![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 8%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello Rozerin Akkus
No, Phase 2 MFA enforcement has no effect on OAuth2 renew token flows used for SharePoint CSOM/REST or the Microsoft Graph API.
According to the documentation, requests made to Azure Resource Manager (https://management.azure.com/) are primarily subject to required MFA enforcement. In general, this enforcement does not apply to Microsoft Graph APIs.
Therefore:
- Refresh tokens that already exist won't be invalidated just because they weren't obtained using MFA. -
- Until their normal expiration or revocation events (password reset, admin revocation, Conditional Access modifications, etc.), refresh tokens will remain functional.
- Integrations that use the Graph or SharePoint APIs for read operations should keep working as usual.
Microsoft recommends adopting service principals or managed identities instead of user accounts for automation as a long-term best practice.
If the assistance was helpful, kindly take a moment to click on 
and click on Yes for was this answer helpful. And, if you have any further query do let us know.