Trigger/Invoke MFA request for specific user via PowerShell or other tool?


Does anyone know if there is a way to manually trigger an MFA request for a user via PowerShell or another tool? The use case is that we would like to use Azure MFA as a means of identity validation. This is needed because of some legacy applications and other scenarios where we simply need to verify identity, as there are no self-service options, and we would like to use Azure MFA for this rather than implementing a new MFA tool.

 

The perfect solution would use the SMS method by default and automatically send an MFA code to a user of our choosing via the script/tool, so they could read the code back to us to enter in a form and see if it is valid as proof of identity.

 

Does anyone know if something like this would be possible via PowerShell or another cmdlet/tool?

5 Replies
Hi @Keenana4,

I can see that nobody has reacted yet to your question. So, as far as I know, there is no possibility to trigger an MFA warning other than signing in under that user account with an MFA method configured.

Apart from that, I recommend you check whether the application supports using a Service Principal instead of Service Accounts/non-personal accounts. Using a Service Account is an enormous risk: the account can be used for interactive login (the Azure portal, for example), and a Service Account uses a username and password. I would ask the application supplier whether they support Service Principals.

@BilalelHadd 

 

Hi - This is possible in PowerShell.

In PowerShell you can make Windows authenticate a user when they connect to an AAD object. Once connected, the script can get properties of the user. I've written a simple script that does this and then sends the resulting information to the support team. Essentially all you need to do is distribute the script to your users; then, when you want them to prove who they are, ask them to click on the icon, and if they successfully authenticate you will get a mail with everything you need to know.

Here is a script:

# validateUser.ps1 by Chris Ayers v1.2 18/05/2023
# v1.1 - Added Office Location to list
# v1.2 - Tidy up messagebox title and remove obsolete password line
#
# Calls Azure to force a user to enter their username and password and MFA credentials. Then it sends a mail to SSC to confirm access
#
# Note: the AzureAD module used below has since been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK;
# the cmdlets are kept as in the original post.
#
# Load framework for messages
Add-Type -AssemblyName PresentationCore,PresentationFramework
$MessageboxTitle = "User MFA Authentication for Support Desk"
#
# Main function. In a try construct to catch all errors
try {
    #
    # Login to force MFA. Connect-AzureAD opens an interactive sign-in; whether an MFA prompt appears depends on the
    # tenant's per-user MFA / Conditional Access policy for that user. The returned connection object carries the
    # signed-in account, whose Id is the user principal name.
    $AADLogin = Connect-AzureAD
    $AADAccount = $AADLogin.Account.Id
    #
    # Get user and manager
    $AADuser = Get-AzureADUser -Filter "userPrincipalName eq '$AADAccount'"
    $AADUserManager = Get-AzureADUserManager -ObjectId $AADUser.ObjectId
    #
    # Send a mail to the ServiceDesk - First compose the body (here-string; $() expands each property inline)
    $MailBody = @"
The following account has been user verified by MFA
UPN: $($AADuser.UserPrincipalName)
Display Name: $($AADuser.DisplayName)
Given Name: $($AADuser.GivenName)
Family Name: $($AADuser.Surname)
CompanyName: $($AADuser.CompanyName)
Manager: $($AADUserManager.DisplayName)
Job Title: $($AADuser.JobTitle)
Department: $($AADuser.Department)
Office: $($AADuser.PhysicalDeliveryOfficeName)
Telephone Number: $($AADuser.TelephoneNumber)
Mobile: $($AADuser.Mobile)
eMail: $($AADuser.Mail)
Street Address: $($AADuser.StreetAddress)
City: $($AADuser.City)
State: $($AADuser.State)
Postcode: $($AADuser.PostalCode)
Country: $($AADuser.Country)
"@
    #
    # Now send the mail. smtp-mail.outlook.com only relays for an authenticated sender, so add -Credential if your
    # relay requires it; the -From address must be one the authenticated account is allowed to send as.
    Send-MailMessage -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -From $AADUser.Mail -To '<your service email address>' -Subject ('AAD User "' + $AADuser.DisplayName + '" Successfully Authenticated by MFA') -Body $MailBody
    #
    # Tell the user (0 = OK button, 64 = Information icon)
    $UserResult = [System.Windows.MessageBox]::Show("Thank you. Your session has been authenticated.",$MessageboxTitle,0,64)
}
catch {
    #
    # Tell the user (0 = OK button, 16 = Error icon)
    $UserResult = [System.Windows.MessageBox]::Show("The system could not authenticate you. Please check your username and password and retry.",$MessageboxTitle,0,16)
}


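The same "make the user sign in interactively, then report back to the service desk" approach, as an added example that is not part of the thread or of Chris's script, written against the Microsoft Graph PowerShell SDK that has replaced the AzureAD module. Two caveats a practitioner should keep in mind: neither Connect-AzureAD nor Connect-MgGraph forces MFA by itself; the prompt only appears when the tenant's per-user MFA or Conditional Access policy requires it for that sign-in, so the policy is what makes the sign-in a proof of identity. Second, an SMTP message is something anyone can submit, so this version sends the report through Graph from the signed-in user's own mailbox (delegated Mail.Send), includes a challenge code the service desk agent reads out during the call so the message can be matched to a live ticket, and reports only the profile fields needed to match, not the caller's address and phone numbers. The helpdesk mailbox address, the challenge-code parameter and the chosen profile fields are assumptions; an installed Microsoft.Graph module (Install-Module Microsoft.Graph) is assumed as well.

```powershell
# verifyIdentity.ps1 - added example, not the script from the thread.
# Assumes: Microsoft.Graph PowerShell SDK installed; tenant policy requires MFA for interactive sign-in;
# the service desk mailbox address below is a placeholder.
param(
    [Parameter(Mandatory)] [string] $ChallengeCode,             # read out by the service desk agent on the call
    [string] $HelpdeskMailbox = 'servicedesk@example.com'       # assumed address, replace with your own
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# Interactive delegated sign-in. User.Read covers reading the caller's own profile; Mail.Send lets the
# script send from the caller's own mailbox, so the service desk receives a message that really came
# from that mailbox (and sits in the user's Sent Items) rather than an SMTP submission anyone could forge.
Connect-MgGraph -Scopes 'User.Read', 'Mail.Send' -NoWelcome | Out-Null

$ctx = Get-MgContext
if (-not $ctx -or -not $ctx.Account) { throw 'Sign-in did not complete; no verification sent.' }

# Only the fields the service desk needs to match the caller against the ticket.
$me = Get-MgUser -UserId $ctx.Account -Property @('id', 'userPrincipalName', 'displayName', 'jobTitle', 'department')

# Manager comes back as a generic directoryObject; its displayName sits in AdditionalProperties.
$manager = Get-MgUserManager -UserId $me.Id -ErrorAction SilentlyContinue
$managerName = if ($manager) { $manager.AdditionalProperties['displayName'] } else { '(none)' }

$body = @"
Identity verification result
Challenge code: $ChallengeCode
UPN: $($me.UserPrincipalName)
Display name: $($me.DisplayName)
Job title: $($me.JobTitle)
Department: $($me.Department)
Manager: $managerName
Signed in at (UTC): $((Get-Date).ToUniversalTime().ToString('u'))
"@

$mail = @{
    Message = @{
        Subject      = "Helpdesk verification $ChallengeCode for $($me.UserPrincipalName)"
        Body         = @{ ContentType = 'Text'; Content = $body }
        ToRecipients = @(@{ EmailAddress = @{ Address = $HelpdeskMailbox } })
    }
    SaveToSentItems = $true    # copy in the user's Sent Items doubles as an audit trail
}

# Sends as the signed-in user. If the delegated token lacks Mail.Send (e.g. admin consent withheld),
# this throws and nothing is sent, which is the right failure mode for a verification step.
Send-MgUserMail -UserId $me.Id -BodyParameter $mail
Disconnect-MgGraph | Out-Null
Write-Host "Verification message for challenge $ChallengeCode sent to $HelpdeskMailbox."
```

Usage: the agent generates a short random code, reads it to the caller, and the caller runs `.\verifyIdentity.ps1 -ChallengeCode <code>`; the agent then checks that a message with that code arrived from the expected mailbox. Because the code is chosen per call, an old verification message cannot be replayed for a later request.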
 

Hi Chris,

Would you know if this is possible to trigger without a login from the user? Either by parsing it via an access policy or similar?

@John_Kalinski  --  I stumbled across this article while looking for exactly the same thing, and it does the trick (at least for now -- do note that it is manually calling an API that isn't publicly documented, so there is the possibility that it breaks in the future if MS decides to lock down/alter that entry point)

 

https://www.cyberdrain.com/automating-with-powershell-sending-mfa-push-messages-to-users/

 

I do want to revisit it and go through to clean up some of the variable names and better lay out the flow.  It all works, but some of the flow is obviously done by an old-school hacker who firmly believes (as do I, for the record) in reusing code that's already proven to perform the desired function elsewhere.  But some of the names, or even the flow order, is less than ideal for someone else to come along and easily track what is happening.  A side effect of the copy/paste coding (or using LLMs to fill in code skeletons, though I doubt that is what happened here) that doesn't hurt the code, but makes it so only the original author can easily troubleshoot in the future.

John,

ImperatorRuscal (below) has a way of doing what you want - I needed to force MFA which is why I called the API the way I did. I did see other methods of getting properties from the user if they are logged in, but I did not investigate these as (like I mentioned above) I wanted the force MFA.