I'm creating users in AzureAD using graph api. I want to enable multi-factor-authentication either while creating users using MS Graph API or else is there any other way to enable Multi-Factor-Authentication using MS Graph API.
0
Add a comment
|
3 Answers
Currently this is not available in Microsoft Graph API. I found a vote in azure feedback https://feedback.azure.com/forums/34192--general-feedback/suggestions/32683693-add-mfa-status-to-user-entity-info-returned-by-gra
If MFA authentication needs to be enforced, maybe an alternative would be to have a conditional access policy requiring MFA for a group of users (e.g. the baseline MFA for admins) and check that the user is a member of that group using Graph API.
answered Oct 29, 2020 at 6:39
Sri Hari Krishna Yalamanchili
2,4453 gold badges14 silver badges26 bronze badges
Comments
I made it this way:
Blazor wasm client, informing the user about the process and providing information about Microsoft Authenticator install, how-to, etc.
Azure Function Rest Api, able to check a user "mfa status" and able to add a user to a specific group. Both are simply "give me status" and "give me mfa", no parameters. Everything is controlled by the token provided to Azure Function controller.
Both use authentication, meaning that the user authenticates via AAD, and this identity is presented to both api.
If the user is not already added to the group, the user gets the option to "order mfa". In the backend, the user is simply added to the group.
The group is set in Azures "conditional access".
I did not want to do this through Graph API, because then I had to give the users some "other possibilities" that i feel they not should have.
Comments
If you are using Graph Client in your back end C# project then you can Enable/Disable/Enforce Users MFA using Powershell.
Scroll down to “Change state using Powershell”
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
