I've had problems like this this in the past, but MFA may not be the issue.
When you authenticate a Microsoft account and give it the appropriate permissions, a long-term token (aka "authorization code") is generated for use in API authentication. For API auth, only the token is required and MFA plays no part.
First step to creating the connection is to open an incognito/private browser window. If your browser is already logged into Microsoft using another account, it will automatically authenticate using that account (kind of annoying), so incognito is a must if you want to authenticate using a different account.
When creating the connection in Workato, select "Authorization code grant" but only fill out the subdomain and then click connect. This should open the pop-up with the Microsoft login. Enter your credentials, complete the MFA, and one of three things will happen:
- If the account you used is an admin, you can grant permissions for Workato in your Microsoft account. This will complete the entire process (and, behind the scenes, generate the authorization token needed for API auth).
- If the account you use is NOT an admin, you will need to request permissions. This will create a permission request in your Microsoft account that an admin must approve. (I don't remember exactly where it is on the Microsoft side.) Once an admin approves the request, repeat all of the above steps.
- If Workato was previously approved by your Microsoft admin, then everything should complete seamlessly.
Hopefully this info helps.
