I have a few questions about ROPC / passing grant_type=password.
MFA is being enforced. Is there any impact on OAuth 2.0 with grant_type=password?
It is not recommended and will be deprecated in OAuth 2.1. Is Azure Application removing support for it, too?
I saw different articles with different dates and articles, but is there any announcement from Microsoft on using this grant type with custom applications?
Workload Identities are not affected by MFA, only user accounts.
I don't think they have officially announced an end date of support:
https://devblogs.microsoft.com/devops/no-new-azure-devops-oauth-apps-beginning-february-2025/
Hi @GD
Thank you for posting this in Microsoft Q&A.
Adding to the above information provided by @Andy David - MVP
The Resource Owner Password Credentials (ROPC) grant type is a legacy OAuth 2.0 flow that poses significant security risks. It exposes the user's credentials to the client application and does not support modern security mechanisms like MFA or SSO.
Multi-factor authentication (MFA) is a security implementation that requires the user to provide two or more verification factors to access their resources, adding an extra layer of security to the authentication process. The ROPC grant type does not support MFA. Instead, it restricts the authentication process to a single factor, and the token request is based solely on the user's credentials. It is impossible to implement challenge-based authentication mechanisms, such as SMS OTP, email OTP, or WebAuthn, with the ROPC grant type.
We strongly recommend avoiding the use of the ROPC grant type for your applications. We have not yet announced any plans to deprecate support.
If you have legacy authentication systems that rely on the ROPC grant type, consider migrating to more secure OAuth 2.0 flows, such as the authorization code flow or the client credentials flow.
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
If this answers your query, do click Accept Answer and Yes for "was this answer helpful". And, if you have any further query, do let us know.
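An added example, not part of either answer above: a small Python helper for inventorying which token requests still use ROPC before MFA enforcement reaches those accounts, and for recognising an MFA-related failure in a token error response. The request bodies, tenant-free sample values and the error JSON are constructed for illustration; the function names are hypothetical, and the example assumes the AADSTS codes 50076/50079 appear in the response's `error_codes` array.

```python
import json
from urllib.parse import parse_qs

# AADSTS codes returned when a sign-in needs an interactive MFA step.
MFA_CODES = {50076: "MFA required", 50079: "MFA registration required"}

# How each grant relates to MFA, following the answers in this thread.
GRANT_NOTES = {
    "password": "ROPC: single factor, cannot answer an MFA challenge",
    "client_credentials": "workload identity: no user, MFA does not apply",
    "authorization_code": "interactive user sign-in: can satisfy MFA",
}

def classify_request(body):
    """Classify a form-encoded token request body by its grant_type."""
    form = parse_qs(body)
    # strip() tolerates values written as 'grant_type= password'
    grant = form.get("grant_type", ["<missing>"])[0].strip()
    return {
        "grant_type": grant,
        "is_ropc": grant == "password",
        "note": GRANT_NOTES.get(grant, "not covered in this thread"),
    }

def mfa_reasons(response_body):
    """Return MFA-related reasons found in a token error response, if any."""
    try:
        doc = json.loads(response_body)
    except ValueError:
        return []  # not JSON (for example an HTML error page from a proxy)
    codes = doc.get("error_codes", []) if isinstance(doc, dict) else []
    return [MFA_CODES[c] for c in codes if c in MFA_CODES]

# Constructed samples: placeholder identifiers, no real secrets.
SAMPLE_REQUESTS = [
    "grant_type=%20password&username=svc%40contoso.example&password=REDACTED"
    "&client_id=00000000-0000-0000-0000-000000000000&scope=openid",
    "grant_type=client_credentials&client_secret=REDACTED"
    "&client_id=00000000-0000-0000-0000-000000000000&scope=.default",
]
SAMPLE_ERROR = json.dumps({"error": "invalid_grant", "error_codes": [50076],
                           "error_description": "AADSTS50076: (constructed)"})

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify_request(req))
    print(mfa_reasons(SAMPLE_ERROR))
```

Requests flagged with `is_ropc` are the ones to move to the authorization code flow (user sign-in) or the client credentials flow (no user), as the answer recommends.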