Trigger Azure AD MFA to authenticate a user and reset their password


Hello community,

 

Does anyone know if it is possible to trigger an "on demand" Azure AD MFA request for a user from a web app without previously using password authentication?

 

I am developing a web application to enable users to reset their password (not going to use the SSPR portal) and I cannot find any documentation about triggering an MFA request for a user without requiring the user to first log in to Azure AD using their password.

 

Any guidance is much appreciated,

Thanks and best regards

3 Replies

@JoaquinGomez, I think you can experiment with Azure Graph APIs. It's relatively easy to get the password reset via this API and the documentation is describing this process very well (i.e., call/response). Please read all about step 5 here. As per my info, you can't force an MFA screen. The user session is being cached by a browser (if we're talking about the web app). However, you can invalidate the refresh token by calling the respective Graph API.

@Command0r thanks for your reply!


Actually, we need this page to just validate the user's MFA so we can proceed to reset the password.

 

For example, a user forgot her/his password; then, through this app, the user would be able to provide her/his UPN and the app would fire up an MFA request (without requiring the user to be logged in to M365 or to provide a password). If the MFA request is completed, then the app would proceed to reset the password with the one the user provides.

 

I was not able to find a way to just request a Microsoft Authenticator App validation only. Do you know if there is such functionality?

@JoaquinGomez, the MFA request normally appears after you enter your password (not before), and if your password is expired or you're required to change it, you get redirected to a password change page. As per the documentation I mentioned and resources here and here, you can only force the security token to expire (invalidate it using the aforementioned Azure Graph API), so the user would have to use a second factor whenever he logs in again (no matter if this is a password change or something else). This is a flow you won't be able to circumvent. You may look toward Azure B2C and the custom policies, but they are only applicable in very specific scenarios. A good idea might be looking into 'Conditional access' to make the solution more secure (instead of trying to force an MFA, but rather as a good addition to it), which is described here. And finally, you can always ask in the Azure AD area - the guys there are aware of the preview features and that might be helpful.
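The two Graph calls the replies point at, as an added example (not code from this thread, Microsoft, or the poster's app): revoking the user's sign-in sessions so the next sign-in must satisfy MFA, and the admin-side password reset from step 5 of the linked authentication methods article. The HTTP sender is injected so the flow can be exercised offline with a fake; the password-method id is the documented well-known constant for the password method, and the 202/Location polling mirrors how Graph reports that long-running reset (both assumptions to verify against the current docs).

```python
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known id of the built-in password authentication method (assumed from Graph docs).
PASSWORD_METHOD_ID = "28c10230-6103-485e-b985-444c416c4e3a"


def urllib_send(method, url, token, body=None):
    """Real transport: returns (status, headers, body_text). Token is an app-only Graph token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), resp.read().decode()


def revoke_sign_in_sessions(send, token, upn):
    """Invalidate the user's refresh tokens; their next sign-in goes through MFA again."""
    url = f"{GRAPH}/users/{quote(upn, safe='')}/revokeSignInSessions"
    status, _, body = send("POST", url, token)
    # v1.0 answers 200 with {"value": true} when the revocation was applied.
    return status == 200 and json.loads(body).get("value") is True


def reset_password(send, token, upn, new_password, max_polls=10):
    """Reset the password through the authentication methods API and wait for completion."""
    url = (f"{GRAPH}/users/{quote(upn, safe='')}/authentication/methods/"
           f"{PASSWORD_METHOD_ID}/resetPassword")
    status, headers, _ = send("POST", url, token, {"newPassword": new_password})
    if status != 202:
        return False
    # Long-running operation: poll the Location header until it reports a terminal state.
    for _ in range(max_polls):
        status, _, body = send("GET", headers["Location"], token)
        if status == 200 and json.loads(body).get("status") == "succeeded":
            return True
    return False


if __name__ == "__main__":  # constructed placeholders; real values come from your tenant
    token, upn = "<app-only-graph-token>", "user@contoso.example"
    if revoke_sign_in_sessions(urllib_send, token, upn):
        print("sessions revoked:", reset_password(urllib_send, token, upn, "<new-password>"))
```

Because the reset runs under application permissions that can change any user's password, the check that gates who reaches this code path in your app is the real control; as the replies explain, Azure AD will not raise an MFA prompt on the app's behalf before the reset.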