Tags: email, oauth, cloud, refresh-token, msal

OAuth (Microsoft) - Use token created from within a trusted network in a cloud service


I am working on an application that can send mails on behalf of a user. For this, the user logs in to his email account (similar to what you know from mail clients) and the application stores the refresh token. When the user now sends an email using this application, the refresh token is used to obtain an access token and that is used to send the mail.

This application should now be able to run in the cloud and there I am facing the following problem: Microsoft allows you to skip MFA in trusted networks but the token you get is also only valid when used from within this trusted network. During the auth-flow, the user is in the trusted network but the token is then used from the server in the cloud and therefore the token is not valid.

I've read about amr_values=ngcmfa but that sounds like it forces all users to use MFA. However, I would like to be able to bypass the "trusted network" rules while not forcing every user to activate MFA. How can I achieve that or is there any other solution to this?


Solution

  • It seems like tokens generated without MFA from within a trusted network can be used by applications outside this network, if the application uses a client secret. So this problem can be solved by simply using a client secret when requesting the token.
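The refresh-token redemption the answer describes, shown at the OAuth 2.0 token-endpoint level rather than through MSAL, as an added example that is not part of the original question or answer. The tenant, client id, scopes and the sample responses are constructed placeholders; the only difference between the public-client and confidential-client request is the `client_secret` field.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint ({tenant} is a placeholder)
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_refresh_request(tenant, client_id, refresh_token, scopes, client_secret=None):
    """Build the refresh_token grant body. Passing client_secret makes this a
    confidential-client request, which is what lets a server outside the trusted
    network redeem a token that was issued inside it."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }
    if client_secret is not None:
        form["client_secret"] = client_secret  # secret material: never log it
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form).encode()


def parse_token_response(body, stored_refresh_token):
    """Parse the endpoint's JSON. Returns (access_token, refresh_token_to_store).
    Refresh tokens are rotated, so the new one must replace the stored one."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], data.get("refresh_token", stored_refresh_token)


def redeem_refresh_token(tenant, client_id, refresh_token, scopes, client_secret):
    """Perform the POST against the token endpoint (network call)."""
    url, body = build_refresh_request(tenant, client_id, refresh_token, scopes, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        raw = exc.read()  # AADSTS errors arrive as JSON with a 4xx status
    return parse_token_response(raw, refresh_token)


# Constructed sample replies (not real tokens) used to exercise the parser offline
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "access-constructed", "refresh_token": "rt-new-constructed"})
SAMPLE_ERR = json.dumps({"error": "invalid_grant", "error_description": "constructed failure"})
```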