Let's get started!

This article assumes you are using your own code to perform the authentication to Azure Active Directory.

IMPORTANT: If you're using the Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you.

You are developing an Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into issues during the sign-in process, with no error message or any hint about what the problem might be. Some of the behaviors that you might see are…

  • The dreaded infinite loop between your web app and Azure Active Directory.
  • After signing in to Azure Active Directory, you land back on your web application as if you had never signed in.
  • You land on your error page with no useful error message.

The purpose of this article is not to show you how to resolve the failed sign-in attempt. Rather, I want to show you how to troubleshoot and maybe expose the hidden error message. Once you have unraveled the hidden error message, hopefully that will lead you down a path to resolve the failed sign-in attempt.

This is where the OnAuthenticationFailed notification comes in handy…

In Asp.Net, you want to make sure your code looks something like this for the AuthenticationFailed event notification (in startup.auth.cs)…

In Asp.Net Core, you want to make sure your code looks something like this for the OnAuthenticationFailed event notification (in startup.cs)…

You can of course tweak this so that you can either send the error message to your logs or send it to a custom error page.
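As an added example (not code from the original article), here is one way to wire OnAuthenticationFailed in Asp.Net Core with OpenID Connect so that the full exception goes to the logs and a URL-encoded message goes to a custom error page. The `SignInDiagnostics` class, the `/Home/Error` route, the `error_message` parameter and the `<tenant-id>` / `<client-id>` placeholders are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class SignInDiagnostics // hypothetical helper, not part of the article
{
    // Call from ConfigureServices in startup.cs: services.AddSignInDiagnostics();
    public static IServiceCollection AddSignInDiagnostics(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
                // Placeholders: substitute your own tenant and app registration.
                options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
                options.ClientId = "<client-id>";

                options.Events = new OpenIdConnectEvents
                {
                    OnAuthenticationFailed = context =>
                    {
                        // Full exception, inner exceptions included, goes to the server log.
                        var logger = context.HttpContext.RequestServices
                            .GetRequiredService<ILoggerFactory>()
                            .CreateLogger("SignInDiagnostics");
                        logger.LogError(context.Exception, "OpenID Connect sign-in failed");

                        // Tell the handler we are writing the response ourselves.
                        context.HandleResponse();

                        // Encode the message so it cannot alter the query string.
                        // Assumption: /Home/Error allows anonymous access; otherwise
                        // the redirect triggers another challenge and the loop continues.
                        var message = Uri.EscapeDataString(
                            context.Exception.Message.Replace("\r\n", " "));
                        context.Response.Redirect("/Home/Error?error_message=" + message);
                        return Task.CompletedTask;
                    }
                };
            });
        return services;
    }
}
```

On the error page, render `error_message` HTML-encoded (Razor does this by default). Once troubleshooting is done, keep the logging and show end users only a generic message.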

At minimum, we should see the error message in the address bar…

or in the case of the infinite loop, see it in the Fiddler capture…

For more information about using Fiddler, check out our Blog post here…

For a list of Azure Active Directory errors and some tips on how to resolve them, check out the following article…

raja ram
1 month ago

// On Authentication Failed
//Slight correction needed - shown below:

options.Events = new JwtBearerEvents()
{
    OnAuthenticationFailed = async (context) =>
    {
        String ErrorMessage = context.Exception.Message;
        String InnerErrorMessage = String.Empty;
        String RedirectError = String.Format("?error_message={0}", ErrorMessage);

        if (context.Exception.InnerException != null)
        {
            InnerErrorMessage = context.Exception.InnerException.Message;
            RedirectError = String.Format("{0}&inner_error={1}", RedirectError, InnerErrorMessage);
        }

        // or you can just throw it
        // throw new Exception(RedirectError);

        RedirectError = RedirectError.Replace("\r\n", " ");
        await context.Response.WriteAsync(RedirectError);
    }
};

Bac Hoang [MSFT]
1 month ago
Reply to  raja ram

Thanks for the feedback. Your method of using JwtBearerEvents is certainly valid for a web API scenario. The scenario in this post is for web apps using OpenID Connect (OIDC).