Nov 11 2020 11:05 AM
Nov 11 2020 11:05 AM
Does anyone know if it is possible to trigger a "on demand" Azure AD MFA request for a user from a web app without previously using password authentication?
I am developing a web application to enable users to reset their password (not going to use the SSPR portal) and I cannot find any documentation about triggering a MFA request for a user without requering the user to first loging to Azure AD using their password.
Any guidance is much appreciated,
Thanks and best regards
Nov 16 2020 05:40 AM
@JoaquinGomez, I think you can experiment with Azure Graph APIs. It's relatively easy to get the password reset via this API and the documentation is describing this process very well (i.e., call/response). Please read all about step 5 here. As per my info, you can't force an MFA screen. The user session is being cached by a browser (if we're talking about the web app). However, you can invalidate the refresh token by calling the respective Graph API.
Nov 16 2020 01:03 PM
@Command0r thanks for your replay!
Actually, we need this page to just validate the user's MFA so we can proceed to reset the password.
In example, an user forgot her/his password, then through this app, the user would be able to provide her/his UPN and the te app would fire up a MFA request (without requiring the user to be logged in M365 or to provide a password). If the MFA request is completed then the app would proceed to reset the password with one the user will provide.
I was not able to find a way to just request a Microsoft Authenticator App validation only, do you know is there is such functionality?
Nov 17 2020 10:04 AM
@JoaquinGomez, the MFA request normally appears after you enter your password (not before), and if your password is expired or you're required to change it, you get redirected to a password change page. As per the documentation I mentioned and resources here and here, you can only force the security token to expire (invalidate it using the aforementioned Azure Graph API), so the user would have to use a second factor whenever he'll be logging in again (no matter if this is a password change or something else). This is a flow you won't be able to circumvent. You may look toward Azure B2C and the custom policies, but they only applicable in very specific scenarios. A good idea might be looking into the 'Conditional access' to make the solution more secure (instead of trying to force for an MFA, but rather as a good addition to it), which is described here. And finally, you can always ask in the Azure AD area - the guys there are aware of the preview features and that might be helpful.