Any problem with robot script doing multi-factor authentication to Microsoft Dynamics 365

Hello community!

I have an assignment to do UI test automation in Microsoft Dynamics365 customized applications. I ran into a huge problem with making the robot pass multi-factor authentication to get into D365 apps. My question is: has anyone encountered the same problem as I did? If so, how did you succeed in doing that? Thank you very much! :pray:

Hi Anh,

Solving the 2FA question always starts with: how does the 2FA work? This is going to vary depending on your organisation’s security policy. Is the second factor:

  • an SMS message?
  • an email?
  • an RSA key using a physical device or the RSA smart phone app?
  • a physical swipe card?
  • something else?

Because there are so many ways 2FA can be implemented there is no one library or way to deal with it.

If you are testing the application (Microsoft Dynamics365 in this case) and not the 2FA system, the easiest way to deal with 2FA is to have your security team disable it for your test accounts.

If you can’t simply disable 2FA for your test accounts then when you know which method is being used we can try to offer some suggestions for that delivery method.

Hope that helps,

Dave.

Hello damies13,
Thanks for your response. Appreciated! I’m working with the security team at the moment. It looks like the issue is much more complicated than we thought :sweat_smile:

Hi Anh,

I’ve successfully implemented a UI testing framework against an MFA-enabled D365 app using the Browser library’s capabilities, but the test user account needs to have e.g. certain session lifetime settings enabled.

I suggest you take a look at these Browser library keywords:

https://marketsquare.github.io/robotframework-browser/Browser.html#New%20Context

https://marketsquare.github.io/robotframework-browser/Browser.html#New%20Persistent%20Context

1 Like
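The session-reuse approach the post above points to, as an added example that is not part of the original thread: a person completes MFA once in a headed browser, the context's storage state is saved, and later unattended runs pass it to `New Context`. The URL, the `${APP_READY}` selector and the state file path are placeholders assumed for illustration, and choosing `storageState` rather than `New Persistent Context` is this example's choice, not the poster's.

```robotframework
*** Settings ***
Library    Browser
Library    OperatingSystem

*** Variables ***
# Placeholders (assumptions, not from the thread): replace with your own values.
${APP_URL}       https://d365.example.invalid/
${APP_READY}     css=[data-placeholder="app-shell"]
# Kept outside the results directory because it holds live session cookies.
${STATE_FILE}    ${CURDIR}${/}.auth${/}d365_state.json

*** Test Cases ***
Capture Session After Manual MFA
    [Documentation]    Run once, headed; a person completes the MFA prompt.
    [Tags]    bootstrap
    New Browser    chromium    headless=False
    New Context
    New Page    ${APP_URL}
    # Wait while the operator signs in and approves the second factor.
    Wait For Elements State    ${APP_READY}    visible    timeout=300s
    # Save Storage State returns the path of the file it wrote.
    ${saved}=    Save Storage State
    Copy File    ${saved}    ${STATE_FILE}
    [Teardown]    Close Browser

Open App With Saved Session
    [Documentation]    Unattended runs start from the saved cookies and storage.
    File Should Exist    ${STATE_FILE}
    New Browser    chromium    headless=True
    New Context    storageState=${STATE_FILE}
    New Page    ${APP_URL}
    # An expired session redirects to sign-in, so this wait fails;
    # that failure is the signal to re-run the bootstrap test.
    Wait For Elements State    ${APP_READY}    visible    timeout=30s
    [Teardown]    Close Browser
```

The saved state file is equivalent to a signed-in session for the test account, so keep it out of version control and uploaded test artifacts, and restrict who can read it on the runner.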

Hi damies13,

I am also stuck in the same kind of situation. I need to automate one portal, but in order to get into the portal the login passes through multi-factor authentication.

  1. It generates one code, and I need to enter that code through the authenticator app that is installed on my mobile
  2. The other way is a text message to my mobile number, and I need to enter the code that is generated through SMS in order to log in to the portal

Hi Gituwalia,

As with my advice to Anh, the easiest way to deal with it is to have the security team remove it from your automation users. In my current and several previous workplaces the automation users have MFA disabled but the manual test accounts have it enabled, so any competent security team can do this.

If they won’t do it for whatever political reason (it’s not a technical reason), then an SMS code to a mobile phone number might be your best bet

  • many laptops have sim card slots
  • there are usb devices for connecting a sim card to a computer (search for something like “4G LTE USB”, “LTE 3G USB”, “USB sim card reader”, etc)
  • there is software for most OS’s that will read the SMS’s sent to the sim card attached to the computer (I know there is multiple software for this for Windows, Linux and Mac’s, probably other OS’s)
  • Simply buy the cheapest 365 day prepaid sim card with the minimum credit amount
  • configure your user account to have that mobile number as the place to send the sms code
  • then automate that software that reads the sms’s to give you the code

If you have multiple accounts that need to run the automation, you’ll need to pair the sim card with the machine and the user so it all works, and you’ll need one sim card and one reader per user (well, maybe you can have several users share the same number, but you’ll probably only be able to log them in one at a time then).

If the cost of the sim cards and readers is an issue for your team, ask your manager to internally bill the cost to the security team’s budget (their requirement, they can foot the bill; it might motivate them to change their political stance)

Hope that helps,

Dave.

Hi @damies13,

I haven’t read too far up but to throw another spin on an approach on top of your solid given options, AppiumLibrary could be used with a real device and could possibly be an option for requesting and then storing the code either in a suite/global variable or file for the code generated, if they aren’t willing to change their stance on MFA for automated users as a possible workaround (this could still hold a cost to a real device I guess unless an emulated device and a code can be received via email? not sure what options they give) and then, the test thereafter could continue so you’d have the device in the first instance as a point of access rather than from a browser requesting it, and then picking up the rest of the test once the code had been received via the browser, not ideal but an alternative option possibly.

All the best mate :slight_smile:

Hi Daryl,

That could be a good solution, except from my experience the authenticator apps need the sim card in the phone. If it doesn’t, then this could work out cheaper in the long term, but the new usb sim readers are cheaper than a typical second hand android/iphone mobile phone, plus several of the sms reading applications can run on the command line, making them trivial to automate with Process Library or OperatingSystem Library.

I’ll admit this was based on the costs in my local conditions, if you can pick up second hand mobile phones that are in good condition and are reliable and not network locked for under US$20 then that would be the way to go.

That was my reasoning for suggesting that route, but as always there is not a single right or wrong way, but rather many options.

Dave.

1 Like

All good Dave, thanks for the response.
Your experience definitely outweighs mine in this area, and was just an idea on top of what you listed to throw out there that sprung to mind.
All the best