ROPC (Username/Password) flow fails with AADSTS50126: Invalid username or password for federated users

Amanmcse
1 min read · Jul 3, 2020

Pre-requisites:

  • The AzureAD PowerShell module (Install-Module AzureAD) and a Global Administrator account in the tenant.
  • Password hash synchronization enabled for the federated domain: AllowCloudPasswordValidation makes Azure AD validate the password against the synchronized hash instead of sending the user to the federated IdP, so without a synced hash the ROPC request still fails.
  • The app registration that uses the ROPC flow. The policy is attached to its service principal, so it needs to exist in the tenant.

Steps:

  • Run Connect-AzureAD, sign in with a Global Administrator account, and create the Home Realm Discovery policy with the cmdlet below:
  • New-AzureADPolicy -Definition @('{"HomeRealmDiscoveryPolicy":{"AccelerateToFederatedDomain":false, "PreferredDomain":"your_federated_domain.com", "AllowCloudPasswordValidation":true}}') -DisplayName ROPC4ADFS -Type HomeRealmDiscoveryPolicy
  • Run Get-AzureADPolicy and copy the Id of the ROPC4ADFS policy created in the previous step.
  • Run Get-AzureADServicePrincipal -SearchString "<display_name_of_the_app>" and copy the ObjectId of the service principal from the output.
  • Run Add-AzureADServicePrincipalPolicy -Id <objectId_of_the_service_principal> -RefObjectId <objectId_of_the_policy>
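The same procedure as one script, written as an added example for this page rather than code from the original post. It reuses an existing ROPC4ADFS policy instead of creating a duplicate, filters the service principal lookup to an exact display name (because -SearchString is a prefix match), attaches the policy only if it is not already attached, and then verifies the assignment. The app display name "My ROPC App", the tenant and client identifiers, and the Test-Ropc helper are assumptions for illustration; the cmdlets and the token endpoint are the real ones.

```powershell
#Requires -Modules AzureAD
# Added example, not from the original post. Assumes the AzureAD module is installed,
# the caller is a Global Administrator, password hash sync is enabled for the federated
# domain, and the ROPC client app exists. $AppDisplayName is a hypothetical value.
param(
    [string]$FederatedDomain = 'your_federated_domain.com',
    [string]$AppDisplayName  = 'My ROPC App',
    [string]$PolicyName      = 'ROPC4ADFS'
)

Connect-AzureAD | Out-Null

# 1. Create the HRD policy once. New-AzureADPolicy is not idempotent, so look it up first.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $PolicyName -and $_.Type -eq 'HomeRealmDiscoveryPolicy' }
if (-not $policy) {
    # Build the JSON definition from a hashtable to avoid quoting mistakes in the inline string.
    $definition = [ordered]@{
        HomeRealmDiscoveryPolicy = [ordered]@{
            AccelerateToFederatedDomain  = $false
            PreferredDomain              = $FederatedDomain
            AllowCloudPasswordValidation = $true   # the setting that fixes AADSTS50126 for ROPC
        }
    } | ConvertTo-Json -Compress -Depth 3
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName -Type HomeRealmDiscoveryPolicy
}

# 2. Resolve the service principal. -SearchString matches prefixes, so require the exact name.
$sp = @(Get-AzureADServicePrincipal -SearchString $AppDisplayName |
        Where-Object { $_.DisplayName -eq $AppDisplayName })
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# 3. Attach the policy to this service principal only. Do not set -IsOrganizationDefault on the
#    policy: that would let every application in the tenant bypass the federated IdP.
$alreadyAttached = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $alreadyAttached) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# 4. Verify the assignment: the ROPC4ADFS policy should appear in this list.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type

# 5. Optional client-side check (hypothetical helper): send a ROPC request to the v2.0 token
#    endpoint. Before the policy is attached, a federated user gets HTTP 400 with
#    error_codes containing 50126; afterwards a token is issued. The app must allow public
#    client flows for this to work without a client secret.
function Test-Ropc {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Password,
        [string]$Scope = 'https://graph.microsoft.com/.default'
    )
    $body = @{
        grant_type = 'password'
        client_id  = $ClientId
        username   = $Username
        password   = $Password
        scope      = $Scope
    }
    try {
        $token = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
            -Body $body -ContentType 'application/x-www-form-urlencoded'
        return "OK: token issued (expires in $($token.expires_in)s)"
    } catch {
        # The error body is JSON with error, error_codes and error_description fields.
        $err = $_.ErrorDetails.Message | ConvertFrom-Json
        return "$($err.error) [$($err.error_codes -join ',')]: $($err.error_description)"
    }
}
```

Run Test-Ropc with a federated test account once before and once after step 3; the first call should report error code 50126 and the second should return a token. Treat the password used for the check as a secret (read it with Read-Host -AsSecureString or from a vault in anything beyond a one-off test).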

This allows federated users of that specific application to authenticate directly against Azure AD, which validates the password against the synchronized hash, without being redirected to the federated identity provider (IdP). Because the policy is attached to one service principal, only that application bypasses the IdP; do not make it the organization default. Note that requests validated this way never reach the federated IdP, so any multi-factor authentication, lockout or issuance policies enforced there do not apply to this application, and ROPC itself carries no MFA. Keep the exception scoped to the application that genuinely needs it.


My name is Amanpreet Singh. I have over 10 years of experience as an IT Professional. I am employed at Microsoft and work in Azure Identity and Security domain.