
        "ErrorCode": "7000025",
        "Message": "Ambiguous request. The grant contains duplicate claims."
    },
    {
        "ErrorCode": "7000026",
        "Message": "Provided grant is invalid or malformed. The grant requires an encrypted response, but the client is not indicating it understands encrypted responses."
    },
    {
        "ErrorCode": "7000110",
        "Message": "Request is ambiguous, multiple application identifiers found."
    },
    {
        "ErrorCode": "7000112",
        "Message": "Application '{appIdentifier}'({appName}) is disabled."
    },
    {
        "ErrorCode": "7000113",
        "Message": "Application '{appIdentifier}' is not authorized to make application on-behalf-of calls."
    },
    {
        "ErrorCode": "7000114",
        "Message": "Application '{appIdentifier}' is not allowed to make application on-behalf-of calls."
    },
    {
        "ErrorCode": "7000115",
        "Message": "This grant is reedemable only by broker application."
    },
    {
        "ErrorCode": "7000116",
        "Message": "Application '{appIdentifier}'({appName}) is disabled in tenant {tenant}. Please review the documentation: https://go.microsoft.com/fwlink/?linkid=2167553"
    },
    {
        "ErrorCode": "7000117",
        "Message": "Resource application '{appIdentifier}'({appName}) is disabled in tenant {tenant}. Please review the documentation: https://go.microsoft.com/fwlink/?linkid=2167553"
    },
    {
        "ErrorCode": "7000210",
        "Message": "Unable to find source of Trusted Certificate Authority policy."
    },
    {
        "ErrorCode": "7000211",
        "Message": "Trusted Certificate Authority policy is not configured on the tenant '{tenantId}'."
    },
    {
        "ErrorCode": "7000212",
        "Message": "No matching Trusted Certificate Authority policy found for authorized subject name."
    },
    {
        "ErrorCode": "7000213",
        "Message": "Invalid certificate chain."
    },
    {
        "ErrorCode": "7000214",
        "Message": "Certificate has been revoked."
    },
    {
        "ErrorCode": "7000215",
        "Message": "Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{identifier}'.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "7000216",
        "Message": "'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "7000217",
        "Message": "The service principal named {appPhrase} was not found in the tenant named {tenant_name}. This can happen if the application has not been installed by the administrator of the tenant."
    },
    {
        "ErrorCode": "7000218",
        "Message": "The request body must contain the following parameter: 'client_assertion' or 'client_secret'.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "7000219",
        "Message": "'client_assertion' or 'client_secret' is required for the '{type}' grant type."
    },
    {
        "ErrorCode": "7000220",
        "Message": "Client application identifier in the provided grant doesn't match 'client_id' parameter."
    },
    {
        "ErrorCode": "7000221",
        "Message": "Certificate Subject must match Issuer claim in the client assertion."
    },
    {
        "ErrorCode": "7000222",
        "Message": "The provided client secret keys for app '{identifier}' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "7000223",
        "Message": "Application {brokerAppId} is not authorized to broker tokens."
    },
    {
        "ErrorCode": "7000224",
        "Message": "Application {childAppId} is not authorized to have tokens brokered on its behalf."
    },
    {
        "ErrorCode": "7000225",
        "Message": "Invalid credentials: An MSI certificate was included in the request for the app, but the app (object ID: {oid}, application id: {clientId}) is not an MSI. Ensure that your code is matching MSI identities and certificates appropriately.",
        "Remediation": "This is a platform error, and cannot be remediated by the app developer or admin. Consider filing a support ticket against the Azure service that is failing."
    },
    {
        "ErrorCode": "7000226",
        "Message": "No federated identity credential policy found on application ({appid}). The client_assertion used to authenticate the request does not match the subject or application being requested.  Ensure that the application ID in the request is correct, that the app has a policy applied to it, and that the correct client_assertion is being provided in the request.",
        "Remediation": "The request attempted to use a credential from one service to authenticate as another service, which requires a federated identity credential to be in place. The application ID in the request does not have a federated credentials policy applied to it, so the request was rejected. Ensure that the app has a policy applied to it, and that the developer intended to perform a cross-service authentication."
    },
    {
        "ErrorCode": "7000227",
        "Message": "No Federated Identity Credential policy found on application that matched the presented MSI-signed client assertion. Expecting a Federated Identity Credential with subject: '{msiSpid}', issuer: '{expectedIssuer}' and audience: '{expectedAudience}'.",
        "Remediation": "Ensure that the federated identity credential policy on the application matches the expected values."
    },
    {
        "ErrorCode": "7000281",
        "Message": "Certificate with thumbprint {thumbprint} is not authorized.",
        "Remediation": "Developer error - the app is attempting to sign in without the necessary or correct authentication parameters."
    },
    {
        "ErrorCode": "7000361",
        "Message": "Client assertion claim '{claimName}' can only contain a maximum of '{maxItems}' items."
    },
    {
        "ErrorCode": "7000471",
        "Message": "A reply address scheme starting with 'brk-' was seen on a request that wasn't for brokering. This scheme is reserved for brokered application requests. Use a valid reply URI instead, either a native app reply URI or an https:// uri.",
        "Remediation": "The app sent an inappropriate reply URI on this request. The app should be updated to provide a reply URI that is supported for their flow (https:// or a native app URI)"
    },
    {
        "ErrorCode": "7500110",
        "Message": "The query string hash could not be computed for signature generation/validation. Signature algorithm was not specified."
    },
    {
        "ErrorCode": "7500111",
        "Message": "The query string hash could not be computed for signature generation/validation. Cannot create a SAML binding message from the given HttpRequest parameters. Check if the request contains a valid Uri or Form POST that contains protocol parameters for SAML HTTP bindings."
    },
    {
        "ErrorCode": "7500112",
        "Message": "MessageType property get is not supported by this class."
    },
    {
        "ErrorCode": "7500510",
        "Message": "XML attribute '{attributeName}' in the SAML message must be a dateTime."
    },
    {
        "ErrorCode": "7500511",
        "Message": "XML attribute '{attributeName}' in the SAML message must be a URI."
    },
    {
        "ErrorCode": "7500512",
        "Message": "XML element '{elementName}' in XML namespace '{xmlNamespace}' was not expected in the SAML message. Either the element is not an expected part of a SAML message or was in the wrong location in the message. Check the names and ordering of the elements to confirm they conform to the SAML protocol specifications."
    },
    {
        "ErrorCode": "7500513",
        "Message": "The message type '{messageType}' is not a supported type of SAML request. Supported SAML requests are AuthnRequest and LogoutRequest."
    },
    {
        "ErrorCode": "7500514",
        "Message": "A supported type of SAML response was not found. The supported response types are 'Response' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion').",
        "Remediation": "Application error - the developer will handle this error."
    },
    {
        "ErrorCode": "7500515",
        "Message": "Was expecting to find XML element '{xmlElement}' in XML namespace '{xmlNamespace}', but it was not present. Either the expected element is not present or was in the wrong location in the message. Check the names and ordering of the elements to confirm they conform to the SAML protocol specifications."
    },
    {
        "ErrorCode": "7500516",
        "Message": "A required attribute is not present in the SAML message: '{xmlAttribute}'."
    },
    {
        "ErrorCode": "7500517",
        "Message": "The element '{xmlElement}' in XML namespace '{xmlNamespace}' cannot be empty."
    },
    {
        "ErrorCode": "7500518",
        "Message": "The specified comparison '{comparison}' is not a supported value for samlp:AuthnContextComparisonType."
    },
    {
        "ErrorCode": "7500519",
        "Message": "An unsupported SAML version was encountered: {version}."
    },
    {
        "ErrorCode": "7500520",
        "Message": "Unrecognized XML content of type '{nodeType}', name '{name}' was found at the beginning of the the SAML message. Expected to find an element 'AuthnRequest', 'Response', 'LogoutRequest' or 'LogoutResponse' from XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol'."
    },
    {
        "ErrorCode": "7500521",
        "Message": "Unrecognized XML content of type '{nodeType}' was found at the beginning of the the SAML message. Expected to find an element 'AuthnRequest', 'Response', 'LogoutRequest' or 'LogoutResponse' from XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol'."
    },
    {
        "ErrorCode": "7500522",
        "Message": "XML element '{xmlElement}' in XML namespace '{xmlNamespace}' in the SAML message must be a URI."
    },
    {
        "ErrorCode": "7500523",
        "Message": "The SAML IDPList must contain one or more IDPEntry elements."
    },
    {
        "ErrorCode": "7500524",
        "Message": "No saml:AuthnContextClassRef or saml:AuthnContextDeclRefs elements were found within samlp:RequestedAuthnContext."
    },
    {
        "ErrorCode": "7500525",
        "Message": "There was an XML error in the SAML message at line {lineNumber}, position {linePosition}. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications."
    },
    {
        "ErrorCode": "7500526",
        "Message": "The value '{value}' must be nonnegative."
    },
    {
        "ErrorCode": "7500527",
        "Message": "The value '{value}' must be nonnegative and less than or equal to 65535."
    },
    {
        "ErrorCode": "7500528",
        "Message": "Unexpected xsi:type: '{message}'"
    },
    {
        "ErrorCode": "7500529",
        "Message": "The value '{value}' is not a valid SAML ID. The ID must not begin with a number.",
        "Remediation": "Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. The ID must not begin with a number, so a common strategy is to prepend a string like id to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID."
    },
    {
        "ErrorCode": "7500530",
        "Message": "SAML NameId cannot be null."
    },
    {
        "ErrorCode": "7500531",
        "Message": "The end of an XML element was expected, but instead XML content of type '{nodeType}', name '{name}' was found. XML content may be present that is not defined in the SAML protocol specifications."
    },
    {
        "ErrorCode": "7500532",
        "Message": "The end of an XML element was expected, but instead XML content of type '{nodeType}' was found. XML content may be present that is not defined in the SAML protocol specifications."
    },
    {
        "ErrorCode": "7500533",
        "Message": "The SAML response was expected to start with either a Response element or a LogoutResponse element, from the XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol'."
    },
    {
        "ErrorCode": "7500534",
        "Message": "Exactly one saml:AuthnContextClassRef or saml:AuthnContextDeclRefs element is expected in the samlp:RequestedAuthnContext."
    },
    {
        "ErrorCode": "9000410",
        "Message": "Malformed JSON."
    },
    {
        "ErrorCode": "9000411",
        "Message": "The request is not properly formatted. The parameter '{name}' is duplicated."
    },
    {
        "ErrorCode": "9000412",
        "Message": "The request is missing a key."
    },
    {
        "ErrorCode": "9000413",
        "Message": "'Context' field is required."
    },
    {
        "ErrorCode": "9000414",
        "Message": "Malformed request."
    },
    {
        "ErrorCode": "9000510",
        "Message": "Hybrid SPA authorization codes cannot be requested on the app-only flow."
    },
    {
        "ErrorCode": "9000511",
        "Message": "Cannot emit Hybrid SPA auth code for Public or SPA client.  You must request the hybrid SPA auth code on your confidential client back-end, while redeeming the original auth code requested for a web type redirect URI."
    },
    {
        "ErrorCode": "9000512",
        "Message": "A Hybrid SPA code can only be requested while redeeming a confidential client authorization code (a code issued to a web-type redirect URI). Do not request a hybrid code otherwise."
    },
    {
        "ErrorCode": "9004351",
        "Message": "Requested resource '{resource}' cannot accept cross-cloud tokens, where user belongs to the cloud '{nationalCloud}' and authentication request is to https://login.microsoftonline.com."
    }
]