Is MFA authentication mandatory for Microsoft Graph

Ravindra Shukla 116 Reputation points
2021-07-22T05:23:24.32+00:00

Hello,

I am working on Microsoft Graph in my PowerShell script and I am authenticating to Azure AD and then getting a token for Microsoft Graph to retrieve the required information. I am using OAuth 2.0 and the Authorization Code Grant Flow for this scenario.

I don't have anything mentioned in my PowerShell script specifically for MFA; however, my script initiates MFA authentication for this to work.

What my script does is that it gives me a login window, where I need to enter my user account credentials, and after that it triggers the MFA authentication window.

So I would like to know whether MFA is a mandatory requirement for Microsoft Graph to obtain a token to work, or whether it is by design that MFA is required for Microsoft Graph.

Can someone please help me to understand and confirm this?

Thanks


4 answers

  1. CarlZhao-MSFT 42,026 Reputation points
    2021-07-22T08:14:34.437+00:00

    Of course not, Microsoft Graph does not require MFA. MFA is triggered every time you log in because your AD user has MFA enabled. If you don't want to use MFA every time you log in, then you can disable it in Azure AD.


  2. Vasil Michev 106.1K Reputation points MVP
    2021-07-22T08:55:40.087+00:00

    No, but if you are running any of the delegate-based flows, you might be prompted to perform an MFA if the corresponding user is required to do so. MFA itself can be enforced by a number of methods, so check for any conditional access policies, security defaults, per-user MFA. A quick look at the Azure AD sign-in logs should give you an idea what caused the MFA prompt.
    Alternatively, you can run your code in the context of an application/service principal instead, as those are not subject to MFA, currently.
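
An added example (not code from the thread or from Microsoft) that combines both suggestions in the answer above: it obtains an app-only token with the OAuth 2.0 client credentials grant, which involves no interactive sign-in, and then lists a user's recent sign-in log entries with their Conditional Access result. The tenant ID, client ID, `GRAPH_CLIENT_SECRET` environment variable, sample UPN and function names are assumptions, as is an app registration that has been granted the application permissions the sign-in log API requires, such as `AuditLog.Read.All`.

```powershell
# Added example. Placeholders and names below are assumptions, not values from the thread.
$TenantId     = '<tenant-id>'                   # placeholder
$ClientId     = '<app-registration-client-id>'  # placeholder
$ClientSecret = $env:GRAPH_CLIENT_SECRET        # hypothetical env var; keeps the secret out of the script
$Upn          = 'user@contoso.example'          # constructed sample account

function Get-AppOnlyGraphToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client credentials grant: the application authenticates as itself,
    # so there is no user sign-in and therefore no MFA prompt.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Get-RecentSignIn {
    param([string]$AccessToken, [string]$UserPrincipalName, [int]$Top = 10)
    # Filter the sign-in log to one user; the filter value is URL-encoded.
    $filter  = [uri]::EscapeDataString("userPrincipalName eq '$UserPrincipalName'")
    $uri     = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$filter&`$top=$Top"
    $headers = @{ Authorization = "Bearer $AccessToken" }
    (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value
}

$token = Get-AppOnlyGraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret

Get-RecentSignIn -AccessToken $token -UserPrincipalName $Upn | ForEach-Object {
    [pscustomobject]@{
        Time              = $_.createdDateTime
        App               = $_.appDisplayName
        ErrorCode         = $_.status.errorCode         # 0 means the sign-in succeeded
        ConditionalAccess = $_.conditionalAccessStatus  # success, failure or notApplied
        # Names of the policies that were actually evaluated and enforced
        PoliciesApplied   = ($_.appliedConditionalAccessPolicies |
                                Where-Object { $_.result -in 'success', 'failure' } |
                                ForEach-Object { $_.displayName }) -join '; '
    }
} | Format-Table -AutoSize
```

Because an app-only credential is not covered by a user's MFA, the client secret is the only factor protecting it: store it in a secret store, rotate it, and grant the app only the permissions the script needs.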


  3. Ravindra Shukla 116 Reputation points
    2021-07-23T06:47:05.707+00:00

    Hi @Vasil Michev, thank you for your reply.

    Yes, I am using delegated permissions for Microsoft Graph and I also have MFA enabled for my user account, which I am using to authenticate when the script launches the login window. So in this case, the script will always ask for MFA as it's enabled for my account, is that correct?

    Also, I have checked the sign-in logs in Azure AD and there I am seeing the fields as "Status - Success", "Conditional Access - Not Applied" and "Authentication requirement - Single-factor authentication". PFA screenshots for reference.

    One more doubt I have is about the Conditional Access policy: as the CA policy status is "Not Applied", does it mean that it's not mandatory for a CA policy to get applied, or is it the required one for MFA authentication? Kindly confirm.

    Thanks



  4. Ravindra Shukla 116 Reputation points
    2021-07-28T14:52:42.067+00:00

    Hi @Vasil Michev, thank you for your reply and for clarifying things.
