
How to request an access token with the Resource Owner Password grant when MFA is enabled

mfa

#1

When I enabled the MFA Guardian Push Notification, the Resource Owner Password grant to request an access token no longer works, as it returns an error mfa_required and an mfa_token. I have followed the documentation in https://auth0.com/docs/api-auth/tutorials/multifactor-resource-owner-password. But I got stuck when I request the MFA challenge API; I always get the error "the user is not enrolled". My goal here is that I need to get the access token using the Resource Owner Password grant with MFA enabled.


#2

The error in question is expected if the end-user that is associated with the credentials being exchanged did not complete the enrollment before the exchange is started. This point is listed in the prerequisites section of the documentation you linked to.

From your description it is not clear whether you already ensured that the end-user completed enrollment beforehand and you're still experiencing an issue, or whether you just enabled the requirement for MFA and proceeded to do the resource owner password credentials grant. If you're in the second situation, then completing enrollment through an interactive flow (hosted login page) should resolve the issue; if, on the other hand, the end-user already has an enrollment, it would be great if you could update the question with the series of steps required to reproduce the issue and a summary of the configuration you have.
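
The full exchange behind the two posts above, as an added example that is not code from the thread or from Auth0: a password grant that is answered with `mfa_required`, an enrollment check against `/mfa/authenticators` using the returned `mfa_token`, a push (`oob`) challenge, and polling of `/oauth/token` with the `mfa-oob` grant until the user approves. Endpoint paths, grant types, the `mfa_required` / `authorization_pending` / `slow_down` error codes and the authenticator fields are Auth0's documented ones; the tenant name, client credentials, token values and every canned response are constructed so the demo runs offline, and the `MfaNotEnrolled` exception and `scripted_transport` helper are this example's own. The second scenario reproduces the failure in the question: MFA is required but the user has no active authenticator, so the client stops before sending a challenge and tells the caller to enroll interactively.

```python
"""Resource Owner Password grant with Guardian push MFA against Auth0 (added example, not Auth0's code)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"   # Auth0's grant type for polling an OOB challenge


class MfaNotEnrolled(Exception):
    """The user has no confirmed authenticator: finish enrollment via an interactive login before using ROPG."""


class Auth0MfaRopg:
    def __init__(self, domain, client_id, client_secret, audience, transport=None, sleep=time.sleep):
        self.base = f"https://{domain}"
        self.client_id, self.client_secret, self.audience = client_id, client_secret, audience
        # transport(method, path, form=None, bearer=None) -> (status, parsed JSON); injectable for offline use
        self.transport = transport or self._http
        self.sleep = sleep

    def _http(self, method, path, form=None, bearer=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(self.base + path, data=body, method=method)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        if bearer:
            req.add_header("Authorization", f"Bearer {bearer}")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as e:   # Auth0 returns its error JSON with a 4xx status
            return e.code, json.loads(e.read())

    def _creds(self, **extra):
        return {"client_id": self.client_id, "client_secret": self.client_secret, **extra}

    def token(self, username, password, scope="openid", max_polls=30):
        # 1. Password grant. With an MFA policy in place Auth0 answers 403 mfa_required plus an mfa_token.
        status, body = self.transport("POST", "/oauth/token", self._creds(
            grant_type="password", username=username, password=password,
            audience=self.audience, scope=scope))
        if status == 200:
            return body                                   # no MFA required for this user/policy
        if body.get("error") != "mfa_required":
            raise RuntimeError(f"{body.get('error')}: {body.get('error_description')}")
        mfa_token = body["mfa_token"]

        # 2. Enrollment check: the mfa_token authorizes the /mfa/* endpoints. Only an active
        #    Guardian push authenticator (oob over the "auth0" channel) can be challenged here.
        status, authenticators = self.transport("GET", "/mfa/authenticators", bearer=mfa_token)
        push = [a for a in authenticators if a.get("active")
                and a.get("authenticator_type") == "oob" and a.get("oob_channel") == "auth0"]
        if not push:
            raise MfaNotEnrolled("no active Guardian push authenticator for this user")

        # 3. Send the push challenge; challenging an unenrolled user is what fails in the question.
        status, chal = self.transport("POST", "/mfa/challenge", self._creds(
            mfa_token=mfa_token, challenge_type="oob", authenticator_id=push[0]["id"]))
        if status != 200:
            raise RuntimeError(f"{chal.get('error')}: {chal.get('error_description')}")
        oob_code = chal["oob_code"]

        # 4. Poll /oauth/token with the mfa-oob grant until the user approves on the device.
        for _ in range(max_polls):
            status, body = self.transport("POST", "/oauth/token", self._creds(
                grant_type=MFA_OOB_GRANT, mfa_token=mfa_token, oob_code=oob_code))
            if status == 200:
                return body
            if body.get("error") in ("authorization_pending", "slow_down"):
                self.sleep(10 if body["error"] == "slow_down" else 5)
                continue
            raise RuntimeError(f"{body.get('error')}: {body.get('error_description')}")
        raise TimeoutError("user did not approve the push challenge in time")


def scripted_transport(script):
    """Offline stand-in for _http: returns canned (status, json) responses in order and records requests."""
    calls = []

    def transport(method, path, form=None, bearer=None):
        calls.append((method, path, form or {}, bearer))
        return script.pop(0)
    transport.calls = calls
    return transport


# Constructed responses shaped like Auth0's; token strings are placeholders.
MFA_REQUIRED = (403, {"error": "mfa_required", "error_description": "Multifactor authentication required",
                      "mfa_token": "constructed-mfa-token"})
PUSH_AUTHENTICATOR = [{"id": "push|dev_constructed", "authenticator_type": "oob",
                       "oob_channel": "auth0", "active": True, "name": "Alice's phone"}]
PENDING = (400, {"error": "authorization_pending", "error_description": "Authorization pending"})


def _client(transport):
    return Auth0MfaRopg("example.auth0.com", "constructed-client-id", "constructed-secret",
                        "https://api.example.com", transport=transport, sleep=lambda s: None)


def demo_happy_path():
    """Enrolled user: mfa_required -> push challenge -> two pending polls -> tokens."""
    t = scripted_transport([MFA_REQUIRED, (200, PUSH_AUTHENTICATOR),
                            (200, {"challenge_type": "oob", "oob_code": "constructed-oob-code"}),
                            PENDING, PENDING,
                            (200, {"access_token": "constructed-access-token",
                                   "token_type": "Bearer", "expires_in": 86400})])
    return _client(t).token("alice@example.com", "correct horse battery staple"), t.calls


def demo_not_enrolled():
    """The question's failure mode: MFA required, but the user has no active authenticator."""
    t = scripted_transport([MFA_REQUIRED, (200, [])])
    try:
        _client(t).token("bob@example.com", "hunter2")
    except MfaNotEnrolled as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(demo_happy_path()[0]["access_token"])
    print(demo_not_enrolled())
```

Replacing `scripted_transport` with the default `_http` turns this into a live client; keep the `/mfa/authenticators` check, because it distinguishes "enroll first" from a real challenge failure before any push is sent, and the `mfa_token` it uses is short-lived and scoped to that one exchange.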


#3

Thanks @jmangelo, after I enrolled the user it worked.
Also, is there a way to allow some specified users to bypass the MFA?
For example: I want an admin user to be able to request the token using the Resource Owner Password grant without being asked for MFA. Is it possible?

Thanks


#4

I confess I never tried it, but there are examples that show how to trigger MFA only under certain conditions, so technically it should be possible to exclude certain users from forced MFA. Having said that, it could be argued that depriving certain users of MFA will reduce security, in particular because you mention admin users.


#5