Will Oct 24 MFA inforcement will impact our user creation by a machin account ?

Question

Will Oct 24 MFA inforcement will impact our user creation by a machin account ?

Laurent F 1

We have a machine account that creates user account using API graph.microsoft.com/v1.0/users/ . The request is done with an autorization token.

This machine use machine email and machine pwd to get its autorization token from https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token

Will 15th Oct 24 MFA inforcement will impact our user creation process ?

0 comments

1 answer

Your answer

Answer 1

CarlZhao-MSFT 46,456

Hi @Laurent F

Yes, the MFA enforcement on October 15th may affect the automation process using machine email and machine pwd. According to Microsoft’s announcement, all user identities will require MFA verification when performing any create, read, update, or delete (CRUD) operations. This means your script might need to pass MFA verification when obtaining the OAuth token.

To avoid disruptions, it is recommended to migrate these user identities to workload identities (such as managed identities and service principals), as these identities are not affected by the MFA enforcement. If you have emergency access accounts that also need MFA configuration, consider using FIDO2 keys or certificate-based authentication to meet the MFA requirements.

Refer to similar issue.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Laurent F 1 Reputation point

2024-08-30T12:20:54.55+00:00

Thank you @CarlZhao-MST for your answer.

Will the machine account will be able to retrieve the token from login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token but the token will be unusable during the graph.microsoft.com/v1.0/users/ request ?
Laurent F 1 Reputation point

2024-08-30T13:00:27.7033333+00:00

Thanks CarlZhao-MSFT for your answer. I have one additionnal question :

Will the machine be able to retrieve the token from https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token and this token will be unusable during the CRUD request at API graph.microsoft.com/v1.0/users/ ?

Or will the https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token will be rejected ?
CarlZhao-MSFT 46,456 Reputation points

2024-09-02T01:33:11.51+00:00

Hi @Laurent F

It should be available. Did it throw any errors?
Laurent F 1 Reputation point

2024-09-02T06:50:10.67+00:00

Hi CarlZhao-MSFT,

Everything is working fine now but I wonder what will happen after the 15th of oct 2024.
CarlZhao-MSFT 46,456 Reputation points

2024-09-02T07:53:55.2766667+00:00

Hi @Laurent F

I just looked up some information and found that machine email and machine pwd are system credentials used for communication between systems, not real users. Therefore, the MFA enforcement on October 15th will not affect your automation.
CarlZhao-MSFT 46,456 Reputation points

2024-09-10T02:25:17.31+00:00

Hi @Laurent F

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!

Share via

Will Oct 24 MFA inforcement will impact our user creation by a machin account ?

1 answer

Your answer