When you enable Microsoft Azure Active Directory (AAD) Multi-Factor Authentication (MFA), all cached OAuth tokens are invalidated and must be reissued by Azure. Use this article to understand your options when you need to turn MFA on or off.

Considerations when using AAD MFA

Enabling Azure MFA changes the way tokens are created and when they expire. Use the following considerations to evaluate your approach to enabling MFA in your organization:

  • Turning MFA on or off invalidates all existing OAuth refresh tokens
  • After turning MFA on or off, standard AAD users are prompted to get new tokens
  • For K2 blackpearl 4.7, renew the token associated with the K2 service account by running the K2 blackpearl for SharePoint Registration Wizard. See KB002303 for more information.
  • Without MFA, you must renew your token when you change your password or the default 90 day expiration time is reached. To check what your expiration time is for refresh tokens, see Changes to the Token Lifetime Defaults in Azure AD
  • Turning on MFA overrides the default refresh token lifespan and shortens it to a maximum of 60 days, and you can configure this using the Remember Multi-Factor Authentication feature. For information on how to set the expiration of refresh tokens, see Remember Multi-Factor Authentication for trusted devices
  • You can bypass MFA for the K2 server by adding its IP address to the whitelist. See Enhancing Azure MFA with Contextual IP Address Whitelisting for more information. Doing this allows you to use MFA throughout your organization while bypassing it for the K2 server.
Bypassing MFA for the K2 server means that its refresh token expiration time is reset to what it was before you enabled MFA.