Skipping MFA for Office 365 Account in Logic App Email Action

Question

Skipping MFA for Office 365 Account in Logic App Email Action

Sowjanya Mandalapu 0

Hello,

I am seeking guidance on configuring an Azure Logic App to send emails using an Office 365 account without triggering Multi-Factor Authentication (MFA). Our current setup enforces MFA for this account, which is interfering with automated workflows in the Logic App.

We understand the importance of MFA for security, but in this specific case, we are looking for a secure and supported method to bypass MFA for this automation scenario. We have explored several options, including:

Using service accounts with conditional access exclusions

Attempting to disable MFA via the Microsoft 365 Admin Center

Reviewing managed identity options for Logic Apps

However, none have successfully allowed the Logic App to send emails without MFA prompts.

Could you please advise on:

Whether it is possible to bypass MFA for a Logic App using an Office 365 connector.

If so, what are the recommended steps or configurations (e.g., using managed identities, app registrations, or conditional access policies)?

Any official documentation or best practices for securely enabling this scenario.

We would greatly appreciate any insights, examples, or references to Microsoft Learn or TechCommunity articles that could help us implement this correctly.

Thank you in advance!

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-06-18T12:14:17.4733333+00:00

@Sowjanya Mandalapu ,

I wanted to check in and see if my earlier response addressed your question. If you still need assistance or have additional questions, feel free to reach out.
Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-06-19T09:36:46.6266667+00:00

@Sowjanya Mandalapu ,

Just checking again to see if my response addressed your question. If you still need assistance or have additional questions, feel free to reach out.

Sowjanya Mandalapu 0

Hi Khadeer,

I have followed the same steps you mentioned above, but I am getting the following error message.

I didn't grant the permissions for Mail.Send. When I try to grant it, it gives access to all users, but I need it for only one particular user. I am sharing the API URL, header, and body which I invoked and shared in the API call. Please let me know if you need anything else.

URI: https://graph.microsoft.com/v1.0/me/sendMail

Method: POST

body:

{

"message": {

    "body": {

        "content": "The new cafeteria is open.",

        "contentType": "Text"

    },

    "ccRecipients": [

        {

            "emailAddress": {

                "address": "my email address"

            }

        }

    ],

    "subject": "Meet for lunch?",

    "toRecipients": [

        {

            "emailAddress": {

                "address": "my email address"

            }

        }

    ]

},

"saveToSentItems": "false"

}

Header:

{

"Authorization": "Bearer accesstoken",

"Content-Type": "application/json"

}

Output:

{

"error": {

    "code": "BadRequest",

    "innerError": {

        "client-request-id": "a86d94af-7734-4231-bee9-ac8e4120675a",

        "date": "2025-06-19T05:40:15",

        "request-id": "a86d94af-7734-4231-bee9-ac8e4120675a"

    },

    "message": "/me request is only valid with delegated authentication flow."

}

}

Praveen Kumar Gudipudi 1,875 Reputation points Microsoft External Staff Moderator

2025-06-19T15:37:40.6666667+00:00

@Sowjanya Mandalapu ,

Using the following steps, you can identify which apps use the Graph API to send emails and how to restrict them to send only from the email addresses to which you give them permission.

Please let me know if you have any queries.
Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-06-20T16:46:06.5166667+00:00

@Sowjanya Mandalapu,Just checking if the document provided by the @Praveen Kumar Gudipudi helpful.
Sowjanya Mandalapu 0 Reputation points

2025-06-20T17:00:17.91+00:00

Hi @Khadeer Ali @Praveen Kumar Gudipudi IT team is currently looking into feasibility, Will update you once I received any update.

Is this method involves any 3-rd party tools or else Microsoft tools only?
LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator

2025-07-01T21:47:45.97+00:00

@Sowjanya Mandalapu Following up to see if you still need any additional assistance with the issue.
Sowjanya Mandalapu 0 Reputation points

2025-07-02T14:07:43.9666667+00:00

@LeelaRajeshSayana-MSFT My IT team is trying to use App passwords, but I heard that App passwords are no longer supported for logic apps since they've been deprecated for security reasons. Is that accurate?
LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator

2025-07-02T22:29:29.71+00:00

@Sowjanya Mandalapu If you are referring to Basic Authentication approach, it is still supported but not recommended due to the security risks involved. I would still suggest the initial approach recommended on this thread which is use Graph API.

I see you have some concerns with regards to assigning Mail.Send permissions. Please note that we are assigning these permissions to the App and not associated with any user directly. Although, once the App gets authenticated into the Logic App, any user would be able to run it. But the same goes with App credentials approach you are trying to follow.

You also mentioned that disabling MFA for the account still prompted you to key in credentials. I wanted to check if you have deleted the existing connection and recreate a new connection and test this behavior? Sometimes, the existing connections do not see the changes reflect right away.

For the time being, I am converting the initial suggestion on the thread to answer to help other community members find an approach to this issue. If you do have any additional questions, please do let me know and we would be glad to address them.

1 answer

Your answer

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-06-18T12:14:17.4733333+00:00

@Sowjanya Mandalapu ,

I wanted to check in and see if my earlier response addressed your question. If you still need assistance or have additional questions, feel free to reach out.
Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-06-19T09:36:46.6266667+00:00

@Sowjanya Mandalapu ,

Just checking again to see if my response addressed your question. If you still need assistance or have additional questions, feel free to reach out.
Sowjanya Mandalapu 0 Reputation points

2025-06-19T13:42:59.6366667+00:00

Hi Khadeer,

I have followed the same steps you mentioned above, but I am getting the following error message.

I didn't grant the permissions for Mail.Send. When I try to grant it, it gives access to all users, but I need it for only one particular user. I am sharing the API URL, header, and body which I invoked and shared in the API call. Please let me know if you need anything else.

URI: https://graph.microsoft.com/v1.0/me/sendMail

Method: POST

body:

{

"message": { "body": { "content": "The new cafeteria is open.", "contentType": "Text" }, "ccRecipients": [ { "emailAddress": { "address": "my email address" } } ], "subject": "Meet for lunch?", "toRecipients": [ { "emailAddress": { "address": "my email address" } } ] }, "saveToSentItems": "false"

}

Header:

{

"Authorization": "Bearer accesstoken", "Content-Type": "application/json"

}

Output:

{

"error": { "code": "BadRequest", "innerError": { "client-request-id": "a86d94af-7734-4231-bee9-ac8e4120675a", "date": "2025-06-19T05:40:15", "request-id": "a86d94af-7734-4231-bee9-ac8e4120675a" }, "message": "/me request is only valid with delegated authentication flow." }

}
Praveen Kumar Gudipudi 1,875 Reputation points Microsoft External Staff Moderator

2025-06-19T15:37:40.6666667+00:00

@Sowjanya Mandalapu ,

Using the following steps, you can identify which apps use the Graph API to send emails and how to restrict them to send only from the email addresses to which you give them permission.

Please let me know if you have any queries.
Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-06-20T16:46:06.5166667+00:00

@Sowjanya Mandalapu,Just checking if the document provided by the @Praveen Kumar Gudipudi helpful.
Sowjanya Mandalapu 0 Reputation points

2025-06-20T17:00:17.91+00:00

Hi @Khadeer Ali @Praveen Kumar Gudipudi IT team is currently looking into feasibility, Will update you once I received any update.

Is this method involves any 3-rd party tools or else Microsoft tools only?
LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator

2025-07-01T21:47:45.97+00:00

@Sowjanya Mandalapu Following up to see if you still need any additional assistance with the issue.
Sowjanya Mandalapu 0 Reputation points

2025-07-02T14:07:43.9666667+00:00

@LeelaRajeshSayana-MSFT My IT team is trying to use App passwords, but I heard that App passwords are no longer supported for logic apps since they've been deprecated for security reasons. Is that accurate?
LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator

2025-07-02T22:29:29.71+00:00

@Sowjanya Mandalapu If you are referring to Basic Authentication approach, it is still supported but not recommended due to the security risks involved. I would still suggest the initial approach recommended on this thread which is use Graph API.

I see you have some concerns with regards to assigning Mail.Send permissions. Please note that we are assigning these permissions to the App and not associated with any user directly. Although, once the App gets authenticated into the Logic App, any user would be able to run it. But the same goes with App credentials approach you are trying to follow.

You also mentioned that disabling MFA for the account still prompted you to key in credentials. I wanted to check if you have deleted the existing connection and recreate a new connection and test this behavior? Sometimes, the existing connections do not see the changes reflect right away.

For the time being, I am converting the initial suggestion on the thread to answer to help other community members find an approach to this issue. If you do have any additional questions, please do let me know and we would be glad to address them.

Answer 1

@Sowjanya Mandalapu ,

Thanks for your query.

To securely send emails from an Azure Logic App using an Office 365 account without triggering MFA, once try this approach: use Azure AD App Registration with Microsoft Graph API and the client credentials flow.

This method is designed for automation scenarios and works without MFA, as it uses application identity (not a user identity) for authentication.

Summary of Steps:

Register an App in Azure AD
Grant Application Permission: Mail.Send in Microsoft Graph
Create a client secret or certificate
Use Logic App HTTP action to:

Fetch a token from Azure AD
Call the Graph API sendMail endpoint

This avoids MFA entirely and is Microsoft’s recommended pattern for service-to-service communication.

Send Mail using Graph API

Client Credentials Flow (No MFA)

Share via

Skipping MFA for Office 365 Account in Logic App Email Action

1 answer

Your answer