domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

msgraph authentication method is not supporting MFA #319

Closed dt-valentin-magnan closed 9 months ago

dt-valentin-magnan commented 2 years ago

Hello,

Does parsedmarc support a Microsoft account with MFA enabled when using the msgraph authentication method for the mailbox? I encounter this kind of issue when activating MFA:

May 11 16:30:27 parsedmarc systemd[1]: Started parsedmarc mailbox watcher.
May 11 16:30:29 parsedmarc parsedmarc[6514]: UsernamePasswordCredential.get_token failed: Authentication failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
May 11 16:30:29 parsedmarc parsedmarc[6514]: Trace ID: bc514edd-364d-4bb3-af7c-260aa4528300
May 11 16:30:29 parsedmarc parsedmarc[6514]: Correlation ID: 1c834a6d-7781-41b5-801b-6ba4ee4f7c33
May 11 16:30:29 parsedmarc parsedmarc[6514]: Timestamp: 2022-05-11 14:30:29Z
May 11 16:30:29 parsedmarc parsedmarc[6514]: Content: {"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: bc514edd-364d-4bb3-af7c-260aa4528300\r\nCorrelation ID: 1c834a6d-7781-41b5-801b-6ba4ee4f7c33\r\nTimestamp: 2022-05-11 14:30:29Z","error_codes":[50076],"timestamp":"2022-05-11 14:30:29Z","trace_id":"bc514edd-364d-4bb3-af7c-260aa4528300","correlation_id":"1c834a6d-7781-41b5-801b-6ba4ee4f7c33","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}
May 11 16:30:29 parsedmarc parsedmarc[6514]:    ERROR:cli.py:850:MS Graph Error: Authentication failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
May 11 16:30:29 parsedmarc parsedmarc[6514]: Trace ID: bc514edd-364d-4bb3-af7c-260aa4528300

With MFA disabled, everything works fine since I've registered the app on Azure AD.

nathanthorpe commented 2 years ago

Not currently; you have to make a conditional access policy that excludes the account.

There is a way to do Device Code Authentication, if that is useful I can implement that.

For example, when starting up it would say: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code <CODE> to authenticate.

Made a PR for this #320
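The device code flow proposed above, as an added example that is neither parsedmarc's code nor the PR's: a constructed, in-memory model of both sides of the OAuth 2.0 device authorization grant (RFC 8628), which is what the https://microsoft.com/devicelogin page implements. The point for an unattended mailbox watcher is that the password and the MFA factor are handled in the user's browser, so the daemon only ever holds a device code and the resulting token, which is why it can work where a username/password grant is refused with AADSTS50076. The client ID, scope, lifetimes and all codes are constructed placeholders.

```python
import secrets
import time

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the page named in the comment above

class DeviceAuthServer:
    # Authorization-server side of RFC 8628: a constructed, in-memory stand-in for Azure AD.
    def __init__(self, lifetime=900, interval=5):
        self.lifetime, self.interval = lifetime, interval
        self.pending = {}  # device_code -> request state

    def device_authorization(self, client_id, scope):
        """POST /devicecode: the daemon gets a long device_code plus a short user_code for the human."""
        device_code, user_code = secrets.token_urlsafe(32), secrets.token_hex(4).upper()
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "approved": False, "expires": time.time() + self.lifetime}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "interval": self.interval}

    def user_approves(self, user_code, mfa_satisfied=True):
        """Browser side: the human signs in at verification_uri (MFA is completed here) and types the code."""
        for req in self.pending.values():
            if req["user_code"] == user_code and time.time() < req["expires"]:
                req["approved"] = mfa_satisfied  # a sign-in that fails the required factor approves nothing
                return True
        return False  # unknown or expired code

    def token(self, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code, polled by the daemon."""
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if time.time() >= req["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if not req["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device code is single use
        return {"token_type": "Bearer", "scope": req["scope"], "access_token": secrets.token_urlsafe(32)}

def watcher_login(server, client_id, scope, on_prompt, max_polls=3):
    """Daemon side: request a code, log the sign-in line (no TTY needed), then poll until approved."""
    grant = server.device_authorization(client_id, scope)
    on_prompt(f"To sign in, use a web browser to open the page {grant['verification_uri']} "
              f"and enter the code {grant['user_code']} to authenticate.", grant["user_code"])
    for _ in range(max_polls):  # a real client sleeps grant['interval'] seconds between polls
        result = server.token(grant["device_code"])
        if "access_token" in result or result["error"] != "authorization_pending":
            return result
    return {"error": "authorization_pending"}
```

A service that runs under systemd, as in the log above, has no terminal to read the prompt from, so the sign-in line has to go to the journal or a log file and an operator completes it once; the issued token, not the user's credentials, is what the daemon keeps.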

dt-valentin-magnan commented 2 years ago

Great, thank you @nathanthorpe !