MFA login error attempting az cli command after successful MFA login

Question

MFA login error attempting az cli command after successful MFA login

robertmglynn 1

I'm attempting to run:

az containerapp update --name some-container-app-name --resource-group some-resource-group --yaml some-yaml-config.yaml

and when submitting that command the response is:

(RequestDisallowedByAzure) Resource 'some-resource-name' was disallowed by Azure: You are receiving this error because you tried to create, update or delete Azure resources without authenticating through MFA. User accounts must be authenticated through MFA to manage your resources. To resolve this error, go to https://aka.ms/MFAforAzure.

Here are the steps I take:

az login -> get login page in browser -> choose account -> enter password -> get MFA prompt in browser -> enter MFA code from prompt into Authenticator app -> success message in browser -> az cli prompts me to choose tenant -> hit enter for default -> attempt cli command above -> get error.

I have the issue before and after updating to most recent az cli version. I have quadrouple-checked the tenant, container name, resource group values are all correct. My account has owner role for the container app I'm trying to update.

I can perform other commands successfully, such as az group list . This makes me believe this is a policy permission issue or something else that's not an actual MFA error. However, I am stuck as to where to go to find the real cause of the issue. I have read the page at the URI in the error message, but it is not helpful in my case.

Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-05T20:36:22.8+00:00
Hey! That error message:

(RequestDisallowedByAzure) Resource … was disallowed by Azure: … creating, update or delete Azure resources without authenticating through MFA

isn’t really saying “you didn’t successfully do MFA at all.” It usually means Azure/your tenant’s Conditional Access policy is requiring an MFA “claims” context for resource management operations, and the token you used for the CLI call doesn’t satisfy that requirement.

Below are the most relevant things to check and the common fixes.

1) Confirm MFA is actually enforced for your user (Conditional Access / Security defaults)

Per the MFA troubleshooting guidance, Entra ID MFA prompting can depend on how it’s enforced:

Check whether the tenant has Security defaults enabled (MFA is prompted only in certain scenarios, not always).

If you have Conditional Access, verify there is a policy with “Multifactor authentication” grant control that applies to the user.

Also check if the user is excluded from the relevant Conditional Access policy.

If you have per-user MFA or managed policies, make sure the user isn’t excluded.

If the policy requires MFA for “create/update/delete resources” (which can include your az containerapp update), then an interactive login that doesn’t include the required MFA claim may still fail the management call.

2) Use the interactive claims-challenge flow in Azure CLI

The Azure CLI MFA troubleshooting guidance specifically calls out cases where you can log in interactively, but later resource operations are blocked by policy until the CLI login is performed with the correct interactive MFA challenge.

Try this approach:

Sign out

Re-authenticate with MFA claims-challenge

The doc provides this pattern:

az logout az login --tenant "<TENANT_ID>" \ --scope "https://management.core.windows.net//.default" \ --claims-challenge "<claims-challenge-token>"

Note: The "<claims-challenge-token>" value is generated by the environment/policy flow—your tenant admin may need to help obtain it, or you may be able to capture it from the error details. The key point is: you need an Azure CLI auth session that satisfies the Conditional Access MFA requirement for management-plane calls.

3) Check for “stale” / method registration edge cases

Even when MFA is configured, prompting/verification can fail due to stale authentication methods. The MFA guide suggests:

Review the user’s registered authentication methods (for example, ensure the methods the user uses are actually present and valid).

If needed, force re-registration of MFA methods in the Entra admin portal (so the next sign-in redoes registration).

4) If your tenant admin can enforce MFA at sign-in, that’s often the cleanest fix

The CLI troubleshooting doc lists a resolution option:

Ask your Azure admin to enforce MFA at sign-in so the session meets Conditional Access requirements without extra steps.

Follow-up questions (so we can pinpoint the exact cause)

In Entra ID, do you use Conditional Access to require MFA for “Azure management” / “create/update/delete” scenarios? If yes, what is the policy name (or the scope conditions) that matches this user?

When you run az login and then the failing az containerapp update, does the CLI error include any policy resource IDs or details about the policy?

What Azure CLI version are you using on the machine where the failure happens?

Are you running this from a normal terminal, or from a constrained environment (for example, automation, Cloud Shell, WSL, CI/CD)? (This can affect how tokens are cached.)

Does az group list succeed in the same session where az containerapp update fails—i.e., is it only management updates that fail?

Reference list (all relevant documentation provided)

Troubleshooting Azure CLI (including MFA-required-by-Conditional-Access and --claims-challenge guidance): https://learn.microsoft.com/cli/azure/use-azure-cli-successfully-troubleshooting?view=azure-cli-latest&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#troubleshooting-multifactor-authentication-mfa

Impact of multifactor authentication on Azure CLI in automation scenarios (ROPС/MFA incompatibilities): https://learn.microsoft.com/cli/azure/authenticate-azure-cli-mfa?view=azure-cli-latest&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#troubleshooting

Troubleshooting the Az PowerShell module (similar “Resource was disallowed by policy / ClaimsChallenge” pattern): https://learn.microsoft.com/powershell/azure/troubleshooting?view=azps-16.0.0&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#troubleshooting-multifactor-authentication-mfa

Hope this helps—if you share the missing claims-challenge context (or any policy details included in the error), we can narrow it down to the exact Conditional Access requirement that’s blocking the az containerapp update call.

Note: This content was drafted with the help of an AI system.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
robertmglynn 1 Reputation point

2026-06-05T21:22:43.7266667+00:00
We don't use Conditional Access.

It does not contain any other details or policy IDs.

2.87.0

Normal terminal.

Succeeds in same session.

My previous reply to your response had more detail, but was deleted.
Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-05T21:28:24.5666667+00:00
Hello @robertmglynn

Could you ask your tenant administrator to verify the following:

Whether MFA enforcement for Azure resource management has been enabled at the tenant level.

Whether there are any tenant-wide security settings or policies requiring MFA for create/update/delete operations.

Whether the affected account's sign-in logs show a failed authorization event or claims challenge at the time the az containerapp update command is executed.

Additionally, please capture the output of:

az account show az containerapp update --debug

robertmglynn 1

az account show results in:

{
  "environmentName": "AzureCloud",
  "homeTenantId": "ID-starting-with-4",
  "id": "ID-starting-with-b",   
  "isDefault": true,   
  "managedByTenants": [],   
  "name": "Pay-As-You-Go",   
  "state": "Enabled",   
  "tenantDefaultDomain": "ourdefaultdomain.onmicrosoft.com",   
  "tenantDisplayName": "Default Directory",   
  "tenantId": "same-ID-starting-with-4",   
  "user": {     
        "name": "******@domain.tld",     
        "type": "user"   
  } 
}

az containerapp update --debug gives me:

cli.azure.cli.core.azclierror: (--name --resource-group | --ids) are requiredaz_command_data_logger: (--name --resource-group | --ids) are required

adding --debug onto my previous az containerapp update command with all the parameters results in tons of text, all of which seems normal, but results in the same error message as I started with, no additional details related to the error. I'm not sure you want me to post the entire text, it's a lot.

I will definitely ask my tenant administrator about what you've listed, but unfortunately they are not available until Monday.

Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-05T21:53:03.19+00:00

@robertmglynn Please share the details once the admin is available!
Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-12T16:54:31.39+00:00

Hello @robertmglynn Please confirm whether your issue is resolved or still facing any errors.

1 answer

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
robertmglynn 1 Reputation point

2026-06-05T21:22:43.7266667+00:00

We don't use Conditional Access.

It does not contain any other details or policy IDs.

2.87.0

Normal terminal.

Succeeds in same session.

My previous reply to your response had more detail, but was deleted.
Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-05T21:28:24.5666667+00:00

Hello @robertmglynn

Could you ask your tenant administrator to verify the following:

Whether MFA enforcement for Azure resource management has been enabled at the tenant level.

Whether there are any tenant-wide security settings or policies requiring MFA for create/update/delete operations.

Whether the affected account's sign-in logs show a failed authorization event or claims challenge at the time the az containerapp update command is executed.

Additionally, please capture the output of:

az account show az containerapp update --debug
robertmglynn 1 Reputation point

2026-06-05T21:45:49.39+00:00

az account show results in:

{ "environmentName": "AzureCloud", "homeTenantId": "ID-starting-with-4", "id": "ID-starting-with-b", "isDefault": true, "managedByTenants": [], "name": "Pay-As-You-Go", "state": "Enabled", "tenantDefaultDomain": "ourdefaultdomain.onmicrosoft.com", "tenantDisplayName": "Default Directory", "tenantId": "same-ID-starting-with-4", "user": { "name": "******@domain.tld", "type": "user" } }

az containerapp update --debug gives me:

cli.azure.cli.core.azclierror: (--name --resource-group | --ids) are requiredaz_command_data_logger: (--name --resource-group | --ids) are required

adding --debug onto my previous az containerapp update command with all the parameters results in tons of text, all of which seems normal, but results in the same error message as I started with, no additional details related to the error. I'm not sure you want me to post the entire text, it's a lot.

I will definitely ask my tenant administrator about what you've listed, but unfortunately they are not available until Monday.
Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-05T21:53:03.19+00:00

@robertmglynn Please share the details once the admin is available!
Rukmini 42,510 Reputation points Microsoft External Staff Moderator

2026-06-12T16:54:31.39+00:00

Hello @robertmglynn Please confirm whether your issue is resolved or still facing any errors.

Answer 1

The error is caused by a Conditional Access / Azure Policy requirement that the specific create/update/delete operation be performed with an MFA-authenticated token that satisfies the policy, even though an MFA challenge was completed at sign-in.

For Azure CLI, this scenario is explicitly called out: when a policy enforces MFA for certain resource operations, Azure CLI can return errors like:

Resource was disallowed by policy. Reasons: MFA is required.

In enforcement mode, each denied create/update/delete is logged as a deny event, and the client (Azure CLI) shows this message when the token used for the operation does not meet the MFA requirement.

To resolve:

Ensure the tenant’s Conditional Access policy enforces MFA at sign-in rather than only as a per-resource requirement. This allows the CLI session token obtained at az login to satisfy the policy for subsequent resource operations.
If enforcing MFA at sign-in is not possible, use the --claims-challenge flow so the CLI can obtain a token that meets the policy for the specific operation:
```
   az logout
   az login \
     --tenant "<tenant-id>" \
     --scope "https://management.core.windows.net//.default" \
     --claims-challenge "<claims-challenge-token>"
```
The claims challenge token is provided in the error details when using Azure CLI 2.76.0 or later.
If the organization is enforcing MFA via Azure Policy (MFA self-enforcement), review the deny events in the activity log to confirm that the policy is blocking the az containerapp update operation. Adjust the policy or ensure that the sign-in token is MFA-compliant for that operation.

Because az group list is a read-only operation, it is not blocked by the MFA-enforcement policy, while az containerapp update is a write operation and therefore subject to the MFA requirement.

References:

Share via

MFA login error attempting az cli command after successful MFA login

1) Confirm MFA is actually enforced for your user (Conditional Access / Security defaults)

2) Use the interactive claims-challenge flow in Azure CLI

3) Check for “stale” / method registration edge cases

4) If your tenant admin can enforce MFA at sign-in, that’s often the cleanest fix

Follow-up questions (so we can pinpoint the exact cause)

Reference list (all relevant documentation provided)

1 answer

Your answer