Troubleshooting Microsoft Entra mandatory MFA issues in Cayosoft Guardian
Overview
Microsoft Entra ID enforces mandatory multi-factor authentication (MFA) for user-based sign-ins. Because Cayosoft Guardian uses the Azure SDK and Microsoft Entra authentication mechanisms, mandatory MFA enforcement can impact certain Guardian operations that rely on legacy user-based authentication, particularly Forest Recovery workflows.
This article explains how to identify MFA-related failures, how to remediate them, and what long-term changes are planned.
Affected scenarios
Mandatory MFA enforcement may affect the following Guardian operations:
- Forest Recovery plan execution
- Cloud resource access during recovery
- Azure-based operations authenticated with user credentials
NOTE: Operations authenticated using Microsoft Entra applications (app-only authentication) are not affected by mandatory MFA.
Symptoms
You may observe one or more of the following issues:
- Forest Recovery jobs fail during execution
- Authentication-related errors appear in Cayosoft Guardian logs
- Errors indicating MFA or conditional access enforcement
Root cause
Mandatory MFA is enforced by Microsoft Entra ID for interactive user sign-ins. Legacy user-based accounts used by Cayosoft Guardian cannot complete interactive MFA challenges, which causes authentication failures during automated operations.
Resolution
Temporary workaround (recommended)
To switch from legacy user-based authentication to Microsoft Entra application (app-only) authentication:
- Identify the Cayosoft Guardian operation failing due to MFA enforcement.
- Contact Cayosoft Support.
- Request the official script to replace the legacy user account with a Microsoft Entra application.
- Apply the script as instructed.
- Re-run the affected Forest Recovery operation.
This approach removes the dependency on interactive user authentication; app-only authentication is not subject to mandatory MFA enforcement.
After applying the workaround:
- Re-run the failed Forest Recovery job.
- Confirm the operation completes successfully.
- Verify no MFA-related errors appear in logs.
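To separate MFA-related failures from other authentication errors, both when matching the symptoms above and when verifying logs after the workaround, the following added example scans log text for Microsoft Entra AADSTS error codes. It is not Cayosoft's code or the official support script. The log line layout, timestamp format, account name and sample lines are constructed assumptions; the AADSTS codes are standard Microsoft Entra sign-in error codes.

```python
import re
from collections import Counter
from datetime import datetime

# Entra sign-in error codes that mean an MFA or Conditional Access
# requirement could not be satisfied by a non-interactive user sign-in.
MFA_CODES = {
    "AADSTS50074": "strong authentication is required",
    "AADSTS50076": "MFA required (policy or configuration change)",
    "AADSTS50079": "user must register for MFA",
    "AADSTS53003": "blocked by Conditional Access",
}
AADSTS_RE = re.compile(r"\bAADSTS\d{5,7}\b")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")  # assumed log timestamp

# Constructed sample lines; a real Guardian log may be laid out differently.
SAMPLE_LOG = """\
2025-10-02 03:14:07 ERROR ForestRecovery: sign-in failed for svc-guardian@contoso.example
  AADSTS50076: you must use multi-factor authentication to access the resource
2025-10-02 03:20:41 ERROR ForestRecovery: AADSTS53003: Access has been blocked by Conditional Access policies
2025-10-02 04:02:10 ERROR CloudAccess: AADSTS50126: Error validating credentials
2025-10-03 09:30:00 INFO ForestRecovery: plan completed
""".splitlines()

def triage(lines, since=None):
    """Count AADSTS codes per log line, split into (mfa_related, other).

    Entries older than `since` are skipped, so the same call can confirm
    that no MFA errors were logged after the workaround was applied.
    """
    mfa, other = Counter(), Counter()
    current = None  # timestamp of the entry a continuation line belongs to
    for line in lines:
        ts = TS_RE.match(line)
        if ts:
            current = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        if since and current and current < since:
            continue
        for code in set(AADSTS_RE.findall(line)):  # count once per line
            (mfa if code in MFA_CODES else other)[code] += 1
    return mfa, other

if __name__ == "__main__":
    mfa, other = triage(SAMPLE_LOG)
    for code, n in sorted(mfa.items()):
        print(f"{code} x{n}: {MFA_CODES[code]} -> app-only authentication applies")
    for code, n in sorted(other.items()):
        print(f"{code} x{n}: not MFA-related, investigate separately")
```

Passing the time the workaround was applied as `since` should leave the first counter empty; codes in the second counter (for example invalid credentials) are not resolved by switching to app-only authentication.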
NOTE: Cayosoft is actively working on replacing legacy user-based authentication with Microsoft Entra application–based authentication to ensure Cayosoft Guardian operations are fully compatible with mandatory MFA enforcement and do not rely on interactive sign-in flows for automated processes.