Showing posts with label AzureAD. Show all posts

Friday, February 12, 2021

How to disable multi factor authentication (MFA) for a Dynamics 365 trial environment

You might have noticed that if you now set up a new Dynamics 365 trial environment, users who log in are greeted with "Help us protect your account", which requires them to set up multi-factor authentication (MFA), even for accounts in trial/demo tenants. This is part of the Azure Active Directory security defaults.


To turn this off, log in to https://portal.azure.com and change the setting for the Azure Active Directory used by your demo/trial tenant. Navigate to Azure Active Directory in your subscription and select Properties in the left navigation pane. At the bottom of this screen, you will find the Access Management for Azure resources section.


Click the Manage Security Defaults link in this section and set Enable security defaults to No.




Wednesday, October 28, 2020

Access token endpoint versions in Azure AD

You might have noticed that there are two different URLs that you can use for retrieving an access token in Azure AD:

  • https://login.microsoftonline.com/<tenantid>/oauth2/token
  • https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token

And although most of the time it is better to use the more recent version, I did want to know the difference between the two. After deciding that in this case Google was not my friend, I reached out to a colleague, @KevinDockx (definitely check out his Pluralsight training Microsoft Azure for .NET developers - Building secure services and applications).



Evolution of Microsoft identity platform explains how the Azure AD developer platform evolved towards the new Microsoft identity platform. In short, the /oauth2/token endpoint is part of Azure AD for developers, and /oauth2/v2.0/token is linked to the Microsoft identity platform.



If you need to decide whether to use the Microsoft identity platform (v2.0) or Azure Active Directory (v1.0) endpoints, definitely take a look at Why update to Microsoft platform (v2.0) and check out the limitations section as well.

In short, try to use v2 as much as possible, since it provides more features and is more in line with common standards. The v1 endpoints will still exist for quite a while, and as far as I know there is no end of life announced (yet), but Microsoft did already announce the deprecation of the Azure Active Directory Authentication Library (ADAL) - see Migrate applications to Microsoft Authentication Library (MSAL). Everything evolves quite fast, and there even is a newer alternative for MSAL called Microsoft Identity Web.

You might also take a look at OpenID Connect (OIDC), an authentication protocol built on OAuth 2.0, since the Microsoft identity platform is compliant with this standard as well - see Microsoft identity platform and OpenID Connect protocol for more details.
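The difference between the two endpoints is visible in the token request itself: v1 names the target API with a `resource` parameter, while v2 uses `scope`, and the two token versions carry differently formatted issuers. The following is an added example, not code from the original post; the tenant ID, client ID, secret and Dynamics URL are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def token_request(version, tenant_id, client_id, client_secret, resource):
    """Build (url, form body) for a client-credentials token request."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if version == "v1":
        url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
        form["resource"] = resource              # v1 names the target API in `resource`
    elif version == "v2":
        url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
        form["scope"] = resource + "/.default"   # v2 replaces it with `scope`
    else:
        raise ValueError("version must be 'v1' or 'v2'")
    return url, urlencode(form)

def expected_issuer(ver, tenant_id):
    """Issuer string an API should expect for a given token 'ver' claim."""
    return {"1.0": f"https://sts.windows.net/{tenant_id}/",
            "2.0": f"{AUTHORITY}/{tenant_id}/v2.0"}.get(ver)

def issuer_matches(jwt, tenant_id):
    """Decode the payload WITHOUT verifying the signature and compare 'iss'
    with the format for the token's 'ver'. Diagnostic only, not validation."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)         # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    iss = claims.get("iss")
    return iss is not None and iss == expected_issuer(claims.get("ver"), tenant_id)

def fake_jwt(claims):
    """Constructed, unsigned sample token used only for this demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed placeholders, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000000"
RESOURCE = "https://contoso.crm.dynamics.com"

if __name__ == "__main__":
    for v in ("v1", "v2"):
        url, body = token_request(v, TENANT, "app-id", "app-secret", RESOURCE)
        print(url, body, sep="\n  ")
    print(issuer_matches(fake_jwt({"ver": "2.0", "iss": f"{AUTHORITY}/{TENANT}/v2.0"}), TENANT))
```

The `ver` of an access token follows the target API's app registration rather than the endpoint that was called, so an API should check the issuer format that matches the version it is configured to accept.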

References: