Azure MFA Enforcement Via API

Devendra singh Khurana 26 Reputation points
2023-11-23T09:40:13.11+00:00

Our organization utilizes its Active Directory and seeks to implement Azure to enforce Multi-Factor Authentication (MFA) for users. We specifically aim to offer email and an authenticator app as MFA options while leveraging the capabilities within the free tier subscription.

To achieve this, we followed a series of steps:

  1. Created an application within Azure and assigned user creation permissions.
  2. Utilized the client credentials flow via Azure API to generate an access token.
  3. Employed the Azure API to create an external user.
  4. Currently, our objective is to enable MFA for users through the Azure API.
  5. Upon a user's login to our Active Directory, we intend to present a page enabling MFA.
  6. In cases where a user hasn't registered for MFA, our plan is to retrieve a QR code via the Azure API and display it on our page.
  7. Additionally, we aim to verify the authentication code using the Azure API.

A few more queries:

  1. Is it possible to use email as an MFA method?
  2. If we offer the authenticator app as the MFA method, how many users can be created for free?

1 answer

  1. Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator
    2023-11-23T15:29:12.99+00:00

    Hi @Devendra singh Khurana

    Thank you for posting your query on Microsoft QnA!

    Regarding your queries:

    5 - You mention "upon login to Active Directory" here; are you referring to Azure AD or your on-prem AD? Azure MFA is only supported for Azure AD cloud applications, unless you have an on-prem application which is integrated with a RADIUS server, which also requires a P1 license - https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension

    6 - It is not possible to use Azure AD MFA with your own web page; the users must register their method on the Microsoft registration page. The only alternative to this is when using SMS or Phone: you can pre-populate the phone number with Graph API, and this would only be available with P1 or P2 licenses - https://learn.microsoft.com/en-us/graph/api/authentication-post-phonemethods?view=graph-rest-beta&tabs=http

    Email is not allowed as a method to perform MFA as it is deemed insecure; we have a list of available methods here - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks#available-verification-methods

    With Azure AD Free and Security Defaults, you can have unlimited users using the Authenticator app, but if you do not have a verified domain, you are restricted to 50,000 objects/users.

    Let me know if you have any further queries and I would be happy to help!

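The following is an added example, not code from the question or the answer above. It shows the three Graph calls the thread actually covers: the client-credentials token request from step 2, the guest-user invitation (`POST /invitations`) from step 3, and the one pre-registration the answer allows, pre-populating an SMS/voice phone method via `POST /users/{id}/authentication/phoneMethods` (P1/P2 and the `UserAuthenticationMethod.ReadWrite.All` application permission are needed). It does not, and cannot, push an Authenticator QR code to a custom page or verify a TOTP code; as the answer says, that registration happens only on Microsoft's own pages. The tenant ID, client ID and secret, the invitee address `guest@example.com`, the phone number `+1 2065550100` and the strictness of `PHONE_RE` (derived from the `+{country code} {number}x{extension}` format Graph documents) are all assumptions for illustration. The requests are built as plain tuples so they can be inspected without a tenant; only `main()` touches the network.

```python
"""Added example, not code from the question or the answer: the Graph calls the
thread touches (client-credentials token, guest invitation, pre-populated phone
method), built as request tuples that can be inspected offline. Tenant ID,
client ID/secret, the invitee address and the phone number are placeholders."""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
# Graph documents phone numbers as "+{country code} {number}x{extension}";
# the digit counts below are an assumption, not a Graph rule.
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}(?:x\d{1,10})?$")
PHONE_TYPES = {"mobile", "alternateMobile", "office"}


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant (step 2): the app authenticates as itself, so
    the token carries application permissions only, never a user's MFA claim."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # app-only Graph scope
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant_id), headers, body


def graph_headers(token):
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/json"}


def build_invitation_request(token, invited_email, redirect_url):
    """POST /invitations creates the external (guest) user from step 3.
    Needs the User.Invite.All application permission."""
    body = {"invitedUserEmailAddress": invited_email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": False}
    return f"{GRAPH}/invitations", graph_headers(token), json.dumps(body)


def build_phone_method_request(token, user_id, phone_number, phone_type="mobile"):
    """POST /users/{id}/authentication/phoneMethods pre-registers an SMS/voice
    method (the only pre-population the answer names; P1/P2 and
    UserAuthenticationMethod.ReadWrite.All are required). Malformed input is
    rejected locally instead of spending a call on a 400."""
    if not PHONE_RE.match(phone_number):
        raise ValueError(f"phone number must look like '+1 2065550100': {phone_number!r}")
    if phone_type not in PHONE_TYPES:
        raise ValueError(f"phoneType must be one of {sorted(PHONE_TYPES)}")
    body = {"phoneNumber": phone_number, "phoneType": phone_type}
    url = f"{GRAPH}/users/{urllib.parse.quote(user_id)}/authentication/phoneMethods"
    return url, graph_headers(token), json.dumps(body)


def send(url, headers, data):
    """Perform one POST; returns (status, parsed JSON). Both the token endpoint
    and Graph return JSON error bodies, so decode those as well."""
    req = urllib.request.Request(url, data=data.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def error_code(status, payload):
    """Normalise the two error shapes: OAuth {'error': 'invalid_client'} and
    Graph {'error': {'code': 'Authorization_RequestDenied'}}. None on success."""
    if 200 <= status < 300:
        return None
    err = payload.get("error")
    if isinstance(err, dict):
        return err.get("code", "unknown")
    return err or "unknown"


def main():
    # Placeholder values; export real ones in the environment before running.
    tenant = os.environ.get("TENANT_ID", "00000000-0000-0000-0000-000000000000")
    client_id = os.environ.get("CLIENT_ID", "11111111-1111-1111-1111-111111111111")
    secret = os.environ.get("CLIENT_SECRET", "placeholder-secret")
    status, tok = send(*build_token_request(tenant, client_id, secret))
    if error_code(status, tok):
        raise SystemExit(f"token request failed: {error_code(status, tok)}")
    status, inv = send(*build_invitation_request(
        tok["access_token"], "guest@example.com", "https://myapps.microsoft.com"))
    if error_code(status, inv):
        raise SystemExit(f"invitation failed: {error_code(status, inv)}")
    guest_id = inv["invitedUser"]["id"]
    status, method = send(*build_phone_method_request(
        tok["access_token"], guest_id, "+1 2065550100"))
    print(status, error_code(status, method) or method.get("id"))


if __name__ == "__main__":
    main()
```

Two things worth noticing when running it against a real tenant: the app-only token's `scope` must be `https://graph.microsoft.com/.default`, since the client-credentials grant cannot request individual delegated scopes, and a `403 Authorization_RequestDenied` on the phone-method call usually means either the application permission has not been admin-consented or the tenant lacks the P1/P2 licence the answer mentions, not that the request body is wrong.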
