Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

MS Authenticator Programming

Brass Contributor
Anyone know how to use MS Authenticator Code in a programmatic way to authenticate users.  Here is the scenario:
  1. User calls helpdesk on resetting password (we do have SSPR, but there are some who still call JamesRV_0-1626381110252.png)
  2. Agent asks the user to read the code from their authenticator app
  3. Agent types it on a custom screen or any available screen from AAD
  4. Once validated we provide temporary passcode
3 Replies
TOTP works based on shared secrets, so unless you have these shared secrets, you will not be able to validate the user at all. They cannot be programmatically retrieved either.

If there is no other way to "authenticate" a user based on personal or company information, you might consider setting up a system where the user selects a short "code word or phrase" which is stored securely. Only if the user can provide this specific code word or phrase, you will be able to determine if the user is who the user claims to be. As a 2nd option, perhaps this can be completed based on a second MFA code using SMS and a registered phonenumber.
These are our AAD users so we do know them I am trying to stay away from Knowledge based verification and use the security code displayed on Authenticator app as the additional factor before we can reset user password.

@JamesRV Did you find an answer to your request yet? I'm facing exactly the same demand at the moment and am looking for a way how to deal with an authentication method for our users agains the helpdesk.