106

Our development team is using the Dynamics 365 Unified Operations Tools extension for Azure DevOps (created by Microsoft). It creates a connection to LCS and requires a user account to authenticate that connection. This connection doesn't work if the account has MFA enabled even if we use an App Password. Microsoft is requiring all Cloud Solution Providers (CSPs) to enable Multi-factor Authentication (MFA) on 100% of all accounts on August 1. We need another way of authenticating this connection.

STATUS DETAILS
Under Review
Ideas Administrator

Thank you for the feedback. We are looking into this ask.

Manali Dongre

Comments

A

The mentioned Azure DevOps extension (https://marketplace.visualstudio.com/items?itemName=Dyn365FinOps.dynamics365-finops-tools) is only compatible with the Native app registration authentication, which requires a UserId, Password, and AppId.
This approach requires MFA to be disabled for the UserId, which is unacceptable due to security requirements (https://docs.microsoft.com/en-us/partner-center/partner-security-compliance). Or, this account needs to be configured with a conditional access policy, which complicates the maintenance process (https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networking).

To solve this problem, it is necessary to modify the DevOps extension to allow authentication through the Web app registration (rather than Native app registration), which requires only the ClientId and Secret to be specified.

Category: Lifecycle Services

A

This link shows the Microsoft requirement for CSPs to have MFA even for service accounts: https://docs.microsoft.com/en-us/partner-center/partner-security-compliance

Category: Lifecycle Services