Conditional Access policy blocks service principal authentication in Azure Automation

We’re experiencing authentication failures with our automation runbooks after enabling MFA Conditional Access policies in Azure AD. Our service principal used by Azure Automation accounts can’t authenticate anymore, breaking our deployment pipeline.

The Conditional Access policy was scoped to “All cloud apps” with MFA requirement. I thought service principals would be exempt, but apparently the policy is blocking them. The error we’re seeing:

Error: AADSTS50076: Due to a configuration change
Application with identifier 'xxx' requires MFA
Service principal authentication failed

We need these automation accounts running for CI/CD deployments. The policy needs to stay active for user accounts, but service principals should work without MFA since they use certificate-based authentication. Has anyone dealt with Conditional Access policy scoping that affects automation account permissions?

I’ve run into this scenario multiple times during security hardening projects. The error AADSTS50076 confirms it’s definitely a Conditional Access block requiring MFA for your service principal.

Just want to add that you should also verify the automation account’s managed identity or service principal has the correct permissions. Sometimes the authentication issue isn’t just the CA policy but also missing role assignments. Check that your service principal has Contributor or the specific roles needed for whatever resources your runbooks access. Use Azure AD audit logs to see exactly which policy is blocking the authentication attempt.
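Added example, not from any poster in this thread: a small triage script for the sign-in log check suggested above. It assumes you have exported service-principal sign-in records from Microsoft Graph (the `signIn` resource; service-principal sign-ins are a separate event type from user sign-ins) and it reports which sign-ins Conditional Access actually blocked, which policy did it, and which sign-ins a report-only policy would have blocked. The records, policy names, service principal and resource names below are constructed sample data, not real tenant logs.

```python
"""Triage Entra ID sign-in records for service-principal sign-ins that Conditional
Access blocked, or would have blocked in report-only mode.

Field names follow the Microsoft Graph `signIn` resource as returned by
GET /auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'servicePrincipal')
(service-principal sign-ins are a separate event type from user sign-ins).
Every record below is constructed sample data, not a real tenant log.
"""
from collections import Counter

WI_POLICY = "Block workload identities outside corp egress"   # constructed policy names
USER_MFA_POLICY = "Require MFA for all users"
WI_REPORT_ONLY = "Block workload identities (report-only)"


def _sp_signin(sid, resource, ca_status, applied):
    """Constructed service-principal sign-in record in Graph `signIn` shape."""
    return {"id": sid, "signInEventTypes": ["servicePrincipal"],
            "servicePrincipalId": "sp-automation",          # hypothetical object id
            "servicePrincipalName": "automation-deploy",
            "resourceDisplayName": resource,
            "conditionalAccessStatus": ca_status,
            "appliedConditionalAccessPolicies": [
                {"id": f"p-{i}", "displayName": name, "result": result}
                for i, (name, result) in enumerate(applied)]}


SAMPLE_SIGNINS = [
    # enforced block: the workload-identity policy failed, the user policy did not apply
    _sp_signin("s1", "Windows Azure Service Management API", "failure",
               [(WI_POLICY, "failure"), (USER_MFA_POLICY, "notApplied")]),
    # same SP, later token request against Graph, nothing applied
    _sp_signin("s2", "Microsoft Graph", "notApplied", [(WI_POLICY, "notApplied")]),
    # a report-only policy that *would* have blocked this sign-in
    _sp_signin("s3", "Windows Azure Service Management API", "notApplied",
               [(WI_REPORT_ONLY, "reportOnlyFailure")]),
    # interactive user sign-in blocked for MFA: a different event type, must be skipped
    {"id": "s4", "signInEventTypes": ["interactiveUser"],
     "userPrincipalName": "alice@contoso.example", "resourceDisplayName": "Azure Portal",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"id": "p-9", "displayName": USER_MFA_POLICY,
                                           "result": "failure"}]},
]


def is_service_principal_signin(rec):
    return "servicePrincipal" in (rec.get("signInEventTypes") or [])


def policies_with_result(rec, wanted):
    """Display names of applied policies whose per-policy result is in `wanted`."""
    return [p["displayName"] for p in rec.get("appliedConditionalAccessPolicies") or []
            if p.get("result") in wanted]


def blocked_service_principals(records):
    """(sign-in id, SP name, resource, [policies that enforced the block]) for each
    service-principal sign-in whose overall conditionalAccessStatus is 'failure'."""
    return [(rec["id"], rec.get("servicePrincipalName"), rec.get("resourceDisplayName"),
             policies_with_result(rec, {"failure"}))
            for rec in records
            if is_service_principal_signin(rec) and rec.get("conditionalAccessStatus") == "failure"]


def report_only_hits(records):
    """Service-principal sign-ins a report-only policy would have blocked: check this
    before switching such a policy from report-only to enabled."""
    hits = []
    for rec in records:
        if not is_service_principal_signin(rec):
            continue
        would_block = policies_with_result(rec, {"reportOnlyFailure"})
        if would_block:
            hits.append((rec["id"], rec.get("servicePrincipalName"), would_block))
    return hits


def policy_block_counts(records):
    """How many service-principal sign-ins each policy actually blocked."""
    counts = Counter()
    for _, _, _, policies in blocked_service_principals(records):
        counts.update(policies)
    return counts
```

Run `blocked_service_principals(SAMPLE_SIGNINS)` against a real export and the policy names in the last tuple element are the ones to look at; `report_only_hits` is the check worth running before flipping any service-principal policy from report-only to enabled. The user sign-in in the sample is there to show that the filter on `signInEventTypes` is what keeps user MFA failures out of the result.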

I’ve seen this before. The issue is that your Conditional Access policy isn’t excluding service principals properly. When you scope a CA policy to “All cloud apps” without user/application exclusions, it catches service principals too.

Check your policy’s assignment section. You need to explicitly exclude either the service principal itself or the Azure Automation application. Go to Azure AD > Security > Conditional Access > your policy > Assignments > Users and groups > Exclude. You can exclude specific service principals or use the “Directory roles” option to exclude service accounts.

Service principals won’t appear in the Users and groups exclusion list directly. What you need is to use the “Cloud apps or actions” exclusion instead. Go to your CA policy > Cloud apps or actions > Exclude > Select apps. Then search for “Windows Azure Service Management API” and exclude it. This covers Azure Automation and other management tools.

Alternatively, you can scope the policy more narrowly. Instead of “All cloud apps”, select specific apps that require MFA (Office 365, Azure Portal for users, etc.) and leave management APIs out. This gives you better control and avoids breaking automation workflows.

We had the exact same problem last year. Another approach is to create a separate Conditional Access policy specifically for service principals with different requirements. You can target service principals by using the “Workload identities” option in newer Azure AD configurations (if your tenant supports it). This lets you apply different rules to service principals versus human users, which is way cleaner than trying to exclude them from user policies.
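Added example, not from any poster in this thread, covering both the app-exclusion approach in the previous answer and the workload identities approach in this one. It assumes the tenant's Conditional Access policies have been exported from Microsoft Graph (`GET /identity/conditionalAccess/policies`, which needs Policy.Read.All) and shows how to tell, from the policy body alone, which policies are user-scoped "All users, All cloud apps, require MFA" policies, whether a given app id is excluded from them, and which policies target service principals through `conditions.clientApplications` and cover a given service principal. It also builds the body for a workload identity policy of the kind this answer describes, using Block with a named-location exclusion, which is the control and condition combination workload identity policies support. All policy IDs, app IDs, service principal IDs, location IDs and names are constructed.

```python
"""Audit exported Conditional Access policies for how each treats a service principal
and the resource app it signs in to.

Input shape follows the Microsoft Graph `conditionalAccessPolicy` resource. User
policies are scoped by `conditions.users`; workload-identity policies by
`conditions.clientApplications.includeServicePrincipals`. All IDs and names below
are constructed sample data.
"""
ALL = "All"
SPS_IN_TENANT = "ServicePrincipalsInMyTenant"   # Graph token for "all SPs in the tenant"
MGMT_APP = "app-mgmt-api"        # hypothetical app id for the management API
AUTOMATION_SP = "sp-automation"  # hypothetical service principal object id


def workload_identity_block_policy(name, trusted_location_ids, exclude_sp_ids=()):
    """Body for POST /identity/conditionalAccess/policies: block every service principal
    in the tenant unless it signs in from a trusted named location. Starts report-only
    so the sign-in log shows what it would block before anyone enforces it."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": None,
            "clientApplications": {"includeServicePrincipals": [SPS_IN_TENANT],
                                   "excludeServicePrincipals": list(exclude_sp_ids)},
            "applications": {"includeApplications": [ALL], "excludeApplications": []},
            "locations": {"includeLocations": [ALL],
                          "excludeLocations": list(trusted_location_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _user_mfa_policy(pid, name, state, exclude_apps=()):
    """Constructed user-scoped 'all users, all cloud apps, require MFA' policy."""
    return {"id": pid, "displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": [ALL], "excludeUsers": []},
                           "applications": {"includeApplications": [ALL],
                                            "excludeApplications": list(exclude_apps)},
                           "clientApplications": None},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}


SAMPLE_POLICIES = [
    _user_mfa_policy("p1", "Require MFA for all users, all apps", "enabled"),
    _user_mfa_policy("p2", "Require MFA, management API excluded",
                     "enabledForReportingButNotEnforced", [MGMT_APP]),
    dict(workload_identity_block_policy("Block workload identities outside corp egress",
                                        ["loc-corp-egress"], ["sp-break-glass"]),
         id="p3", state="enabled"),
    _user_mfa_policy("p4", "Disabled legacy policy", "disabled"),
]


def _ids(section, key):
    return list((section or {}).get(key) or [])


def is_workload_identity_policy(policy):
    return bool(_ids(policy["conditions"].get("clientApplications"), "includeServicePrincipals"))


def applies_to_service_principal(policy, sp_id):
    """True if a workload-identity policy's SP scope covers `sp_id`; exclusions win."""
    ca = policy["conditions"].get("clientApplications")
    if sp_id in _ids(ca, "excludeServicePrincipals"):
        return False
    included = _ids(ca, "includeServicePrincipals")
    return SPS_IN_TENANT in included or sp_id in included


def is_broad_user_mfa_policy(policy):
    """All users + all cloud apps + MFA grant: the shape described in the question."""
    c = policy["conditions"]
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return (ALL in _ids(c.get("users"), "includeUsers")
            and ALL in _ids(c.get("applications"), "includeApplications")
            and "mfa" in controls)


def audit(policies, sp_id, app_id):
    """One row per non-disabled policy; report-only policies are kept but not 'enforced'."""
    rows = []
    for p in policies:
        if p.get("state") == "disabled":
            continue
        wi = is_workload_identity_policy(p)
        rows.append({
            "policy": p["displayName"],
            "enforced": p.get("state") == "enabled",
            "workload_identity_policy": wi,
            "applies_to_sp": wi and applies_to_service_principal(p, sp_id),
            "broad_user_mfa": is_broad_user_mfa_policy(p),
            "app_excluded": app_id in _ids(p["conditions"].get("applications"),
                                           "excludeApplications"),
        })
    return rows
```

`audit(SAMPLE_POLICIES, AUTOMATION_SP, MGMT_APP)` gives one row per live policy; the `applies_to_sp` column is the one that matters for a service principal, and `app_excluded` shows whether the exclusion from the previous answer is actually in place on each user policy. Keeping the new workload identity policy in `enabledForReportingButNotEnforced` first lets you confirm in the sign-in log which service principals it would catch before it can break a pipeline.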

Thanks for the quick response. I checked the policy exclusions but I’m not seeing a direct way to exclude service principals in the “Users and groups” section. It only shows user accounts and groups. Are service principals listed somewhere else, or do I need to create a specific group for them?