
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Cannot access some graph endpoints with MFA enabled accounts

With the recent requirement to enable MFA for all global admins, we are having issues accessing some Graph API endpoints where application permissions are not supported.

E.g: https://docs.microsoft.com/en-us/graph/api/group-get-thread?view=graph-rest-1.0&tabs=http

 

The above endpoint supports only Delegated permissions, and we were using the password grant flow to obtain the access token. But after MFA was enabled on the global admin, it's not possible to use the global admin's credentials with the password grant flow. We are getting the below when we call the token endpoint with the password grant_type.

 

Is there any other workaround to access the above-mentioned endpoint after enabling MFA for all global admins?

 

{
  "error": "interaction_required",
  "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'. Trace ID: bc51c0ef-a55b-4b01-98bc-e588b45b3a00 Correlation ID: 8e2646e1-00ab-410f-a5bf-4fed28699a2d Timestamp: 2019-07-25 10:57:28Z",
  "error_codes": [
    50076
  ],
  "timestamp": "2019-07-25 10:57:28Z",
  "trace_id": "bc51c0ef-a55b-4b01-98bc-e588b45b3a00",
  "correlation_id": "8e2646e1-00ab-410f-a5bf-4fed28699a2d",
  "suberror": "basic_action"
}

1 ACCEPTED SOLUTION
Moderator

@yasitha4 you are encountering this error because the method you were using to get an access token is not compatible with an account that has MFA enabled. You will need to implement the secure application model framework to obtain an access token.

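Added example, not part of the original thread or of Microsoft's samples: a Python sketch of the token handling the accepted solution points to. It assumes a refresh token was obtained once through an interactive sign-in that completed MFA and is kept in a secret store. The helper names, the `store` dict, the placeholder token values and the `fake_post` transport are all constructed for illustration so the code runs offline.

```python
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

class InteractionRequired(Exception):
    """The account must sign in interactively (for example to complete MFA)."""

def request_token(post, tenant, form):
    """POST a grant to the token endpoint; post(url, form) -> (status, json_dict)."""
    status, body = post(TOKEN_URL.format(tenant=tenant), form)
    if status == 200:
        return body
    # AADSTS50076 arrives as error=interaction_required with 50076 in error_codes.
    if body.get("error") == "interaction_required" or 50076 in body.get("error_codes", []):
        raise InteractionRequired(body.get("error_description", "MFA required"))
    raise RuntimeError("token request failed: %s" % body.get("error"))

def access_token_from_refresh(post, store, tenant, client_id, client_secret, scope):
    """Redeem the stored refresh token and persist the replacement the server returns."""
    body = request_token(post, tenant, {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": store["refresh_token"],
        "scope": scope,
    })
    # Keep the newest refresh token; losing it forces a new interactive sign-in.
    store["refresh_token"] = body.get("refresh_token", store["refresh_token"])
    return body["access_token"]

def fake_post(url, form):
    """Constructed stand-in for the token endpoint so the example runs offline."""
    if form["grant_type"] == "password":
        # Same shape as the error in the question: MFA cannot be satisfied here.
        return 400, {"error": "interaction_required", "error_codes": [50076],
                     "suberror": "basic_action"}
    if form["grant_type"] == "refresh_token" and form["refresh_token"] == "RT-1":
        return 200, {"access_token": "AT-1", "refresh_token": "RT-2"}
    return 400, {"error": "invalid_grant"}

if __name__ == "__main__":
    store = {"refresh_token": "RT-1"}  # placeholder; a real one lives in a secret vault
    print(access_token_from_refresh(fake_post, store, "contoso.example", "app-id",
                                    "app-secret", "https://graph.microsoft.com/.default"))
    print(store)  # the rotated refresh token has been written back
```

In production, `post` would be a real HTTPS client call and `store` a vault-backed secret; an `InteractionRequired` from the refresh path means the stored token no longer satisfies policy and the interactive consent step has to be repeated.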

3 REPLIES 3
Community Manager

Hi

 

 

Level 1 Contributor

Thank you for the response. Sorry, somehow the question was updated partially when I published. I have updated the question again.
