1

Has anybody managed to send an email in a logic app from an O365 account with MFA enabled?

When I try to add the connection it shows the Azure AD login popup, it gets authenticated with SSO (my PC is joined to Azure AD) and then in the O365 connector I have this error:

OAuth2Certificate authorization flow failed for service 'Office 365 (Discovery, Certificate)'. AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-XXXX-XXXX-000000000000'. Trace ID: xxxxxxx-4689-4387-b215-d0590b331000 Correlation ID: 21eaa05b-xxxx-yyyy-893a-c2ce136d6e51 Timestamp: 2017-06-14 08:55:00Z

Hope you can help. Thank you

3 Answers

1

This is long after closing. But in AAD, there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA. If you do face this, check the conditional access locations in Azure and see if your AAD admin can clear the flag. (Or set up the original account with named locations in place.)

https://learn.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations


0

I wouldn't expect this to be possible. I've never seen automated MFA logins in Azure. I would love to be disproved though.

1 Comment

How about using an app password?

0

The short answer is that I doubt this is possible, much less supported.

Since a LogicApp is essentially a "service", I think the correct approach would be to register your application in Azure AD and use app-only permissions and give your service Mail.Send permissions. This would allow your application to send as any user. Alternatively, create a "service account" that does not have MFA enabled -- but this is definitely the less secure approach and any credential changes have to be changed in code, rather than at an administrative level as the Azure AD app registration would allow.

https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes#app-only-vs-delegated-scopes

https://apps.dev.office.com

3 Comments

I have a corporate account with Azure AD domain and I am not sure I can give permissions to my logic app since I don't have admin rights but I will give it a try
Yeah, that could be a problem. If it's a corporate app, maybe they'll make an exception :-)
@PaulSummers - Am I correct in understanding that you are suggesting creating an Azure application registration for the Logic App? And if so, how do I override the credential prompt that appears for Logic App connectors?
