Is MFA Supported Azure Active Directory a User Provisioning Tool?

Issue

After enabling MFA for site administrator in Tableau Online, the login failed in Active Directory with the following error message due to a missing Personal Access Token (PAT). The following error message appears:

You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrator account.

Error code: DiceCredentialValidationFailure

Details: We are unable to authorize access to Tableau Online. Please ensure that the credentials provided are valid and are authorized to provision objects in the target system.

Environment

Tableau Online
Azure AD User Provisioning Tool

Resolution

Reach out to Azure Active Directory to request that they add Personal Access Token (PAT) support.

Cause

Tableau Online IdP user management uses the System for Cross-domain Identity Management (SCIM) standard, which is an open standard for automating the exchange of user identity information. Currently Tableau Online only supports SCIM with the following IdPs:

Okta
OneLogin

Azure Active Directory is using Rest API to build the automatic user provisioning tool without involving the Tableau team. As documentation mentions, Personal Access Token (PAT) must be sent when enabling MFA.

Tableau Online only:
If multi-factor authentication (MFA) is enabled with Tableau authentication, PATs are required. You must use a PAT, instead of user name and password, to make a REST API sign in request to Tableau Online.

Azure Active Directory did not send in Personal Access Token (PAT) from the user provisioning tool to Tableau Online which is causing Site Administrator login to fail after enabling MFA. Azure AD is not officially supported by Tableau Online.