Login not possible if phishing-resistant MFA is active
We have YubiKeys deployed for our admins in our organization. The login screen does not use the browser any more, so MFA with FIDO seems not to be functional any more.
- Connection Controls Version: 1.2024.9.59
- XrmToolBox Version: 1.2024.9.69
Sorry, but I can't do anything for you, AFAIK. The whole MFA authentication is handled by Microsoft assemblies, not XrmToolBox code itself.
XrmToolBox Version: 1.2024.9.69
I just ran into this with three of my DBAs.
Their error is:
Error Code: 53003
Request Id: 10494bef-548f-4b75-bfb5-xxxxxxx
Correlation Id: 310230c4-4203-4991-a72a-xxxxxxx
Timestamp: 2025-07-09T17:27:47.566Z
App name: Dynamics 365 Example Client Application
App id: 51f81489-12ee-4a9e-aaae-xxxxxxxxx
IP address: 20x.xx.xx.xx
Device identifier: Not available
Device platform: Windows 10
Device state: Unregistered
That app name/id doesn't exist in my tenant, so I'm curious how Xrm is attempting the connection; it should be generating an app I would think. This is just based on my experience with other tools.
Does anyone have a solution yet?
This app is the one provided by Microsoft and is available for all tenants.
Reference : https://learn.microsoft.com/en-us/power-apps/developer/data-platform/xrm-tooling/use-connection-strings-xrm-tooling-connect#connection-string-parameters (See the note)
But if using the Microsoft Login Control or an OAuth connection, you can define your own application id. Maybe you will have more control over how it can connect.
You can't exclude an app that isn't from your own tenant. So creating your own app is the only way to even attempt to exclude.
However, Microsoft doesn't allow conditional access policies to be "ordered", and they take least privilege as we'd expect. Plus, you can't exclude via app, only use group. Thus excluding the new app from the more restrictive conditional access policy, and forcibly including the group and app in a new, less secure, policy, doesn't work, as the original policy still trumps the less secure new policy.
Of course you can't exclude the new group from the more secure policy, as that negates all security, not just for the created app.
Thus, without the Xrm auth process supporting a full browser-based auth flow, the only way I can see around this is to create a limited-permissions user, to be used just for Xrm, that won't have any admin roles. Which is why we have the enhanced conditional access policy.
I spent way too much time on this yesterday 😁
Open to any other suggestions of course.
Michael Hess
There are 10 kinds of people in this world. Those who understand binary and those who don't.
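The reasoning in the comment above (unordered policies, the strict policy still winning, and a dedicated non-admin account being the only sign-in that escapes it) can be checked against a small model of how Conditional Access combines policies. The script below is an added illustration, not code from the thread, from XrmToolBox or from Microsoft. It encodes one evaluation rule: every policy whose conditions match a sign-in applies, and the user must satisfy the grant controls of all of them, regardless of the order the policies were created in. Policy names, group names, the app name, the user names and the method-to-control mapping are all constructed for the example; the `methods` field stands for what the client's login flow can actually perform (the non-browser flow reported in the thread cannot complete a FIDO2 assertion, the browser-based flow can).

```python
"""Toy model of Entra Conditional Access policy combination (constructed example)."""
from dataclasses import dataclass, field

ALL_APPS = "All cloud apps"

# Simplified stand-in for authentication strengths (constructed): a FIDO2 key
# satisfies both plain MFA and phishing-resistant MFA; a push approval only the former.
SATISFIED_BY = {
    "mfa": {"push", "fido2"},
    "phishing-resistant-mfa": {"fido2"},
}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    methods: frozenset  # methods the client's login flow is able to perform


@dataclass
class Policy:
    name: str
    include_groups: set
    include_apps: set            # may contain ALL_APPS
    grant_controls: set          # controls that must ALL be satisfied
    exclude_groups: set = field(default_factory=set)
    exclude_apps: set = field(default_factory=set)

    def applies_to(self, s: SignIn) -> bool:
        user_in = bool(self.include_groups & s.groups) and not (self.exclude_groups & s.groups)
        app_in = (ALL_APPS in self.include_apps or s.app in self.include_apps) \
            and s.app not in self.exclude_apps
        return user_in and app_in


def required_controls(policies, s):
    """Every matching policy contributes its grant controls; the order of policies never matters."""
    matched = [p for p in policies if p.applies_to(s)]
    required = set().union(*(p.grant_controls for p in matched))
    return required, sorted(p.name for p in matched)


def sign_in_allowed(policies, s):
    """A sign-in succeeds only if each required control is met by a method the flow can perform."""
    required, matched = required_controls(policies, s)
    ok = all(SATISFIED_BY[c] & s.methods for c in required)
    return ok, required, matched


# Constructed tenant: the strict admin policy plus the attempted "less secure" policy.
STRICT = Policy("Admins: phishing-resistant MFA everywhere",
                include_groups={"CRM Admins"}, include_apps={ALL_APPS},
                grant_controls={"phishing-resistant-mfa"})
WORKAROUND = Policy("XrmToolBox app: plain MFA",
                    include_groups={"CRM Admins", "XrmToolBox Users"},
                    include_apps={"XrmToolBox (tenant app registration)"},
                    grant_controls={"mfa"})
POLICIES = [STRICT, WORKAROUND]

APP = "XrmToolBox (tenant app registration)"
ADMIN_LEGACY = SignIn("admin@example.test", frozenset({"CRM Admins"}), APP, frozenset({"push"}))
ADMIN_BROWSER = SignIn("admin@example.test", frozenset({"CRM Admins"}), APP, frozenset({"push", "fido2"}))
SERVICE_USER = SignIn("xrm-limited@example.test", frozenset({"XrmToolBox Users"}), APP, frozenset({"push"}))

if __name__ == "__main__":
    for s in (ADMIN_LEGACY, ADMIN_BROWSER, SERVICE_USER):
        ok, req, matched = sign_in_allowed(POLICIES, s)
        print(f"{s.user:26} methods={sorted(s.methods)} matched={matched}")
        print(f"{'':26} requires={sorted(req)} -> {'allowed' if ok else 'blocked'}")
```

Running it shows the three outcomes the thread describes: the admin using a flow that can only do a push approval is blocked (both policies match, so phishing-resistant MFA is still required, which is what an AADSTS 53003 "blocked by Conditional Access" response reports), the same admin in a browser-based flow with a FIDO2 key passes, and a separate account outside the admin group is only subject to the plain-MFA policy. Reversing the policy list changes nothing, which is the "not ordered" point.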
Can you make sure you're on the latest version of the connection controls (check in Configuration > Settings > Connection controls, should be 1.2025.7.61) and that you're using the OAuth/MFA connection method? This latest version includes the changes from https://github.com/MscrmTools/MscrmTools.Xrm.Connection/pull/169 which should allow phishing resistant MFA flows.
The built-in login control also supports this; just make sure you clear everything in advanced and disable advanced mode. It will then provide a browser-based auth flow.