When I try to authenticate an AAD user to an Azure Batch account using AcquireTokenByUsernamePassword, if the user has MFA enabled it is taking some time (around 30-40 secs) to receive the MsalUiRequiredException AADSTS50076, and this keeps the user waiting unfortunately with a 'not so helpful' prompt with 'Switch To' and 'Retry' options.
I want to know beforehand that the user needs to go through MFA, so that I can redirect him to the interactive flow (AcquireTokenInteractive) instead.
Is there a way to know if the user has the MFA flag enabled? (I could find one for the MS Graph API but not for my requirement.)
CodePudding user response:
Please note that you cannot get a user's MFA status using the Azure Batch Service API. You can find the operations supported by the Azure Batch Service API in this MS Doc.
To know a user's MFA status via APIs, you can only use the Microsoft Graph API.
I tried to reproduce the same in my environment via Graph Explorer and got results like below:
I ran the below query to know a specific user's MFA status by filtering it with the UPN:
GET https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=userPrincipalName eq 'User_UPN'
Response:
Code sample in C# (Microsoft Graph beta SDK, v4-style request builders):
// authProvider is an IAuthenticationProvider that supplies a Graph token for the signed-in identity.
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
// Query the beta credential registration report for one user, filtered by UPN.
var credentialUserRegistrationDetails = await graphClient.Reports.CredentialUserRegistrationDetails
    .Request()
    .Filter("userPrincipalName eq 'User_UPN'")
    .GetAsync();
If you want to get all the users whose MFA is enabled, you can make use of the query below:
GET https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=isMfaRegistered eq true
Response:
Code sample in C# (same SDK as above):
// authProvider is an IAuthenticationProvider that supplies a Graph token for the signed-in identity.
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
// Same report, now filtered on the isMfaRegistered flag to list every MFA-registered user.
var credentialUserRegistrationDetails = await graphClient.Reports.CredentialUserRegistrationDetails
    .Request()
    .Filter("isMfaRegistered eq true")
    .GetAsync();