I am working on an integration solution wherein I would be creating users in Azure AD using Graph APIs. The problem is that the customer has enforced MFA, and we cannot have any manual intervention, as our integration solution's goal is to automate user creation via a server-to-server call. Does anybody have a solution to this issue? I could see 3 options for MFA - email, phone (SMS) and Microsoft Authenticator. The first two are impossible to integrate AFAIK; the last one looks possible, but IMHO there is no API for that either.
My automation performs the following:
- POST to https://login.microsoftonline.com/organizations/oauth2/v2.0/token with the following details:
  Header: x-www-form-urlencoded
  Body:
    client_id = xx9x9xxx00xxxxxx
    scope = Directory.ReadWrite.All
    client_secret = sdvds8vdsvsc8sd
    username = [email protected]
    password = $@#%#%#%#%#%
    grant_type = password
Without MFA, everything works perfectly, i.e. on another account without MFA (my own account, not the customer's).
This is the error I am getting:
{
  "error": "invalid_grant",
  "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: a05be65f-5bd7-4db0-9896-5a8907d10a00\r\nCorrelation ID: 34454b92-46da-46b5-8ccf-8f07325ea8ff\r\nTimestamp: 2021-06-16 04:18:43Z",
  "error_codes": [ 50076 ],
  "timestamp": "2021-06-16 04:18:43Z",
  "trace_id": "a05be65f-5bd7-4db0-9896-5a8907d10a00",
  "correlation_id": "34454b92-46da-46b5-8ccf-8f07325ea8ff",
  "error_uri": "https://login.microsoftonline.com/error?code=50076",
  "suberror": "basic_action"
}
Can anybody advise any workarounds, solutions or suggestions on how to overcome this?
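An added example, not from the post or from any Microsoft library: it builds the form body the post sends to the token endpoint and classifies the endpoint's error reply, flagging AADSTS50076 so the automation fails clearly instead of retrying a password grant that cannot complete an MFA challenge. The sample reply is constructed from the error shown above; the function names are the example's own.

```python
import json
import re
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"

# Constructed sample: the error reply quoted in the post, as the endpoint returns it.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50076: Due to a configuration change made by your administrator, "
        "or because you moved to a new location, you must use multi-factor "
        "authentication to access '00000003-0000-0000-c000-000000000000'.\r\n"
        "Trace ID: a05be65f-5bd7-4db0-9896-5a8907d10a00\r\n"
        "Correlation ID: 34454b92-46da-46b5-8ccf-8f07325ea8ff\r\n"
        "Timestamp: 2021-06-16 04:18:43Z"
    ),
    "error_codes": [50076],
    "suberror": "basic_action",
})

def build_ropc_body(client_id, client_secret, username, password, scope):
    """x-www-form-urlencoded body for the password (ROPC) grant the post uses."""
    return urlencode({
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "grant_type": "password",
    })

def classify_token_response(raw_json):
    """Parse a token-endpoint reply; report AADSTS codes and whether MFA blocked it."""
    body = json.loads(raw_json)
    desc = body.get("error_description", "")
    codes = set(body.get("error_codes", []))
    m = re.match(r"AADSTS(\d+):", desc)          # code also leads the description
    if m:
        codes.add(int(m.group(1)))
    res = re.search(r"access '([0-9a-f-]{36})'", desc)   # resource app id in the text
    ids = dict(re.findall(r"(Trace ID|Correlation ID): (\S+)", desc))
    return {
        "ok": "access_token" in body,
        "error": body.get("error"),
        "codes": sorted(codes),
        "mfa_required": 50076 in codes,            # ROPC cannot satisfy this; stop here
        "resource": res.group(1) if res else None,
        "trace_id": ids.get("Trace ID"),
        "correlation_id": ids.get("Correlation ID"),
    }
```

Log trace_id and correlation_id with the failure; they are what the tenant admin needs to locate the sign-in in the Azure AD sign-in logs.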
