Not able to generate Bearer Token using Azure AD OAuth when Multi Factor Authentication is enabled

  • Question

  • Hi,

    I am following the example https://github.com/Azure-Samples/active-directory-dotnet-native-headless to acquire a bearer access Token through console application using Azure AD OAuth getToken API with grant_type set to password.

    https://login.microsoftonline.com/{my-tenant}.onmicrosoft.com/oauth2/token

    This token will be sent in the Authorization header to an internal Rest API. The REST API uses the token to get the details of the user using ClaimPrincipal and it authorizes the user against AD Security group using Graph-API.

    Now the problem is, we have Multi factor authentication (MFA) enabled for our Azure AD Instance; in this case how shall I be able to generate the Token using Azure OAuth getToken APIs?

    Disabling MFA solves the problem, but that is what we are not supposed to do. Is it possible to disable MFA at the website/web-app level? We don't want to disable MFA at the user level.

    Any help would be highly appreciated.

    [Note: We need grant_type=password to be used, as that way the REST API can get the details of the calling user through the Bearer Token]



    Tuesday, March 29, 2016 8:48 AM

All replies

  • Hi Vijendra Patil,

    Thank you for reaching out to us!

    Does this answer your query? - http://stackoverflow.com/questions/36209770/how-to-programatically-generate-bearer-token-using-azure-ad-when-multifactor-aut

    Best Regards

    Sadiqh Ahmed


    Tuesday, March 29, 2016 6:38 PM
  • Disabling MFA should solve the problem, but like I mentioned, we don't have choice to do so. Is there any better option available other than disabling MFA?

    Unfortunately we must use grant-type=password, so that, when we send the token to our internal REST API, it will have details of the user through ClaimsPrincipal.

    Friday, April 1, 2016 10:00 AM
  • I am building a Web API sample wherein I will be returning information to the user based on his role in the application secured with AD Groups. I am trying to acquire a bearer access Token through console application using Azure AD OAuth getToken API with grant_type set to password and that token (JWT) will be passed to the client application to get the data based on logged in user.

    This token will be sent in the Authorization header to an internal Rest API. The REST API uses the token to get the details of the user using ClaimPrincipal and it authorizes the user against AD Security group using Graph-API.

    However, we have Multi-Factor Authentication (MFA) enabled for our Azure AD instance. Is there a way we can generate bearer token to pass to the REST API? There have been some posts suggesting to use Service Principal or client id/secret, but that will not solve our purpose since we will not get the logged in user details.

    Any help / guidance will be highly appreciated.
    Tuesday, April 5, 2016 5:42 AM
  • Disabling MFA may not be acceptable since it's the prescribed way to move ahead to secure the environments.
    Wednesday, April 6, 2016 3:43 AM
  • You are using the resource owner credential flow; it doesn't support MFA, as https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/ mentions. Are you developing an application to perform management stuff? If yes, you may use the client credential flow instead: https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/
    Sunday, September 25, 2016 1:42 PM
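The two grants the thread contrasts, as an added example that is not from any post above nor from the active-directory-dotnet-native-headless sample: it builds the request body for the v1 `/oauth2/token` endpoint for both `grant_type=password` (blocked for MFA-enforced users, since no second factor can be supplied) and `grant_type=client_credentials` (never subject to MFA, but the token identifies the app, not a user), and inspects a token's claims to show why the REST API cannot get user details from an app-only token. Claim names (`upn`, `unique_name`, `appid`, `oid`) are the v1 Azure AD claims; the tenant is a placeholder and the tokens are constructed, unsigned samples.

```python
import base64
import json
from urllib.parse import urlencode

# v1 token endpoint from the thread; {tenant} is a placeholder, not a real tenant.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/token"


def ropc_request_body(client_id, resource, username, password):
    """Resource owner password credentials grant (grant_type=password).
    Azure AD rejects this for users under an MFA policy: the flow has no
    interactive step in which the second factor could be presented."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "resource": resource, "username": username,
                      "password": password})


def client_credentials_request_body(client_id, client_secret, resource):
    """Client credentials grant: authenticates the application itself, so
    MFA never applies, but the issued token carries no signed-in user."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": resource})


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_subject(jwt):
    """Classify a bearer token by its payload claims. Signature validation is
    the API's job (ClaimsPrincipal middleware); this only reads the claims.
    Returns 'user' if a user principal claim exists, 'app' if only the
    application identity (appid + service principal oid) exists."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    if any(c in payload for c in ("upn", "unique_name", "preferred_username")):
        return "user"
    if "appid" in payload and "oid" in payload:
        return "app"
    return "unknown"


def unsigned_sample_jwt(payload):
    """Constructed, unsigned JWT for offline demonstration only (alg=none)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```

A user token passes `token_subject` as 'user' and an app-only token as 'app', which is exactly the distinction that makes the client-credentials flow unsuitable for per-user authorization against AD groups.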