![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 34%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAO%3C/text%3E%3C/svg%3E)
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
Hello Alexander O'Reilly
Greetings! Thanks for raising this question in Q&A forum.
The reason you are seeing this error is very clear from the message itself Microsoft's mandatory MFA enforcement is blocking the Azure resource operation triggered during Synapse Link setup. Starting in 2024, Microsoft began enforcing mandatory MFA for all Azure sign-in attempts that perform Create, Read, Update, or Delete (CRUD) operations on Azure resources through the Azure portal, Azure CLI, Azure PowerShell, and related tools. When the Synapse Link setup tries to create or configure Azure resources (like the Data Lake Storage connection) on your behalf, the system is detecting that the session does not satisfy the MFA requirement and blocks it with the RequestDisallowedByAzure error.
This explains why it worked a year ago — MFA enforcement has rolled out and tightened since then. Here is how to fix it step by step:
Step 1: Sign Out and Sign Back In With MFA Completed
The most common cause is that your current browser session was authenticated without completing a proper MFA challenge. Sign out of the Azure Portal and Power Apps Maker Portal completely, then sign back in and make sure you complete the MFA prompt (authenticator app, SMS, or phone call) before attempting to set up the Synapse Link again.
Step 2: Clear Browser Cache and Use a Fresh Session
Open a new InPrivate/Incognito browser window, navigate to https://make.powerapps.com, sign in fresh with MFA, and retry the Synapse Link setup from the beginning. An old cached token without MFA claims can trigger this error even if MFA is set up on your account.
Step 3: Verify MFA Is Properly Registered for Your Account
Go to https://aka.ms/mfasetup and confirm that your account has at least one MFA method registered and working. If your MFA method is missing or expired, the portal session will silently fall back to a non-MFA token, which then gets blocked when Azure resource operations are attempted.
Step 4: Check If a Conditional Access Policy Is Involved
Ask your Entra ID / Azure AD administrator to check if there is a Conditional Access policy in your tenant that is enforcing MFA specifically for Azure management operations (https://management.azure.com). If the policy is misconfigured or your account is excluded from an MFA exemption group, it can cause this exact error. The admin can check this at Microsoft Entra admin center → Protection → Conditional Access.
Step 5: Use a Service Principal for the Synapse Link Connection (Long-Term Fix)
If this environment uses an automated or service account to configure the Synapse Link, Microsoft's recommended approach is to transition away from service accounts with passwords and instead use Managed Identities or Workload Identities, which eliminate credential management and are not subject to interactive MFA requirements. Ask your Azure admin to configure the Synapse Link using a Managed Identity or Service Principal instead of a user account.
Step 6: If the Problem Persists — Raise a Support Ticket
If you are signing in with MFA and still seeing this error, it could be a token claim issue on the platform side. Raise a support request at https://support.microsoft.com under Azure → Data + Analytics → Azure Synapse Link for Dataverse and include the full error JSON with the GUID shown in the target field, as that helps the team trace exactly which resource creation was blocked.
In short complete an MFA-authenticated fresh login session, and the Synapse Link setup should proceed without this error. This is not a Synapse Link bug — it is Microsoft's security enforcement working as designed.
If this answer helps you kindly accept the answer which will help others who have similar questions.
Best Regards,
Jerald Felix.