Share via

Permissions and consent evaluation by CA policy

Identity_Q 41 Reputation points
2020-05-08T07:56:38.677+00:00

If application needs to use different services owned by AzureAD/Office365 like User.Read and Mail.Read and send a request to retrieve code from authorization endpoint, i expect CA policy to trigger MFA when it is set on Exchange online. However, i noticed that MFA was not triggered due to which when i tried to get Access Token from Token endpoint it failed with error : failed to obtain access token (status: 400 data: {error interaction_required& ;error_description& ;AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access. I understand it will be obvious since MFA wasn't triggered. But what are the recommendations to fix the same ? If client used to request Code is not capable of performing MFA, then it should fail on authentication but here MFA was skipped ? MFA gets triggered on same machine when Exchange online service is accessed using browser.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,083 questions
0 comments
Accepted answer
  1. soumi-MSFT 11,811 Reputation points Microsoft Employee
    2020-05-08T08:11:13.093+00:00

    @Identity_Q , Microsoft Graph API acts as an aggregator where it houses many other Azure AAD protected Services under it, like Exchange Online, Sharepoint Online, Teams etc. Now as per the request request you shared, it looks like you have asked for provided the scopes for user.read and mail.read. Now both these scopes would be evaluated by CA when you go for asking a code from /authorize endpoint of AAD, and once CA policy evaluations starts, it would prompt for MFA since Exchange Online has a CA policy applied on it.

    I am not sure how the request was made initially to obtain the code and then to obtain the token from AAD, but if the MFA was not done during/before the token request was made, then the token wont contain the MFA claim in it and hence when that same token is posted to an Azure Service like Exchange online that has CA policy enabled on it would likely to throw that error that you encountered.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Identity_Q 41 Reputation points
    2020-05-08T08:13:20.307+00:00

    Alright, it makes sense. I will see what i can find into CA policy logs to understand why MFA wasn't triggered.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.