MIM2016: Using Azure MFA Mobile App Auth in authorization workflows


This is a follow-up post to my article regarding Azure MFA used in an authorization workflow for MIM 2016. You can get some details on the scenario from that post.

As a limitation, the Azure MFA SDK can only be used for phone call or SMS (one-way, two-way) authentication, but not with the mobile app method. That’s because the mobile app uses a Web Service to get messages pushed, and that Web Service needs to be implemented with the MFA Server.

But I find it a neat solution to have an authorization task for approving group membership using the mobile app. There are a couple of things needed to get this working:

  • Azure MFA Server
  • Installation of Web Service SDK
  • Installation of Web Service for Mobile App
  • Public Trusted Certificate (or Self Signed for demo lab like I did)
  • Optionally: Azure MFA User Portal (For user registering mobile app with QR-Code)

I do not explain how to install these components because there is a lot of very good documentation out there. I used the following one, which worked like a charm:

https://4sysops.com/archives/azure-multi-factor-authentication-part-4-portals/

As stated above, you don’t need to install the User Portal, but it can be an easy way for users to register their phone and mobile app by QR code. Instead of that you can also create a registration code and URL as an admin from the MFA Server console, or by using a Web Service method.

Make sure the Mobile App Web Service is accessible from the internet and that the name on the certificate matches the host name. Check connectivity with a browser and make sure you get no certificate warning.

If you just want to setup a demo lab you can create a self-signed certificate with PowerShell like this:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname mfaserver.mydomain.com

Don’t forget to configure the Mobile App section in the MFA Server console: you need to enter the URL of the Mobile App Web Service and an Account Name, which is for example the company name that should be displayed in the mobile app.

[Screenshot: MFAServer1]

Now it’s time to get some users into the MFA Server. You can simply import them from Active Directory or create them manually in the Users section of the MFA Server. If you create them manually, like I did because my MFA Server is not domain joined, make sure you configure the username resolution in the company settings of the MFA Server to case-sensitive string match instead of objectSID.

[Screenshot: MFAServer2]

Set default auth method for users to mobile app on the company settings page.

[Screenshot: MFAServer3]

For testing, modify a user’s properties and click the Create Activation Code button on the Mobile Application tab of that user. Enter these values in the Azure Authenticator mobile app on your phone.

[Screenshot: MFAServer4]

If you use a self-signed certificate for testing, like I did, you need to import that certificate on your phone.

There is also a Test button on the Users page to initiate an Azure MFA authentication and check that everything is set up correctly.

Now that you have set up MFA properly, it’s time for the MIM part.

See my last post on configuring Azure MFA for authorization to set up the Sets, Workflow and MPR, but with the following difference:

  • You only need to pass the UserPrincipalName (or Mail) that matches the username in the Azure MFA Server to the script

And here is the script to call the MFA WebService SDK:

# UPN of the requesting user, passed in from the MIM workflow dictionary
$UPN = $fimwf.WorkflowDictionary.UPN

# Credentials of the account that is allowed to call the Web Service SDK
# (the same account you entered in the web.config of the Web Service SDK)
$Password = 'myPassword' | ConvertTo-SecureString -AsPlainText -Force
$UserName = "DOMAIN\MFASDKAccount"
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $Password

# Call the SOAP Azure MFA WebService SDK
$proxy = New-WebServiceProxy -Uri "https://mfa.mydomain.com:8080/MFASDK/PfWsSdk.asmx?WSDL" -Credential $Creds

# Get Namespace for Objects
$ns = $proxy.GetType().Namespace

# Define Parameters for PfAuthUser Method
$callresult = New-Object ($ns + ".CallResult")
$errorid = New-Object ($ns + ".Error")
$authRequestId = ""
$authType = "pfsdk"
$initiatingIP = "192.168.1.26"   # address reported to the MFA Server as the origin of the request
$requireUserMatch = $true        # authentication must fail if the user is not found in the MFA Server
$appName = "MIMPortal"           # application name shown with the request

# Initiate MFA (returns after the user approved/denied in the mobile app or the request timed out)
$result = $proxy.PfAuthUser_4($UPN.ToLower(), $authType, $initiatingIP, $appName, $requireUserMatch, [ref]$callresult, [ref]$authRequestId, [ref]$errorid)

if ($result)
{
    $callresult.Description
}
else
{
    # Throwing makes the MIM PowerShell activity, and so the authorization workflow, fail
    Throw "ErrorCode: " + $errorid.Code + " - " + $errorid.Description
}

I’m pretty sure you will find a better way to secure the credentials of the service account used in that script, but use the same user here that you entered into the web.config files when installing the Web Service SDK and User Portal.
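One way to keep the service-account password out of the script, as an added example that is not part of the original post: store the credential once with Export-Clixml (the SecureString is DPAPI-protected, so only the same Windows account on the same machine can read it back) and load it inside a function that wraps the SDK call from the script above. The path C:\MIMScripts\mfasdk.cred and the function name are assumptions.

```powershell
# One-time setup (run interactively AS the account the MIM PowerShell activity
# runs under): Export-Clixml protects the password with DPAPI, so the file can
# only be decrypted by that same user on that same machine. Path is an assumption.
#   Get-Credential 'DOMAIN\MFASDKAccount' | Export-Clixml -Path 'C:\MIMScripts\mfasdk.cred'

function Invoke-MfaMobileAppApproval {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,     # UPN/mail as known to the MFA Server
        [Parameter(Mandatory)] [string] $InitiatingIP, # address reported to the MFA Server as request origin
        [string] $CredentialPath = 'C:\MIMScripts\mfasdk.cred',
        [string] $SdkUrl  = 'https://mfa.mydomain.com:8080/MFASDK/PfWsSdk.asmx?WSDL',
        [string] $AppName = 'MIMPortal'
    )

    # Throws if the file is missing or was exported by a different account or machine
    $creds = Import-Clixml -Path $CredentialPath

    $proxy = New-WebServiceProxy -Uri $SdkUrl -Credential $creds
    $ns    = $proxy.GetType().Namespace

    $callResult    = New-Object ($ns + '.CallResult')
    $errorId       = New-Object ($ns + '.Error')
    $authRequestId = ''

    # requireUserMatch = $true: a user unknown to the MFA Server fails instead of passing
    $approved = $proxy.PfAuthUser_4($UserName.ToLower(), 'pfsdk', $InitiatingIP, $AppName, $true,
                                    [ref]$callResult, [ref]$authRequestId, [ref]$errorId)

    if ($approved) { $description = $callResult.Description }
    else           { $description = "ErrorCode: $($errorId.Code) - $($errorId.Description)" }

    # Structured result: the caller gets request id and description, the credential is never output
    [pscustomobject]@{
        User        = $UserName
        Approved    = [bool]$approved
        RequestId   = $authRequestId
        Description = $description
    }
}

# Inside the MIM PowerShell activity: throw on denial so the authorization workflow fails
$r = Invoke-MfaMobileAppApproval -UserName $fimwf.WorkflowDictionary.UPN -InitiatingIP '192.168.1.26'
if (-not $r.Approved) { throw $r.Description }
$r.Description
```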


Addition:

I’m quite sure it’s also possible to use this PowerShell activity in the Privileged Access Management (PAM) scenario, which by default only supports phone call MFA. I guess we will have to check if MFA is enabled on a PAM Role and put that into the script above. I will maybe give it a try and come back if I find out anything special about that.


About Peter Stapf
Senior Consultant Infrastructure Services (Main focus: Identity Management) MVP Directory Services

One Response to MIM2016: Using Azure MFA Mobile App Auth in authorization workflows

  1. Banu says:

    I wondered upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon.
