why I am able to login in CLI using username and password, when I have 2FA enabled

JA 131 Reputation points

Hi Team,
I have MFA enabled on our accounts. I first enter the credentials and then approve on microsoft authenticator app. So I believe this makes our authentication as 2FA.

I am not able to login using user credentials through MSAL library as we have MFA enabled. and it throws exception to disable it.

But now, I am trying with CLI and surprisingly, with this, I am able to log in just by using -> az login -u username -p password.

now, what I understand that CLI stores refresh token (after 1st successful login) and using which we are able to log in. But I did remove the .azure folder under my HOMEPATH and still I am able to login using just this command- > az login -u username -p password

So why so? any idea what could I be doing wrong?
From what I read from document is -> This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
5,617 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
682 questions
A cross-platform toolchain for developing, building, running, and publishing .NET applications.
324 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,768 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JimmySalian-2011 41,926 Reputation points


    Check this page with the information on the Azure CLi and how the process works with regards to authentication, point is regarding the authentication refresh token and it is not stored on the device as per the MS article authenticate-azure-cli
    However the az command and this approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. So it seems to me that device code is used for authentication instead of User v2-oauth2-device-code

    Read this thread with the explanation on this. login-to-azure-cli-with-mfa

    Hope this helps.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well