This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

Please add the support for MFA. #101

Closed
rohrerb opened this issue Aug 4, 2017 · 11 comments

@rohrerb

rohrerb commented Aug 4, 2017

Please add support for MFA to allow customers to automate deployments of MFA. At the moment, it seems Microsoft only supports MFA automation via PowerShell.

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6998686-update-the-azure-active-directory-powershell-modul
http://connect.microsoft.com/site1164/content/content.aspx?ContentID=32016

@navyasric
Contributor

@rohrerb Can you please provide details about your app and its use case? How do you propose to use ADAL for your app?

@rohrerb
Author

rohrerb commented Feb 5, 2018

The use case is the same as users who want to automate/script out this process using PS. Not all users have the capability to use PowerShell (Mac or Linux users). Please support MFA automation/scripting through other languages such as Python.

@rayluo
Collaborator

rayluo commented Mar 13, 2018

Hey @rohrerb, do the comments in the other issue here help?

@mattxbart

mattxbart commented Aug 14, 2018

I'm running into the same issue. I want to execute a script to use the Graph API, but since MFA doesn't work I have to use an app permission instead of delegating through my user. I would really like to see MFA support or a suggestion on how to do this without using web-based interactions.

@rayluo
Collaborator

rayluo commented Aug 14, 2018

@mattxbart To make sure we are on the same page, what API call was your script trying to use? Was it acquire_token_with_username_password(...) or something else?

Also, what is your expectation of "MFA support"? If you mean a full automation that totally bypasses MFA, that is probably what MFA was trying to prevent. If you mean to trigger an interactive flow for the end user to complete MFA, which can be considered as semi-automation, it would rely on web-based interaction under the hood.

Nonetheless, if you can use app permission to avoid an end user role, that is probably the better way to go. Conceptually speaking, when your app does not need to impersonate an end user, it can then do lots of things, automatically.

@mattxbart

Yes @rayluo, I'm trying to use acquire_token_with_username_password. I was expecting it to prompt for the MFA code but it threw an error message about a problem with MFA. I can use the app permission, it just didn't seem as secure as using an MFA enabled method but I will do that now. Thanks!

@Preston-Landers

@mattxbart Is your application a web app? If so you can use acquire_token_with_authorization_code with users who must sign in with MFA.

@dimuthulakshan

@Preston-Landers I am using acquire_token_with_authorization_code with code_verifier='PKCE', still it didn't pop up MFA for user login. Is there any other configuration in Python?

token_response = auth_context.acquire_token_with_authorization_code(code, REDIRECT_URI, azure_config.RESOURCE, azure_config.CLIENT_ID, azure_config.CLIENT_SECRET, 'PKCE')

Appreciate your support, Thanks

@rayluo
Collaborator

rayluo commented Apr 8, 2019

@dimuthulakshan The PKCE thing is not relevant to the MFA topic. Just follow @Preston-Landers's hint to use acquire_token_with_authorization_code() in the normal way, and then the MFA - if required - would be triggered by the service side and be completed inside the browser.

@rayluo
Collaborator

rayluo commented Dec 3, 2020

At this point, the ADAL Python library will not receive new features. Its successor, MSAL Python, is generally available, and has released the acquire_token_interactive() behavior for desktop apps since MSAL 1.7.0, and the initiate_auth_code_flow() & acquire_token_by_auth_code_flow() for web apps (with a working example here). You folks can give it a shot.

@rayluo
Collaborator

rayluo commented Jan 12, 2021

Implemented in MSAL Python 1.7+. Please switch to MSAL Python.

@rayluo rayluo closed this as completed Jan 12, 2021
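
Added example, not part of the original thread and not code from the ADAL or MSAL projects: a script that tries the username/password flow discussed above and switches to MSAL Python's `acquire_token_interactive()` when Azure AD answers that MFA is required, so the second factor is completed in the browser. The helper names `needs_interaction` and `acquire_token`, the client ID and tenant placeholders, and the `User.Read` scope are assumptions for illustration.

```python
# Added example (not from the thread or the MSAL project). Requires msal>=1.7.0.
# AADSTS codes Azure AD returns when a second factor is needed:
# 50076 = MFA required for this sign-in, 50079 = user must register for MFA.
MFA_ERROR_CODES = {50076, 50079}


def needs_interaction(result):
    """True if a token response says the user must sign in interactively.

    The `error` string varies by flow, so the AADSTS codes are checked too.
    """
    if "access_token" in result:
        return False
    codes = set(result.get("error_codes", []))
    return result.get("error") == "interaction_required" or bool(codes & MFA_ERROR_CODES)


def acquire_token(app, scopes, username, password=None):
    """Hypothetical helper: return an MSAL result dict for `username`.

    `app` is an msal.PublicClientApplication. The password flow cannot
    satisfy MFA, so when Azure AD asks for it the browser flow is used.
    """
    if password is not None:
        result = app.acquire_token_by_username_password(
            username, password, scopes=scopes)
        if not needs_interaction(result):
            return result  # success, or an error unrelated to MFA
    # Browser-based flow: Azure AD runs the MFA prompt on its own page.
    return app.acquire_token_interactive(scopes, login_hint=username)


if __name__ == "__main__":
    import getpass
    import msal

    # Placeholders: substitute your own app registration and tenant.
    app = msal.PublicClientApplication(
        "YOUR_CLIENT_ID",
        authority="https://login.microsoftonline.com/YOUR_TENANT_ID")
    user = input("Username: ")
    result = acquire_token(app, ["User.Read"], user, getpass.getpass())
    print("token acquired" if "access_token" in result
          else result.get("error_description"))
```

The interactive call opens the system browser and listens on a local redirect, so it needs a desktop session; on a headless host the app-permission route mentioned earlier in the thread remains the option.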