Forum Discussion

JoaquinGomez
Copper Contributor
Nov 11, 2020

Trigger Azure AD MFA to authenticate a user and reset their password

Hello community,

Does anyone know if it is possible to trigger an "on demand" Azure AD MFA request for a user from a web app without previously using password authentication?

I am developing a web application to enable users to reset their password (not going to use the SSPR portal) and I cannot find any documentation about triggering an MFA request for a user without requiring the user to first log in to Azure AD using their password.

Any guidance is much appreciated,

Thanks and best regards

  • Command0r
    Iron Contributor

    JoaquinGomez, I think you can experiment with the Azure Graph APIs. It's relatively easy to get the password reset via this API, and the documentation describes this process very well (i.e., call/response). Please read all about step 5 here. As per my info, you can't force an MFA screen. The user session is being cached by the browser (if we're talking about a web app). However, you can invalidate the refresh token by calling the respective Graph API.

    • JoaquinGomez
      Copper Contributor

      Command0r, thanks for your reply!

      Actually, we need this page to just validate the user's MFA so we can proceed to reset the password.

      For example, a user forgot her/his password; then, through this app, the user would be able to provide her/his UPN and the app would fire up an MFA request (without requiring the user to be logged in to M365 or to provide a password). If the MFA request is completed, then the app would proceed to reset the password with one that the user will provide.

      I was not able to find a way to just request a Microsoft Authenticator App validation only. Do you know if there is such functionality?

      • Command0r
        Iron Contributor

        JoaquinGomez, the MFA request normally appears after you enter your password (not before), and if your password is expired or you're required to change it, you get redirected to a password change page. As per the documentation I mentioned and the resources here and here, you can only force the security token to expire (invalidate it using the aforementioned Azure Graph API), so the user would have to use a second factor whenever they log in again (no matter if this is a password change or something else). This is a flow you won't be able to circumvent. You may look toward Azure B2C and the custom policies, but they are only applicable in very specific scenarios. A good idea might be looking into Conditional Access to make the solution more secure (instead of trying to force an MFA, but rather as a good addition to it), which is described here. And finally, you can always ask in the Azure AD area - the guys there are aware of the preview features, and that might be helpful.
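        The two Graph calls that both replies above point at (reset the password, then invalidate the user's existing refresh tokens so the next sign-in has to go through the tenant's MFA policy) as an added worked example. This is not code from the thread or from Microsoft; it assumes that "Azure Graph API" means Microsoft Graph v1.0 (`PATCH /users/{id}` with a `passwordProfile`, and `POST /users/{id}/revokeSignInSessions`), that an access token with the required delegated permission has already been obtained out of band (shown here as a placeholder string), and it injects the HTTP transport so the logic can be exercised offline against a constructed fake. The user id `u-123` and the responses in the fake transport are constructed sample data.

```python
"""Added example: reset a user's password via Microsoft Graph, then revoke the
user's sign-in sessions so cached refresh tokens and browser sessions cannot be
reused. Assumes Microsoft Graph v1.0 endpoints and an out-of-band token."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# A transport takes (method, url, headers, body) and returns (status, body_bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class GraphClient:
    def __init__(self, access_token: str, transport: Transport = urllib_transport):
        self._token = access_token      # placeholder in the demo; never hard-code real tokens
        self._send = transport

    def _request(self, method: str, path: str, payload: Optional[dict] = None):
        headers = {"Authorization": f"Bearer {self._token}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self._send(method, f"{GRAPH}{path}", headers, body)
        data = json.loads(raw) if raw else {}
        if status >= 400:
            msg = data.get("error", {}).get("message", "")
            raise RuntimeError(f"{method} {path} failed: {status} {msg}")
        return status, data

    def reset_password(self, user_id: str, new_password: str) -> bool:
        """PATCH /users/{id} with a passwordProfile; Graph answers 204 No Content.
        Requires a delegated token held by a suitably privileged administrator."""
        status, _ = self._request("PATCH", f"/users/{user_id}", {
            "passwordProfile": {"password": new_password,
                                "forceChangePasswordNextSignIn": False}})
        return status == 204

    def revoke_sign_in_sessions(self, user_id: str) -> bool:
        """POST /users/{id}/revokeSignInSessions invalidates refresh tokens and
        session cookies; the user must authenticate again, with MFA if policy
        requires it. Graph answers 200 with {"value": true}."""
        status, data = self._request("POST", f"/users/{user_id}/revokeSignInSessions")
        return status == 200 and data.get("value") is True


def reset_and_revoke(client: GraphClient, user_id: str, new_password: str) -> bool:
    """The defender's ordering: change the secret first, then cut off every
    session that was established under the old one."""
    return client.reset_password(user_id, new_password) and \
        client.revoke_sign_in_sessions(user_id)


def make_fake_transport(log: List[Tuple[str, str, Optional[bytes]]]) -> Transport:
    """Constructed offline stand-in for Graph, recording each call into `log`."""
    def fake(method, url, headers, body):
        log.append((method, url, body))
        if method == "PATCH" and url.endswith("/users/u-123"):
            return 204, b""
        if method == "POST" and url.endswith("/users/u-123/revokeSignInSessions"):
            return 200, b'{"value": true}'
        return 404, b'{"error": {"message": "Resource not found"}}'
    return fake


if __name__ == "__main__":
    calls: List[Tuple[str, str, Optional[bytes]]] = []
    demo = GraphClient("PLACEHOLDER_ACCESS_TOKEN", make_fake_transport(calls))
    print(reset_and_revoke(demo, "u-123", "Example-Passw0rd!"))   # True against the fake
    for method, url, _ in calls:
        print(method, url)
```

        To run it against a real tenant, construct `GraphClient` with the default transport and a token from your auth library of choice; the revoke step is what the replies describe as "invalidating the refresh token", and it is the part worth keeping even if the password reset itself is done elsewhere.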
