Actionable Message cards received "MFA Required" when we try to post back to our web site

John Paglierani 5 Reputation points
2025-12-29T12:51:59.09+00:00

We have built an Actionable message card which allows users to post a response back to our Web site from the email they receive.

We have built and tested this in our Staging environments and when we registered it on our Primary Exchange server and tried it in production, we are receiving a response "MFA Required" when we try to submit the reply message back to our server.

We have worked with our corporate admins to remove MFA requirements for accounts we are testing but we cannot seem to get past this issue.

We have tried applying the same "Conditional access policy" to our staging servers but we cannot cause the same error to happen.

Is there any way to diagnose or get more information about what is causing the MFA required in our production environment?

[Moderator note: personal info removed]

Exchange | Exchange Server | Other


2 answers

  1. Steven-N 24,365 Reputation points Microsoft External Staff Moderator
    2025-12-29T14:03:40.4466667+00:00

    Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.

    Hi John Paglierani

    Thank you for reaching out to Microsoft Q&A forum.

    Based on your description, I think this behavior may occur because a Conditional Access policy or Security Defaults is likely enforcing MFA on non-interactive sign-ins. Actionable Message cards use a background token (via Exchange/Outlook) to POST your response. If a policy requires MFA for that token exchange, the call will fail because no interactive prompt can occur.

    This explains why it worked in staging, where you probably had no such policy or had more relaxed settings.

    In this situation, there are some initial things you can apply first to see if you can solve the problem:

    1/ Check Azure AD Sign-In Logs:

    Identify which policy triggered the MFA requirement. The sign-in log (under Non-interactive category) will show the specific Conditional Access policy or if Security Defaults was applied.

    Link instructions: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#non-interactive-user-sign-ins

    2/ Use Conditional Access "What If" tool:

    In Azure AD Conditional Access, use the “What If” tool to simulate the user’s sign-in to Exchange Online. This helps confirm which policies are applying MFA.

    You can read here for more information: https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool

    3/ Adjust Conditional Access Policies:

    Modify your policy so that it doesn’t require MFA for the actionable message scenario. For example, exclude “Exchange Online” (or the specific accounts) from the MFA-required policy.

    In the meantime, you can review MFA settings by verifying Security Defaults (Azure AD > Properties); if enabled, consider disabling it and using custom policies. Also check this LINK to ensure test accounts are not enforced for MFA outside of Conditional Access.

    Additionally, I have found this thread may have the necessary information to provide more insight about this concern: https://learn.microsoft.com/en-us/answers/questions/1185637/seeing-login-failures-with-non-interactive-sign-in

    Hope my answer will help you, for any further concern, kindly let me know in the comment section.



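The sign-in log check described in the answer above can be scripted against an export. This is an added example, not part of either answer: it assumes the non-interactive sign-in records were exported as JSON in the Microsoft Graph `signIn` shape (beta schema, which carries `signInEventTypes`); the function name and all sample records are constructed for illustration.

```python
import json

# AADSTS error codes that mean strong authentication (MFA) is required.
MFA_ERROR_CODES = {50074, 50076, 50079}

# Constructed sample export; users, IDs and policy names are made up.
SAMPLE_EXPORT = json.loads("""
[
 {"id": "s1", "userPrincipalName": "tester1@contoso.example",
  "resourceDisplayName": "Office 365 Exchange Online",
  "signInEventTypes": ["nonInteractiveUser"],
  "status": {"errorCode": 50076},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "failure",
    "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Block legacy auth", "result": "notApplied",
    "enforcedGrantControls": ["Block"]}]},
 {"id": "s2", "userPrincipalName": "tester2@contoso.example",
  "resourceDisplayName": "Office 365 Exchange Online",
  "signInEventTypes": ["nonInteractiveUser"],
  "status": {"errorCode": 50076},
  "appliedConditionalAccessPolicies": []},
 {"id": "s3", "userPrincipalName": "tester1@contoso.example",
  "signInEventTypes": ["interactiveUser"],
  "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []},
 {"id": "s4", "userPrincipalName": "tester2@contoso.example",
  "signInEventTypes": ["nonInteractiveUser"],
  "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []}
]
""")

def explain_mfa_failures(sign_ins):
    """Return one finding per non-interactive sign-in that failed on MFA."""
    findings = []
    for rec in sign_ins:
        if "nonInteractiveUser" not in rec.get("signInEventTypes", []):
            continue  # interactive sign-ins can prompt, so they are not the problem
        if rec.get("status", {}).get("errorCode") not in MFA_ERROR_CODES:
            continue  # succeeded, or failed for a reason other than MFA
        policies = [
            p["displayName"]
            for p in rec.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"
            and any(c.lower() == "mfa" for c in p.get("enforcedGrantControls", []))
        ]
        # No failing policy listed: look at Security Defaults or per-user MFA.
        source = "conditional-access" if policies else "outside-conditional-access"
        findings.append({"id": rec["id"], "user": rec.get("userPrincipalName"),
                         "source": source, "policies": policies})
    return findings

if __name__ == "__main__":
    for finding in explain_mfa_failures(SAMPLE_EXPORT):
        print(finding)
```

A finding with `source` set to `outside-conditional-access` corresponds to the case the answer raises where MFA is enforced by Security Defaults or per-user settings rather than by a Conditional Access policy.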

  2. Q&A Assist
    2025-12-29T12:52:08.6033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To diagnose the "MFA Required" issue when posting back to your web server from the Actionable Message card in your production environment, consider the following steps:

    1. Review Conditional Access Policies: Ensure that the Conditional Access policies applied in your production environment are consistent with those in your staging environment. Sometimes, specific conditions or user groups may trigger MFA unexpectedly.
    2. Check User Authentication Settings: Verify the authentication settings for the users involved in the production environment. Even if MFA has been removed for testing accounts, other settings might still enforce MFA based on risk or location.
    3. Audit Logs: Utilize Azure AD sign-in logs and audit logs to gather more information about the authentication attempts. These logs can provide insights into why MFA is being triggered.
    4. Test Different User Accounts: If possible, test with different user accounts that have varying permissions and settings to see if the issue persists across all accounts or is isolated to specific ones.
    5. Network and Security Settings: Ensure that there are no additional network or security settings in the production environment that could be influencing the authentication process differently than in staging.
    6. Consult Documentation: Refer to Microsoft documentation regarding Azure Multi-Factor Authentication and Conditional Access to ensure that all configurations are correctly set up.

    If these steps do not resolve the issue, consider reaching out to Microsoft support for further assistance.

