I'm trying to authenticate a user using the ROPC flow via a REST API, aiming for full automation without any user interaction. However, even though I've disabled MFA for the user, Azure still prompts for it. Is there a policy that's enforcing MFA regardless of the user's settings? If so, what steps can I take to turn it off?
1 Answer
It sounds like you’re hitting a Conditional Access policy. Even if you turn off MFA for a specific user, Conditional Access policies such as 'require MFA for all users' or security defaults can still enforce it. Check under Entra ID -> Security -> Conditional Access to see if there are any active policies affecting that user or their group. Also, make sure that security defaults are disabled since those apply MFA globally. Just a heads-up, using ROPC can be tricky with MFA configurations; many folks end up choosing different flows for automation.
I ended up turning off the security defaults, but I'm curious about the other flows people are using for authentication. I’ve tried everything to automate PAT rotation through REST APIs, and ROPC seems like the only approach that works since code auth requires user interaction.