MicrosoftDocs · isra-fel · Jul 4, 2025 · Jul 8, 2025 · Jul 17, 2025 · Jul 17, 2025
@@ -161,6 +161,58 @@ To learn more about federated identities, see:
 
 ## Troubleshooting
 
+### Multifactor authentication (MFA) interactive login failures
+
+If you encounter errors when running Azure PowerShell cmdlets that create, modify, or delete Azure
+resources, the issue might be caused by a Microsoft Entra ID conditional access policy that requires
+multifactor authentication (MFA).
+
+#### Common error messages
+
+You might see an error like the following:
+
+```Output
+Resource was disallowed by policy. Users must use MFA for Create operation.
+Users must authenticate with multi-factor authentication to create or update resources.
+Run the cmdlet below to authenticate interactively; additional parameters may be added as needed.
+Connect-AzAccount -Tenant (Get-AzContext).Tenant.Id -ClaimsChallenge "<claims-challenge-token>"
+```
+
+Or:
+
+```Output
+SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user
+someone@contoso.com. Ensure that you have authenticated with a developer tool that supports Azure
+single sign on.
+```
+
+These messages indicate that your session doesn't meet the conditional access requirements,
+typically, that MFA is required but not enforced at login.
+
+### Resolution steps
+
+To resolve these errors, upgrade to either or these supported module versions:
+
+- **Az** PowerShell module: version 14.3.0 or later
+- **Az.Accounts** module: version 5.x.y or later
+
+These versions improve error reporting by identifying the exact conditional access policy causing
+the issue and providing guidance.
+
+Recommended Actions:
+
+- Preferred: Ask your Azure administrator to enforce MFA at sign-in for your account. This ensures
+  compatibility with conditional access policies that require MFA.
+- Alternative: If MFA can't be enforced at sign-in, use interactive authentication with the
+  **ClaimsChallenge** parameter as shown in the following example:
+
+  ```PowerShell
+  Connect-AzAccount -Tenant (Get-AzContext).Tenant.Id -ClaimsChallenge "<claims-challenge-token>"
+  ```
+
+For more information about Microsoft Entra ID conditional access policies that require MFA, see
+[Planning for mandatory multifactor authentication for Azure and other admin portals][01]
+
 ### ROPC error: Due to a configuration change made by your administrator
 
 You use the Resource Owner Password Credential (ROPC) flow when signing into Azure using a password.
@@ -233,3 +285,4 @@ The Microsoft Entra ID documentation site offers more detail on MFA.
 [steps-assign-role]: /azure/role-based-access-control/role-assignments-steps
 [assign-roles]: /azure/role-based-access-control/role-assignments-powershell
 [fic-serviceconn-blog]: https://devblogs.microsoft.com/azure-sdk/improve-security-posture-in-azure-service-connections-with-azurepipelinescredential/
+[01]: /entra/identity/authentication/concept-mandatory-multifactor-authentication