PSA – Enabling MFA for O365 may break Flow Connections
It seems like every day I hear about yet another data breach. I decided it was time to take every precaution I can to protect my Office 365 account, so I enabled Multi-Factor Authentication (MFA) for our company.
The day after enabling MFA, I got this email telling me one of my Flows has an issue:
This gets me to the Public Service Announcement: Enabling MFA can break existing Flows which use Office 365 related connectors! These connectors include SharePoint, OneDrive, Teams, etc.
The Fix
If this happens to you, don’t panic; it is an easy fix. Just go to your Flow and refresh the connector in question. Flow should also send you an email notification, like the one I got above, when your Flow tries to run, letting you know there is an issue. If you click the “Fix my Flow” button in the email, it will take you to the edit screen and prompt you to refresh your connector.
Once you do this initial refresh for your connectors, you shouldn’t have to do it again. By default, the refresh token for MFA is set to last indefinitely. However, these refresh token limits can be changed by your administrator. So, if you find your connectors routinely break, then your company may have a policy where the refresh token expires every 15, 30, (insert number here) days. For more information about these tokens, see this article: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
Conclusion
If your company is planning to implement Multi-Factor Authentication in Office 365, take an inventory of your Flows and be prepared to refresh those connectors to minimize any interruption.
Thanks for sharing this! Our organization is ramping up to deploy a third-party MFA (not Microsoft). I’m wondering if this will have the same issue . . .
I was unaware of this issue … thanks for sharing.