2
votes

We use the URL below to generate an authorization code using OAuth 2.0:

https://login.microsoftonline.com/common/oauth2/authorize

When we try to generate a refresh and access token from the code using this URL:

https://login.microsoftonline.com/common/oauth2/token

We get the following error message:

Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.

The OAuth flow works when the code is generated in our desktop browsers. This error message is thrown only when the auth code is generated in mobile browsers.

The Azure AD admin has enabled mobile sign-in for all users.


2 Answers

1
votes

If you get this error, you can redirect the user to authenticate again with amr_values=mfa. This forces MFA to take place.

This honestly seems like a bug in AAD, though: if the user was able to authenticate, the app should be able to get a token right after.
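Added example, not code from the question or from either answer: it shows the v1 authorization-code flow the question describes (authorize URL, then the token request that redeems the code) and the retry this answer suggests, namely sending the user back to the authorize endpoint with amr_values=mfa when the token endpoint reports that MFA is required. Nothing is sent over the network; the script only builds the URL and form body and classifies a token response. The client_id, redirect_uri, client secret and the sample JSON responses are constructed for illustration, and the "error": "interaction_required" value in the constructed error is an assumption about what AAD returns; only the error text is taken from the page.

```python
"""Azure AD v1 auth-code flow helpers with the amr_values=mfa retry.

Added example; not part of the original question or answers. No request is
sent: the functions build the URLs/bodies an app would use and decide what to
do with a token-endpoint response.
"""
import json
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"

# Hypothetical app registration values (assumptions, not from the page).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example.com/oauth/callback"
# The resource named in the error message quoted in the question.
RESOURCE = "00000003-0000-0000-c000-000000000000"


def build_authorize_url(state, require_mfa=False):
    """Return the URL the browser is sent to in order to obtain an auth code.

    With require_mfa=True the amr_values=mfa parameter is added, which asks
    AAD to perform multi-factor authentication before issuing the code.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
        "state": state,  # anti-CSRF value; verify it on the callback
    }
    if require_mfa:
        params["amr_values"] = "mfa"
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(code, client_secret):
    """Return the form body POSTed to TOKEN_URL to redeem the auth code."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
    }


def mfa_required(token_response_json):
    """True when the token endpoint refused the code because MFA is required.

    Matches on the error text quoted in the question; the JSON shape
    (error / error_description keys) is the standard OAuth error body.
    """
    body = json.loads(token_response_json)
    if "error" not in body:
        return False
    return "must use multi-factor authentication" in body.get("error_description", "")


def next_step(token_response_json, state):
    """Classify a token response: ("token", access_token) on success,
    ("redirect", url) with amr_values=mfa when MFA is required, or
    ("error", code) for anything else."""
    body = json.loads(token_response_json)
    if "access_token" in body:
        return ("token", body["access_token"])
    if mfa_required(token_response_json):
        return ("redirect", build_authorize_url(state, require_mfa=True))
    return ("error", body.get("error"))


# Constructed sample responses (not captured from a real tenant).
MFA_ERROR = json.dumps({
    "error": "interaction_required",  # assumed value
    "error_description": "Due to a configuration change made by your administrator, "
    "or because you moved to a new location, you must use multi-factor "
    "authentication to access '00000003-0000-0000-c000-000000000000'.",
})
SUCCESS = json.dumps({"token_type": "Bearer", "access_token": "eyJ...constructed"})

if __name__ == "__main__":
    print(build_authorize_url("s1"))
    print(build_token_request("constructed-code", "constructed-secret"))
    print(next_step(MFA_ERROR, "s1"))
    print(next_step(SUCCESS, "s1"))
```

The state value is generated per login and checked on the callback before the code is redeemed; the MFA retry reuses it only so the example stays short, and a real app should issue a fresh one for the second round trip.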

1
votes

I saw this error message before getting the authorization code. Once you complete the authentication and get the auth code, Azure should use the auth code to generate access/refresh tokens right away.

Did you see this error message before receiving the auth code? If so, you should go through the MFA step, and then you should be able to get the tokens successfully.