How to call GenerateToken REST API with 2FA enabled microsoft Azure account


Postman request

API POST: https://login.microsoftonline.com/common/oauth2/token

My scenario:

Step 1: I need to log in to my Microsoft 2FA-enabled account through a REST API backend service and get the access token.

Step 2: With that access token, I need to hit the Power BI account API to get the embedded token.

Issue: This process has to be fully REST API with NO prompt to take a code from users. When 2FA is enabled in the Microsoft account, this API doesn't work. It shows this error:

    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'. Trace ID: 05451564-7c99-454f-9f1c-85b5d0ac6a00 Correlation ID: 026670ad-9c04-46d8-828b-0c1435938e90 Timestamp: 2023-11-05 14:11:35Z",
    "error_codes": [
        50076
    ]

But by disabling 2FA it works well. So, how can I call this API with 2FA enabled?


If you're receiving an "interaction_required" error when calling an API with 2FA-enabled Microsoft accounts, it means that the application is trying to perform a non-interactive authentication while the account is configured for multi-factor authentication (MFA).

In such cases, you typically need to use a different authentication method, such as a certificate or client secret, or the device code flow, which doesn't rely on user interaction for MFA.

Using client secret

Here's how I modified my application to use a client secret for authentication, which is working fine with 2FA-enabled accounts:

    using System;
    using Microsoft.Identity.Client;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    
    class Program
    {
        static async Task Main(string[] args)
        {
            string clientId = "YOUR_CLIENT_ID";
            string tenantId = "YOUR_TENANT_ID";
            string clientSecret = "YOUR_CLIENT_SECRET"; // Replace with your client secret
            string authority = $"https://login.microsoftonline.com/{tenantId}";
            string apiScope = "https://api.example.com/.default"; // Replace with your API scope
            string apiEndpoint = "https://api.example.com/generateToken"; // Replace with your API endpoint
    
            // Confidential client: the app authenticates with its own secret,
            // so no user signs in and no MFA prompt is involved.
            var app = ConfidentialClientApplicationBuilder
                .Create(clientId)
                .WithClientSecret(clientSecret)
                .WithAuthority(new Uri(authority))
                .Build();
    
            // The "/.default" scope requests all application permissions
            // granted to this app for the target API.
            string[] scopes = new string[] { apiScope };
    
            // Client credentials grant: returns an app-only access token.
            var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
    
            var httpClient = new HttpClient();
            httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    
            var response = await httpClient.PostAsync(apiEndpoint, null);
    
            if (response.IsSuccessStatusCode)
            {
                string content = await response.Content.ReadAsStringAsync();
                Console.WriteLine("API call successful.");
                Console.WriteLine(content);
            }
            else
            {
                Console.WriteLine($"API call failed with status code {response.StatusCode}");
            }
        }
    }


Device code flow

The device code flow is a two-step authentication flow. In the first step, the user opens a web browser and navigates to a specific URL. They are then prompted to enter a device code that is displayed on the application. Once the user has entered the device code, they are granted access to the application.

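As an added example, not code from the question or the answer: the two flows the answer recommends, client credentials and device code, written as raw OAuth 2.0 requests to the Microsoft identity platform v2.0 endpoints in Python using only the standard library. The tenant ID, client ID, secret and scope values are placeholders; `FakeEntra` is a constructed stand-in for the token endpoint so the polling logic can be exercised offline, and `urllib_transport` is what you would pass instead for a real call. It goes slightly beyond the page by showing the device-code polling details a backend has to get right: the `authorization_pending` and `slow_down` responses and the code's expiry.

```python
# Added example, not from the original answer. Tenant, client and scope
# values are placeholders; FakeEntra is a constructed stand-in for Entra ID.
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List

TENANT_ID = "YOUR_TENANT_ID"  # placeholder, as in the answer's C# sample
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"
TOKEN_URL = f"{AUTHORITY}/token"
DEVICE_CODE_URL = f"{AUTHORITY}/devicecode"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# A transport POSTs a form body and returns the parsed JSON body for both
# HTTP 200 (token) and HTTP 400 (OAuth error) responses.
Transport = Callable[[str, Dict[str, str]], Dict[str, Any]]


def urllib_transport(url: str, form: Dict[str, str]) -> Dict[str, Any]:
    """Stdlib transport for real use; OAuth errors such as
    authorization_pending arrive as HTTP 400, so their body is read too."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def acquire_app_token(transport: Transport, client_id: str,
                      client_secret: str, scope: str) -> str:
    """Client credentials: the app itself is the identity. No user signs in,
    so no MFA policy is evaluated. `scope` is the API's '/.default' scope."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    body = transport(TOKEN_URL, form)
    if "access_token" not in body:
        raise RuntimeError(f"{body.get('error')}: {body.get('error_description')}")
    return body["access_token"]


def acquire_device_code_token(transport: Transport, client_id: str, scope: str,
                              sleep: Callable[[float], None] = time.sleep,
                              clock: Callable[[], float] = time.monotonic) -> Dict[str, Any]:
    """Device code: the user completes sign-in (including MFA) in a browser
    while this backend only polls. Follows the server's interval, backs off
    on slow_down and stops at the code's expiry, as RFC 8628 requires."""
    start = transport(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})
    if "device_code" not in start:
        raise RuntimeError(f"{start.get('error')}: {start.get('error_description')}")
    print(start.get("message", ""))  # tells the user where to type user_code
    interval = float(start.get("interval", 5))
    deadline = clock() + float(start.get("expires_in", 900))
    poll = {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id,
            "device_code": start["device_code"]}
    while clock() < deadline:
        sleep(interval)
        body = transport(TOKEN_URL, poll)
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue            # user has not finished signing in yet
        if error == "slow_down":
            interval += 5       # server asked for a longer polling interval
            continue
        # expired_token, authorization_declined, bad_verification_code, ...
        raise RuntimeError(f"{error}: {body.get('error_description')}")
    raise TimeoutError("device code expired before the user completed sign-in")


class FakeEntra:
    """Constructed stand-in for the endpoints: the user 'finishes MFA' on the
    fourth poll, and the server asks for a back-off once along the way."""
    def __init__(self) -> None:
        self.polls = 0
        self.sleeps: List[float] = []

    def sleep(self, seconds: float) -> None:
        self.sleeps.append(seconds)

    def __call__(self, url: str, form: Dict[str, str]) -> Dict[str, Any]:
        if url == DEVICE_CODE_URL:
            return {"device_code": "dc-constructed", "user_code": "ABCD-EFGH",
                    "verification_uri": "https://example.invalid/devicelogin",
                    "expires_in": 900, "interval": 5,
                    "message": "Open the verification URI and enter ABCD-EFGH"}
        if form.get("grant_type") == "client_credentials":
            return {"token_type": "Bearer", "expires_in": 3599,
                    "access_token": "app-token-constructed"}
        self.polls += 1
        if self.polls in (1, 3):
            return {"error": "authorization_pending"}
        if self.polls == 2:
            return {"error": "slow_down"}
        return {"token_type": "Bearer", "access_token": "user-token-constructed"}


def demo() -> Dict[str, Any]:
    fake = FakeEntra()
    app_token = acquire_app_token(fake, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                                  "api://your-api/.default")
    user = acquire_device_code_token(fake, "YOUR_CLIENT_ID", "User.Read", sleep=fake.sleep)
    return {"app_token": app_token, "user_token": user["access_token"],
            "polls": fake.polls, "sleeps": fake.sleeps}


if __name__ == "__main__":
    print(demo())
```

The two flows satisfy the question's "no prompt in the backend" constraint in different ways. Client credentials never involves a user, so Conditional Access MFA is not evaluated, but the token carries only application permissions and the target API has to accept app-only callers (for Power BI that means enabling service principal access in the tenant settings and granting the service principal access to the workspace). Device code still yields a user token and the user still completes MFA, just in their own browser rather than through the backend; it also requires the app registration to allow public client flows.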