Question
How can I authenticate Email Reader to a Microsoft 365 account with Multi-Factor Authentication (MFA) enabled?
Answer
As of October 2022, Microsoft has deprecated basic authentication to email accounts over the IMAP and POP3 protocols, which Email Reader uses to access the mailbox. Applications that run as a background service must now authenticate using OAuth 2.0 to access Microsoft mailboxes over these protocols. Support for OAuth 2.0 authentication was added to Service Desk in the VSA 9.5.11a release.
OAuth 2.0 does not work with MFA when the application is a background service with no manual interaction, because MFA is built for a user to supply an MFA code interactively and authenticate. Microsoft provides an IP whitelisting capability so that MFA can be bypassed for requests coming from the server where the background service is running, and this is required to authenticate the application using IMAP or POP3 to an account where MFA is disabled.
With this configuration, only OAuth token requests coming from the VSA server's IP address can bypass MFA. This can be done as follows:
- Log in to the Microsoft admin portal (https://admin.microsoft.com/adminportal/home/).
- Click Users > Active Users.
- Next, click Multi-Factor Authentication.
- Select the user who has MFA enabled and then click service settings. You will be taken to a different page.
- Under Trusted IPs, click in the text box and type the IP address or range of addresses that you want to exclude from MFA, based on the VSA server used.
- This way you will be able to set up the email parser for the O365 account that has MFA enabled.
- Click Save.
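Every address entered under Trusted IPs is excluded from MFA, so the entry should cover the VSA server and nothing more. The following is an added example, not part of the original article or of VSA, that checks a proposed list before it is typed into the portal. The function name and sample addresses are hypothetical, and it assumes IPv4 entries in CIDR notation and a VSA server that reaches Microsoft through a public address.

```python
import ipaddress

# RFC 1918 ranges: internal addresses that are not the server's public egress IP.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def review_trusted_ips(entries, vsa_server_ips):
    """Check proposed Trusted IPs entries against the VSA server's public IPs.

    Returns (findings, uncovered): findings maps each problematic entry to a
    reason; uncovered lists VSA server IPs that no valid entry contains.
    """
    servers = [ipaddress.IPv4Address(ip) for ip in vsa_server_ips]
    findings, covered = {}, set()
    for entry in entries:
        try:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.10/24
            net = ipaddress.IPv4Network(entry.strip(), strict=True)
        except ValueError as exc:
            findings[entry] = f"invalid: {exc}"
            continue
        if any(net.subnet_of(r) for r in RFC1918):
            findings[entry] = "private: use the server's public egress address"
            continue
        hits = [s for s in servers if s in net]
        covered.update(hits)
        extra = net.num_addresses - len(hits)
        if not hits:
            findings[entry] = "unneeded: contains no VSA server address"
        elif extra:
            findings[entry] = f"too broad: {extra} other addresses also skip MFA"
    uncovered = [str(s) for s in servers if s not in covered]
    return findings, uncovered

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_VSA_IPS = ["203.0.113.10"]
SAMPLE_ENTRIES = ["203.0.113.10/32", "203.0.113.0/24", "192.168.1.20/32",
                  "198.51.100.7/32", "203.0.113.10/24"]

if __name__ == "__main__":
    findings, uncovered = review_trusted_ips(SAMPLE_ENTRIES, SAMPLE_VSA_IPS)
    for entry, reason in findings.items():
        print(f"{entry:18} {reason}")
    print("VSA server IPs not covered:", uncovered or "none")
```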