GDAP API authentication issues - unauthorizedMissingMfaTokenClaim

James Thomas 1 Reputation point
2022-06-15T15:11:14.607+00:00

Hi

We are trying to leverage the GDAP Partner API to change all our DAP relationships to GDAP. We were able to start leveraging some of the API functionality a few weeks ago, and then without knowingly changing anything we now are getting 'unauthorizedMissingMfaTokenClaim' errors when calling the beta API endpoints.

We have created the relevant app registrations with delegated admin permissions:

[screenshot: 211724-image.png]

Steps to repro:

1. POST request to login endpoint:

[screenshot: 211715-image.png]

2. GET request to delegatedAdminRelationships endpoint:

[screenshot: 211629-image.png]

We do have some Conditional Access policies on the tenant which enforce MFA for all users, apart from this one that we are trying to interrogate the API with. We can log in as this user, go into the Partner Center GUI and interact with all our CSP customers, and as mentioned these same API calls were working about 3 weeks ago and we are unsure what has changed!

Any help is appreciated.

Microsoft Security | Microsoft Graph
1 answer

  1. Vasil Michev 127K Reputation points MVP Volunteer Moderator
    2022-06-15T16:11:41.33+00:00

    Since you are using the ROPC flow, you are effectively bypassing any MFA requirements and thus the obtained token does not contain the mfa claim (which you can verify by looking at the amr value). So my guess here is Microsoft started explicitly checking for it, thus the error message above. MFA is a requirement when performing any operation as a partner via the UI tools.

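To check the point made in the answer (that an ROPC-obtained token has no MFA evidence in its amr claim), here is an added example, not part of the post, that decodes a JWT payload locally and reports whether `amr` lists `mfa`. The two sample tokens are constructed for the example (the audience, UPNs and key id are placeholders, and the signature segment is a dummy); the claim names `amr`, `pwd` and `mfa` follow Entra ID's documented token claims. Decoding without signature verification is only appropriate for inspecting a token you already hold, never for accepting one on a resource server.

```python
"""Inspect the amr (authentication methods reference) claim of an access token.

Added example, not from the Q&A post. Entra ID puts "pwd" in amr for a plain
password sign-in (which is all ROPC can do) and adds "mfa" once a second
factor was completed; an API that enforces MFA can therefore reject a token
whose amr lacks "mfa". The payload is decoded WITHOUT verifying the signature,
which is fine for looking at your own token but not for trusting one.
"""
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT (header.payload.signature).

    No signature verification is done here: this is claim inspection only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload_b64 = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def mfa_satisfied(claims: dict) -> bool:
    """True when the token's amr claim records a completed second factor."""
    amr = claims.get("amr", [])
    return isinstance(amr, list) and "mfa" in amr


def check_token(token: str) -> str:
    """Human-readable verdict for one token, in the spirit of the API's check."""
    claims = decode_jwt_payload(token)
    amr = claims.get("amr")
    if mfa_satisfied(claims):
        return f"ok: amr={amr} includes mfa"
    return f"rejected: amr={amr} has no mfa claim (unauthorizedMissingMfaTokenClaim)"


def make_unsigned_token(claims: dict) -> str:
    """Build a token with the right shape for local testing.

    Constructed for this example only: real tokens come from the token
    endpoint and carry a real signature; the third segment here is a dummy.
    """
    def b64url(obj) -> str:
        data = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

    header = {"typ": "JWT", "alg": "RS256", "kid": "PLACEHOLDER-kid"}
    return f"{b64url(header)}.{b64url(claims)}.PLACEHOLDER-signature"


# Constructed sample claims (aud and upn are placeholders, not real values).
ROPC_CLAIMS = {"aud": "PLACEHOLDER-partner-api-audience", "amr": ["pwd"],
               "upn": "svc-account@contoso.example"}
MFA_CLAIMS = {"aud": "PLACEHOLDER-partner-api-audience", "amr": ["pwd", "mfa"],
              "upn": "admin@contoso.example"}

ROPC_TOKEN = make_unsigned_token(ROPC_CLAIMS)      # what an ROPC sign-in yields
MFA_TOKEN = make_unsigned_token(MFA_CLAIMS)        # interactive sign-in with MFA


if __name__ == "__main__":
    for name, tok in (("ROPC", ROPC_TOKEN), ("interactive+MFA", MFA_TOKEN)):
        print(f"{name}: {check_token(tok)}")
```

To inspect a real token, paste it in place of `ROPC_TOKEN`; if `amr` comes back as `["pwd"]` only, the sign-in never completed MFA and no Conditional Access exclusion will change that, because the ROPC grant has no way to perform a second factor. The remedy the answer implies is an interactive flow (authorization code or device code) for the partner account, with MFA enforced on it.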