1 vote

I'm attempting to use Postman to "Get User Access Token" with Microsoft Graph API; however, my org recently enabled multi-factor auth and this call is now failing, stating:

"error": "invalid_grant",

"error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access...

The Microsoft documentation for the MS Graph API using Postman is very well written, but it is missing clear instructions on how to pass this second factor in the request.

The error points to https://login.microsoftonline.com/error?code=50076, but this just gives the same info.

I have the MS Authenticator app, which gives me this key/second factor; however, I don't know how to add this to the body/headers. I'm trying to find the specific key name for passing in the additional security token (I've tried things like 'token', 'pcToken', 'key', etc.).

Request Screenshot

Response Screenshot

Comment from Allen Wu: Hi, do you have a chance to look into my answer? Is there anything else unclear?

3 Answers

2 votes

I was in the same predicament so here is what I did to solve it:

Firstly, I got the information from:

https://github.com/microsoftgraph/microsoftgraph-postman-collections/issues/4

You will need to use the OAuth 2.0 authorisation in Postman. Using the same GET request, go to Authorization -> Change the type to 'OAuth 2.0' then click 'Get New Access Token'.

From there, you can input your own details: (replace [TenantID] with your own)

Screenshot

1 vote

Username Password Authentication is not supported for MFA because MFA requires interaction. But there is no interaction if you need to use Username Password Authentication to sign in.

See Username Password Authentication:

"users who need to do MFA won't be able to sign-in (as there is no interaction)"
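The two answers above make one point from two sides: the "Get User Access Token" request is the OAuth 2.0 password grant (ROPC), which has no step where Azure AD can challenge for a second factor, while Postman's "Get New Access Token" dialog runs the interactive authorization-code flow, where MFA happens in the browser. The following is an added example, not code from the question, the answers, or Microsoft; it builds both requests so the difference is visible, classifies the AADSTS50076 error from the question, and adds PKCE and a state check to the interactive flow. The tenant ID, client ID, redirect URI and scope are placeholders, and the error response is constructed from the text in the question rather than captured from a live tenant.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: real values come from the app registration in your tenant.
AUTHORITY = "https://login.microsoftonline.com"
TENANT_ID = "[TenantID]"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # hypothetical app (client) ID
REDIRECT_URI = "https://localhost/callback"           # must match the registration
SCOPE = "https://graph.microsoft.com/User.Read offline_access"

# Constructed from the error text in the question; not a captured response.
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, or because you moved to a new location, you "
                         "must use multi-factor authentication to access ...",
}


def ropc_token_request(username, password):
    """Body of the 'Get User Access Token' call: the resource-owner-password
    grant. It carries only a username and password; there is no round trip in
    which Azure AD could challenge for a second factor, so no extra body or
    header key can make it succeed once MFA is enforced."""
    return {
        "url": f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/token",
        "body": {"grant_type": "password", "client_id": CLIENT_ID,
                 "username": username, "password": password, "scope": SCOPE},
    }


def classify_token_error(response):
    """Pull the AADSTS code out of a token-endpoint error. 50076 (MFA required)
    means the grant type itself is the problem and an interactive flow is needed."""
    match = re.search(r"AADSTS(\d+)", response.get("error_description", ""))
    code = match.group(1) if match else None
    return {"error": response.get("error"), "aadsts": code,
            "needs_interaction": code == "50076"}


def make_pkce_pair(verifier=None):
    """RFC 7636 PKCE: the verifier is a high-entropy string, the challenge is
    BASE64URL(SHA256(verifier)) with padding removed. A fixed verifier can be
    passed in for testing; real callers take the random one."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorize_url(state, code_challenge):
    """Step 1 of what Postman's 'Get New Access Token' does: open this URL in a
    browser. The user signs in and completes MFA there, not in a request body."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "scope": SCOPE, "state": state, "response_mode": "query",
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: read the authorization code off the redirect. A state mismatch
    means the response was not produced for this flow; an error field means
    sign-in failed (for example the user abandoned the MFA prompt)."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def code_token_request(code, code_verifier):
    """Step 3: redeem the code. The verifier proves to Azure AD that the client
    finishing the flow is the one that started it."""
    return {
        "url": f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/token",
        "body": {"grant_type": "authorization_code", "client_id": CLIENT_ID,
                 "code": code, "redirect_uri": REDIRECT_URI,
                 "code_verifier": code_verifier, "scope": SCOPE},
    }


if __name__ == "__main__":
    print(classify_token_error(SAMPLE_ERROR))
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("open in a browser:", authorize_url(state, challenge))
    # After sign-in the browser lands on REDIRECT_URI?code=...&state=...;
    # then: code = parse_redirect(landing_url, state) and POST code_token_request(code, verifier).
```

Running the script prints the classification of the question's error and an authorize URL; the remaining two steps need a browser and a live tenant, so they are left as the comment at the end. The point to take from the ROPC body is what is absent: there is no parameter for a one-time code, so searching for the right key name (the question's 'token', 'pcToken', 'key') cannot work.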

0 votes

The answers above do not describe anything related to MFA bypassing via code. For MFA auth you need to use broker authentication, where the MS Authenticator app behaves as a broker. If you integrate the proper libraries (ADAL, MSAL), your code will be able to interact with the broker properly.

On Android and iOS, brokers enable:

  • Single Sign On (SSO). Your users won't need to sign in to each application

  • Device identification (by accessing the device certificate which was created on the device when it was workplace joined). We use Intune-managed devices for this purpose.

  • Application identification verification (is it really Outlook which calls me?). The way it works is that when an application calls the broker, it passes its redirect URL, and the broker verifies it. On iOS, the redirect URL is, for instance, ms-word://com.msft.com; the broker parses it, gets the appId (after the //), and verifies that it is the same as the appId of the calling app, which it knows (from the OS). On Android the redirect URLs have the form msauth://com.msft.word/.

To enable one of these features, the application developers need to set the UseBroker Boolean to true in the platform parameters. They also need to implement a delegate to react to the broker calling back the application as described in Platform parameters properties specific to brokers on Android and iOS.

Please refer to the MS docs for broker auth examples:
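As an added illustration of the application-identification check this answer describes (this is a simplified model written for this page, not MSAL or broker code, and not the Microsoft docs sample the answer points to): the broker parses the app identifier out of the redirect URI the caller supplies, then compares it with the identity the operating system reports for the calling process. The identifiers used are the answer's own examples (com.msft.com, com.msft.word); real Android MSAL redirect URIs carry more than the package name, which this model does not cover.

```python
from urllib.parse import urlparse

# Hypothetical caller identities, taken from the examples in the answer.
CALLER_IOS_APP_ID = "com.msft.com"
CALLER_ANDROID_PACKAGE = "com.msft.word"


def app_id_from_redirect(platform, redirect_uri):
    """Extract the app identifier a redirect URI claims, per platform:
    iOS:      <scheme>://<appId>      e.g. ms-word://com.msft.com
    Android:  msauth://<package>/     e.g. msauth://com.msft.word/
    Raises ValueError for anything that does not have the expected shape."""
    parts = urlparse(redirect_uri)
    if platform == "ios":
        if not parts.scheme or not parts.netloc:
            raise ValueError(f"not a custom-scheme redirect: {redirect_uri!r}")
        return parts.netloc
    if platform == "android":
        if parts.scheme != "msauth" or not parts.netloc:
            raise ValueError(f"not an msauth:// redirect: {redirect_uri!r}")
        return parts.netloc
    raise ValueError(f"unsupported platform: {platform!r}")


def broker_accepts(platform, redirect_uri, os_reported_caller):
    """The check the answer describes: the identity parsed from the redirect
    URI must equal the identity the OS reports for the caller. The redirect
    URI is caller-controlled input; the OS-reported identity is the trust
    anchor, so a malformed or mismatching URI is simply rejected."""
    try:
        claimed = app_id_from_redirect(platform, redirect_uri)
    except ValueError:
        return False
    return claimed == os_reported_caller


if __name__ == "__main__":
    print(broker_accepts("ios", "ms-word://com.msft.com", CALLER_IOS_APP_ID))
    print(broker_accepts("android", "msauth://com.msft.word/", CALLER_ANDROID_PACKAGE))
    # An app that presents another app's redirect URI is refused because the
    # OS-reported package does not match what the URI claims.
    print(broker_accepts("android", "msauth://com.msft.word/", "com.example.impostor"))
```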