MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell


While thinking about Azure MFA and its usage in MIM for password reset or as an authorization step when requesting a PAM role, I thought to myself: why not use this as a workflow activity in an authorization workflow, for example when requesting a group membership? Sadly, you cannot configure the OOB MFA activities that come with MIM.

So why not do it on my own, using the Azure MFA SDK? So far I have found it to be quite simple.
This demo approves a member join to a group by Azure MFA with a phone call; you have to answer the call with a # to get into the group. The MobilePhone attribute of your MIM Portal users has to be set to a valid number for this demo to work.

The first thing you need to do is to set up Azure MFA as pay-as-you-go; you can find these steps in the MIM documentation on setting up Azure MFA for password reset. Also download the SDK as described in the documentation; I used the ASP.NET 2.0 VB version in my example.

Next we need to build a class library from the SDK's .vb file. I am pretty sure you could use it in other ways, but that is the way I went.

You will find the file called pf/pf_auth.vb in the extracted SDK folder. This file contains personal keys and secrets so keep it secure.

I started a new project for a class library in Visual Studio (2013 in my case) and pasted the content of the pf_auth.vb file into the project's .vb file (completely overwriting the existing content). In my example I renamed the project to MFASDK and renamed the class library and Root Namespace to MFAClass, but you can name them as you like.

Now I compiled against .NET Framework 4.5 (which was the default in my case).
You will now have the following three files in your ..\bin\ folder (Release or Debug):

  • MFASDK.dll
  • MFASDK.pdb
  • MFASDK.xml

In my case I copied those three files to C:\Temp\MFATest.
I also copied the cert_key.p12 file from the pf\certs folder of the extracted Azure MFA SDK folder. (Also keep that file secure.)

Now it's time for the PowerShell part. I created the following script, named it MFACall.ps1 and also put it in C:\Temp\MFATest\

param($Username,$MobilePhone)

# Fail early: both values come from the MIM workflow dictionary and must be present
if (-not $Username) { throw "Username must be provided to the script" }
if (-not $MobilePhone) { throw "MobilePhone must be provided to the script" }

# Load the class library built from pf_auth.vb (not in the GAC for this example)
Add-Type -Path C:\temp\MFATest\MFASDK.dll

# Parameters for the MFA call
$mfa = New-Object -TypeName MFAClass.PfAuthParams

$mfa.Username = $Username
$mfa.CountryCode = "49"
$mfa.Phone = $MobilePhone.Replace("+49","")   # country code is passed separately, so strip the +49 prefix
$mfa.Mode = [MFAClass.pf_auth]::MODE_STANDARD  # phone call; the user confirms with #
$mfa.Hostname = "MIMServer"
$mfa.AllowInternationalCalls = $true
$mfa.Language = "en"
$mfa.CertFilePath = "c:\temp\MFATest\cert_key.p12"  # client certificate from the SDK's pf\certs folder

# Call status and error code are returned by reference
[int]$callStatus = 0
[int]$errorId = 0

$result = [MFAClass.pf_auth]::pf_authenticate($mfa, [ref]$callStatus, [ref]$errorId)

if ($result)
{
    Write-Debug "Azure MFA Authentication successful"
}
else
{
    # An uncaught exception makes this process exit with a non-zero code, which denies the request
    throw "Azure MFA Authentication failed with errorId: $errorId (callStatus: $callStatus)"
}

As you can see, I simply load the DLL, which is not in the GAC for this example. Then I create a new object for the MFA parameters (PfAuthParams), which I guess are self-explanatory. MODE_STANDARD is the default MFA method, a phone call where you have to enter a # to be validated. I have not tested any other method like the mobile app yet. You cannot use the SMS options since we have no UI to enter the code later.

After that the pf_authenticate() method of the pf_auth module is called with at least the PfAuthParams and references to two variables for storing the return and error codes. The pf_authenticate() method itself returns true or false when the Azure MFA call is done.

I did not find out exactly how to return success/error back to the MIM workflow, but it seems to work for me to do nothing if it is successful and to throw an exception on a failed verification; in the latter case I get a "denied" on the MIM workflow. (In fact I could not find any documentation on how to use the PS activity in an authorization workflow.)

Now it's time for the MIM parts:

  • Create a group that you want to protect by MFA (I used a DL in this demo).
  • Create a set which contains the groups you want to protect by MFA.
  • Create an authorization workflow like the following:

[Screenshot: AzureMFA1]

Where the first two function evaluator activities go like this:

[Screenshot: AzureMFA2]

[Screenshot: AzureMFA3]

And finally the PowerShell activity (I used this one: http://fimpowershellwf.codeplex.com)

[Screenshot: AzureMFA4]

The PowerShell code used here is the following:

$Username = $fimwf.WorkflowDictionary.Username
$MobilePhone = $fimwf.WorkflowDictionary.MobilePhone
powershell -Version 4.0 -File "c:\temp\MFATest\MFACall.ps1" -MobilePhone $MobilePhone -Username $Username

We must call a Version 4.0 (at least 3.0, I think) PowerShell because the SDK is compiled against a newer version of the .NET Framework than the MIM components.
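Because the activity above only shells out and never looks at the child process, a crash in MFACall.ps1 or an empty MobilePhone value is not guaranteed to end in a denial. The following is an added example of a more defensive activity body (my code, not the original post's or the fimpowershellwf project's); it assumes the same $fimwf object, script path and German country code 49 used above, and that the SDK wants the national number without the +49 prefix, as MFACall.ps1 already does.

```powershell
# Added example: defensive PowerShell activity body for the MIM authorization workflow.
# The phone number is the second-factor anchor, so MobilePhone should only be
# editable by administrators; an attribute the requestor can change proves nothing.
$Username    = $fimwf.WorkflowDictionary.Username
$MobilePhone = $fimwf.WorkflowDictionary.MobilePhone

# Deny when either value is missing; an empty number must never
# fall through to an approved request.
if ([string]::IsNullOrWhiteSpace($Username)) {
    throw "MFA denied: Username missing from the workflow dictionary"
}
if ([string]::IsNullOrWhiteSpace($MobilePhone)) {
    throw "MFA denied: MobilePhone attribute not set for $Username"
}

# Normalise the stored number (+49..., 0049... or national 0...) to the national
# part; MFACall.ps1 passes it to the SDK together with CountryCode 49 (assumption).
$digits = $MobilePhone -replace '[^\d+]', ''
$national = switch -Regex ($digits) {
    '^\+49[1-9]\d{5,13}$' { $digits.Substring(3); break }
    '^0049[1-9]\d{5,13}$' { $digits.Substring(4); break }
    '^0[1-9]\d{5,13}$'    { $digits.Substring(1); break }
    default { throw "MFA denied: '$MobilePhone' is not a recognised German number" }
}

# Run the SDK call in its own PowerShell 4.0 process, as the post does, but wait
# for it and read the exit code: an uncaught throw in MFACall.ps1 exits with 1.
$proc = Start-Process -FilePath 'powershell.exe' -Wait -PassThru -NoNewWindow `
    -ArgumentList @(
        '-Version', '4.0', '-NoProfile', '-NonInteractive',
        '-File', 'C:\Temp\MFATest\MFACall.ps1',
        '-Username', "`"$Username`"",
        '-MobilePhone', $national
    )
if ($proc.ExitCode -ne 0) {
    throw "MFA denied for $Username (MFACall.ps1 exit code $($proc.ExitCode))"
}
```

Anything other than a clean exit code 0 now ends in a throw, so the workflow result is "denied" unless the call was actually answered with #.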

The last thing is to set up a Management Policy Rule (MPR) to combine our objects and get it working:

  • PolicyType: Request based
  • Requestor: All People
  • Operation: Add multivalue attribute
  • Target (before and after): The set created above that contains the groups to protect by MFA
  • Select specific attribute: Manually-managed Membership (ExplicitMember)
  • PolicyWorkflow: The Authorization Workflow we created above.

Done.

You can now try to join that group as a user or admin and should receive a call from Microsoft regarding MFA authentication, which you should answer with a #.

This example is far from production-ready, as I would have to do more error handling and a lot of other things, but it should be enough to show how to get it working.


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

One Response to MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell

  1. Pingback: MIM2016: Using Azure MFA Mobile App Auth in authorization workflows | JustIDM
