| ms.subservice | core-infra |
|---|---|
| ms.topic | include |
| ms.date | 08/14/2020 |
| ms.collection | tier3 |
When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don't work
Scenario: If the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you can't install applications, run CMPivot queries, and perform other actions from the admin console. You receive an error code 403, forbidden.
Workaround: The current workaround is to configure the on-premises hierarchy to the default authentication level of Windows authentication. For more information, see the Authentication section in the SMS provider article.