azure-cli: `az login` fails due to MFA

Describe the bug

`az login` doesn’t work for me anymore with an MFA enabled user.

    Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/4253165e-ba77-4eaa-bd15-e7abb69a74ef', 'tenant_id': '4253165e-ba77-4eaa-bd15-e7abb69a74ef'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: 384cee7c-cf4c-4dfe-8a11-a510c4e90c00\r\nCorrelation ID: 66394469-089e-42dc-aaf6-e5d6e77c7987\r\nTimestamp: 2018-08-03 12:27:46Z","error_codes":[50076],"timestamp":"2018-08-03 12:27:46Z","trace_id":"384cee7c-cf4c-4dfe-8a11-a510c4e90c00","correlation_id":"66394469-089e-42dc-aaf6-e5d6e77c7987","suberror":"basic_action"}'

To Reproduce

`az login`; also

    read -sp "Azure password: " AZ_PASS && echo && az login -u auobrien.david@outlook.com -p $AZ_PASS

doesn’t work.

Expected behavior

I receive an MFA prompt on my phone.

Environment summary

    az --version
    azure-cli (2.0.43)

Installed on WSL.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 30 (11 by maintainers)

Most upvoted comments

This will happen if your account is associated with multiple Azure ADs. It can exist as a member user in one Azure AD, and as a guest user in the other Azure AD. If the Azure AD that you are a guest user in requires MFA, this error will occur.

You can mitigate this ‘problem’ by adding the Azure AD tenant to the login:

    az login --tenant [tenantid]

in your case:

    az login --tenant 4253165e-ba77-4eaa-bd15-e7abb69a74ef
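The thread's diagnosis is that the failing tenant is named inside the error text itself, and the fix is to pass that tenant explicitly. The shell snippet below is an added example (not azure-cli project code) that pulls the AADSTS code and the tenant id out of a captured `az login` failure and prints the retry this comment recommends; the sample message and its ids are constructed, and the helper names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: turn a failed `az login` message into the retry suggested in this thread.
# Assumes bash with POSIX sed; nothing here talks to Azure.

# Return the numeric AADSTS code (e.g. 50076) from an az login failure message.
aad_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*AADSTS\([0-9][0-9]*\).*/\1/p' | head -n1
}

# Return the tenant id quoted in the "Failed to authenticate '{... 'tenant_id': ...}'" line.
failed_tenant() {
    printf '%s\n' "$1" | sed -n "s/.*'tenant_id': '\([^']*\)'.*/\1/p" | head -n1
}

# Map the error code to the remediation described in the thread.
login_hint() {
    out="$1"
    code=$(aad_error_code "$out")
    tenant=$(failed_tenant "$out")
    case "$code" in
        50076)
            # A tenant that requires MFA was touched during the subscription scan:
            # scope the login to that tenant so the MFA challenge is actually raised.
            printf 'az login --tenant %s\n' "$tenant" ;;
        50079)
            # The account is not enrolled in MFA yet; no CLI flag changes that.
            printf 'complete MFA enrolment in the portal, then re-run az login\n' ;;
        *)
            printf 'unhandled error code %s\n' "${code:-none}" ;;
    esac
}

# Constructed sample modelled on the output quoted in this issue (ids are placeholders).
SAMPLE="Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/00000000-0000-0000-0000-000000000001', 'tenant_id': '00000000-0000-0000-0000-000000000001'}' due to error 'Get Token request returned http error: 400 and server response: {\"error\":\"interaction_required\",\"error_description\":\"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'placeholder-app-id'.\",\"error_codes\":[50076],\"suberror\":\"basic_action\"}'"

# Real use: capture the failing login and hand its output to login_hint, e.g.
#   out=$(az login 2>&1) || login_hint "$out"
login_hint "$SAMPLE"
```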

Closing. No actions I can take from CLI’s end to make it better; the issue is that the browser UI caches old auth configurations. If more users report the same error I will transfer to the AAD/ESTS team who owns the whole browser based authentication flow.

@Bessonov, you may use az login --use-device-code for user login or az login --service-principal for service principal login. Please see Create an Azure service principal with Azure CLI for details.

@sjentzsch, I have forwarded this to the AAD group, thanks for the feedback. What we have experienced is confusing, indeed.

I can reproduce this behavior by doing:

  1. In portal, enable the baseline policy right away by following “Azure Active Directory=>Conditional Access=>Baseline policy” and turning on the option of “Use policy immediately”
  2. Launch CLI, and click the account tile in the browser, which will sign you in, but then you will get the same error from CLI.

I ended up fixing this by re-opening the browser and logging in to the portal again, which triggered the wizard for me to configure all that is needed for MFA authentication. After that, “az login” works again. Hope this helps.

Try to use the tenant ID when logging in using the CLI. Then you need to go through 2 steps of authentication.

I’m having this exact issue on azure-cli version 2.0.30. First noticed it a couple days ago.

Are you able to log in to the portal? If yes, can you try az login again?

I think the best option is to:

  1. open the browser
  2. log in to the Azure portal - accept the policy with cookies etc.
  3. run the CLI “az login” and then log in - it should work

But for sure something is not working correctly with “az login”; it looks like it does not get the appropriate cookies/tokens. I will try to debug it someday 😄

@Miles-Davies-HORIBA , when you use az login --tenant "xxx.onmicrosoft.com", and get denied access to artifacts, what is the error? Is it the same or something else? +@bagga from DevOps team

I think my issue was caused by a bug in az which was fixed. It works fine for me with the latest

I have the same problem. I am logged in to my company’s Office 365 tenant but we have another tenant for Azure DevOps where I am a “guest” using my Office 365 e-mail. My company’s Office 365 has no MFA but the DevOps AAD has MFA. “az login” fails with “AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access”

    az login --tenant "<company>.onmicrosoft.com"

runs MFA authentication but denies access to artifacts.

This only started happening when I updated to latest az and devops. az-cli 2.0.75 devops 0.13.0. I am the owner of the feed I am trying to access so it should be fine.

If I set the $env:AZURE_DEVOPS_EXT_PAT to my PAT the command works just fine.

@yugangw-msft - In our organization we face the same issue: az login, when used with an MFA-enabled account in AzureCloud (EU), leads to

    Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
    You have logged in. Now let us find all the subscriptions to which you have access...
    Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/XXX', 'tenant_id': 'XXX'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'XXX'.\r\nTrace ID: XXX\r\nCorrelation ID: XXX\r\nTimestamp: 2019-02-05 13:03:27Z","error_codes":[50076],"timestamp":"2019-02-05 13:03:27Z","trace_id":"XXX","correlation_id":"XXX","suberror":"basic_action"}'
    No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

When I log in via the browser manually it asks me for MFA, I confirm, re-try with az login and then it works. I highly recommend forwarding this issue to the AAD/ESTS team as you suggested.

Hi,

I too face a similar issue. If I try to access my web app outside the Microsoft office environment I get prompted with MFA. But if I try using my application inside the MS environment it just asks me for basic authentication and allows access. But in this case, since I didn’t do MFA, when I try to access Azure APIs it throws the error below:

    err :AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘797f4846-ba00-4fd7-ba43-dac1f8f63013’.

So every time I have to clear the browser cache, log in via the Azure portal which asks for MFA, and then access my site, which is quite painful.

Any help appreciated.

This is an error from AAD server which I shall clarify with service team.

    AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'

At the same time, in the browser, can you log out of the portal and run “az login” again? The goal is to clear the old cache associated with non-MFA accounts, and force a new authentication flow.

For MFA, you have to use interactive login through az login w/o -u. This requirement comes from AAD token service, not CLI.