
Impact of MFA requirement on Azure CLI

Open dcaro opened this issue 11 months ago • 4 comments

Context

To provide customers with the highest level of security, Microsoft has started to require multifactor authentication (MFA) for all Azure sign-in attempts.

We have identified the following issues as consequences of using MFA with Azure CLI:

1. ROPC Authentication

Logging in to Azure by passing the password directly in the command, also known as the ROPC flow (Resource Owner Password Credential), is not supported with MFA.

The associated command is:

az login --username $username --password $password

If MFA is required for the user, the above command fails with the following error message:

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘<Subscription ID>’. Trace ID <GUID> Correlation ID: <GUID> Timestamp: <Time>

Solution

You must switch to using an authentication flow compatible with Multifactor Authentication.


2. Cross-Tenant authentication

If the user has access to several tenants and one of them requires MFA, the login with Azure CLI may display a warning message similar to:

Authentication failed against tenant 00000000-0000-0000-0000-000000000000 'Tenant Name': AADSTSXXXXX: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000000-0000-0000-0000-000000000000'. Trace ID: 00000000-0000-0000-0000-000000000000 Correlation ID: 00000000-0000-0000-0000-000000000000 Timestamp: 2025-03-02 01:01:10Z

During the login phase, Azure CLI tries to log on to the different tenants that the user can access. The MFA claims obtained with the first tenant found cannot be used for a different tenant; the warning message above is therefore displayed.

Workaround

While we are working towards a resolution of the issue, to avoid the warning message, we recommend that you specify the tenant you want to use with the following command.

az login --tenant 00000000-0000-0000-0000-000000000000


Learn more

How to prepare for the impact of multifactor authentication on Azure CLI: https://aka.ms/azcli-mfa

Additional information about ROPC flow: https://learn.microsoft.com/entra/identity-platform/v2-oauth-ropc

dcaro avatar Mar 12 '25 06:03 dcaro
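
An audit sketch covering both cases in the issue above, added here as an example and not part of the original issue or the Azure CLI project: it scans a shell script for `az login` calls that pass a user name or password (the ROPC flow) and for user logins that do not pin `--tenant`. The function names and the sample script are constructed for illustration; skipping `--service-principal` and `--identity` logins is an assumption of this example.

```python
import shlex
from itertools import takewhile

# Constructed sample input: lines as they might appear in a deployment script.
SAMPLE_SCRIPT = r'''#!/bin/sh
az login --username "$AZ_USER" --password "$AZ_PASS"
az login -u "$AZ_USER" \
    -p "$AZ_PASS" --tenant 00000000-0000-0000-0000-000000000000
az login --service-principal -u "$APP_ID" -p "$SECRET" --tenant "$TENANT"
az login --tenant 00000000-0000-0000-0000-000000000000
az login && az account show
# az login --username old --password old
echo "az login --username x --password y no longer works"
'''
SEPARATORS = {";", "&&", "||", "|", "&"}
USER_CRED = {"--username", "-u", "--password", "-p"}
NON_USER = {"--service-principal", "--identity"}  # workload logins, not ROPC

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash continuations."""
    start, buf = None, ""
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        start, buf = None, ""

def audit_az_logins(text):
    """Return [(line_no, finding)] for the `az login` calls in a shell script."""
    findings = []
    for no, line in logical_lines(text):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i:i + 2] != ["az", "login"]:
                continue
            args = takewhile(lambda t: t not in SEPARATORS, tokens[i + 2:])
            opts = {t.split("=", 1)[0] for t in args}
            if opts & NON_USER:
                continue
            if opts & USER_CRED:  # ROPC: fails once MFA is required
                findings.append((no, "ropc"))
            elif not opts & {"--tenant", "-t"}:  # user login, tenant not pinned
                findings.append((no, "no-tenant"))
    return findings
```

Commented-out calls and `az login` text inside a quoted string are not reported, because matching is done on shell tokens rather than on raw substrings.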

Impact of MFA requirement on Azure CLI

yonzhan avatar Mar 12 '25 06:03 yonzhan

Here are some similar issues that might help you. Please check if they can solve your problem.

  • #20441
  • #14395

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Try to re-login with the following commands:

az account clear
az login

Reference:

  • https://github.com/azure/azure-cli/issues/20441#issuecomment-975021174

Solution 2:

Ensure your computer's time is correct, as an incorrect time can cause authentication issues. If the error 'The ID token is not yet valid' appears, it indicates your computer's time is not correct.

Reference:

  • https://github.com/azure/azure-cli/issues/20441#issuecomment-981238414
  • https://github.com/azure/azure-cli/issues/20441#issuecomment-981400052

Powered by issue-sentinel

github-actions[bot] avatar Mar 12 '25 06:03 github-actions[bot]