TwistedSim
commented
1 year ago Which response code are you using? I don't see any difference between both cases. When MFA is in place, there is a new parameters in the data returned named "arrUserProofs". Maybe it could be used to infer the MFA state.
I tested this a few days ago with a Conditional Access Policy that allowed Android access.
The script looks for some hard-coded string in the login response which is not there (anymore).
Looking at the response code instead fixed the issue, as it can tell apart whether MFA gets asked for or not.