Forum Discussion
Trigger/Invoke MFA request for specific user via PowerShell or other tool?
I can see that nobody has reacted yet to your question. So, as far as I know, there is no possibility to trigger an MFA warning other than signing in under that user account with an MFA method configured.
Apart from that, I recommend you check if the application supports using a Service Principal instead of Service Accounts/non-personal accounts. Using a Service Account is an enormous risk: the account can be used for interactive login (the Azure portal, for example), and a Service Account uses a username and password. I would ask the application supplier whether they support Service Principals.
Hi - This is possible in PowerShell.
In PowerShell you can make Windows authenticate a user when they connect to an AAD object. Once connected, the script can get properties of the user. I've written a simple script that does this and then sends the resulting information to the support team. Essentially all you need to do is distribute the script to your users; then, when you want them to prove who they are, ask them to click on the icon, and if they successfully authenticate you will get a mail with everything you need to know.
Here is a script:
# validateUser.ps1 by Chris Ayers v1.2 18/05/2023
# v1.1 - Added Office Location to list
# v1.2 - Tidy up messagebox title and remove obsolete password line
#
# Calls Azure to force a user to enter their username and password and MFA credentials. Then it sends a mail to SSC to confirm access.
#
# Requires the AzureAD module (Install-Module AzureAD). The message boxes use WPF, so run under Windows PowerShell / .NET Framework.
#
# Load framework for messages
Add-Type -AssemblyName PresentationCore,PresentationFramework
$MessageboxTitle = "User MFA Authentication for Support Desk"
#
# Main function. In a try construct to catch all errors
try {
#
# Login to force MFA. Connect-AzureAD opens the interactive sign-in; the MFA prompt is shown when
# the tenant's policy (Conditional Access or per-user MFA) requires it for this sign-in.
$AADLogin = Connect-AzureAD
# Account is an object; its Id property holds the UPN that signed in
$AADAccount = $AADLogin.Account.Id
#
# Get user and manager
$AADuser = Get-AzureADUser -Filter "userPrincipalName eq '$AADAccount'"
$AADUserManager = Get-AzureADUserManager -ObjectId $AADUser.ObjectId
#
# Send a mail to the ServiceDesk - First compose the body
$MailBody = "The following account has been user verified by MFA
UPN: " + $AADuser.UserPrincipalName + "
Display Name: " + $AADuser.DisplayName + "
Given Name: " + $AADuser.GivenName + "
Family Name: " + $AADuser.Surname + "
CompanyName: " + $AADuser.CompanyName + "
Manager: " + $AADUserManager.DisplayName + "
Job Title: " + $AADuser.JobTitle + "
Department: " + $AADuser.Department + "
Office: " + $AADuser.PhysicalDeliveryOfficeName + "
Telephone Number: " + $AADuser.TelephoneNumber + "
Mobile: " + $AADuser.Mobile + "
eMail: " + $AADuser.Mail + "
Street Address: " + $AADuser.StreetAddress + "
City: " + $AADuser.City + "
State: " + $AADuser.State + "
Postcode: " + $AADuser.PostalCode + "
Country: " + $AADuser.Country
#
# Now send the mail. smtp-mail.outlook.com only relays for an authenticated sender, so add -Credential
# (or point -SmtpServer at an internal relay that accepts this host) before deploying.
Send-MailMessage -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -From $AADUser.Mail -To '<your service email address>' -Subject ('AAD User "' + $AADuser.DisplayName + '" Successfully Authenticated by MFA') -Body $MailBody
#
# Tell the user
$UserResult = [System.Windows.MessageBox]::Show("Thank you. Your session has been authenticated.",$MessageboxTitle,[System.Windows.MessageBoxButton]::OK,[System.Windows.MessageBoxImage]::Information)
}
catch {
#
# Tell the user. The catch covers both the sign-in and the mail step, so include the error text.
$UserResult = [System.Windows.MessageBox]::Show("The system could not authenticate you. Please check your username and password and retry.`n`nError: " + $_.Exception.Message,$MessageboxTitle,[System.Windows.MessageBoxButton]::OK,[System.Windows.MessageBoxImage]::Error)
}
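An added example, not part of Chris's post: the script above treats a successful Connect-AzureAD sign-in as proof that MFA happened, but the interactive sign-in only prompts for a second factor when tenant policy requires it. The ID token issued for the sign-in records which methods were actually used in its amr claim ("pwd" for password, "mfa" when a second factor was satisfied), so the verification can check that claim instead of assuming. The functions below decode a JWT payload and test amr, plus the expiry and tenant. The tokens they run against are constructed here (unsigned, with placeholder tenant id and UPN); obtaining a real ID token from the interactive sign-in (for example from an MSAL authentication result) is assumed and not shown. Because this only parses the payload and does not verify the signature, use it on a token your own process has just received from Microsoft Entra ID, not on a token handed to you by someone else.

```powershell
# Added example (not from the original post): decode an Entra ID / Azure AD ID token
# and confirm that its "amr" claim records an MFA step.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # The payload is base64url without padding: restore the standard alphabet and pad it.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-MfaClaim {
    param(
        [Parameter(Mandatory)][string]$IdToken,
        [string]$ExpectedTenantId,   # optional: reject tokens issued by another tenant
        [string]$ExpectedUpn         # optional: reject tokens for a different user
    )
    $claims = ConvertFrom-JwtPayload -Jwt $IdToken
    # exp is seconds since the Unix epoch; refuse missing or expired tokens
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if (-not $claims.exp -or [int64]$claims.exp -le $now) { return $false }
    if ($ExpectedTenantId -and $claims.tid -ne $ExpectedTenantId) { return $false }
    # v2 tokens carry preferred_username, v1 tokens carry upn
    $user = if ($claims.preferred_username) { $claims.preferred_username } else { $claims.upn }
    if ($ExpectedUpn -and $user -ne $ExpectedUpn) { return $false }
    # amr lists the authentication method references used for this sign-in
    return [bool]($claims.amr -contains 'mfa')
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-ConstructedToken {
    # Builds a constructed, unsigned token (empty signature part) for this example only.
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url (ConvertTo-Json -InputObject @{ alg = 'RS256'; typ = 'JWT' } -Compress)
    $payload = ConvertTo-Base64Url (ConvertTo-Json -InputObject $Claims -Compress)
    return "$header.$payload."
}

# Constructed sample claims: the tenant id and UPN are placeholders, not real values.
$tenant = '11111111-2222-3333-4444-555555555555'
$common = @{
    tid                = $tenant
    preferred_username = 'alice@contoso.example'
    exp                = [DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds()
}
$pwdOnly = New-ConstructedToken -Claims ($common + @{ amr = @('pwd') })
$withMfa = New-ConstructedToken -Claims ($common + @{ amr = @('pwd', 'mfa') })

Write-Output ('Password-only token passes the MFA check: {0}' -f (Test-MfaClaim -IdToken $pwdOnly -ExpectedTenantId $tenant -ExpectedUpn 'alice@contoso.example'))
Write-Output ('Password+MFA token passes the MFA check:  {0}' -f (Test-MfaClaim -IdToken $withMfa -ExpectedTenantId $tenant -ExpectedUpn 'alice@contoso.example'))
```

In the script above, the natural place for this check is right after the sign-in and before the mail is composed: if Test-MfaClaim returns $false for the token the sign-in produced, the support desk should not receive a "verified by MFA" message, regardless of whether the user was able to list their own directory properties.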
John_Kalinski, Aug 31, 2023 (Copper Contributor):
Hi Chris,
Would you know if this is possible to trigger without a login from the user? Either by parsing it via an access policy or similar?
ChrisAyers, Dec 05, 2023 (Brass Contributor):
John,
ImperatorRuscal (below) has a way of doing what you want. I needed to force MFA, which is why I called the API the way I did. I did see other methods of getting properties from the user if they are logged in, but I did not investigate these as (like I mentioned above) I wanted to force MFA.
ImperatorRuscal, Dec 05, 2023 (Copper Contributor):
John_Kalinski -- I stumbled across this article while looking for exactly the same thing, and it does the trick (at least for now -- do note that it is manually calling an API that isn't publicly documented, so there is the possibility that it breaks in the future if MS decides to lock down/alter that entry point)
https://www.cyberdrain.com/automating-with-powershell-sending-mfa-push-messages-to-users/
I do want to revisit it and go through to clean up some of the variable names and better lay out the flow. It all works, but some of the flow is obviously done by an old-school hacker who firmly believes (as do I, for the record) in reusing code that's already proven to perform the desired function elsewhere. But some of the names, or even the flow order, is less than ideal for someone else to come along and easily track what is happening. A side effect of the copy/paste coding (or using LLMs to fill in code skeletons, though I doubt that is what happened here) that doesn't hurt the code, but makes it so only the original author can easily troubleshoot in the future.