Share via

Error message: due to a configuration change made by your administrator....

Ng Jia Jian 0 Reputation points
2025-05-07T06:36:10.3766667+00:00

I have been facing this issue as below: "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi factor authentication to access resources". Because of this error, I was keep on alerted by my company security team that brute force attempts were detected on my account. But the error message doesn't seems to be an attack. I would like to know the reason.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,671 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sanoop M 3,075 Reputation points Microsoft External Staff Moderator
    2025-05-07T09:33:21.5933333+00:00

    Hello @Ng Jia Jian,

    Please note that basically you will see this error message "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi factor authentication to access resources", when the user is attempting to sign in to the application with a authentication method that requires Multi-factor authentication.

    Possible solutions:

    1. Use a interactive flow instead.
    2. If you are using a interactive flow and still getting this error, ensure openid is one of the scopes during the interactive sign-in. You might be getting the error after the interactive sign-in and trying to exchange the authorization code for a access token https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize ?client_id=3da7226c-c9b2-####-####-############ &response_type=code &scope=openid groups.read.all &nonce=1234 &redirect_uri=https://app.contoso.com

      Notice "scope=openid groups.read.all" in the request above.

    3. Add the client application to the exception list of the Conditional Access Policy.
    4. Add the user to the exception list of the Conditional Access Policy.
    5. If not using Conditional access policies and the user is directly enabled for Per-user MFA, then as a last resort, disable Per-user MFA for the user if solutions above (specifically solution 1 and 2) does not work for you.

    Please follow the below mentioned steps to disable Per-user MFA for the affected user.

    1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
    2. Browse to Users > All users and select the Per-user MFA button.
    3. Select the affected user and select Disable MFA as highlighed in the below Screenshot.

    User's image

    I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.