Microsoft Entra sign-in failed because MFA is required
Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '{resource}'.
Microsoft Entra ID interrupted the sign-in because the current authentication attempt does not satisfy a multi-factor authentication requirement. This is usually enforced by a Conditional Access policy, per-user MFA enforcement, or Security Defaults. The request must be retried interactively so the user can complete the MFA challenge.
Why it happens
A Conditional Access policy in the tenant requires MFA for the user, application, or network location involved in the sign-in attempt.
Per-user MFA enforcement is enabled for the account in the Microsoft Entra admin center.
Security Defaults are enabled on the tenant, which enforces MFA for all users.
The sign-in is being attempted non-interactively using the Resource Owner Password Credentials (ROPC) flow, which cannot satisfy an MFA challenge because there is no browser or UI to present one.
The user's sign-in location has changed since their last session, triggering a new MFA challenge from a Conditional Access location-based policy.
A service account or automated flow is attempting to authenticate using delegated permissions against a resource that is covered by a Conditional Access MFA policy.
How to fix it
If the sign-in is interactive: retry the sign-in in a browser. Entra ID will redirect the user through the MFA challenge, and authentication will complete once the challenge is satisfied.
If the sign-in is non-interactive (ROPC flow, automation, service account): the ROPC flow cannot handle MFA challenges. Switch to the authorization code flow or device code flow, which both support interactive MFA. For service-to-service scenarios, use a service principal with client credentials (certificate or client secret) and application permissions instead of delegated user credentials.
If the error is from a service account that should not require MFA: in the Entra admin center, navigate to Protection > Conditional Access, open the relevant MFA policy, go to Users > Exclude, and add the service account. Use exclusions cautiously and only for accounts with other compensating controls.
If per-user MFA is enforced and this is unintended: navigate to Microsoft Entra admin center > Users > Per-user MFA, select the user, and disable per-user MFA. Microsoft recommends using Conditional Access policies instead of per-user MFA.
If Security Defaults are enabled and are the cause: navigate to Microsoft Entra admin center > Overview > Properties > Manage Security Defaults and set it to Disabled. Only do this if you have equivalent Conditional Access policies in place.
Review the sign-in logs in Microsoft Entra admin center > Monitoring > Sign-in logs to identify which Conditional Access policy triggered the error and tailor the fix accordingly.
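The sign-in log review described above can be scripted once the logs are exported as JSON. The following is an added example, not part of the original page or any Microsoft tooling: it assumes records shaped like Microsoft Graph signIn objects that were already filtered to this MFA-required failure, and the function name, tenant names and sample records are constructed for illustration.

```python
import json

# Constructed sample records shaped like Microsoft Graph signIn objects.
# All users, apps and policy names are invented; 50076 is the AADSTS code for this message.
SAMPLE = json.loads("""
[
 {"userPrincipalName": "svc-report@contoso.example", "appDisplayName": "Nightly Export",
  "isInteractive": false, "status": {"errorCode": 50076},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "failure", "enforcedGrantControls": ["Mfa"]},
    {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": ["Block"]}]},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Portal",
  "isInteractive": true, "status": {"errorCode": 50076},
  "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Portal",
  "isInteractive": true, "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "success", "enforcedGrantControls": ["Mfa"]}]}
]
""")


def triage_mfa_failures(records):
    """Return one finding per failed sign-in: where the MFA demand came from and the fix path."""
    findings = []
    for rec in records:
        if (rec.get("status") or {}).get("errorCode", 0) == 0:
            continue  # successful sign-in, nothing to triage
        # Conditional Access policies that failed this attempt and required MFA as a grant control.
        policies = [
            p.get("displayName", "(unnamed)")
            for p in rec.get("appliedConditionalAccessPolicies") or []
            if p.get("result") == "failure"
            and any(str(c).lower() == "mfa" for c in p.get("enforcedGrantControls") or [])
        ]
        # No failing policy leaves the page's other causes: per-user MFA or Security Defaults.
        source = "conditional_access" if policies else "per_user_mfa_or_security_defaults"
        # Interactive attempts can be retried in a browser; non-interactive ones need another flow.
        action = "retry_in_browser" if rec.get("isInteractive") else "change_auth_flow"
        findings.append({"user": rec.get("userPrincipalName"), "app": rec.get("appDisplayName"),
                         "source": source, "policies": policies, "action": action})
    return findings
```

Findings with action change_auth_flow are the automation and service accounts to move off ROPC; the policies list names the Conditional Access policy to review before considering any exclusion.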