Moved errors to troubleshooting section of mfa doc

mikefrobbins · mikefrobbins · commit e82b0e118e5a · 2025-07-17T13:38:15.000-05:00
diff --git a/docs-conceptual/azps-14.2.0/authenticate-mfa.md b/docs-conceptual/azps-14.2.0/authenticate-mfa.md
@@ -161,6 +161,58 @@ To learn more about federated identities, see:
 
 ## Troubleshooting
 
+### Multifactor authentication (MFA) interactive login failures
+
+If you encounter errors when running Azure PowerShell cmdlets that create, modify, or delete Azure
+resources, the issue might be caused by a Microsoft Entra ID conditional access policy that requires
+multifactor authentication (MFA).
+
+#### Common error messages
+
+You might see an error like the following:
+
+```Output
+Resource was disallowed by policy. Users must use MFA for Create operation.
+Users must authenticate with multi-factor authentication to create or update resources.
+Run the cmdlet below to authenticate interactively; additional parameters may be added as needed.
+Connect-AzAccount -Tenant (Get-AzContext).Tenant.Id -ClaimsChallenge "<claims-challenge-token>"
+```
+
+Or:
+
+```Output
+SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user
+someone@contoso.com. Ensure that you have authenticated with a developer tool that supports Azure
+single sign on.
+```
+
+These messages indicate that your session doesn't meet the conditional access requirements,
+typically, that MFA is required but not enforced at login.
+
+### Resolution steps
+
+To resolve these errors, upgrade to either or these supported module versions:
+
+- **Az** PowerShell module: version 14.3.0 or later
+- **Az.Accounts** module: version 5.x.y or later
+
+These versions improve error reporting by identifying the exact conditional access policy causing
+the issue and providing guidance.
+
+Recommended Actions:
+
+- Preferred: Ask your Azure administrator to enforce MFA at sign-in for your account. This ensures
+  compatibility with conditional access policies that require MFA.
+- Alternative: If MFA can't be enforced at sign-in, use interactive authentication with the
+  **ClaimsChallenge** parameter as shown in the following example:
+
+  ```PowerShell
+  Connect-AzAccount -Tenant (Get-AzContext).Tenant.Id -ClaimsChallenge "<claims-challenge-token>"
+  ```
+
+For more information about Microsoft Entra ID conditional access policies that require MFA, see
+[Planning for mandatory multifactor authentication for Azure and other admin portals][01]
+
 ### ROPC error: Due to a configuration change made by your administrator
 
 You use the Resource Owner Password Credential (ROPC) flow when signing into Azure using a password.
@@ -233,3 +285,4 @@ The Microsoft Entra ID documentation site offers more detail on MFA.
 [steps-assign-role]: /azure/role-based-access-control/role-assignments-steps
 [assign-roles]: /azure/role-based-access-control/role-assignments-powershell
 [fic-serviceconn-blog]: https://devblogs.microsoft.com/azure-sdk/improve-security-posture-in-azure-service-connections-with-azurepipelinescredential/
+[01]: /entra/identity/authentication/concept-mandatory-multifactor-authentication
diff --git a/docs-conceptual/azps-14.2.0/troubleshooting.md b/docs-conceptual/azps-14.2.0/troubleshooting.md
@@ -55,36 +55,6 @@ Update-AzConfig -EnableLoginByWam $false
 - WAM popup window to select an account isn't easy to find. Minimize other windows to locate the
   popup window.
 
-## SharedTokenCacheCredential authentication unavailable
-
-If you receive this error when running an Azure PowerShell cmdlet that creates or modifies Azure
-resources, it's likely that you're blocked by the Microsoft Entra ID Conditional Access policy.
-
-The complete error message is as follows:
-
-```Output
-SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user
-someone@contoso.com. Ensure that you have authenticated with a developer tool that supports
-Azure single sign on.
-```
-
-To resolve this issue, update to one of the following versions:
-
-- **Az** PowerShell module version 14.X.Y or later
-- Or equivalently, **Az.Accounts** PowerShell module version 5.X.Y or later
-
-These versions provide improved error messages that identify the specific Conditional Access policy
-causing the issue and offer guidance for resolving it.
-
-For example, if your organization requires multifactor authentication (MFA), you see an error
-message like:
-
-```powershell
-{Placeholder for error message}
-```
-
-To complete sign-in using MFA, follow the instructions in the error message.
-
 ## Installation
 
 This section contains a list of solutions to common problems when installing the Az PowerShell
