Azure MFA and Flow (Power Automate)


Has anyone successfully managed to implement Azure MFA without adversely affecting Flow (Power Automate)?

 

The Microsoft Support article "Recommendations for conditional access and multi-factor authentication in Microsoft Flow" (https://support.microsoft.com/en-gb/help/4467879/conditional-access-and-multi-factor-authentication-...) refers to the Configurable Token Lifetimes, which look as if they would work. However, following the link from that article to further information ("Configurable token lifetimes in Azure Active Directory (Preview)" - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...) then says that:

 

After May 1, 2020 you will not be able to use Configurable Token Lifetime policy to configure session and refresh tokens. You can still configure access token lifetimes after the deprecation.

 

Instead, they will be replaced by authentication session controls in Conditional Access.

 

So the question is: how now should we be configuring MFA via Conditional Access policies so that Flow is not adversely affected? 

1 Reply
Has anyone found a solution to this? We've noticed a similar issue after rolling out MFA. It would be great if there was some up-to-date guidance on the best way to utilise MFA with Power Automate. In large companies where many users have set up workflows, enforcing MFA has the potential to cause quite a bit of disruption.