ADF lost access to Dynamics CRM / Dataverse after MFA was turned on

Question

Today my ADF pipelines started throwing errors:

Operation on target Process order failed: ErrorCode=DynamicsFailedToConnect,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Failed to connect to Dynamics: Unable to Login to Dynamics CRM: ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000007-0000-0000-c000-000000000000' 

It seems that it was caused by turning on the MFA and all of my datasets authenticate with user - password.

I believe I will need to re-authenticate the linked service with Dynamics / Dataverse somehow, but I am unsure how to proceed.

Is there any chance for a step-by-step walkthrough? I am not an Admin in the Azure Account so I don't have any permissions to grant access etc. I would really appreciate a solution that I could send to the admin so he can somehow fix the access issue.

Answer 1

The error you ae encountering indicates that Multi-Factor Authentication (MFA) requirements are preventing your Azure Data Factory (ADF) pipelines from connecting to Dynamics 365. Since MFA has been enabled, the previous method of authentication using just a username and password is no longer sufficient. To resolve this, you’ll need to switch to using a service principal or a managed identity for authentication, which supports MFA.

Here’s a step-by-step guide you can provide to your Azure administrator to re-authenticate the linked service with Dynamics/Dataverse:

Create a Managed Identity:

In the Azure portal, go to the Azure Data Factory’s Identity section.

Enable a System-assigned managed identity or create a User-assigned managed identity.

Grant Permissions to the Managed Identity:

Assign the necessary permissions to the managed identity in Dynamics 365. This typically involves Azure AD roles and Dynamics 365 security roles.

Update the ADF Linked Service:

Navigate to the ADF instance and go to the Linked services section.

Find the linked service that connects to Dynamics 365.

Edit the linked service to use the managed identity for authentication.

Configure Dynamics 365 to Accept the Managed Identity:

In Dynamics 365, set up the necessary configurations to accept connections from the managed identity.

Test the Connection:

After updating the linked service, test the connection to ensure that it’s working correctly with the new authentication method.

By following these steps, the administrator should be able to update the authentication method for the ADF pipelines to work with Dynamics 365 post-MFA enforcement. Please note that the exact steps and permissions required may vary based on your organization’s setup and the specific configurations of Dynamics 365 and Azure Data Factory.

https://learn.microsoft.com/en-us/azure/data-factory/credentials?tabs=data-factory