Description
Context
To provide customers with the highest level of security, Microsoft has started to require multifactor authentication (MFA) for all Azure sign-in attempts.
We have identified the following issues as consequences of using MFA with Azure PowerShell:
1. ROPC Authentication
Logging in to Azure by passing the password directly in the command, also known as the ROPC (Resource Owner Password Credential) flow, is not supported with MFA.
The associated command is:
Connect-AzAccount -Credential $Credential
If MFA is required for the user, the above command fails with the following error message:
Connect-AzAccount : UsernamePasswordCredential authentication failed: Response status code does not indicate success: 400 (BadRequest).
See the troubleshooting guide for more information
https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot
Solution
You must switch to using an authentication flow compatible with Multifactor Authentication.
2. Cross-Tenant authentication
If the user has access to several tenants and one of them requires MFA, the login with Azure PowerShell may display a warning message similar to:
WARNING: Unable to acquire token for tenant '00000000-0000-0000-0000-000000000000' with error 'Authentication failed against tenant 00000000-0000-0000-0000-000000000000. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId 00000000-0000-0000-0000-000000000000.'
During the login phase, Azure PowerShell tries to log in to each of the different tenants that the user can access. The MFA claims obtained with the first tenant found cannot be used for a different tenant, so the warning message above is displayed.
Workaround
While we are working towards a resolution of the issue, we recommend that you avoid the warning message by specifying the tenant you want to use with the following command:
Connect-AzAccount -TenantId 00000000-0000-0000-0000-000000000000
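To find scripts affected by the two issues above, the following added example (not part of the original announcement or of Azure PowerShell itself) uses the PowerShell parser to flag Connect-AzAccount calls that use -Credential as a user password login (ROPC) or that omit an explicit tenant. The function name Find-AzLoginMfaIssue and the sample script are constructed for illustration; it assumes that -Credential combined with -ServicePrincipal is a service principal secret login rather than ROPC, and it does not resolve splatted parameters.

```powershell
# Added example: static check of a script for Connect-AzAccount calls affected by MFA.
function Find-AzLoginMfaIssue {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every Connect-AzAccount invocation, including those inside nested blocks.
    $calls = $ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.CommandAst] -and
        $n.GetCommandName() -eq 'Connect-AzAccount' }, $true)

    foreach ($call in $calls) {
        $names = @($call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName })

        # PowerShell accepts unambiguous parameter prefixes (-Cred, -Tenant).
        $hasCredential = [bool]($names | Where-Object { 'Credential' -like "$_*" })
        $hasSp         = [bool]($names | Where-Object { 'ServicePrincipal' -like "$_*" })
        $hasTenant     = [bool]($names | Where-Object { 'TenantId' -like "$_*" })

        $findings = @()
        # Assumption: -Credential with -ServicePrincipal is a client-secret login, not ROPC.
        if ($hasCredential -and -not $hasSp) { $findings += 'ROPC login: fails when MFA is required' }
        if (-not $hasTenant) { $findings += 'No -TenantId: cross-tenant MFA warning possible' }

        foreach ($f in $findings) {
            [pscustomobject]@{
                Line    = $call.Extent.StartLineNumber
                Finding = $f
                Command = $call.Extent.Text
            }
        }
    }
}

# Constructed sample script; variable names are placeholders.
$sample = @'
Connect-AzAccount -Credential $Credential
Connect-AzAccount -ServicePrincipal -Credential $spCred -TenantId $tenantId
Connect-AzAccount -TenantId 00000000-0000-0000-0000-000000000000
'@
Find-AzLoginMfaIssue -ScriptText $sample | Format-Table -AutoSize
```

On the sample, only the first line is reported, once for the ROPC login and once for the missing tenant. To check a real file, pass its text with `Get-Content -Raw`.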
Learn more
How to prepare for the impact of multifactor authentication on Azure PowerShell: https://aka.ms/azps-mfa
Additional information about ROPC flow: https://learn.microsoft.com/entra/identity-platform/v2-oauth-ropc