How do we get an OAuth\JWT token when MFA is enabled? As per the policy in our company, our test account cannot have MFA disabled.
Hi @PramukKCSGRECOGDVLSW-2730 · Thank you for reaching out.
When MFA is enabled for a user account, you are required to prove:
1. Who you are (using username/password) - Can be automated
2. What you own (Mobile/Authenticator app/Hardware token) - Can NOT be automated as it requires manual input.
If you are looking for automating the authentication without disabling MFA for the account, you can:
- Exclude the public IP address/subnet that represents the computer(s) where you want to automate authentication for this account.
- Use Azure AD Joined/Hybrid Joined/Registered devices, where you need to perform MFA once; the MFA information is stored in the PRT and the user won't be prompted for MFA afterwards.
If you are using this account for script automation:
- Use application context by using client_credentials flow for authentication.
- Or if you are running the script on Azure VM, consider using Managed Identity for authentication.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks a lot for providing this info.
Just want to clarify:
I am using var app = PublicClientApplicationBuilder.Create(this.ClientId).WithAuthority(this.Authority).Build();
and calling the method result = await app.AcquireTokenSilent(this.ApiScopes, accounts.FirstOrDefault()).ExecuteAsync().ConfigureAwait(false);
in order to get a token, but when I execute the code I get errors for:
{"A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
If we make this change in the app registration portal -> Authentication blade (toggle to public client),
would this setting cause any potential security risks?
MFA authentication can be:
1. What the user knows, like a password
2. What the user has... "a certificate". Could it work for you?
The validation of a certificate can be automated.
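Added example (not code from the original thread or from either answerer): the application-context path both answers point at, written against MSAL.NET and Azure.Identity. It replaces the PublicClientApplication/AcquireTokenSilent pair from the follow-up question with a ConfidentialClientApplication authenticated by a certificate (the "what the user has" item from the second answer; a client secret would work the same way but is a weaker credential), and adds a Managed Identity variant for scripts running on an Azure VM. No user signs in, so no MFA prompt occurs and no "public client" toggle is needed on the app registration. The tenant ID, client ID, certificate thumbprint and Graph scope are placeholders, and the app registration is assumed to have been granted application permissions by an admin.

```csharp
// Added example, not from the original thread. Assumes an app registration
// with *application* permissions (not delegated scopes) admin-consented, and
// either a certificate uploaded to that registration or a system-assigned
// Managed Identity on the Azure VM running the script. All IDs are placeholders.
//
// NuGet packages assumed: Microsoft.Identity.Client, Azure.Identity, Azure.Core
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Identity.Client;

public static class AppContextAuth
{
    // Placeholders; replace with your tenant and app registration values.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ClientId = "11111111-1111-1111-1111-111111111111";
    private const string CertThumbprint = "REPLACE_WITH_CERT_THUMBPRINT";

    // ".default" asks the token endpoint for every application permission
    // already consented for this app. The client_credentials flow cannot
    // request user-style delegated scopes, and the token it returns carries
    // "roles" rather than "scp" and has no MFA claim, because no user was involved.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    // Option 1: client_credentials with a certificate. This is the
    // ConfidentialClientApplication path that AADSTS7000218 was asking for
    // ('client_assertion' = a JWT signed by the certificate's private key).
    // Preferred over WithClientSecret: the private key never leaves the host and
    // each assertion is short-lived, whereas a secret is a reusable bearer string.
    public static async Task<string> GetTokenWithCertificateAsync()
    {
        X509Certificate2 cert = LoadCertificateFromStore(CertThumbprint);

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // AcquireTokenForClient, not AcquireTokenSilent: there is no user
        // account in the cache and no interactive sign-in to be silent about.
        AuthenticationResult result = await app.AcquireTokenForClient(Scopes)
            .ExecuteAsync()
            .ConfigureAwait(false);

        return result.AccessToken;
    }

    // Option 2: Managed Identity when the script runs on an Azure VM. No
    // credential material is stored with the script; the platform issues the
    // token to the VM's identity.
    public static async Task<string> GetTokenWithManagedIdentityAsync()
    {
        var credential = new ManagedIdentityCredential(); // system-assigned identity
        AccessToken token = await credential
            .GetTokenAsync(new TokenRequestContext(Scopes))
            .ConfigureAwait(false);
        return token.Token;
    }

    // Load the certificate (with private key) from the current user's store
    // instead of shipping a PFX next to the script.
    private static X509Certificate2 LoadCertificateFromStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("Certificate not found: " + thumbprint);
        return matches[0];
    }

    public static async Task Main()
    {
        string token = await GetTokenWithCertificateAsync();
        Console.WriteLine("Acquired an app-only access token of length " + token.Length);
    }
}
```

Both methods return an app-only access token that the test account's MFA policy never sees, because the policy applies to user sign-ins and these requests contain no user. Whichever option you choose, grant the registration or the identity only the application permissions the script actually needs: with no MFA or user context on the token, the credential and its permission set are the entire security boundary.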