Ramakrishna Reddy

Reputation: 347

How to overcome Azure Active Directory MFA while implementing QA automation

We are developing an application that uses Azure Active Directory for the sign-in process. Azure AD is configured with MFA (multi-factor authentication). Now we are facing an issue with QA automation where we need to manually update the MFA code. Is there any way to get it done automatically, or some other alternative for this?

Upvotes: 3

Views: 2063

Answers (1)

juunas

Reputation: 58853

Generally automated processes require a bit more work when MFA is involved.

You have 2 options that I can think of right now:

  1. Don't use a user account, use a service principal/app registration + application permissions
    • Allows you to use client credentials to authenticate, no MFA
  2. Run the authentication flow once with a user to get access token + refresh token, use refresh token to get new tokens whenever needed in the automated process
    • You will get a new refresh token as well every time you use a refresh token, be sure to replace the one you have with the new one
    • Refresh tokens can and do expire, so you may need to redo the initial authentication again
    • Take special care in storing the refresh token securely

We implemented the second case for a customer's background process: https://joonasw.net/view/adding-opt-in-feature-to-azure-ad-app

Oh, and in case you are talking about UI automation, the Azure AD product team has said to me many times that you should not try to automate the login page itself. It has invisible checks and may block your automated login. In these cases, you may need to have a user with no MFA, use the ROPC flow to get tokens, and somehow inject those tokens into your UI. Or use the refresh token approach to get the tokens and then inject them.

Upvotes: 4
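
The refresh-token handling from option 2, as an added Python example (not code from the answer or the linked post): it redeems the stored token, replaces it with the rotated one, and signals when the interactive sign-in has to be redone. It assumes a public client app registration (no client secret) and a token file path of your choosing; `ReauthRequired`, the function names and the injectable `post` parameter are hypothetical, while the endpoint and the `invalid_grant` error are the standard Microsoft identity platform v2.0 ones.

```python
import json, os, tempfile, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

class ReauthRequired(Exception):
    """Refresh token rejected; a user must redo the interactive (MFA) sign-in."""

def http_post(url, form):
    """Default transport: POST a form, return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def save_refresh_token(path, token):
    """Atomically replace the stored token; the file is owner-readable only."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:  # mkstemp creates the file with mode 0600
            fh.write(token)
        os.replace(tmp, path)           # old token is never left half-written
    except BaseException:
        os.unlink(tmp)
        raise

def get_access_token(path, tenant, client_id, scope, post=http_post):
    """Redeem the stored refresh token and persist the rotated one."""
    with open(path) as fh:
        current = fh.read().strip()
    status, body = post(TOKEN_URL.format(tenant=tenant), {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": current,
        "scope": scope,                 # include offline_access to keep getting refresh tokens
    })
    if status != 200:
        if body.get("error") == "invalid_grant":  # expired or revoked
            raise ReauthRequired(body.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token request failed: {status} {body.get('error')}")
    # Store the new refresh token before handing back the access token.
    if body.get("refresh_token"):
        save_refresh_token(path, body["refresh_token"])
    return body["access_token"]
```

In a CI pipeline the token file would normally live in the pipeline's secret store rather than on disk; the file here stands in for that store.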
