Effective July 1st, 2025, Microsoft will begin enforcing Multi-Factor Authentication (MFA) on all first-party enterprise applications, including those Configuration Manager uses to authenticate to your tenant. Service account authentication (a stored username and password with no second factor) cannot satisfy this requirement, so it will shortly be deprecated and removed from the product.
What's changing?
To strengthen security and reduce account-compromise attacks, Microsoft has announced that sign-ins to Azure portals and Microsoft first-party applications will require MFA starting July 1st, 2025. Any authentication method that cannot complete an MFA challenge will stop working at that point. For more information about this change, see Microsoft’s announcement here.
Impact on Configuration Manager
When onboarding a tenant, you can choose between several authentication methods, one of which is a service account. A service account is an ordinary Entra ID user account whose username and password the product stores and submits to Entra ID without an interactive sign-in. A password-only sign-in of this kind has no way to complete an MFA challenge, so once MFA is enforced for the account the sign-in is rejected. Service account–based authentication therefore has to be deprecated.
Deprecation timeline
You will soon see a “deprecated soon” badge next to the service account authentication option on the tenant install page. This is an early warning of the change and is intended to steer users toward our default option, delegated authentication.
Closer to July 1st, the service account option will be removed from the tenant install page entirely, and it will no longer be possible to select it.
Actions required
If any of your tenants are using service account authentication, you must take action before July 1st, 2025. Tenants installed with delegated authentication or service principal-only authentication are not impacted by this change.
Any tenant installed with a service account must be reinstalled with a different authentication method to avoid disruption to Sync. You have two options:
- Option 1: reinstall your tenant with delegated authentication. A user signs in interactively, completing MFA as required, and the product stores the refresh token issued for that session to obtain access tokens for later Syncs, so accounts with MFA are fully supported. Note that the stored token is tied to that user: if the account is disabled, its password is changed, or its sessions are revoked, Entra ID invalidates the refresh token and the tenant must be re-authenticated.
- Option 2: reinstall your tenant with user-based authentication disabled, relying only on service principal authentication. No user account is involved, so the MFA requirement does not apply, but fewer configuration types are supported, because some settings can only be read or written with a signed-in user's (delegated) permissions rather than application permissions.
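The following PowerShell script is an added example, not part of this notice or of the product's own code. It sends the two grant types that underlie the options above to the Entra ID v2.0 token endpoint: the password grant (ROPC), which is what a stored service account username and password amounts to, and the client credentials grant, which is service principal-only authentication. Run against a user for whom MFA is enforced, the password grant is refused with `interaction_required` / AADSTS50076, the failure the deprecation is avoiding, while the client credentials grant involves no user and is unaffected. The tenant ID, client ID, user principal name and scope are placeholders you must replace.

```powershell
# Added example, not the product's code. Exercises the two Entra ID token grants
# discussed above against the real v2.0 token endpoint:
#   grant_type=password            -> what a stored "service account" login amounts to
#   grant_type=client_credentials  -> service principal-only, no user involved
# Tenant, app and user identifiers are placeholders (assumptions) to replace.

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$ClientId = '11111111-1111-1111-1111-111111111111'   # placeholder app registration
$Username = 'svc-sync@contoso.example'               # placeholder service account UPN
$Scope    = 'https://graph.microsoft.com/.default'
$TokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

$ClientSecret = Read-Host -Prompt 'App client secret' -AsSecureString
$Password     = Read-Host -Prompt "Password for $Username" -AsSecureString

# Convert a SecureString to plain text only at the moment it is sent.
function ConvertFrom-Secure([securestring]$Secure) {
    return [System.Net.NetworkCredential]::new('', $Secure).Password
}

# POST a form body to the token endpoint and normalise success/failure into one object.
function Request-Token([hashtable]$Body) {
    try {
        $resp = Invoke-RestMethod -Method Post -Uri $TokenUri -Body $Body `
            -ContentType 'application/x-www-form-urlencoded'
        return [pscustomobject]@{ Succeeded = $true; Error = $null; Description = $null; ExpiresIn = $resp.expires_in }
    }
    catch {
        # Entra ID answers a failed grant with HTTP 400 and a JSON error body.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message | ConvertFrom-Json } else { $null }
        return [pscustomobject]@{
            Succeeded   = $false
            Error       = $detail.error
            Description = $detail.error_description
            ExpiresIn   = $null
        }
    }
}

# interaction_required / AADSTS50076 is how the endpoint says "this sign-in needs a
# second factor", which a non-interactive password grant can never supply.
function Test-BlockedByMfa($Result) {
    return ((-not $Result.Succeeded) -and
            ($Result.Error -eq 'interaction_required' -or $Result.Description -like '*AADSTS50076*'))
}

# 1. Service account style: username + password, no interaction possible.
$ropc = Request-Token @{
    grant_type    = 'password'
    client_id     = $ClientId
    client_secret = (ConvertFrom-Secure $ClientSecret)
    scope         = $Scope
    username      = $Username
    password      = (ConvertFrom-Secure $Password)
}

# 2. Service principal only: the app authenticates as itself, no user account.
$appOnly = Request-Token @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = (ConvertFrom-Secure $ClientSecret)
    scope         = $Scope
}

"Service account (password grant):        succeeded=$($ropc.Succeeded) error=$($ropc.Error)"
if (Test-BlockedByMfa $ropc) {
    'Password grant refused because MFA is required: this is the failure the deprecation avoids.'
}
"Service principal (client credentials):  succeeded=$($appOnly.Succeeded) error=$($appOnly.Error)"
```

The client credentials call only succeeds if the app registration has been granted, and an administrator has consented to, at least one application permission for the requested resource; otherwise it fails with a consent or scope error rather than an MFA one. The password grant also fails for reasons unrelated to MFA (wrong password, disabled account, Conditional Access blocking the location), so the script checks specifically for `interaction_required` / AADSTS50076 before attributing the failure to MFA.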
Tenants that are not migrated will fail to authenticate once the option is removed, and their Syncs will stop running.
Need Help?
If you need help migrating your tenant(s) from service account to delegated authentication or have questions about this change, please contact our support team.