Microsoft 365 Multi-Factor Authentication Requirement Error
Resolve authentication errors when MFA is required during Microsoft 365 connector configuration for migration.
Overview
This article addresses authentication errors that occur when configuring Microsoft 365 connectors for migration tasks. These errors typically indicate that the migration account is subject to Multi-Factor Authentication (MFA) requirements that prevent automated authentication.
Common Authentication Error
This error occurs when migration accounts are subject to MFA policies, preventing non-interactive authentication.
Error Messages
You may encounter one of the following error messages when configuring your Microsoft 365 connector:
"Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication."
"Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '[TargetTenantID]'."
Root Cause
These errors typically stem from misconfigured migration accounts, particularly when both Source and Target connectors require proper MFA exclusions.
Resolution Steps
Follow these verification steps for both Source and Target migration accounts to resolve the authentication error:
Verification Checklist
Turn off MFA for migration accounts
Exclude from access policies
Verify admin permissions
Verify account access
1. Disable MFA for Migration Accounts
Multi-Factor Authentication must be turned off for the migration accounts to allow non-interactive authentication.
Steps to Disable Per-User MFA
- 1
Sign in to the Microsoft 365 admin center
- 2
Navigate to Users → Active users
- 3
Select Multi-factor authentication from the menu
- 4
Find your migration account and set its MFA status to Disabled
Security Consideration
Only disable MFA for dedicated migration service accounts. Never disable MFA for regular user accounts or global admin accounts used for daily operations.
2. Conditional Access Policy Exclusion
Ensure migration accounts are excluded from any Conditional Access Policies that enforce MFA or restrict access based on location or network settings.
Steps to Exclude from Conditional Access
- 1
Go to Azure Portal → Microsoft Entra ID
- 2
Navigate to Security → Conditional Access → Policies
- 3
Review each enabled policy and click to edit
- 4
Under Users, add your migration account to the Exclude list
- 5
Save the policy changes
Policies to Check
- • MFA enforcement policies
- • Location-based access policies
- • Network/IP restriction policies
- • Device compliance policies
- • Security defaults (if enabled)
3. Administrative Permissions
Verify that migration accounts possess appropriate administrative permissions for the services being migrated.
SharePoint Migration
- SharePoint Administrator
- Site Collection Admin
Exchange/Mail Migration
- Exchange Administrator
- Application Impersonation
Global Admin Alternative
Global Administrator rights provide all necessary permissions but may be subject to additional security policies. A dedicated service account with specific roles is recommended.
4. Test Account Login
After making the above changes, test the migration account by attempting to log in manually.
Login Test Steps
- 1
Open an incognito/private browser window
- 2
Navigate to https://admin.microsoft.com
- 3
Sign in with the migration account credentials
- 4
Verify you can access the admin center without MFA prompts
If MFA Is Still Required
If you're still prompted for MFA after making the above changes:
- • Wait 15-30 minutes for policy changes to propagate
- • Check for Security Defaults being enabled (disables per-user MFA settings)
- • Review all Conditional Access policies again
- • Consider using certificate-based authentication via Azure App Registration
Alternative: App-Only Authentication
For organizations that cannot disable MFA, consider using Azure App Registration with certificate-based authentication. This bypasses user-based MFA entirely.
Recommended Approach
App-only authentication is the most secure and reliable method for enterprise migrations. See our Azure App Registration guide for setup instructions.