Trigger/Invoke MFA request for specific user via PowerShell or other tool?

Question

&nbsp;Does anyone know if there is a way to manually trigger an MFA request for a user via PowerShell or another tool? The use case is that we would like to try and use Azure MFA as a means of identity validation, this is needed because of some legacy applications or other scenarios where we simply need to verify identity as there is no self-service options and would like to use Azure MFA for this as opposed to implementing a new MFA tool.&nbsp;The perfect solution would use the sms method by default and automatically send an MFA code to a user of our choosing via the script/tool so they could read the response back to us to enter in a form to see if valid as proof of identity.&nbsp;&nbsp;Does anyone know if something like this would be possible via PowerShell or another cmdlet/tool?

bilalelhadd · Answer

Hi Keenana4,I can see that nobody has reacted yet to your question. So, as far as I know, there is no possibility to trigger an MFA warning other than signing in under that user account with an MFA method configured.Apart from that, I recommend you check if the application supports using Service Principal instead of using Service Accounts/Non-personal accounts. Using a Service Account is an enormous risk. The account can be used for interactive login (Azure portal, for example), and a Service Account uses a username and password. I would inform the application supplier if they support Service Principals.

chrisayers · Answer

BilalelHadd&nbsp;&nbsp;Hi - This is possible in PowerShell.In PowerShell you can make Windows authenticate a user when they connect to an AAD object. Once connected the script can get properties of the user. I've written a&nbsp; simple script that does this, and then sends the resulting information to the support team. Essentially all you need to do is distribute the script to your users, then when you want them to prove who they are, ask them to click on the icon and if they successfully authenticate you will get a mail with everything you need to know.&nbsp;Here is a script:# validateUser.ps1 by Chris Ayers v1.2 18/05/2023# v1.1 - Added Office Location to list# v1.2 - Tidy up messagebox title and remove obsolete password line## Calls Azure to force a user to enter their username and password and MFA credentials. Then it send a mail to SSC to confirm access## Load framework for messagesAdd-Type -AssemblyName PresentationCore,PresentationFramework$MessageboxTitle = "User MFA Authentication for Support Desk"## Main function. In a try construct to catch all errorstry {# # Login to force MFA$AADLogin = Connect-AzureAD$AADAccount = $AADLogin.Account## Get user and manager $AADuser = Get-AzureADUser -Filter "userPrincipalName eq '$AADAccount'"$AADUserManager = Get-AzureADUserManager -ObjectId $AADUser.ObjectId## Send a mail to the ServiceDesk - First compose the body $MailBody = "The following account has been user verified by MFA   UPN: " + $AADuser.UserPrincipalName + "   Display Name: " + $AADuser.DisplayName + "   Given Name: " + $AADuser.GivenName + "   Family Name: " + $AADuser.Surname + "   CompanyName: " + $AADuser.CompanyName + "   Manager: " + $AADUserManager.DisplayName + "   Job Title: " + $AADuser.JobTitle + "   Department: " + $AADuser.Department + "   Office: " + $AADuser.PhysicalDeliveryOfficeName + "   Telephone Number: " + $AADuser.TelephoneNumber + "   Mobile: " + $AADuser.Mobile + "   eMail: " + $AADuser.Mail + "   Street Address: " + $AADuser.StreetAddress + "   City: " + $AADuser.City + "   State: " + $AADuser.State + "   Postcode: " + $AADuser.PostalCode + "   Country: " + $AADuser.Country ## Now send the mail Send-Mailmessage -smtpServer smtp-mail.outlook.com -Port 587 -UseSsl -from $AADUser.Mail -to '&lt;your service email address&gt;' -subject ('AAD User "' + $AADuser.DisplayName + '" Successfully Authienticated by MFA') -body $MailBody ## Tell the user$UserResult = [System.Windows.MessageBox]::Show("Thankyou. Your session has been authienticated.",$MessageboxTitle,0,64)}catch {## Tell the user$UserResult = [System.Windows.MessageBox]::Show("The system could not authienticate you. Please check your username and password and retry.",$MessageboxTitle,0,16)}&nbsp;

john_kalinski · Answer

Hi Chris,Would you know if this is possible to trigger without a login from the user? Either by parsing it via an access policy or similar?

imperatorruscal · Answer

John_Kalinski&nbsp; --&nbsp; I stumbled across this article while looking for exactly the same thing, and it does the trick (at least for now -- do note that it is manually calling an API that isn't publicly documented, so there is the possibility that it breaks in the future if MS decides to lock down/alter that entry point)&nbsp;https://www.cyberdrain.com/automating-with-powershell-sending-mfa-push-messages-to-users/&nbsp;I do want to revisit it and go through to clean up some of the variable names and better lay out the flow.&nbsp; It all works, but some of the flow is obviously done by an old-school hacker who firmly believes (as do I, for the record) in reusing code that's already proven to perform the desired function elsewhere.&nbsp; But some of the names, or even the flow order, is less than ideal for someone else to come along and easily track what is happening.&nbsp; A side effect of the copy/paste coding (or using LLMs to fill in code skeletons, though I doubt that is what happened here) that doesn't hurt the code, but makes it so only the original author can easily troubleshoot in the future.

chrisayers · Answer

John,ImperatorRuscal (below) has a way of doing what you want - I needed to force MFA which is why I called the API the way I did. I did see other methods of getting properties from the user if they are logged in, but I did not investigate these as (like I mentioned above) I wanted the force MFA.

Forum Discussion

Trigger/Invoke MFA request for specific user via PowerShell or other tool?

6 Replies

Resources