Trigger/Invoke MFA request for specific user via PowerShell or other tool?

Does anyone know if there is a way to manually trigger an MFA request for a user via PowerShell or another tool? The use case is that we would like to try and use Azure MFA as a means of identity validation. This is needed because of some legacy applications or other scenarios where we simply need to verify identity, as there are no self-service options, and we would like to use Azure MFA for this as opposed to implementing a new MFA tool.

The perfect solution would use the SMS method by default and automatically send an MFA code to a user of our choosing via the script/tool, so they could read the response back to us to enter in a form to see if it is valid as proof of identity.

Does anyone know if something like this would be possible via PowerShell or another cmdlet/tool?

1 Reply
Hi @Keenana4,

I can see that nobody has reacted yet to your question. So, as far as I know, there is no possibility to trigger an MFA warning other than signing in under that user account with an MFA method configured.

Apart from that, I recommend you check if the application supports using a Service Principal instead of using Service Accounts/non-personal accounts. Using a Service Account is an enormous risk. The account can be used for interactive login (Azure portal, for example), and a Service Account uses a username and password. I would ask the application supplier whether they support Service Principals.
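To make the reply's recommendation concrete, here is an added example (not from the original thread or from Microsoft) of what "use a Service Principal instead of a Service Account" looks like in a PowerShell script using the Az module: the script authenticates with a certificate held in the local certificate store, so no username or password is embedded in it, and it verifies that the resulting session is a service principal context rather than a user context. The tenant id, application id and certificate thumbprint are placeholders you must replace with your own values; the app registration and certificate are assumed to already exist.

```powershell
# Added example (not from the original thread): authenticate a script as a
# service principal with a certificate, using the Az PowerShell module,
# instead of as a service account with a username and password.
# Placeholders (assumptions) - replace with your own tenant's values:
$TenantId   = '00000000-0000-0000-0000-000000000000'   # Azure AD tenant id
$AppId      = '11111111-1111-1111-1111-111111111111'   # app registration (client) id
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # certificate in Cert:\CurrentUser\My

# Fail early if the certificate is not installed on this host. The private key
# stays in the local certificate store; the script itself contains no secret.
$certPath = "Cert:\CurrentUser\My\$Thumbprint"
if (-not (Get-ChildItem -Path $certPath -ErrorAction SilentlyContinue)) {
    throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My"
}

# Certificate-based service principal sign-in: no password, no interactive
# prompt, and the identity cannot be used for a portal login as a user could.
Connect-AzAccount -ServicePrincipal `
    -Tenant $TenantId `
    -ApplicationId $AppId `
    -CertificateThumbprint $Thumbprint | Out-Null

# Confirm the session really is a service principal context, not a user account.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ServicePrincipal') {
    throw "Expected a ServicePrincipal context, got '$($ctx.Account.Type)'"
}
Write-Host "Connected as service principal $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"
```

The same pattern applies to Microsoft Graph PowerShell with `Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint`. Grant the app registration only the application permissions or RBAC roles the integration actually needs, and rotate the certificate on a schedule, since a service principal with broad permissions carries risk of its own.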