Azure MFA Enforcement Via API

Devendra singh Khurana 26 Reputation points
2023-11-23T09:40:13.11+00:00

Our organization utilizes its Active Directory and seeks to implement Azure to enforce Multi-Factor Authentication (MFA) for users. We specifically aim to offer email and an authenticator app as MFA options while leveraging the capabilities within the free tier subscription.

To achieve this, we followed a series of steps:

  1. Created an application within Azure and assigned user creation permissions.
  2. Utilized the client credentials flow via Azure API to generate an access token.
  3. Employed the Azure API to create an external user.
  4. Currently, our objective is to enable MFA for users through the Azure API.
  5. Upon a user's login to our Active Directory, we intend to present a page enabling MFA.
  6. In cases where a user hasn't registered for MFA, our plan is to retrieve a QR code via the Azure API and display it on our page.
  7. Additionally, we aim to verify the authentication code using the Azure API.

Few more queries:

  1. Is it possible to use Email As MFA method?
  2. If we are giving authenticator as MFA for how many users can be created for free?
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,484 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Domooney-MSFT 2,576 Reputation points Microsoft Employee
    2023-11-23T15:29:12.99+00:00

    Hi @Devendra singh Khurana

    Thank you for posting your query on Microsoft QnA!

    Regarding your queries,.

    5 - You mention upon login to "Active Directory" here are you referring to Azure AD or your on-prem AD? As Azure MFA is only supported for Azure AD cloud applications, unless you have an on-prem application which is integrated with a RADIUS server, which also requires a P1 license - https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension

    6 - It is not possible to use Azure AD MFA with your own web page, the users must register their method on the Microsoft registration page. The only alternative to this is when using SMS or Phone, you can pre-populate the phone number with Graph API, this would only be available with P1 or P2 licenses - https://learn.microsoft.com/en-us/graph/api/authentication-post-phonemethods?view=graph-rest-beta&tabs=http

    Email is not allowed as a method to perform MFA as it is deemed unsecure, we have a list of available methods here - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks#available-verification-methods

    With Azure AD free and Security Defaults you can have unlimited users using Authenticator App, but if you do not have a verified domain you are restricted to 50,000 objects / users.

    Let me know if you have any further queries and I would be happy to help!

    0 comments No comments