
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

yasitha4
Level 1 Contributor

Cannot access some graph endpoints with MFA enabled accounts

With the recent requirement of enabling MFA for all global admins, we are having issues accessing some Graph API endpoints where application permissions are not supported.

E.g: https://docs.microsoft.com/en-us/graph/api/group-get-thread?view=graph-rest-1.0&tabs=http

 

The above endpoint supports only Delegated permissions, and we were using the password grant flow to obtain the access token. But after MFA was enabled on the global admin, it's not possible to use the global admin's credentials with the password grant flow. We are getting the error below when we call the token endpoint with the password grant_type.

Is there any other workaround to access the above-mentioned endpoint after enabling MFA for all global admins?

 

{
  "error": "interaction_required",
  "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'. Trace ID: bc51c0ef-a55b-4b01-98bc-e588b45b3a00 Correlation ID: 8e2646e1-00ab-410f-a5bf-4fed28699a2d Timestamp: 2019-07-25 10:57:28Z",
  "error_codes": [50076],
  "timestamp": "2019-07-25 10:57:28Z",
  "trace_id": "bc51c0ef-a55b-4b01-98bc-e588b45b3a00",
  "correlation_id": "8e2646e1-00ab-410f-a5bf-4fed28699a2d",
  "suberror": "basic_action"
}

1 ACCEPTED SOLUTION
idwilliams
Moderator

@yasitha4 you are encountering this error because the method you were using to get an access token is not compatible with an account that has MFA enabled. You will need to implement the secure application model framework to obtain an access token.

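Added example, not part of the original thread and not Microsoft's own sample code: it shows the token request that replaces `grant_type=password` once a refresh token has been obtained through an interactive sign-in that satisfied MFA, and how a caller can react to the `interaction_required` response quoted in the question. The helper names, the `scope` default and the sample response are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint; {tenant} is filled in per call.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample: the error from the question as valid JSON, description shortened.
SAMPLE_ERROR = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: ... you must use multi-factor authentication ...",
    "error_codes": [50076],
    "suberror": "basic_action",
})


def refresh_grant_request(tenant, client_id, client_secret, refresh_token,
                          scope="https://graph.microsoft.com/.default"):
    """Return (url, form body) for a refresh_token grant; no user password is sent."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(form)


def plan_next_step(response_body):
    """Decide what the caller does with a token endpoint response (hypothetical helper)."""
    data = json.loads(response_body)
    if "access_token" in data:
        step = {"action": "use_token", "access_token": data["access_token"]}
        # A new refresh token may come back; persist it in place of the old one.
        if "refresh_token" in data:
            step["store_refresh_token"] = data["refresh_token"]
        return step
    # interaction_required (AADSTS50076 here) and invalid_grant cannot be fixed by
    # retrying: someone has to sign in interactively again and satisfy MFA.
    if data.get("error") in ("interaction_required", "invalid_grant"):
        return {"action": "reauthenticate", "codes": data.get("error_codes", [])}
    return {"action": "fail", "error": data.get("error", "unknown")}
```

The refresh token and client secret are long-lived credentials for a global admin's delegated access, so they belong in a secrets store with restricted read access rather than in application configuration.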

3 REPLIES 3
Andra
Community Manager

Hi

 

 

yasitha4
Level 1 Contributor

Thank you for the response. Sorry, somehow the question was only partially updated when I published it. I have updated the question again.
