O365Modern with MFA PhoneApp does not work
Brought to you by:
mguessan
From FAQ "O365Modern: same logic as O365Interactive, but use client provided credentials for Oauth negotiation, trigger PhoneApp MFA check transparently"
PhoneApp check (Microsoft Authenticator) is not triggered when O365Modern is used.
In the context of O365Authenticator.authenticateADFS -> O365Authenticator.processDeviceLogin
POST https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess HTTP/1.1
The POST gets a valid response, but there is no Location header in the response, so the result is "null" and the auth process is terminated.
The same response is received during the auth process of O365InteractiveAuthenticator; in that case the response is handled correctly.
DeviceAuthTls is the device validation endpoint: O365 tries to check if you have a valid device client certificate (signed by MS-Organization-Access).
This means your O365 admins enabled device authentication.
This is not yet supported by DavMail O365Modern authenticator.
If your device has a valid certificate, you may try manual mode with the native Windows browser => it should be able to access the client certificate and pass device authentication.
Note that I have not tested this yet.
With O365Interactive, as written above, device authentication works correctly.
I hope O365Modern support will be added soon, because of the end of support for Basic Authentication access to Exchange Online APIs for Office 365 customers (10/2020).
Update on this: I discovered that the device certificate (the one signed by MS-Organization-Access) uses CNG (Cryptography Next Generation), which was not supported by Java until about a year ago, when it was fixed:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8026953
=> Prerequisite for device authentication is Java 13 or later.
The next step is to confirm that device authentication is actually working with Java 13, and then adjust O365Authenticator.
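The two prerequisites named in this thread (a device certificate issued by MS-Organization-Access in the Windows user store, and a JVM of at least Java 13 so that its CNG-backed private key is usable) can be checked before touching DavMail at all. The following is an added diagnostic, not DavMail code and not part of the pull request: it opens the SunMSCAPI `Windows-MY` keystore, lists certificates whose issuer contains `MS-Organization-Access`, reports whether the private key is reachable, and compares the runtime feature version against 13. The class name, the issuer substring match and the use of `Runtime.version().feature()` (Java 10+) are my assumptions.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added diagnostic (not DavMail code): report whether this Windows machine
 * holds a device certificate issued by MS-Organization-Access and whether the
 * running JVM is recent enough (13+) to use its CNG-backed private key.
 */
public class DeviceCertCheck {

    // Issuer name the thread identifies for the Azure AD device certificate.
    static final String DEVICE_ISSUER = "MS-Organization-Access";

    /** True when the JVM feature version is 13 or later (CNG key support, per the thread). */
    static boolean javaSupportsCng() {
        return Runtime.version().feature() >= 13;
    }

    /**
     * Aliases in the Windows user store (SunMSCAPI "Windows-MY") whose certificate
     * was issued by MS-Organization-Access, with subject, expiry and private-key status.
     * Throws on non-Windows JVMs where the keystore type does not exist.
     */
    static List<String> findDeviceCertificates() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null); // SunMSCAPI ignores stream and password
        List<String> found = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate raw = ks.getCertificate(alias);
            if (!(raw instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) raw;
            String issuer = cert.getIssuerX500Principal().getName();
            if (issuer.contains(DEVICE_ISSUER)) {
                // A certificate without a usable private key cannot complete TLS client auth.
                boolean hasKey = ks.getKey(alias, null) instanceof PrivateKey;
                found.add(alias
                        + " (subject=" + cert.getSubjectX500Principal().getName()
                        + ", notAfter=" + cert.getNotAfter()
                        + ", privateKey=" + hasKey + ")");
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + Runtime.version()
                + " -> CNG private keys usable: " + javaSupportsCng());
        List<String> certs = findDeviceCertificates();
        if (certs.isEmpty()) {
            System.out.println("No certificate issued by " + DEVICE_ISSUER
                    + " in Windows-MY: device authentication cannot succeed on this account.");
        } else {
            for (String c : certs) {
                System.out.println("Device certificate: " + c);
            }
        }
    }
}
```

Run it with the same JVM DavMail uses; if it prints a device certificate with `privateKey=true` but `CNG private keys usable: false`, the fix is the Java upgrade, and if no certificate is listed at all the DeviceAuthTls redirect will keep coming back without a Location header regardless of the authenticator.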
Fixed, see https://github.com/mguessan/davmail/pull/134