MFA Support for Windows Azure Active Directory PowerShell Module

Administering O365 is quite easy using the O365 Portal. However, power users may prefer the flexibility of script based management via PowerShell. The “Windows Azure Active Directory Module for Windows PowerShell” (WAADMfWP) provides such capability. With just a few lines of code, the power user can provision millions of accounts and modify O365 resources with no user interaction.

As one famous comic book character once said: “with great power comes great responsibility”. It is important to secure such power and adding Multi-Factor Authentication (MFA) is a good way to add an additional layer of protection.

Enabling MFA for Azure Active Directory (and O365 by extension) is quite easy for web-based access. This is because Azure MFA uses HTTP redirection to control the authentication flow, and the web browser understands HTTP redirection natively.

MFA support for the current version of WAADMfWP is not possible because the current WAADMfWP uses the “Microsoft Online Services Sign-In Assistant” to handle credential authentication.

This Sign-In Assistant only works with non-MFA-enabled identities because it is not designed to understand the HTTP redirection associated with an MFA-enabled authentication flow.

The good news is that there is a new version of WAADMfWP in public preview. This new WAADMfWP uses ADAL based authentication UI which is able to follow HTTP redirection. Because of this, the new module will work with MFA enabled identities.

 

Before installing the new WAADMfWP, you must do the following:

1)   Uninstall the old WAADMfWP if you have one installed. The old one is 4.88 mb in size

2)   Uninstall the Microsoft Online Services Sign-In Assistant

Download the preview version from here:

http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

Once you have it installed, you must be aware of the following before starting:

With the old WAADMfWP, you can use Connect-MsolService with or without the -Credential parameter. If you do not supply the Credential parameter, you’ll be prompted with a UI to enter the credential.

The new WAADMfWP works slightly differently in that if you want it to support MFA, you’ll need to call Connect-MsolService without the -Credential parameter.

The new WAADMfWP module uses ADAL to prompt for the user's credentials with a browser-based UI.

If the user account is in a domain that is federated, the user is redirected to the federated STS.

 

In this example, the STS is an ADFS server. The user enters the password.

ADFS validates the password and determines whether the user needs step-up authentication. In this case, we've configured Azure MFA server as an MFA provider and this user satisfies an ADFS rule to require MFA. The user clicks [Continue] to initiate the configured MFA option.

In this example, this user is configured to have the MFA server send a One Time Passcode (OTP). The user must enter the OTP to authenticate.

If the user fails to provide the correct OTP, the user will receive the appropriate error message from ADFS (customizable) and the Connect-MsolService command will fail.

If the user enters the correct OTP, control is returned to the WAADMfWP and a valid session now exists.

The Credential parameter is still supported but works only for non-MFA-enabled identities.
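The two sign-in paths described above, wrapped in a helper that handles a failed MFA prompt and confirms the session before any further cmdlets run. This is an added example, not code from the original post; the function name Connect-MsolInteractive is hypothetical, and it assumes the preview module is installed under the module name MSOnline.

```powershell
# Added example (not from the original post).
# Assumption: the module is installed and importable as "MSOnline".
function Connect-MsolInteractive {
    [CmdletBinding()]
    param(
        # Supply only for accounts that are NOT MFA-enabled.
        [System.Management.Automation.PSCredential] $Credential
    )

    if (-not (Get-Module -ListAvailable -Name MSOnline)) {
        throw 'MSOnline module not found. Install the preview module first.'
    }
    Import-Module MSOnline -ErrorAction Stop

    try {
        if ($Credential) {
            # Non-interactive path: no browser UI is shown, so there is no
            # redirect to the STS and no MFA step-up. This fails for
            # MFA-enabled identities.
            Write-Warning '-Credential works only for non-MFA identities.'
            Connect-MsolService -Credential $Credential -ErrorAction Stop
        }
        else {
            # Interactive path: ADAL opens the browser-based UI, which follows
            # the redirect to the federated STS and on to the MFA prompt.
            Connect-MsolService -ErrorAction Stop
        }
    }
    catch {
        # A wrong OTP or a cancelled prompt ends up here.
        Write-Error "Sign-in failed: $($_.Exception.Message)"
        return $false
    }

    # Confirm the session is usable before running any bulk changes.
    $company = Get-MsolCompanyInformation -ErrorAction Stop
    Write-Verbose "Connected to tenant '$($company.DisplayName)'."
    return $true
}

# Usage: sign in with the MFA-capable prompt, then list a few devices.
if (Connect-MsolInteractive -Verbose) {
    Get-MsolDevice -All | Select-Object -First 5
}
```

Scripts that run unattended cannot answer the browser prompt, so they are limited to the -Credential path and therefore to identities without MFA.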

A new AccessToken parameter is added to the Connect-MsolService cmdlet. I'll cover this in a future post if there is enough interest.

The new WAADMfWP also adds other new cmdlets:

  • Get-MsolDevice
  • Enable-MsolDevice
  • Disable-MsolDevice
  • Remove-MsolDevice

 

Note that this new WAADMfWP will not work with tenants in China.

Enjoy

 

This post has been moved here: https://paulwu108883359.wordpress.com/2018/10/03/mfa-support-for-windows-azure-active-directory-powershell-module/
