Bypassing MFA requirements for Service Users

Question

I have an Enterprise Application for Snowflake provisioning that takes users from outside our Active Directory and provisions them into the Snowflake account, using their email address as attribute on which the provisioning happens. This works well and we have users that are able to access Snowflake using their email addresses, signing in using SSO.

We now wanted to automate some testing and created a service user. Unfortunately, we are not able to create an MFA exclusion for this service user because there seems to be some limitations on users that are in the directory through a B2B record (onboarded from another Azure Directory to the directory with the Enterprise App, through an Access Package).

My question is how can we add service users with email addresses for automation testing that bypasses MFA requirements?

Answer 1

Hi @Arun Nair

Thank you for reaching Microsoft Q&A.

If you are using the Conditional Access Policy for MFA, create a group for the Service Users and exclude the group in Conditional Access Policy.
Before excluding remove the user or group from the existing policy under the Include users.
Once you have modified the policy, your service users will be able to bypass the MFA.

If you don't have the Conditional Access Policy create a new Policy and include the users or group who are need the MFA and exclude the users or group who are not need the MFA.

Reference: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups

Hope this helps. Do let us know if you any further queries by responding in the comments section.

Thanks,

Akhilesh.

---

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.