Microsoft Teams Rooms: Error Code AADSTS50126 Fix – Meaning & Solutions

A Microsoft Teams Rooms device that shows AADSTS50126 is failing during credential validation. In Microsoft Entra, code 50126 means the service could not validate the sign-in because the username or password did not match. For room systems, that usually narrows the fix to the resource account, the stored password on the device, or the way the account was created and governed. [✅Source-1]

A Narrow Error: When AADSTS50126 appears, start with the account and password path before you change network, hardware, or calendar settings. Those other layers still matter, but this code is far more specific than a generic sign-in failure.

What Error Code AADSTS50126 Means on Teams Rooms

The practical reading is simple: the room account did not authenticate. On Teams Rooms, that usually means one of these items is off by just enough to break sign-in:

  • The stored password on the console is old.
  • The room is using the wrong resource account UPN.
  • The password expired earlier, was reset, and the room still holds the old secret.
  • The account itself was built in a way that does not fit a Teams Rooms sign-in path.
  • A nearby policy issue is being confused with 50126, even though the real code is 50055, 50076, 50079, or 53003.

| Signal or Symptom | What It Usually Means | What to Check Next |
| --- | --- | --- |
| AADSTS50126 | Username or password did not validate. | Verify the exact resource account, reset the password, and update the password on the room. |
| AADSTS50055 | Password has expired. | Reset the room account password, then turn off password expiration for that shared device account. |
| AADSTS50076 or AADSTS50079 | Interactive MFA is required. | Remove interactive MFA from the resource account and review room-specific access policy. |
| AADSTS53003 | Conditional Access blocked token issuance. | Check whether a broad tenant policy is still catching the room account. |
| Successful Entra sign-in, room still not ready | The issue is likely mailbox, license, or service reachability, not 50126 itself. | Check the room mailbox, Teams Rooms license, and required endpoints. |

That separation matters. It keeps you from resetting passwords when the real block is MFA, Conditional Access, or a missing room license. When troubleshooting authentication failures like this, comparing the behavior with other documented Microsoft Teams error codes can also help confirm whether the failure belongs to identity validation or another policy layer.

Where to Check Before You Change Anything

Teams Rooms does not leave you guessing. Microsoft says the device checks its sign-in state, network, and Exchange connectivity every five minutes, and it logs a 2001 event when one or more of those checks fail. For credential issues, the most useful place on a Windows room is Event Viewer > Applications and Services Log > Microsoft > Windows > Microsoft Entra ID > Operational. Open the log and look for Event ID 1098. In parallel, review Microsoft Entra sign-in logs for a failure with code 50126. Microsoft also provides a Teams Rooms sign-in connectivity test in Remote Connectivity Analyzer; it requires a Global Administrator account to run. [✅Source-2]

A useful detail: Microsoft notes that AADSTS50126 can still appear after a room password has been expired for some time. So when an admin says, “We already changed that password last week,” the room can still be holding stale credentials. This is seen often.

  1. Confirm that the code in the room log is truly 50126 and not a nearby code.
  2. Check whether Entra sign-in logs show a matching failure for the same resource account.
  3. If there are no sign-in attempts at all, suspect blocked sign-in endpoints, proxy handling, or another network path issue.
  4. Only after that, move into password reset, account structure, mailbox, license, and policy checks.
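
The four checks above, applied to exported Entra sign-in records, as an added example that is not part of the original article or Microsoft's tooling. It assumes records shaped like Microsoft Graph signIn objects (`userPrincipalName`, `createdDateTime`, `status.errorCode`); the function names, the `contoso.example` accounts, and the sample records are constructed for illustration.

```python
from datetime import datetime

# Next check per Entra error code, taken from the table on this page.
NEXT_CHECK = {
    50126: "verify the resource account UPN, reset the password, update it on the room",
    50055: "reset the expired password, then turn off expiration for the room account",
    50076: "remove interactive MFA from the room account; review room access policy",
    50079: "remove interactive MFA from the room account; review room access policy",
    53003: "find the tenant-wide Conditional Access policy catching the room account",
    0: "sign-in succeeded: check room mailbox, Teams Rooms license, endpoints",
}

def _when(record):
    # Truncate to whole seconds so "...Z" and fractional timestamps both parse.
    return datetime.fromisoformat(record["createdDateTime"][:19])

def triage(records, room_upn, reset_at=None):
    """Return (verdict, next_check); reset_at is the last cloud-side reset (naive UTC)."""
    upn = room_upn.lower()
    mine = sorted((r for r in records if r["userPrincipalName"].lower() == upn), key=_when)
    if not mine:
        # Step 3: nothing reached Entra, so another password reset cannot help.
        return ("no-attempts", "check sign-in endpoints, proxy handling, firewall rules")
    last = mine[-1]
    code = last["status"]["errorCode"]
    if code == 50126 and reset_at and _when(last) > reset_at:
        # The password was reset, yet the room still fails: it is retrying the
        # old stored secret or was saved with the wrong UPN.
        return ("50126-after-reset", "update the stored password on the room; recheck the UPN")
    return (str(code), NEXT_CHECK.get(code, "code not covered on this page: read failureReason"))

# Constructed sample data (not real tenant logs).
def _rec(upn, ts, code):
    return {"userPrincipalName": upn, "createdDateTime": ts, "status": {"errorCode": code}}

SAMPLE = [
    _rec("room-a@contoso.example", "2024-05-01T08:00:00Z", 50126),
    _rec("Room-A@contoso.example", "2024-05-01T09:05:12.3456789Z", 50126),
    _rec("room-b@contoso.example", "2024-05-01T08:10:00Z", 50126),
    _rec("room-b@contoso.example", "2024-05-01T08:40:00Z", 50076),
    _rec("room-d@contoso.example", "2024-05-01T08:20:00Z", 0),
]
RESET_A = datetime(2024, 5, 1, 9, 0, 0)  # constructed reset time for room-a

if __name__ == "__main__":
    for room in ("room-a", "room-b", "room-c", "room-d"):
        upn = f"{room}@contoso.example"
        print(upn, triage(SAMPLE, upn, RESET_A if room == "room-a" else None))
```

The verdict is based on the most recent record for the account, so an earlier 50126 that has since turned into 50076 is reported as the MFA problem it now is.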

Fix Steps That Solve Most Cases

Confirm the Exact Resource Account

A surprising number of room failures come from the wrong account string, not the wrong password. Microsoft’s setup guidance says each Teams Rooms device needs its own resource account, the UPN must match the SMTP address, and a room account that is forced to change password at first sign-in will create sign-in problems. Microsoft also notes that room mailboxes do not have usable sign-in accounts by default, so the mailbox account must be enabled when the room identity is created. [✅Source-3]

  • Do not sign the room in with a normal employee account.
  • Use the resource account UPN, not a guessed alias.
  • Check that the room mailbox account is actually password-enabled.
  • Make sure the account is not marked to change password on first sign-in.

Reset the Password and Update the Device

If Event ID 1098 and Entra logs both point to 50126, a clean password reset is still the fastest move. Reset the resource account password, then immediately update that password in the Teams Rooms device settings. Do not stop at the cloud-side reset. The room must store the new value locally as well.

Watch the order: reset first, update the room second, then test again. Reversing the order wastes time because the room simply retries with the same old secret.

Remove Password Policies That Break Shared Devices

Shared devices do better with stable credentials. Microsoft recommends that Teams shared device accounts use a Teams Rooms resource account and that password expiration be turned off to avoid service interruptions. For Android-based shared devices, Microsoft also recommends remote sign-in instead of sending passwords to setup staff, which cuts down simple credential entry mistakes. [✅Source-4]

  • Turn off password expiration for room accounts.
  • Do not rotate room passwords on the same schedule as user passwords unless you also update every affected device at once.
  • For Android rooms and panels, use remote sign-in when possible.

Check Mailbox and License After the Password Fix

Sometimes the password fix is real, but the room still does not settle because a second setup issue remains. Microsoft says Teams Rooms devices need a Teams Rooms Basic or Teams Rooms Pro license; other user licenses do not work for room devices. Microsoft also states that organizations can assign up to 25 Teams Rooms Basic licenses, while additional rooms require Pro. If Entra sign-in succeeds and the room still fails later, check the room mailbox and the assigned room license next. [✅Source-5]

| Item | What Good Looks Like | Why It Matters |
| --- | --- | --- |
| Room Account | A dedicated Teams Rooms resource account | User accounts create avoidable policy and lifecycle problems. |
| Mailbox | A real room mailbox tied to the room identity | Calendar fetch and meeting join depend on it. |
| License | Teams Rooms Basic or Teams Rooms Pro | Without the right room license, the device cannot complete the expected service flow. |

Teams Rooms on Windows and the Authentication Detail That Changes Troubleshooting

On Windows rooms, Microsoft says the app uses the resource owner password credentials grant in OAuth 2.0 and does not support user interactive second-factor authentication. That changes the troubleshooting angle. A room cannot sit there and complete a normal human MFA prompt. So if the tenant expects interactive approval, the design is wrong for a room account even when the account password itself is correct. [✅Source-6]

Why This Matters: If the room account is protected by interactive MFA, smart card sign-in, or client certificate sign-in, the room is being asked to do something it was not built to do. In that case the repair is policy-side, not hardware-side.

Review Conditional Access and MFA Settings

Microsoft recommends excluding Teams Rooms resource accounts from broad tenant Conditional Access policies and creating a separate policy for those room accounts. Microsoft also says not to require user interactive MFA and not to attach sign-in steps that require registration during the sign-in flow, because those prompts block Teams devices. For room security, Microsoft points admins toward compliant device and known network location conditions instead. [✅Source-7]

  • Exclude room accounts from broad “all users” access policies.
  • Create a room-specific Conditional Access policy.
  • Do not require interactive MFA on room accounts.
  • Use device compliance and named locations where they fit your environment.

Settings That Commonly Keep the Error Coming Back

When 50126 returns after a reset, the room is usually telling you the first fix was only half of the work. The password may be new, yet the account string is still wrong. The room may authenticate, then fail later because the mailbox or license side was never finished. Or the room account may still be caught by a tenant-wide sign-in policy. Small differences, large effect.

  1. The wrong sign-in name was saved. The room should use the exact resource account UPN.
  2. The device still stores old credentials. Resetting in Entra alone is not enough.
  3. The account was forced to change password at first sign-in. Room devices do not handle that flow well.
  4. A second fault sits behind the first one. After 50126 is fixed, the remaining issue may be mailbox, license, or network access.

Good Repair Pattern

  • Read the exact code.
  • Fix the resource account.
  • Update the password on the room.
  • Retest sign-in.
  • Only then move to mailbox, license, and network checks.

Time-Losing Pattern

  • Reset the password repeatedly.
  • Ignore the exact account name.
  • Leave MFA or Conditional Access untouched.
  • Skip mailbox and license validation.
  • Assume the device is faulty before reading the logs.

Network Path Checks That Matter When Logs Stay Quiet

If the room never reaches Microsoft Entra sign-in endpoints, you may not get a clean 50126 trail in cloud logs at all. Microsoft says Windows-based Teams Rooms support some proxy setups, but not authenticated proxy servers. Microsoft also recommends bypassing proxy infrastructure for Teams traffic, keeping the path short, allowing UDP 3478-3481 for Teams media, and allowing all required Microsoft 365, Azure, Intune, and Teams Rooms URLs and IPs through the firewall. [✅Source-8]

Microsoft also recommends 10 Mbps up and down per Teams Room as a planning target for room performance. That number does not create 50126 by itself, but weak or overcomplicated network paths do make room sign-in and service registration harder to trust during testing. [✅Source-9]

A clean rule: if the room shows a credential-style failure but Entra logs are empty, do not keep rotating passwords. Check endpoint reachability, proxy behavior, certificates, and firewall rules first.

FAQ

Does AADSTS50126 Always Mean the Password Is Wrong?

It means Microsoft Entra could not validate the username or password. On Teams Rooms, that often leads back to a wrong stored password, but it can also follow a stale password after expiry, the wrong resource account UPN, or a room account that was not set up correctly.

Can MFA Cause a Teams Rooms Sign-In Failure Here?

Yes, but interactive MFA usually shows up as 50076 or 50079, not 50126. Teams Rooms resource accounts should not require user interactive MFA. Review Conditional Access if the room keeps failing after a password reset.

Why Did the Room Still Fail After We Reset the Password?

The most common reason is simple: the new password was never written back to the device. Another common reason is that the room account is set to change password on first sign-in, or the room is using the wrong UPN.

Should I Use a Normal User Account for the Room?

No. Use a dedicated Teams Rooms resource account with the right mailbox and a Teams Rooms license. Normal user accounts bring avoidable policy and lifecycle issues to shared meeting spaces.

Where Is the Fastest Place to Verify the Error on Windows?

Open Event Viewer, then go to Applications and Services Log > Microsoft > Windows > Microsoft Entra ID > Operational, and look for Event ID 1098. Pair that with Entra sign-in logs for the same room account.

What Is the Fastest Admin-Side Validation Test?

The Microsoft Teams Rooms sign-in connectivity test in Remote Connectivity Analyzer is the fastest guided check. It requires a Global Administrator account and is useful when you want one place to compare permissions, sign-in readiness, and warnings.
