This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

troubleshooting mfa

Jean-Marc Prieur edited this page Aug 2, 2018 · 9 revisions

What is the issue?

Context

You have a Web Application signing in users and you want to call a Web API (for instance the Microsoft Graph), but the tenant administrator has enabled MFA on this Web API (or on one of its downstream APIs, see below):

 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.IdentityModel.Clients.ActiveDirectory;

 .AddOpenIdConnect(opts =>
 {
  // ...

  opts.Events = new OpenIdConnectEvents
  {
   OnTokenValidated = async ctx =>
   {
    await DoSomethingWithIdentity(ctx);
   }
  };
 });
 
 // Resource identifier of the Microsoft Graph, the Web API called on behalf of the user
 private const string GraphResourceUrl = "https://graph.microsoft.com";

 private static async Task DoSomethingWithIdentity(TokenValidatedContext context)
 {
  // Create an AAD client that will act on the user's behalf
  var authContext = new AuthenticationContext(context.Options.Authority);
  ClientCredential clientCred = new ClientCredential(context.Options.ClientId,
                                                     context.Options.ClientSecret);
  ClaimsIdentity claimsIdentity = context.Principal.Identity as ClaimsIdentity;
  if (claimsIdentity == null)
  {
   return;
  }
 
  // Get auth for the app to act on behalf of the user (on-behalf-of flow):
  // the id_token just validated is exchanged for an access token to the Graph
  UserAssertion userAssertion = new UserAssertion(context.ProtocolMessage.IdToken, 
                                                  "urn:ietf:params:oauth:grant-type:jwt-bearer",
                                                  claimsIdentity.Name);
  AuthenticationResult authResult = await authContext.AcquireTokenAsync(GraphResourceUrl, 
                                                                        clientCred,
                                                                        userAssertion).ConfigureAwait(false);
  // ...
 }

or

You have a Web API calling a downstream Web API for which the tenant administrator has enabled MFA (similar code, using the on behalf of flow), like the active-directory-dotnet-webapi-onbehalfof-ca sample.

What happens?

For some users, when you call the AcquireTokenAsync method, you get the following error:

AdalClaimChallengeException: AADSTS50079: Due to a configuration change made by your administrator,
or because you moved to a new location,
you must enroll in multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.

Why do you get this error?

This error is likely generated as a result of Conditional Access. The following document provides more details: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-conditional-access-developer. IT admins can apply Conditional Access policies onto resources and apps that require extra conditions to be met before granting authorization. In the case of the issue above, it's MFA; in another, it might be IP range restrictions or risk-rating.

What can you do?

You have 2 options:

  1. The best option is to expect these errors, and build any necessary experience around them. This allows your app to handle CA across the board, without prompting users who are not subject to a CA policy. For this, check the Handling AdalClaimChallengeException page.
  2. You can also request the resources that are generating this error up-front (declare them as required resources in the app registration portal, and grant permissions if needed). This tells the token service that you need to fulfill any authorization requirements up-front.
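As an added example of option 1 (not code from the original page or from the ADAL.NET project), the Web App catches AdalClaimChallengeException, stores the claims challenge on the authentication properties and re-challenges the user through OpenID Connect, where an OnRedirectToIdentityProvider handler forwards it as the claims parameter. It assumes opts.SaveTokens = true in AddOpenIdConnect, an injected AuthenticationContext and ClientCredential built as on this page, and the hypothetical ClaimsItemKey name.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Part 1: register as opts.Events.OnRedirectToIdentityProvider in AddOpenIdConnect.
public static class ClaimsChallengeOidcEvents
{
    public const string ClaimsItemKey = "claims"; // hypothetical key for AuthenticationProperties.Items

    public static Task OnRedirectToIdentityProvider(RedirectContext ctx)
    {
        // Azure AD reads the challenge JSON from the 'claims' query parameter; with it, the sign-in
        // enforces the Conditional Access policy (here MFA) for this user, and only now.
        if (ctx.Properties.Items.TryGetValue(ClaimsItemKey, out string claims) && !string.IsNullOrEmpty(claims))
            ctx.ProtocolMessage.SetParameter("claims", claims);
        return Task.CompletedTask;
    }
}

// Part 2: a controller that expects the claims challenge instead of surfacing AADSTS50079 to the user.
public class GraphController : Controller
{
    private const string GraphResourceUrl = "https://graph.microsoft.com";
    private readonly AuthenticationContext _authContext; // assumed: new AuthenticationContext(opts.Authority)
    private readonly ClientCredential _clientCred;       // assumed: built from opts.ClientId and ClientSecret

    public GraphController(AuthenticationContext authContext, ClientCredential clientCred)
    {
        _authContext = authContext;
        _clientCred = clientCred;
    }

    // Assumes opts.SaveTokens = true so the id_token of the signed-in user can be read back here.
    public async Task<IActionResult> Index()
    {
        string idToken = await HttpContext.GetTokenAsync("id_token");
        var assertion = new UserAssertion(idToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", User.Identity.Name);
        try
        {
            AuthenticationResult result = await _authContext
                .AcquireTokenAsync(GraphResourceUrl, _clientCred, assertion).ConfigureAwait(false);
            return Ok(); // call the Graph with result.AccessToken here
        }
        catch (AdalClaimChallengeException ex)
        {
            // Re-run the OIDC sign-in carrying ex.Claims; users not under the policy never hit this path.
            var props = new AuthenticationProperties { RedirectUri = Request.Path.Value };
            props.Items[ClaimsChallengeOidcEvents.ClaimsItemKey] = ex.Claims;
            return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
        }
    }
}
```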