guffi

Reputation: 103

Microsoft /oauth2/v2.0/authorize 'amr_values' request parameter is not supported. (MFA)

I'm trying to authenticate against the Microsoft https://login.microsoftonline.com/oauth2/v2.0/authorize endpoint while enforcing MFA. Following the documentation, this is done by adding the &amr_values=ngcmfa request parameter to the authorization URL. When I do so, I get the following error:

AADSTS901002: The 'amr_values' request parameter is not supported.

When I instead use the https://login.microsoftonline.com/oauth2/authorize endpoint (without v2.0), it works fine. The issue is that using this endpoint leads to internal server errors (500) when requesting the Partner Center API of Microsoft, e.g. https://api.partnercenter.microsoft.com/v1/profiles/organization

So the question is how to enforce MFA with the v2.0 endpoint?

Upvotes: 6

Views: 1087

Answers (1)

André

Reputation: 9122

Never mind, I was using the V1 endpoint, V2 still does NOT support it :(


Small update about this: it seems MS has added support for MFA to the v2 endpoint, because both of these options work right now:

  1. "https://login.microsoftonline.com/organizations/oauth2/authorize?amr_values=mfa"
  2. "https://login.microsoftonline.com/organizations/oauth2/authorize?amr_values=ngcmfa"

The first option results in the following "amr" values in the ID token:

  • "amr": ["pwd","mfa"]

And the second option (with forced re-mfa):

  • "amr": ["pwd","ngcmfa","mfa"]

Upvotes: 1
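
The `amr_values` parameter only asks the identity provider for MFA, so the application should still check the `amr` claim in the ID token it receives. The following is an added example (not part of the original answer) that checks the two `amr` results listed above; it assumes signature, issuer, audience and expiry were already validated by your OIDC library, and the function names and sample token are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking the signature.

    Assumption: the caller has already validated signature, issuer,
    audience and expiry with its OIDC library.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def mfa_satisfied(claims: dict, require_fresh: bool = False) -> bool:
    """True if 'amr' contains 'mfa'; with require_fresh, also require 'ngcmfa'."""
    amr = claims.get("amr")
    # A missing or malformed 'amr' claim fails closed.
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        return False
    methods = set(amr)
    if "mfa" not in methods:
        return False
    return "ngcmfa" in methods if require_fresh else True


def make_sample_token(amr) -> str:
    """Constructed sample token with a placeholder signature (demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "sample-user", "amr": amr}
    return ".".join([enc(header), enc(payload), "constructed-signature"])


if __name__ == "__main__":
    for amr in (["pwd"], ["pwd", "mfa"], ["pwd", "ngcmfa", "mfa"]):
        claims = unverified_claims(make_sample_token(amr))
        print(amr, mfa_satisfied(claims), mfa_satisfied(claims, require_fresh=True))
```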
