KNOWLEDGE BASE

Is MFA Supported Azure Active Directory a User Provisioning Tool?


Published: 08 Feb 2022
Last Modified Date: 25 Mar 2022

Issue

After enabling MFA for site administrator in Tableau Online, the login failed in Active Directory with the following error message due to a missing Personal Access Token (PAT). The following error message appears:
 
You appear to have entered invalid credentials.  Please confirm you are using the correct information for an administrator account.
 
Error code: DiceCredentialValidationFailure

Details: We are unable to authorize access to Tableau Online.  Please ensure that the credentials provided are valid and are authorized to provision objects in the target system.


User-added image

Environment

  • Tableau Online
  • Azure AD User Provisioning Tool

Resolution

Reach out to Azure Active Directory to request that they add Personal Access Token (PAT) support. 

Cause

​​​Tableau Online IdP user management uses the System for Cross-domain Identity Management (SCIM) standard, which is an open standard for automating the exchange of user identity information. Currently Tableau Online only supports SCIM with the following IdPs:
  • Okta
  • OneLogin
Azure Active Directory is using Rest API to build the automatic user provisioning tool without involving the Tableau team.  As documentation mentions, Personal Access Token (PAT) must be sent when enabling MFA. 
 
Tableau Online only:
If multi-factor authentication (MFA) is enabled with Tableau authentication, PATs are required. You must use a PAT, instead of user name and password, to make a REST API sign in request to Tableau Online.
 
Azure Active Directory did not send in Personal Access Token (PAT) from the user provisioning tool to Tableau Online which is causing Site Administrator login to fail after enabling MFA. Azure AD is not officially supported by Tableau Online.
Did this article resolve the issue?