My NT service on Windows uses the EWS API to access Office 365 accounts to perform some periodic job. It's written in C++. When a customer installs my app, he selects the user/password which the NT service uses to send EWS requests. The user/password is saved in a conf file in encrypted form. Now Microsoft forces the use of MFA for Office 365. The question is how a background NT service can pass MFA with an additional SMS code if it does not interact with the user. I read about app passwords: https://learn.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords
It works, but they write "Your administrator may not allow you to use app passwords". It also adds problems for the user, who has to manage this app password. Are there any alternative solutions for using MFA from an app which does not interact with the user (like NT services)? Can anyone help?
You can register your app in your Exchange tenant and authenticate using a certificate - https://developermessaging.azurewebsites.net/2018/09/11/authenticating-against-exchange-web-services-using-certificate-based-oauth2-tokens/
No password prompt would ever be necessary.
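
The token request behind the certificate approach in the answer above, as an added example (not code from the answer or the linked article): it builds the signed client assertion and the form body for the Microsoft identity platform client-credentials flow. The tenant, client ID and certificate bytes are constructed placeholders, and `build_token_request` and its `sign_rs256` callback are hypothetical names.

```python
import base64, hashlib, json, time, uuid
from urllib.parse import urlencode

EWS_SCOPE = "https://outlook.office365.com/.default"  # app-only EWS scope
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_token_request(tenant_id, client_id, cert_der, sign_rs256,
                        now=None, lifetime=600):
    """Return (token_url, form_body) for a certificate-authenticated
    client-credentials request. sign_rs256(bytes) -> bytes is a hypothetical
    callback that signs with the certificate's private key
    (RSASSA-PKCS1-v1_5, SHA-256), so the key can stay non-exportable in the
    certificate store or an HSM and never sits in a conf file."""
    now = int(time.time()) if now is None else now
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    header = {"alg": "RS256", "typ": "JWT",
              # x5t: SHA-1 thumbprint of the DER certificate registered for the app
              "x5t": b64url(hashlib.sha1(cert_der).digest())}
    claims = {"aud": token_url, "iss": client_id, "sub": client_id,
              "jti": str(uuid.uuid4()),           # unique per assertion
              "nbf": now, "exp": now + lifetime}  # short-lived on purpose
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    signature = sign_rs256(signing_input.encode("ascii"))
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": EWS_SCOPE,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": signing_input + "." + b64url(signature),
    })
    return token_url, form

if __name__ == "__main__":
    # Constructed placeholder values; the stand-in signer is NOT a real signature.
    url, body = build_token_request(
        "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
        b"constructed DER bytes", lambda data: hashlib.sha256(data).digest())
    print("POST", url)
    print(body)
```

The `access_token` in the JSON response is sent as `Authorization: Bearer` on each EWS request, so the service stores no user password and never meets an MFA prompt.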