msgraph authentication method is not supporting MFA
Hello,
Does parsedmarc support Microsoft account with MFA enabled when using msgraph authentication method for the mailbox? I encounter this kind of issue when activating MFA:
May 11 16:30:27 parsedmarc systemd[1]: Started parsedmarc mailbox watcher.
May 11 16:30:29 parsedmarc parsedmarc[6514]: UsernamePasswordCredential.get_token failed: Authentication failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
May 11 16:30:29 parsedmarc parsedmarc[6514]: Trace ID: bc514edd-364d-4bb3-af7c-260aa4528300
May 11 16:30:29 parsedmarc parsedmarc[6514]: Correlation ID: 1c834a6d-7781-41b5-801b-6ba4ee4f7c33
May 11 16:30:29 parsedmarc parsedmarc[6514]: Timestamp: 2022-05-11 14:30:29Z
May 11 16:30:29 parsedmarc parsedmarc[6514]: Content: {"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: bc514edd-364d-4bb3-af7c-260aa4528300\r\nCorrelation ID: 1c834a6d-7781-41b5-801b-6ba4ee4f7c33\r\nTimestamp: 2022-05-11 14:30:29Z","error_codes":[50076],"timestamp":"2022-05-11 14:30:29Z","trace_id":"bc514edd-364d-4bb3-af7c-260aa4528300","correlation_id":"1c834a6d-7781-41b5-801b-6ba4ee4f7c33","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}
May 11 16:30:29 parsedmarc parsedmarc[6514]: ERROR:cli.py:850:MS Graph Error: Authentication failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
May 11 16:30:29 parsedmarc parsedmarc[6514]: Trace ID: bc514edd-364d-4bb3-af7c-260aa4528300
With MFA disabled, everything works fine since I've registered the app on Azure AD.
Not currently; you have to make a conditional access policy that excludes the account.
There is a way to do Device Code Authentication; if that is useful, I can implement that.
For example, when starting up it would say:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code <CODE> to authenticate.
Made a PR for this: #320
Great, thank you @nathanthorpe!
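A triage sketch for the failure discussed in this thread, added here as an example (it is not part of the thread or of parsedmarc's code): it pulls the JSON error body out of journal lines like the ones reported and flags AADSTS50076 from a username/password credential as needing one of the two options named in the replies. The names `triage` and `SAMPLE_LOG` are hypothetical, and the sample lines are constructed with placeholder IDs.

```python
import json
import re

# Constructed sample shaped like the journal lines in the report above
# (error text shortened, trace/correlation IDs replaced by placeholders).
SAMPLE_LOG = r"""
May 11 16:30:29 host parsedmarc[6514]: UsernamePasswordCredential.get_token failed: Authentication failed: AADSTS50076: ... you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
May 11 16:30:29 host parsedmarc[6514]: Content: {"error":"invalid_grant","error_description":"AADSTS50076: ...\r\nTrace ID: TRACE-PLACEHOLDER","error_codes":[50076],"trace_id":"TRACE-PLACEHOLDER","correlation_id":"CORR-PLACEHOLDER","suberror":"basic_action"}
May 11 16:30:29 host parsedmarc[6514]: ERROR:cli.py:850:MS Graph Error: Authentication failed: AADSTS50076: ...
"""

CRED_RE = re.compile(r"(\w+Credential)\.get_token failed")
CONTENT_RE = re.compile(r"Content: (\{.*\})\s*$")
MFA_REQUIRED = 50076  # AADSTS50076, the code shown in the report


def triage(log_text):
    """Return one finding per JSON error body found in the log text."""
    findings, credential = [], None
    for line in log_text.splitlines():
        cred = CRED_RE.search(line)
        if cred:
            credential = cred.group(1)  # remember which credential class failed
        content = CONTENT_RE.search(line)
        if not content:
            continue
        try:
            body = json.loads(content.group(1))
        except json.JSONDecodeError:
            continue  # truncated or wrapped journal line
        codes = body.get("error_codes", [])
        mfa = MFA_REQUIRED in codes
        findings.append({
            "credential": credential,
            "error": body.get("error"),
            "codes": codes,
            "mfa_required": mfa,
            # A username/password sign-in is non-interactive and cannot answer an MFA prompt.
            "needs_interactive_flow": mfa and credential == "UsernamePasswordCredential",
            "correlation_id": body.get("correlation_id"),  # for matching Azure AD sign-in logs
            # The two options named in the thread.
            "options": ["exclude the account via a conditional access policy",
                        "device code authentication"] if mfa else [],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```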