Trigger/Invoke MFA request for specific user via PowerShell or other tool?

Copper Contributor


Does anyone know if there is a way to manually trigger an MFA request for a user via PowerShell or another tool? The use case is that we would like to try and use Azure MFA as a means of identity validation, this is needed because of some legacy applications or other scenarios where we simply need to verify identity as there is no self-service options and would like to use Azure MFA for this as opposed to implementing a new MFA tool.


The perfect solution would use the sms method by default and automatically send an MFA code to a user of our choosing via the script/tool so they could read the response back to us to enter in a form to see if valid as proof of identity. 


Does anyone know if something like this would be possible via PowerShell or another cmdlet/tool?

6 Replies
Hi @Keenana4,

I can see that nobody has reacted yet to your question. So, as far as I know, there is no possibility to trigger an MFA warning other than signing in under that user account with an MFA method configured.

Apart from that, I recommend you check if the application supports using Service Principal instead of using Service Accounts/Non-personal accounts. Using a Service Account is an enormous risk. The account can be used for interactive login (Azure portal, for example), and a Service Account uses a username and password. I would inform the application supplier if they support Service Principals.



Hi - This is possible in PowerShell.

In PowerShell you can make Windows authenticate a user when they connect to an AAD object. Once connected the script can get properties of the user. I've written a  simple script that does this, and then sends the resulting information to the support team. Essentially all you need to do is distribute the script to your users, then when you want them to prove who they are, ask them to click on the icon and if they successfully authenticate you will get a mail with everything you need to know. 

Here is a script:

# validateUser.ps1 by Chris Ayers v1.2 18/05/2023
# v1.1 - Added Office Location to list
# v1.2 - Tidy up messagebox title and remove obsolete password line
# Calls Azure to force a user to enter their username and password and MFA credentials. Then it send a mail to SSC to confirm access
# Load framework for messages
Add-Type -AssemblyName PresentationCore,PresentationFramework
$MessageboxTitle = "User MFA Authentication for Support Desk"
# Main function. In a try construct to catch all errors
try {
# Login to force MFA
$AADLogin = Connect-AzureAD
$AADAccount = $AADLogin.Account
# Get user and manager
$AADuser = Get-AzureADUser -Filter "userPrincipalName eq '$AADAccount'"
$AADUserManager = Get-AzureADUserManager -ObjectId $AADUser.ObjectId

# Send a mail to the ServiceDesk - First compose the body
$MailBody = "The following account has been user verified by MFA
UPN: " + $AADuser.UserPrincipalName + "
Display Name: " + $AADuser.DisplayName + "
Given Name: " + $AADuser.GivenName + "
Family Name: " + $AADuser.Surname + "
CompanyName: " + $AADuser.CompanyName + "
Manager: " + $AADUserManager.DisplayName + "
Job Title: " + $AADuser.JobTitle + "
Department: " + $AADuser.Department + "
Office: " + $AADuser.PhysicalDeliveryOfficeName + "
Telephone Number: " + $AADuser.TelephoneNumber + "
Mobile: " + $AADuser.Mobile + "
eMail: " + $AADuser.Mail + "
Street Address: " + $AADuser.StreetAddress + "
City: " + $AADuser.City + "
State: " + $AADuser.State + "
Postcode: " + $AADuser.PostalCode + "
Country: " + $AADuser.Country
# Now send the mail
Send-Mailmessage -smtpServer -Port 587 -UseSsl -from $AADUser.Mail -to '<your service email address>' -subject ('AAD User "' + $AADuser.DisplayName + '" Successfully Authienticated by MFA') -body $MailBody
# Tell the user
$UserResult = [System.Windows.MessageBox]::Show("Thankyou. Your session has been authienticated.",$MessageboxTitle,0,64)
catch {
# Tell the user
$UserResult = [System.Windows.MessageBox]::Show("The system could not authienticate you. Please check your username and password and retry.",$MessageboxTitle,0,16)


Hi Chris,

Would you know if this is possible to trigger without a login from the user? Either by parsing it via an access policy or similar?

@John_Kalinski  --  I stumbled across this article while looking for exactly the same thing, and it does the trick (at least for now -- do note that it is manually calling an API that isn't publicly documented, so there is the possibility that it breaks in the future if MS decides to lock down/alter that entry point)


I do want to revisit it and go through to clean up some of the variable names and better lay out the flow.  It all works, but some of the flow is obviously done by an old-school hacker who firmly believes (as do I, for the record) in reusing code that's already proven to perform the desired function elsewhere.  But some of the names, or even the flow order, is less than ideal for someone else to come along and easily track what is happening.  A side effect of the copy/paste coding (or using LLMs to fill in code skeletons, though I doubt that is what happened here) that doesn't hurt the code, but makes it so only the original author can easily troubleshoot in the future.


ImperatorRuscal (below) has a way of doing what you want - I needed to force MFA which is why I called the API the way I did. I did see other methods of getting properties from the user if they are logged in, but I did not investigate these as (like I mentioned above) I wanted the force MFA.



Just wanted to bump ImperatorRuscal's comment with that link. It helped me a heap with a particular requirement I had to trigger MFA for high risk transactions. I found a reference to the same blog but this blog site  which uses the modern URLs and PowerShell commands to create the secrets and send the APIs requests. Can confirm this method works for now. ImperatorRuscal is right that these APIs are not exactly public. They are used for AD FS to make Authenticator requests when a user logs in.