Is the October 2024 MFA enforcement applied on MSAL.NET accessing the Microsoft Graph API?

Question

As mentioned on many channels Microsoft want to enforce MFA on administration portals, Azure CLI, Azure PowerShell, Azure Mobile app and IaC tools.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

Our app is using the non-interactive ROPC authentication flow https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/username-password-authentication using MSAL.NET to manage group membership in Entra ID (Azure AD) and manage SharePoint online.

We are using the following authentication method:

PublicClientApplication.AcquireTokenByUsernamePassword(scopes, userPrincipalName, securePassword)
										   .ExecuteAsync().Result;

The userPrinciapName/password are serviceaccount users (not end-users).

We are planning to migrate to a ConfidentialClient and use the Client credentials flow https://learn.microsoft.com/en-us/entra/identity-platform/msal-authentication-flows#client-credentials, but we cannot update all of our customers before October 2024.

Does the MFA requirement also applies for custom apps which are using the Microsoft Graph API? They are not listed in the Microsoft articles and the article does not state that these kind of apps are affected as well or not.

Answer 1

No. Only the list of (first-party) apps in that article will be affected come October. Microsoft will likely expand these restrictions to cover other apps, including custom ones, but that would be in the future. For now, you should be safe.