How can I force trigger MFA, when logging into Azure?
When using az login or MSAL, the user authenticates by signing into Azure (Entra ID).
How can I force MFA during sign in?
The reason I need this is that a custom conditional access policy denies tokens in OBO flows issued to an application, where the user signed in from a non-managed device without MFA. So, proactively triggering MFA will fix the issue
Solution
Note that: To force MFA, you need to enable MFA in Microsoft Entra ID either by conditional policy, security defaults or per user MFA.
I enabled MFA for the user via per user MFA:
Now I did az login:
Generated access token to check the amr claim:
az account get-access-token --resource https://management.azure.com/
The amr contains mfa claim successfully:
- QuestPDF doesn't render text in Azure Functions
- Checkout Submodules in another Project in Azure DevOps Repository
- How do I enable my Azure pipeline to checkout a submodule using Git?
- Azure Stream Analytics outputs an int64 as an int32
- Spark MergeSchema on parquet columns
- AADSTS900971: No reply address provided. on SPA with http://localhost as redirect_uri
- When to use EventGrid and when to use ServiceBus / Storage Queue?
- Which IPs to allow in Azure for Github Actions?
- Can I use Azure api management for gRPC communication?
- How to register Custom Events in Application Insights by using OpenTelemetry .NET
- Azure Pipeline MS-hosted mac agent: CopyFiles Task takes a very long time
- How to read S/MIME mails and their attachments
- Azure DevOps Dashboard Widget fails with "ERR_BLOCKED_BY_LOCAL_NETWORK_ACCESS_CHECKS" in Edge 143+ (works in Firefox)
- Difference between Azure ML and Azure ML experimentation
- Is it possible to change subnet in Azure AKS deployment?
- Sql Server JSON result separated in multiple rows
- Azure Keyvault references not working in Azure Static Web App?
- Signing a JWT for Azure - how can I set the kid in the header?
- How to use wkhtmltopdf and Azure Functions Python v2 together to convert HTML to PDF in 2024?
- Why Can’t I Reduce Cosmos DB Throughput After Scaling Up? (Physical Partitions / Minimum RU Limits)
- Azure Build pipeline not able to retrieve latest source version
- Azure application with ASP.NET Core app service with Entra authentication
- SSL certificate problem: unable to get local issuer certificate AZURE DEVOPS
- CosmosDb ExpressionVisitor (SubtreeEvaluator) fails on Azure, works on local machine
- Azure App Service environment variables are not available in container
- How to change AKS cluster networking from Kubenet to Azure CNI?
- Azure Container App - Container pull image failed with reason: ImagePullFailure. Revert by terminate
- Messages in Azure Message Queue are going Straight to the Poison Message Queue
- Change Environmet Variables at runtime (React, vite) with docker and nginx
- SQL Azure import slow, hangs, but local import takes 3 minutes