Question / Problem:
When attempting to configure an MS Graph mailbox connection in the KTA Designer, the following error is encountered:
<username> failed to login using MSGraph.
Answer / Solution:
First, validate that all required app permissions and configurations are in place on both the KTA and Azure side. For more information, see the KTA Administrator's Guide and search for the term MS Graph. Here is a link to all KTA documentation for reference.
If everything is configured properly, attempt to access the desired mailbox with the same user credentials in a browser session through the OWA login (e.g. outlook.office365.com/owa). Pay close attention to the login process in the browser to see whether an additional authentication step is performed, such as ADFS (Active Directory Federation Services). In the example below, you would see the following screen:
If this is the case, this authentication process is not supported by the Message Connector. The Message Connector currently uses Resource Owner Password Credentials (ROPC), which isn't supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). There is an open Enhancement Request to support this, and it will be implemented in KTA 7.9 and higher.
Enhancement Request 1523928: Support for MS Graph in Federation Security environment
The only workaround is to have your IT Systems team move the account into an Azure AD group that does not require the additional on-premises authentication step.
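
The browser check described above can also be done from the tenant side. The following is an added example, not part of the original article or of KTA: it reads a Microsoft Graph GET /v1.0/domains response (saved by a tenant administrator) and reports whether the mailbox account's domain is Federated, in which case ROPC sign-in fails, or Managed. The sample response and the contoso names are constructed placeholders.

```python
import json

# Constructed sample of a Microsoft Graph GET /v1.0/domains response,
# trimmed to the fields used here. Domain names are placeholders.
SAMPLE_DOMAINS = json.loads("""
{"value": [
  {"id": "contoso.onmicrosoft.com", "authenticationType": "Managed", "isVerified": true},
  {"id": "contoso.com", "authenticationType": "Federated", "isVerified": true}
]}
""")

MESSAGES = {
    "federated": "domain is federated; ROPC (and the Message Connector login) will fail",
    "managed": "domain is cloud-managed; federation is not the cause of the failure",
    "unknown": "domain not found in the tenant's domain list; check the UPN",
}


def upn_domain(upn):
    """Return the lower-cased domain part of a user principal name."""
    local, sep, domain = upn.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return domain.lower()


def ropc_verdict(upn, domains):
    """Classify the account's domain as 'federated', 'managed' or 'unknown'."""
    wanted = upn_domain(upn)
    for entry in domains.get("value", []):
        if entry.get("id", "").lower() == wanted:
            auth = entry.get("authenticationType", "").lower()
            return auth if auth in ("federated", "managed") else "unknown"
    return "unknown"


def explain(upn, domains):
    """One-line diagnostic suitable for a support ticket."""
    return f"{upn}: {MESSAGES[ropc_verdict(upn, domains)]}"


if __name__ == "__main__":
    # Constructed account names for illustration only.
    for account in ("scanner@contoso.com", "scanner@contoso.onmicrosoft.com"):
        print(explain(account, SAMPLE_DOMAINS))
```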