I applaud better security. But unless they somehow can do MFA for portal work only (they stated it would also be CLI, PoSh), some models don't work. We need Entra ID account tokens for the DevOps PAT management API. That cannot be a PAT itself or a Service Principal, etc. And when MFA is enabled, that breaks automated pipelines. The idea of using a service principal/app registration that can act on behalf of breaks as well, as this needs to follow the authorization code flow, which always requires user interaction. As far as I understand, automated PAT management will break. I hope I am missing some solution for this, but I am at a loss as to how to achieve it. Naturally, I would love to hear how to get this working in a pipeline with authorization code flow (requires user login) and with MFA. For now, it works with a user with a super long, complex password that has been excluded from MFA.