Sep 10 2021
11:48 AM
- last edited on
Jan 14 2022
03:25 PM
by
TechCommunityAP
Does anyone know if there is a way to manually trigger an MFA request for a user via PowerShell or another tool? The use case is that we would like to try and use Azure MFA as a means of identity validation. This is needed because of some legacy applications or other scenarios where we simply need to verify identity, as there are no self-service options, and we would like to use Azure MFA for this as opposed to implementing a new MFA tool.
The perfect solution would use the SMS method by default and automatically send an MFA code to a user of our choosing via the script/tool, so they could read the response back to us to enter in a form to see if it is valid as proof of identity.
Does anyone know if something like this would be possible via PowerShell or another cmdlet/tool?
Oct 07 2021 04:06 AM
Jun 08 2023 06:13 AM - edited Jun 08 2023 06:23 AM
Hi - This is possible in PowerShell.
In PowerShell you can make Windows authenticate a user when they connect to an AAD object. Once connected the script can get properties of the user. I've written a simple script that does this, and then sends the resulting information to the support team. Essentially all you need to do is distribute the script to your users, then when you want them to prove who they are, ask them to click on the icon and if they successfully authenticate you will get a mail with everything you need to know.
Here is a script:
# validateUser.ps1 by Chris Ayers v1.2 18/05/2023
# v1.1 - Added Office Location to list
# v1.2 - Tidy up messagebox title and remove obsolete password line
#
# Calls Azure to force a user to enter their username and password and MFA credentials. Then it sends a mail to SSC to confirm access
#
# Needs the AzureAD module (Install-Module AzureAD)
#Requires -Modules AzureAD
#
# Load framework for messages
Add-Type -AssemblyName PresentationCore,PresentationFramework
$MessageboxTitle = "User MFA Authentication for Support Desk"
#
# Main function. In a try construct to catch all errors
try {
    #
    # Login to force MFA
    $AADLogin = Connect-AzureAD
    $AADAccount = $AADLogin.Account
    #
    # Get user and manager
    $AADuser = Get-AzureADUser -Filter "userPrincipalName eq '$AADAccount'"
    $AADUserManager = Get-AzureADUserManager -ObjectId $AADuser.ObjectId
    #
    # Send a mail to the ServiceDesk - First compose the body (here-string, one field per line)
    $MailBody = @"
The following account has been user verified by MFA
UPN: $($AADuser.UserPrincipalName)
Display Name: $($AADuser.DisplayName)
Given Name: $($AADuser.GivenName)
Family Name: $($AADuser.Surname)
CompanyName: $($AADuser.CompanyName)
Manager: $($AADUserManager.DisplayName)
Job Title: $($AADuser.JobTitle)
Department: $($AADuser.Department)
Office: $($AADuser.PhysicalDeliveryOfficeName)
Telephone Number: $($AADuser.TelephoneNumber)
Mobile: $($AADuser.Mobile)
eMail: $($AADuser.Mail)
Street Address: $($AADuser.StreetAddress)
City: $($AADuser.City)
State: $($AADuser.State)
Postcode: $($AADuser.PostalCode)
Country: $($AADuser.Country)
"@
    #
    # Now send the mail
    Send-MailMessage -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -From $AADuser.Mail -To '<your service email address>' -Subject ('AAD User "' + $AADuser.DisplayName + '" Successfully Authenticated by MFA') -Body $MailBody
    #
    # Tell the user
    $UserResult = [System.Windows.MessageBox]::Show("Thank you. Your session has been authenticated.",$MessageboxTitle,0,64)
}
catch {
    #
    # Tell the user
    $UserResult = [System.Windows.MessageBox]::Show("The system could not authenticate you. Please check your username and password and retry.",$MessageboxTitle,0,16)
}
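Added example, not part of Chris's script or the thread: Connect-AzureAD only prompts for MFA when a Conditional Access or per-user policy requires it, so a successful login by itself is not proof that a second factor was used. This helper reads the Entra sign-in log through Microsoft Graph and confirms that the user's most recent successful sign-in in the last few minutes carried the multiFactorAuthentication requirement. It assumes the Microsoft.Graph.Reports module is installed and the operator account has AuditLog.Read.All consent; the function name and time window are mine.

```powershell
# Added example (not from the thread). Verifies from the sign-in log that the
# user who just authenticated actually satisfied MFA, rather than trusting the
# fact that Connect-AzureAD returned. Assumes Microsoft.Graph.Reports is
# installed and the caller (helpdesk operator) has AuditLog.Read.All consent.
#Requires -Modules Microsoft.Graph.Reports

function Test-RecentMfaSignIn {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $WithinMinutes = 10          # assumed window; sign-in log can lag a few minutes
    )
    # This prompt is for the operator running the check, not the end user.
    Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome | Out-Null

    # Graph filters want an unquoted ISO 8601 UTC timestamp for createdDateTime
    $since  = (Get-Date).ToUniversalTime().AddMinutes(-$WithinMinutes).ToString('o')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -All |
        Sort-Object CreatedDateTime -Descending

    foreach ($s in $signIns) {
        # ErrorCode 0 is a successful sign-in; anything else is a failed attempt
        if ($s.Status.ErrorCode -ne 0) { continue }
        if ($s.AuthenticationRequirement -eq 'multiFactorAuthentication') {
            return [pscustomobject]@{
                Verified = $true
                When     = $s.CreatedDateTime
                App      = $s.AppDisplayName
            }
        }
    }
    # No successful MFA sign-in inside the window: do not treat the user as verified.
    # A singleFactorAuthentication record here means policy did not demand MFA.
    return [pscustomobject]@{ Verified = $false; When = $null; App = $null }
}

# Usage after the script's Connect-AzureAD step (interpolating $AADAccount gives the UPN):
# $check = Test-RecentMfaSignIn -UserPrincipalName "$AADAccount"
# if (-not $check.Verified) { throw "Sign-in did not satisfy MFA; do not send the verification mail" }
```

If the function returns Verified = $false even though the user saw an MFA prompt, wait a minute and re-run: sign-in log entries are not written synchronously.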
Aug 30 2023 10:34 PM
Hi Chris,
Would you know if this is possible to trigger without a login from the user? Either by parsing it via an access policy or similar?
Dec 05 2023 06:53 AM
@John_Kalinski -- I stumbled across this article while looking for exactly the same thing, and it does the trick (at least for now -- do note that it is manually calling an API that isn't publicly documented, so there is the possibility that it breaks in the future if MS decides to lock down/alter that entry point)
https://www.cyberdrain.com/automating-with-powershell-sending-mfa-push-messages-to-users/
I do want to revisit it and go through to clean up some of the variable names and better lay out the flow. It all works, but some of the flow is obviously done by an old-school hacker who firmly believes (as do I, for the record) in reusing code that's already proven to perform the desired function elsewhere. But some of the names, or even the flow order, are less than ideal for someone else to come along and easily track what is happening. A side effect of the copy/paste coding (or using LLMs to fill in code skeletons, though I doubt that is what happened here) that doesn't hurt the code, but makes it so only the original author can easily troubleshoot in the future.
Dec 05 2023 08:32 AM
Apr 26 2024 08:33 AM
Just wanted to bump ImperatorRuscal's comment with that link. It helped me a heap with a particular requirement I had to trigger MFA for high-risk transactions. I found a reference to the same blog, but this blog site uses the modern URLs and PowerShell commands to create the secrets and send the API requests. Can confirm this method works for now. ImperatorRuscal is right that these APIs are not exactly public. They are used for AD FS to make Authenticator requests when a user logs in.