RavindraShukla-2370 asked saldana-msft edited

Is MFA authentication mandatory for Microsoft Graph?

Hello,

I am working on Microsoft Graph in my PowerShell script and I am authenticating to Azure AD and then getting a token for Microsoft Graph to retrieve the required information. I am using OAuth 2.0 and Authorization Code Grant Flow for this scenario.

I don't have anything mentioned in my PowerShell script specifically for MFA; however, my script initiates MFA authentication for this to work.

What my script does is give me a login window, where I need to enter my user account credentials, and after that it triggers the MFA authentication window.

So I would like to know whether MFA is a mandatory requirement for Microsoft Graph to obtain a token to work or is it by design, that MFA is required for Microsoft Graph.

Can someone please help me to understand and confirm this?

Thanks

windows-server-powershell microsoft-graph-users microsoft-graph-applications

CarlZhao-MSFT answered

Of course not, Microsoft Graph does not require MFA. MFA is triggered every time you log in because your AD user has MFA enabled. If you don't want to use MFA every time you log in, then you can disable it in Azure AD.



michev answered

No, but if you are running any of the delegate-based flows, you might be prompted to perform an MFA if the corresponding user is required to do so. MFA itself can be enforced by a number of methods, so check for any conditional access policies, security defaults, per-user MFA. A quick look at the Azure AD sign-in logs should give you an idea what caused the MFA prompt.
Alternatively, you can run your code in the context of an application/service principal instead, as those are not subject to MFA, currently.
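
One way to act on both suggestions in the answer above, as an added example that is not part of the original answer: request an app-only token with the client credentials grant, then read the user's recent sign-ins to see whether a Conditional Access policy applied. It assumes an app registration with the AuditLog.Read.All and Directory.Read.All application permissions and admin consent; the tenant ID, client ID, UPN and environment variable name are placeholders.

```powershell
# Added example: app-only token, then a look at the user's recent sign-ins.
# All values below are placeholders (assumptions); use your own app registration.
$TenantId     = '<tenant-id>'
$ClientId     = '<application-client-id>'
$ClientSecret = $env:GRAPH_CLIENT_SECRET   # hypothetical variable name; keeps the secret out of the script
$UserUpn      = 'user@contoso.example'     # constructed sample value

function Get-AppOnlyGraphToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client credentials grant: no user signs in, so there is no interactive or MFA prompt.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Get-RecentSignIn {
    param([string]$Token, [string]$Upn, [int]$Top = 10)
    # Single-quoted strings keep PowerShell from expanding $top and $filter.
    $filter = [uri]::EscapeDataString("userPrincipalName eq '$Upn'")
    $uri    = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=' + $Top + '&$filter=' + $filter
    $resp   = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
    foreach ($s in $resp.value) {
        # Keep only policies that actually evaluated to success or failure for this sign-in.
        $applied = $s.appliedConditionalAccessPolicies |
            Where-Object { $_.result -in 'success', 'failure' }
        [pscustomobject]@{
            Time              = $s.createdDateTime
            App               = $s.appDisplayName
            ErrorCode         = $s.status.errorCode         # 0 means the sign-in succeeded
            ConditionalAccess = $s.conditionalAccessStatus  # success, failure or notApplied
            AppliedPolicies   = ($applied | ForEach-Object {
                '{0} [{1}]' -f $_.displayName, ($_.enforcedGrantControls -join ',') }) -join '; '
        }
    }
}

$token = Get-AppOnlyGraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
Get-RecentSignIn -Token $token -Upn $UserUpn | Format-Table -AutoSize
```

A row with `ConditionalAccess` of `notApplied` and an empty `AppliedPolicies` column means no Conditional Access policy drove that sign-in, which leaves the other enforcement methods the answer lists to check.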


RavindraShukla-2370 answered michev commented

Hi @michev, thank you for your reply.

Yes, I am using delegated permissions for Microsoft Graph and I also have MFA enabled for my user account, which I am using to authenticate when the script launches the login window. So in this case, the script will always ask for MFA as it's enabled for my account, is that correct?

Also, I have checked the sign-in logs in Azure AD and there I am seeing the fields as "Status - Success", "Conditional Access - Not Applied" and "Authentication requirement - Single-factor authentication". PFA screenshots for reference.

One more doubt I have is about the Conditional Access policy: as the CA policy status is "Not Applied", does it mean that it's not mandatory for a CA policy to get applied, or is it the required one for MFA authentication? Kindly confirm.

Thanks


It's not "always", it depends as explained above. If CA policies do not apply, the user might be subject to per-user MFA enforcement. Or you might be seeing something else altogether - the SSPR/MFA enrollment workflow, which guides the user to configure their account for MFA, but doesn't necessarily require that you do a full MFA login.

RavindraShukla-2370 answered

Hi @michev, thank you for your reply and for clarifying things.
