SAML – Azure AD AADSTS75011: authentication method 'x509', 'Multifactor'


I had some trouble with an Azure AD integration with a SAML application. Users got an Azure AD prompt with the error below:

AADSTS75011 authentication method 'x509, Multifactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

Looking at the failed sign-in screen below: most logins were successful, and when I looked into the users getting failures, the problem at first seemed to be related to pilot users (including myself, of course 🙂) with passwordless, since the application had not been changed in the last 13 months. I started digging into the SAML request and saw Password,ProtectedTransport there, matching the error above.
I checked AADSTS75011 at the , to see if there were more details about the error.

[Sign-in chart: blue = successful logins, pink = failures]

I also had a dialogue with the application vendor. We verified that no changes had been made to the SAML library or the claims before I started sending them the SAML logs.

In parallel, I also created a support ticket with Microsoft, and for the first time tried the "Enable advanced diagnostics" option.

This functionality is genuinely useful, since the Request ID and Correlation ID let Microsoft look up the exact authentication request and examine its details.

After they looked into the ticket, I got an answer with some additional details that I was unfamiliar with, even though I have been working with multiple SAML setups for some years.

PasswordProtectedTransport is not a supported value in Azure AD, and the value is in any case optional in the SAML request. If there is no specific need for it, the application vendor can remove the value from the SAML request.

More details at the link:

The vendor changed the SAML request, and as expected the SAML SSO worked like a charm again! That's it for this short post.
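To see what an SP is actually asking for, here is an added example (my own code, not from the post or the vendor) that decodes a SAMLRequest as carried in the HTTP-Redirect binding, reports the RequestedAuthnContext class references and the ForceAuthn flag, and produces the request with the optional RequestedAuthnContext element removed, which is the vendor-side fix described above. The sample request and its endpoints are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():          # keep the usual prefixes on output
    ET.register_namespace(prefix, uri)

# Constructed sample AuthnRequest; the SP URLs are hypothetical placeholders.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" '
    'Version="2.0" IssueInstant="2021-09-01T10:00:00Z" '
    'AssertionConsumerServiceURL="https://app.example.invalid/saml/acs">'
    '<saml:Issuer>https://app.example.invalid</saml:Issuer>'
    '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text: str) -> str:
    """Package the XML as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(saml_request: str) -> str:
    """Reverse of encode_redirect: turn a SAMLRequest parameter value back into XML."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def inspect_request(xml_text: str) -> dict:
    """Report what the SP asks the IdP to enforce: ForceAuthn and requested class refs."""
    root = ET.fromstring(xml_text)
    refs = [e.text.strip() for e in root.iterfind(
        "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)]
    return {"force_authn": root.get("ForceAuthn", "false").lower() == "true",
            "class_refs": refs}


def strip_requested_authn_context(xml_text: str) -> str:
    """Return the request without RequestedAuthnContext (the element is optional)."""
    root = ET.fromstring(xml_text)
    for el in root.findall("samlp:RequestedAuthnContext", NS):
        root.remove(el)
    return ET.tostring(root, encoding="unicode")
```

Run inspect_request on the decoded SAMLRequest from a failing sign-in to confirm whether the SP is pinning the authentication context before involving the vendor.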


  1. Ola G September 16, 2021 at 11:42 am

    What is meant by “PasswordProtectedTransport is not a supported value in Azure AD and also optional for the SAML Request.”

    From what I can see Password is on the list of values in the Microsoft docs.
    If the app provider removes the Password, can users without Passwordless still log on?

    1. Stein-Erik Alvestad September 26, 2021 at 5:11 pm

      That could depend on what the access token lifetime is set to, if I catch your question correctly.

  2. jketo December 22, 2021 at 1:46 pm

    In the message from the SP, RequestedAuthnContext is an optional value. Remove it, and authentication works.

    For me the above happens when AAD is configured to have MFA and the Authenticator app is in use and SSO is already in place. In those cases Azure will return 'X509, Multifactor' as the authentication mechanism, which will be rejected.

    Another option is to make sure the RequestedAuthnContext will be honored. This is done by requesting a fresh authentication. By doing this, when the SAML request is processed, a fresh authentication will be done and the AuthnContext will be honored. To request a fresh authentication the SAML request must contain the value forceAuthn="true".


    1. Stein-Erik Alvestad December 25, 2021 at 6:09 pm

      The Microsoft docs are much improved since the last time I encountered this issue 🙂

  3. jketo December 22, 2021 at 1:52 pm

    Users can mitigate this by signing out from Azure AD, then logging in again by choosing "use password authentication instead", thus bypassing the authenticator application. But this is obviously not an optimal solution.

