Sending Manual MFA Prompts

Jaeger, Jared 6 Reputation points
2021-09-30T16:50:50.557+00:00

I am looking to see if there are capabilities to utilize the existing Multifactor Authentication system in Azure to send an authentication request when dealing with users to verify their identity while working with them remotely. I cannot find an API to call or a command to prompt for user authentication in any automation/scripting platform (Power Automate, PowerShell, etc.).

I would like to send it to their default device: if it is set to the Authenticator app, they would just need to approve; if it is set to send a 6-digit code, a prompt for me to input the code so I can verify their identity.

This thought process is to avoid verification questions found in common social media (Mother's maiden name, middle name, etc.)

I wasn't sure if it can only be used as a prompt when the user is signing in to the account themselves.

Microsoft Entra ID

1 answer
    Mr V 20 Reputation points
    2023-10-09T12:07:50.8666667+00:00

    Picking this back up, as Jared raised a good question and use case.

    In recent cyber incidents we have seen threat actors contact internal help/service desks to reset a privileged user's password and then launch an attack or drop a payload.

    Without giving IT staff access to end-user personal information or using paid third-party services, there are very few ways IT help/service desk staff can verify a caller's identity for requests such as password resets and MFA re-registration.

    Can the Microsoft team look at enabling the functionality to send a manual MFA prompt from within Entra, as in the use case Jared described and also detailed below:

    Scenarios: A helpdesk agent receives a phone call from a user.

    A) “Hi, it’s John Smith here, I am trying to log in to Outlook on the web, but it won’t accept my password. My username is john@smith.com, can you help me reset it?”

    B) “Hi, it’s John Smith here, I’ve just got a new phone, unfortunately I dropped mine last night and the screen is broken. I am trying to sign-in to my work account but my password isn’t accepted, and I can’t use SSPR to reset my password as I can’t approve the MFA request on my phone. My username is john@smith.com, can you help me reset it?”

    Considerations:

    Most helpdesk agents have limited ways to verify the identity of the caller unless special attributes like employee ID are stored in a user record/account in AD. This in itself poses other challenges and without robust JML processes and HCM to AD/AAD integrations to keep information up to date, how else can we verify a caller is who he/she says they are? Giving helpdesk agents access to PII could have regulatory requirements/implications.

    MFA helps protect an account, but MFA methods can be reset by an agent at the click of a button. Scenario B above could easily happen with a fake caller and an account hijacked. Where some users have privileged accounts, this could be costly.

    Proposed Solution:

    To help protect identities managed in a Microsoft 365 tenant we’d like to see the ability to push Microsoft Authenticator or SMS OTP from within Microsoft Entra directly to the user.

    In scenario A the agent could send the user a Microsoft Authenticator number matching prompt to verify or an SMS for them to return an OTP. Once verified the agent can reset the password and help get the user logged in.

    In scenario B the agent could send the user an SMS for them to return an OTP. As the OTP will be sent to their registered mobile number, the agent can help a genuine user reset their password and re-enrol Microsoft Authenticator as a method for MFA, whereas a threat actor would be left with no OTP to share. (Let's leave SIM cloning incidents for another day :-) )

    When a user’s identity needs to be verified for sensitive tasks, such as password resets, VPN access, etc., these options could help an agent verify and be confident that a caller is who they say they are. Third-party solutions could be used to facilitate this, but not without integration work, and all the information, features and functionality are already available in Entra; it just needs to be made accessible for this type of use case.

    Thanks in advance.

    MrV

    4 people found this answer helpful.