This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 0%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETV%3C/text%3E%3C/svg%3E)
We have an C# application which requests information from Microsoft EntraID by using functionality of Microsoft.Identy.Client and Microsoft.Graph namespaces. In order to access the interfaces we use IPublicClientApplication and autorize by means of userid and password. The userid used is a standard user with no assigned roles. MFA for this user is disabled (either via policy or direct configuration). Grants on the EntraID is done on basis of ApplicationID. The following grants are used:
Besides reading information from the EntraID do we also validate user logins in our application by using AcquireTokenByUsernamePassword. Also here we can't support MFA so MFA is disabled for the users of our application (either via policy or direct configuration).
The above solution works fine, although it is maybe not a recommend solution. The application is is deployed by several of our customers.
Now Microsoft is changing its policy. I have received the message below:
Starting 15 October 2024, we will require users to use multifactor authentication (MFA) to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center. To ensure your users maintain access, you’ll need to enable MFA by 15 October 2024.
Will the above mcehanism still work after October 15? If not, which change is required to continue working without MFA (as our application will not be able to use MFA)?
And can we expect more issues by upcoming changes in the Microsoft policies?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Theo Vergoossen Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 54%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETV%3C/text%3E%3C/svg%3E)
See my respons to the answer of Vasil. I guess I realy need to know from Microsoft how it will be enforced en whether we will observe a difference compared to our current situation
You should switch to using a service principal (authenticate via the client credentials flow) where possible. Apart from changing the auth flow, you should replace delegate permissions with application ones. Most Graph API operations are available via application permission as well, although there are few exceptions. It all boils down to what you app is leveraging.
I know that I can change to the client credential flow, but is it mandatory to do so before the upcoming change? In our test environments we have already the security defaults enabled and if I want to login in the Azure portal with an account that has MFA disabled, then it enforces MFA Like a would expect). But when I use the same account to access the MS graph API (via user ID and password) then I am still able to access the required data. So my question remains: Is it mandatory to change or will the MS graph API continue working with User ID and password after October 2024? And will security policies still be able to disable MFA for some users?
There will be NO method to exclude users from MFA requirements, thus the suggestion to switch to client credentials instead. Apps will still be able to use public flows/run in the context of a user, but any operation involving a resource covered by the upcoming changes will only be authorized if the access token contains the relevant MFA claim.
The list of resources does not currently include the Graph API as a whole, so your app should continue working as is. However, Microsoft has plans to expand said list going forward, so that any CRUD operations are covered, regardless of which endpoint was used. It will obviously not happen overnight, so you will have time to address those changes going forward, but again, you should consider switching to service principals/client credentials flow where possible.