This article has been superseded by the steps in a newer blog post on this topic, which shows how to work with MFA-enabled Office 365:
Support Multi Factor Authentication for Office 365 Access Token
However, if you wish to whitelist based on IP address, you can still refer to the options described in this article.
Two-step verification is available by default for global administrators of Azure Active Directory and Office 365. If you wish to extend it to your end users, you can purchase the full version of Azure Multi-Factor Authentication (MFA).
Please refer to the following link for more details.
Most companies set this up so that MFA is bypassed for their internal IP ranges but enforced when users access Office 365 from outside the company network. This poses a challenge when you call the Office 365 API programmatically: a software component such as a web service running as a background thread cannot easily complete an MFA challenge, so MFA needs to be bypassed for such background threads based on IP range. For most companies this works fine, because such services are hosted within the company network and, as mentioned above, MFA is already bypassed there.
How this applies to AgilePoint Server
When you create an access token for SharePoint, the code that verifies the access token does not run in your browser. The browser is only where you enter the data; it is sent to the AgilePoint server, which is hosted in the cloud (Amazon/Azure) or on premises, and that server calls Office 365 to check that connectivity between the two servers is OK. This is done because the access token will eventually be used by workflow activities to connect to Office 365 and read/write data, and those workflow activities execute on a server background thread. No user is logged on while these server-side workflow activities run, so server-to-server connectivity must be verified to work.
So even though your browser may be inside your network, the AgilePoint server is considered outside your network as far as Office 365 is concerned (since it runs in AWS/Azure), and it therefore gets challenged for MFA, which obviously breaks a server-to-server connection. Hence you need to whitelist the IP of the AgilePoint NX server and portal.
How to whitelist depends on how you have bypassed MFA for users logged on to the network. Is it based on the managed option in Windows Azure AD, or are the accounts federated through on-premises ADFS? If it is managed through Windows Azure AD, you can simply add a trusted IP in Windows Azure AD. For enterprises, however, I assume you are federating Windows Azure AD through ADFS. With ADFS you can specify the IP whitelist in two ways: for all users logged into the corporate network, or based on IP ranges. It is explained here.
So it depends: if your network is set up using the "all federated users" option, MFA is bypassed only from inside your network and automatically challenged outside it. In that case the AgilePoint server needs to be in your network, just as your users are, to bypass MFA. If instead you have done it based on IP, you can simply add the server's IP to the trusted IP range and the AgilePoint NX server can be anywhere.
Server-to-server calls are backend calls and cannot complete the second authentication factor for you manually through phone or text, as no user is logged in for the workflow to proceed on the server side. If whitelisting is not possible, just install the AgilePoint server in your network so that you do not need any IP-based setting.
Enabling multi-factor auth is pretty common in Office 365 or Salesforce, and certainly a lot of our customers do it. The scenario is not specific to AgilePoint but is common to any app connecting to O365 from outside using a service account. Different customers follow different mechanisms for bypassing MFA for a service account, which I have explained below based on how their O365 is federated.
Option 1: If users are managed in O365, just create a service account and disable MFA for that account only. The O365 UI lets you do that for specific accounts such as a service account.
Option 2: If you manage users in Windows Azure AD, just add the IP addresses of trusted servers to bypass MFA, and add the AgilePoint trial server to that list.
Option 3: If using Windows Azure AD federated through ADFS with the trusted IP address range option shown below, just add the AgilePoint server IP to that list.
Option 4: If you are federating through ADFS and have a setting that disables MFA for calls coming from the corporate network, i.e. you have enabled "skip multi-factor auth for requests from federated users on my intranet", and you do not wish to follow option 1 (explicitly disabling MFA for the service account), then just install the AgilePoint server on premises, which will then bypass MFA for the server-to-server call. We have plenty of enterprise clients who install the AgilePoint server on premises and connect to O365, so that is fine with us.
Option 5: Office 365 also supports headless, app-based connectivity using OAuth2. You can register an app using OAuth2 as shown in the following article; it does not use service account credentials and can connect to SharePoint as an app account, as shown in the following post. This is usually not subject to two-factor authentication.
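As an added example (not AgilePoint's or Microsoft's code), here is a small Python audit for the trusted-IP approach of Options 2 and 3: it checks whether a given server address is actually covered by the configured list, and flags entries wider than a single-server exemption should be. The ranges and the server address are constructed for illustration, and the plain Python list stands in for whatever the identity provider's trusted-IP setting holds; the size threshold is an assumption you would set to your own policy.

```python
"""Audit a trusted-IP list before relying on it for a server-to-server exemption.

Added example, not part of the original post. TRUSTED_RANGES and the
server address are constructed; the list is a hypothetical stand-in for
the Azure AD / ADFS trusted-IP configuration, not its real format.
"""
import ipaddress

# Constructed sample of what an admin might have configured.
TRUSTED_RANGES = [
    "203.0.113.0/24",    # corporate egress block (constructed)
    "198.51.100.17/32",  # one application server (constructed)
    "10.0.0.0/8",        # an entire private /8, far wider than needed
]

# Assumption: nothing wider than a /24 should be used to exempt servers.
MAX_HOSTS_PER_ENTRY = 256

# RFC 1918 space; a private entry only matters when the identity provider
# actually sees private source addresses (e.g. ADFS on the intranet).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ranges(entries):
    """Parse CIDR strings (or bare host addresses) into ip_network objects."""
    # strict=False lets "10.1.2.3/24" mean the /24 that contains the host.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covering_ranges(server_ip, entries):
    """Return the trusted entries (as strings) that contain server_ip."""
    addr = ipaddress.ip_address(server_ip)
    return [str(net) for net in parse_ranges(entries) if addr in net]


def would_skip_mfa(server_ip, entries):
    """True when calls from server_ip fall inside a trusted entry and skip MFA."""
    return bool(covering_ranges(server_ip, entries))


def overly_broad(entries, max_hosts=MAX_HOSTS_PER_ENTRY):
    """Return entries whose address count exceeds max_hosts."""
    return [str(net) for net in parse_ranges(entries) if net.num_addresses > max_hosts]


def rfc1918_entries(entries):
    """Return entries that lie entirely inside RFC 1918 private space."""
    return [str(net) for net in parse_ranges(entries)
            if any(net.subnet_of(p) for p in RFC1918 if net.version == p.version)]


if __name__ == "__main__":
    server = "198.51.100.17"  # constructed AgilePoint server address
    print("skips MFA:", would_skip_mfa(server, TRUSTED_RANGES))
    print("covered by:", covering_ranges(server, TRUSTED_RANGES))
    print("too broad:", overly_broad(TRUSTED_RANGES))
    print("private space:", rfc1918_entries(TRUSTED_RANGES))
```

The point of the audit is that a trusted-IP entry is a blanket exemption for every account authenticating from that range, not just the service account, so each server gets its own /32 where possible, and the list is reviewed whenever a server moves or an environment is retired.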