Tags: azure, azure-active-directory, microsoft-entra-id, msal

How can I force trigger MFA, when logging into Azure?


When using az login or MSAL, the user authenticates by signing into Azure (Entra ID).

How can I force MFA during sign in?

The reason I need this is that a custom conditional access policy denies tokens in OBO flows issued to an application where the user signed in from a non-managed device without MFA. So, proactively triggering MFA will fix the issue.


Solution

Note that: To force MFA, you need to enable MFA in Microsoft Entra ID either by conditional policy, security defaults or per-user MFA.

I enabled MFA for the user via per-user MFA.

Now I did az login.

Generated access token to check the amr claim:

    az account get-access-token --resource https://management.azure.com/

The amr contains the mfa claim successfully.
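The answer checks the amr claim by eyeballing the decoded token in a screenshot. The following is an added example (not code from the question or the answer) that does the same check programmatically: it splits a compact JWT, base64url-decodes the payload and reports whether "mfa" is present in amr. The two tokens it inspects are constructed inline for the demonstration and are not real Entra ID tokens; the helper names are my own. Decoding the payload this way does not verify the signature, which is fine for inspecting a token you just obtained yourself, but a resource server must validate signature, issuer, audience and expiry before trusting any claim.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Suitable only for inspecting a token you already trust (e.g. the one
    `az account get-access-token` just handed you). A resource server must
    validate signature, issuer, audience and expiry instead of doing this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def signed_in_with_mfa(claims: dict) -> bool:
    """True when the amr (authentication methods reference) claim records MFA."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list):
        return False
    return "mfa" in amr


def _make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo only."""
    header = {"alg": "none", "typ": "JWT"}  # constructed header, no real signature

    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


# Constructed sample tokens: one where the user satisfied MFA, one password-only.
MFA_TOKEN = _make_sample_token(
    {"aud": "https://management.azure.com/", "amr": ["pwd", "mfa"], "upn": "user@example.com"}
)
PWD_ONLY_TOKEN = _make_sample_token(
    {"aud": "https://management.azure.com/", "amr": ["pwd"], "upn": "user@example.com"}
)


if __name__ == "__main__":
    for token in (MFA_TOKEN, PWD_ONLY_TOKEN):
        claims = decode_jwt_payload(token)
        status = "MFA satisfied" if signed_in_with_mfa(claims) else "MFA missing"
        print(claims["amr"], "->", status)
```

To run it against a real token from the CLI, feed it the accessToken field of the command in the answer, for example `az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv`, and pass that string to `decode_jwt_payload`. If amr lacks "mfa", the conditional access policy described in the question will keep rejecting the OBO flow until the user completes a second factor.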