pythonazure-active-directoryadal

AuthenticationContext error with MFA AADSTS50076


I was using python to get access token for Dynamics 365 Marketing. This is the code that was working for me prior to the migration of our company's new policy to enable the MFA on the microsoft account so we need to approve the sign in from our device and enter the number to approve login from our phone.

import adal                    
auth_context = adal.AuthenticationContext("https://login.microsoftonline.com/common")

token_response = auth_context.acquire_token_with_username_password(https://xxxx.xxx.dynamics.com/", username, password, client_id)

Access_Token = token_response["accessToken"]

However, when I run this now I get the error "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access". Also, I don't have any admin privileges to change anything in the azure portal and I don't have client secret and there is no way to obtain it from the IT team as they don't provide that. How can I get the access token in this scenario without client secret?


Solution

  • As mentioned in this MS Document,

    If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead while generating token with username password flow.

    Initially. I too got same error when I tried to generate token using username password flow for user having MFA enabled:

    import adal                    
    auth_context = adal.AuthenticationContext("https://login.microsoftonline.com/common")
    
    username = "sri@xxxxxxxx.onmicrosoft.com"
    password = "xxxxxxxx"
    client_id = "appId"
    
    try:
        token_response = auth_context.acquire_token_with_username_password("https://xxxxx.xxxxx.crm.dynamics.com/", username, password, client_id)
        access_token = token_response["accessToken"]
        print("Access token acquired successfully:", access_token)
        
    except adal.AdalError as e:
        print(e.error_response)
    

    Response:

    enter image description here

    To resolve the error, you need to switch to either interactive flow or device code flow that involves user to login at least once for completing MFA.

    To use interactive flow for acquiring token, you need to add redirect URI as http://localhost in Mobile & Desktop applications platform. As you don't have access to change anything in Portal, you can go with device code flow.

    You can make use of below sample python code to acquire token with device code flow:

    import adal
    
    authority_url = "https://login.microsoftonline.com/common"
    client_id = "appId"
    
    auth_context = adal.AuthenticationContext(authority_url)
    
    # Initiate device code flow
    device_code = auth_context.acquire_user_code("https://xxxx.xxxxx.xxx.dynamics.com/", client_id)
    print(device_code['message'])
    
    # Poll for token using device code
    token_response = auth_context.acquire_token_with_device_code("https://xxxx.xxxxx.xxx.dynamics.com/", device_code, client_id)
    
    access_token = token_response["accessToken"]
    print("Access token acquired successfully:", access_token)
    

    When you run the code sample, it will show one message with link and device code like this:

    enter image description here

    Clicking on the link opens browser and asks you to enter device code as below:

    enter image description here

    In the Next step, it will ask you to sign in with Azure account which involves MFA prompt like this:

    enter image description here

    Once the authentication is successful, it will display below screen:

    enter image description here

    When you check the output console now, access token will be generated successfully like this:

    enter image description here