I have the following issue where I only found a workaround...
We have an O365 tenant where MFA is enabled for users. I would like to connect from OutSystems to this tenant for some self-service activities in O365 (like updating phone number, department, location, city, country). Before MFA was enabled, I was able to get a delegated token for a user by submitting user name + password. After MFA, it is no longer possible to get a delegated token as an interactive login (for 2nd factor) is required.
As a workaround we are now making an IP exception in the MFA settings. This is however not a sustainable solution.
Anyone with an idea how I can trigger an interactive sign-in when authenticating via Microsoft Graph?
Hello Erik,
I had to deal with a similar situation on a project and in that case, we ended up creating a tenant with limited permissions just to be able to use certain services, with that we were able to log in with the user and password as you mentioned.
It is also a workaround but it's not locked to an IP.
Hope it helps!
Paulo Rosário
Hi Paulo,
I understand the route you followed. Setting up an additional O365 tenant sounds like quite some extra administration for IT. How did you handle the topic of different accounts/passwords from a user perspective? I assume that user had multiple accounts with different passwords?
Thanks for your reply,
Eric.
As I understand it, the tenant had multiple users, and one of them was set up so that MFA was not required, which allowed us to use the API.
Hi,
Just some thoughts. As an alternative you could include Microsoft Login Connector Reactive - Overview | OutSystems in the login flow of your self-service application. This lets users log in with their Azure account (and do MFA if necessary). If a user then wants scopes in their profile, you can retrieve the user token using GetUserToken from the MicrosoftLoginConnectorCore module and use that as the Bearer token to perform the Graph operations.
Best
Stefan
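The flow Stefan describes is the standard OAuth 2.0 authorization-code flow: the browser is redirected to Azure AD (which handles password and MFA), the returned code is exchanged server-side for a delegated token, and that token is sent as a Bearer header to Microsoft Graph. The following is an added illustration, not code from the thread or from the OutSystems connector; the tenant, client ID, redirect URI and scopes are placeholders, and it only builds the requests rather than sending them.

```python
import base64
import hashlib
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_ME = "https://graph.microsoft.com/v1.0/me"
# Hypothetical app-registration values (not from the thread); substitute your own.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://example.invalid/auth/callback"
SCOPES = "User.ReadWrite offline_access"  # assumed delegated scopes for own-profile edits


def make_code_challenge(code_verifier: str) -> str:
    """PKCE S256: base64url(sha256(verifier)) with '=' padding removed (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(code_verifier: str, state: str) -> str:
    """Step 1: redirect the browser here; Azure AD performs password + MFA itself."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,  # bind the callback to this session (anti-CSRF)
        "code_challenge": make_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 2: server-side POST that swaps the returned code for a delegated token."""
    return {
        "url": f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/token",
        "body": {"client_id": CLIENT_ID, "grant_type": "authorization_code",
                 "code": code, "redirect_uri": REDIRECT_URI,
                 "code_verifier": code_verifier, "scope": SCOPES},
    }


def build_profile_update(access_token: str, **fields) -> dict:
    """Step 3: PATCH /me with the user's Bearer token; only self-service fields pass."""
    allowed = {"businessPhones", "mobilePhone", "department", "officeLocation", "city", "country"}
    unknown = set(fields) - allowed
    if unknown:
        raise ValueError(f"unsupported profile fields: {sorted(unknown)}")
    return {"method": "PATCH", "url": GRAPH_ME, "json": fields,
            "headers": {"Authorization": f"Bearer {access_token}"}}
```

No `grant_type=password` appears anywhere: the username and password are only ever typed into the Azure AD page, which is what lets the second factor be prompted for.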
Hi Stefan,
I tested the Login Connector some time ago but it wasn't supporting MFA. Does it now support MFA?
Interesting what you write. The Login Connector just implements the OAuth flow. The browser gets redirected to the Identity Provider (Azure AD) and the user performs the authentication there. If MFA is enabled, that is done by the Identity Provider, not by the Login Connector. I have been using the Login Connector Reactive for quite a while now and we also have MFA enabled for all our users (well, we do have conditional rules there, so you only need the second factor when not using a company device). Maybe something else was not working during your last test?
We don't have conditional access rules in Azure. That means that the second factor is always needed. I will give it another try, but last time I used it, I was only able to submit username & password to get the token and there was no interactive login where I could enter the second factor (SMS code in our case).