Using Graph for authentication (MFA) with the Authenticator app
I am trying to add multi-factor authentication (MFA) using Azure into my client's CRM. My client currently has Office365 set up to force users to use MFA via the Authenticator app.
Ideally we do not want to use the old-fashioned way, which is to direct the user to Microsoft for the authentication step and provide MS with a return URL where they will return the results. It is my understanding that the Graph API was updated in mid-June 2024 to allow API calls to be used instead.
I have explored the new authentication document here https://learn.microsoft.com/en-us/entra/identity/authentication/ but I am still not sure I will be able to implement our ideal solution. We would like to be able to do the following:
- Keep the user on the CRM. No third-party redirects.
- Look up the user's authentication status, ideally on a per-device basis. I believe I can use this endpoint: /users/{emailaddr}/authentication/microsoftAuthenticatorMethods/{$microsoftAuthenticatorAuthenticationMethodId}
- If not authenticated on MS, we'll redirect the user to a CRM page where the user can enter an Authenticator app code. Upon submission we will need to authenticate against this code. This is the step I don't know how to do.
- We would like to have single sign-on (SSO) between Office365 and the MFA for the CRM. I am currently using a separate Azure app for testing. How would this be done?
In summary, given an Authenticator app code what Graph API call should I use to authenticate a user? How would SSO be done with Office365 and MFA for the CRM?
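For the second bullet (looking up a user's Authenticator registrations per device), the following is an added illustration, not code from the question or from Microsoft: it builds the Graph URL the asker mentions (without a method id, so it lists every registration), calls it with a bearer token, and reduces the response to the per-device facts a CRM would keep. It assumes an access token for Microsoft Graph has already been obtained with the permission that authentication-method reads require (UserAuthenticationMethod.Read.All is assumed), and that the response objects carry the `id`, `displayName`, `deviceTag`, `phoneAppVersion` and `createdDateTime` fields of the microsoftAuthenticatorAuthenticationMethod resource. The sample payload is constructed so the script runs offline. One caveat worth keeping in mind: a listed registration proves a device is enrolled, not that the user passed an MFA challenge in the current session.

```python
"""List a user's registered Microsoft Authenticator methods via Graph.

Added illustration, not the asker's code. Assumptions: a Graph access token
with UserAuthenticationMethod.Read.All (or the delegated equivalent) is
already in hand; the fields read below follow the
microsoftAuthenticatorAuthenticationMethod resource. SAMPLE_RESPONSE is a
constructed payload so the module runs without network access.
"""
import json
from typing import Callable, Dict, List
from urllib.parse import quote
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"


def authenticator_methods_url(user: str) -> str:
    # The endpoint from the question, minus the method id: the collection
    # lists every Authenticator registration for the user (UPN or object id).
    return f"{GRAPH}/users/{quote(user, safe='')}/authentication/microsoftAuthenticatorMethods"


def graph_get(url: str, token: str) -> dict:
    # Plain HTTPS GET with the bearer token; no SDK dependency.
    req = Request(url, headers={"Authorization": f"Bearer {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize_methods(payload: dict) -> List[Dict[str, str]]:
    """Reduce the Graph collection to the per-device facts a CRM would store."""
    rows = []
    for m in payload.get("value", []):
        rows.append({
            "id": m.get("id", ""),
            "device": m.get("displayName", ""),
            "tag": m.get("deviceTag", ""),
            "app_version": m.get("phoneAppVersion", ""),
            "registered": m.get("createdDateTime", ""),
        })
    return rows


def user_has_authenticator(user: str, token: str,
                           fetch: Callable[[str, str], dict] = graph_get) -> bool:
    """True when at least one Authenticator registration exists.

    This only says a device is *enrolled*; it is not evidence that the user
    completed an MFA challenge in the current session.
    """
    return bool(summarize_methods(fetch(authenticator_methods_url(user), token)))


# Constructed sample response, shaped like the Graph collection.
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",  # placeholder id
            "displayName": "Pixel 7",
            "deviceTag": "SoftwareTokenActivated",
            "phoneAppVersion": "6.2307.4926",
            "createdDateTime": "2024-06-20T09:15:00Z",
        }
    ]
}


def fake_fetch(url: str, token: str) -> dict:
    # Offline stand-in for graph_get so the demo can run without a tenant.
    if url.endswith("/microsoftAuthenticatorMethods"):
        return SAMPLE_RESPONSE
    return {"value": []}


if __name__ == "__main__":
    print(authenticator_methods_url("alice@example.com"))
    print(user_has_authenticator("alice@example.com", "placeholder-token", fetch=fake_fetch))
    for row in summarize_methods(SAMPLE_RESPONSE):
        print(row)
```

Swap `fake_fetch` for the default `graph_get` and supply a real token to run it against a tenant; the `fetch` parameter is there so the lookup logic can be unit-tested without network access.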