When using az login or MSAL, the user authenticates by signing into Azure (Entra ID).
How can I force MFA during sign in?
The reason I need this is that a custom Conditional Access policy denies tokens in OBO flows issued to an application where the user signed in from a non-managed device without MFA. So, proactively triggering MFA will fix the issue.
Note that, to force MFA, you need to enable MFA in Microsoft Entra ID, either through a Conditional Access policy, security defaults, or per-user MFA.
I enabled MFA for the user via per-user MFA:
Now I did az login:
Generated an access token to check the amr claim:
az account get-access-token --resource https://management.azure.com/
The amr claim contains mfa successfully:
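The check above is done by eye on a decoded token. The script below, an added example that is not part of the original question or answer, automates it: it decodes the payload of a compact JWT without verifying the signature and reports whether the amr claim lists mfa. The two sample tokens are constructed, unsigned (alg=none) tokens so the script runs offline; `token_from_az_cli` is a hypothetical helper that only wraps the same `az account get-access-token --resource ...` command shown in the answer and is not called in the offline demo.

```python
import base64
import json
import subprocess

RESOURCE = "https://management.azure.com/"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.

    Good enough for inspecting a token you just obtained for yourself; the
    API that consumes the token must still validate the signature itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_mfa(token: str) -> bool:
    """True when the amr (authentication methods reference) claim lists 'mfa'."""
    return "mfa" in decode_jwt_payload(token).get("amr", [])


def token_from_az_cli(resource: str = RESOURCE) -> str:
    """Hypothetical helper: fetch an access token from the CLI's cached login
    (needs a prior `az login`). Uses only the documented
    `az account get-access-token` options; not called in the offline demo.
    """
    result = subprocess.run(
        ["az", "account", "get-access-token", "--resource", resource, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)["accessToken"]


def _constructed_jwt(claims: dict) -> str:
    """Build an unsigned (alg=none) token for the offline demo.
    Constructed sample data, not a real Entra ID token."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


# Constructed examples: one sign-in that completed MFA, one password-only.
MFA_TOKEN = _constructed_jwt(
    {"aud": RESOURCE, "amr": ["pwd", "mfa"], "upn": "user@contoso.example"}
)
PWD_ONLY_TOKEN = _constructed_jwt(
    {"aud": RESOURCE, "amr": ["pwd"], "upn": "user@contoso.example"}
)


def main() -> None:
    for label, token in (("mfa sign-in", MFA_TOKEN),
                         ("password-only sign-in", PWD_ONLY_TOKEN)):
        amr = decode_jwt_payload(token)["amr"]
        print(f"{label}: amr={amr} -> has_mfa={has_mfa(token)}")
    # With a real login, swap in: has_mfa(token_from_az_cli())


if __name__ == "__main__":
    main()
```

Run it before handing the token to the middle-tier application: if `has_mfa` is false, the OBO exchange will still be blocked by the Conditional Access policy described in the question, and the user needs to sign in again with MFA rather than retry the call.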