Tronic

Reputation: 113

How can I prompt for MFA when using AzureKeyVault?

I manage a desktop application with secrets stored in Azure Key Vault. A security group is granted access to Azure Key Vault, and users in that security group should be able to access keys. I use the following code to access Azure Key Vault and retrieve secrets:

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Acquire the Key Vault token as the currently signed-in (integrated) Windows user
var tokenCallback = new AzureServiceTokenProvider("RunAs=CurrentUser").KeyVaultTokenCallback;
var authCallback = new KeyVaultClient.AuthenticationCallback(tokenCallback);
var client = new KeyVaultClient(authCallback);
var secret = await client.GetSecretAsync("https://keyvaultnameplaceholder.vault.azure.net/", SecretName);

This succeeds for most of my users. Recently, the code has begun failing for some users with the error:

Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. 
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

My understanding is that Active Directory Integrated Authentication does not support MFA; however, I haven't been able to figure out how to force Azure Key Vault to do an MFA prompt. I acquire an AAD token for the application elsewhere with Active Directory Interactive Authentication (which does support MFA), but the MFA prompt is not required there. I've passed that token to KeyVaultClient, but that fails because the application itself is not permitted to access Azure Key Vault: only the users themselves are.

Is there any way to let Azure Key Vault prompt for MFA/force Azure Key Vault to use AAD Universal or Interactive login?

Upvotes: 1

Views: 1580

Answers (1)

Joy Wang

Reputation: 42143

Active Directory Integrated Authentication does not bypass MFA; if MFA is configured, it might fail.

In your case, if you want interactive login, my workaround is to use the Azure CLI to authenticate; it supports MFA interactive login.

1. Install the Azure CLI, then use az login to log in with your user account.

2. Then change your code as below.

var tokenCallback = new AzureServiceTokenProvider("RunAs=Developer; DeveloperTool=AzureCli").KeyVaultTokenCallback;


Upvotes: 1
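The following is an added example, not code from the question or the answer, showing the Azure CLI workaround wired end to end with a failure path: when the CLI has no valid cached login (so no MFA-backed token can be issued), the helper surfaces a clear instruction instead of the raw AADSTS error. KeyVaultUrl and the hypothetical GetSecretValueAsync method are placeholders; it assumes the Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication packages and a prior az login on the user's machine.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Added example (not from the original post). Vault URL is a placeholder.
static class KeyVaultSecrets
{
    const string KeyVaultUrl = "https://keyvaultnameplaceholder.vault.azure.net/";

    public static async Task<string> GetSecretValueAsync(string secretName)
    {
        // Tokens come from the Azure CLI's cached login (which completed MFA during
        // `az login`), not from Integrated Windows Authentication, so the user's own
        // Key Vault access policy still applies and AADSTS50076 is avoided.
        var provider = new AzureServiceTokenProvider("RunAs=Developer; DeveloperTool=AzureCli");
        var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));

        try
        {
            var bundle = await client.GetSecretAsync(KeyVaultUrl, secretName);
            return bundle.Value;
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Raised when the CLI is missing, not logged in, or its token has expired:
            // the user must repeat `az login` (and its MFA prompt) before retrying.
            throw new InvalidOperationException(
                "Could not obtain a Key Vault token from the Azure CLI. Run `az login` and retry.", ex);
        }
    }
}
```

Call await KeyVaultSecrets.GetSecretValueAsync(SecretName) in place of the original four lines; note that every user of the desktop application then needs the Azure CLI installed and an active az login session.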
