I'm developing an SPFx solution that needs to call a custom API secured with Azure Entra ID. We have a specific security requirement: users must be challenged with MFA when the SPFx solution calls this particular API, even if they've already completed MFA to access SharePoint Online.
Initially, we thought a Conditional Access (CA) policy would be sufficient. We configured a policy in Azure Entra ID to require MFA when a token is requested for our custom API's application registration.
However, the SPFx AADTokenProvider is obtaining the token silently, bypassing the Conditional Access policy. When examining the Azure Entra ID sign-in logs, we see that these requests are logged as non-interactive sign-ins. The "SharePoint Online Client Extensibility Web Application Principal" principal is requesting a token on behalf of the user, and then authenticate in the App (custom api) as the resource. Because it is a non-interactive process, the CA policy is not being applied and the user is never prompted for MFA. So:
Expected behavior:
When the SPFx web part creates AADTokenProvider for the custom API, the user should be presented with an MFA prompt (popup flow experience expected, regardless of whether they've already authenticated to SharePoint Online with MFA. The silent token acquisition should not be possible.
Observed behavior:
The AADTokenProvider silently acquires a token for the custom API, and the user is not prompted for MFA. The Azure Entra ID sign-in logs show a non-interactive sign-in by the "SharePoint Online Client Extensibility Web Application" principal.
My question:
Is it possible, using Conditional Access or other Azure Entra ID configurations, to force an MFA challenge when the SPFx AADTokenProvider requests a token for this specific API - app registration -, given that the "SharePoint Online Client Extensibility Web Application Principal" principal is involved in the silent token acquisition? We need to get the pop up experience with MFA, no matter the fact user already authenticated with MFA to get into SharePoint Online.
I'm hoping someone has encountered a similar scenario or has a deep understanding of Azure Entra ID's authentication mechanisms to offer a solution or workaround. Any insights would be greatly appreciated!
The issue is because the "SharePoint Online Client Extensibility Web Application Principal" triggers a non-interactive sign-in, and MFA is typically not prompted during silent authentication.
As a workaround, you can trigger an interactive authentication flow using MSAL.js for specific API calls where MFA is required.
Sample code:
const request = {
scopes: ["api://YOUR-API-CLIENT-ID/.default"], // Replace with your API's scope
};
async function getToken() {
try {
// Try to acquire a token interactively
const loginResponse = await msalInstance.loginPopup(request); // This triggers the interactive login flow (MFA prompt will show if needed)
console.log("Login successful:", loginResponse);
// Now acquire a token for your custom API
const tokenResponse = await msalInstance.acquireTokenSilent(request); // Silent token acquisition (if already authenticated)
console.log("Token acquired silently:", tokenResponse.accessToken);
// Use the access token to make the API call
return tokenResponse.accessToken;
} catch (error) {
// If silent acquisition fails (e.g., due to MFA), trigger interactive login
if (error instanceof msal.InteractionRequiredAuthError) {
console.log("Interactive login required");
const interactiveResponse = await msalInstance.acquireTokenPopup(request); // This forces the popup for interactive authentication (MFA included)
return interactiveResponse.accessToken;
} else {
console.error("Error acquiring token:", error);
throw error;
}
}
}
Otherwise, Manually Force Interactive Authentication by implementing custom logic that forces an interactive request for certain APIs. For instance, you could use getToken() with a forceInteractive: true flag to ensure that the MFA prompt is triggered.
const token = await aadTokenProvider.getToken(specificAPIEndpoint, { forceInteractive: true });
This method guarantees that the MFA challenge will be shown, requiring an interactive authentication flow, even if the user has already completed MFA for SharePoint Online.